2019 TAG Cyber Security Interview with Industry Luminary: John Viega

September 20, 2018

Securing Linux for the Data Center and Cloud
An Interview With John Viega, CEO, Capsule8

A surprising characteristic of modern computing is that Linux has become the dominant operating system. That a Unix-based underlying framework would guide the present and future data center, cloud, and other server-rich environments should not be a huge surprise, given the maturity and effectiveness of that technology. Just about all operating systems, even Windows, are built from that base.

But not all security professionals realize how extensive the open source base has become, and that it now requires world-class, commercialized cyber security controls to ensure sufficient compliance support and attack avoidance. We recently spent time with John Viega of Capsule8 to learn more about how data centers, cloud infrastructure, and other environments can benefit from improved Linux security.

EA: What statistics are available on the use of Linux in the data center and cloud?
JV: The adoption of Linux in the Fortune 500 is staggering. According to the Linux Foundation, Linux runs 90 percent of the public cloud workload. It’s the operating system for more than 95 percent of the top one million domains and more than 75% of cloud-enabled enterprises report using Linux as their primary cloud platform. That’s why it was such a huge market for Capsule8 to address. We went out and spoke with CIOs and CSOs at major companies and one of the main issues we heard time and again was that there was no solution focused on protecting Linux production infrastructure.

EA: What is your strategy for introducing improved security to Linux?
JV: Capsule8’s main strategy is to provide real-time, zero-day attack detection and response for Linux-based production environments. And while everyone knows how big of an issue zero-day attacks are, no vendor has been able to bring that detection to the scale required for the production environment. In addition, with cloud-native technologies like containers now being widely adopted, traditional security appliances don’t have the visibility needed to detect attacks. To address these challenges, we knew our solution had to be easy to deploy, effective, and scalable for all potential Linux production environments. No production environment is the same and we had to be prepared to protect them all, whether containerized, virtualized, or bare metal. Essentially how it works is that Capsule8 deploys sensors throughout your infrastructure —in the cloud and the data center, on both bare metal and containers. These sensors run outside the kernel, to ensure the performance and stability of the workload. The sensors capture only small amounts of security-critical data, and stream it to nearby analysis instances, which can detect and respond in real time, allowing you to catch zero-days and other unwanted activity as they happen. And when Capsule8 detects an attack it can immediately disrupt that attack before it takes hold with an automated response such as automatically killing attacker connections, restarting workloads, or immediately alerting an investigator.

EA: Can you provide a simple explanation of what a container is and how you secure it?
JV: Containers are an OS-level virtualization method for running multiple isolated Linux workloads on a host using a single Linux kernel. Everything outside the kernel is virtualized, and the applications, runtimes and files in one container can’t see other containers on the same machine, but they share an underlying operating system. Containers have not only allowed companies to pack more onto a single machine, they’ve made it much easier to build portable software that is continuously redeployed. They’ve become a key technology to enable microservices and auto-scaling applications, and are now a staple in many continuous integration/continuous delivery (CI/CD) pipelines. When it comes to containers, there is a significant amount of isolation built in by default. One of the most significant issues with securing containers is visibility. When multiple containers live on the same machine and talk to each other, communication doesn’t go over the network and can never be seen by an appliance—even a virtual appliance. You still don’t have access to what is going on inside. The solution to container security lies within tooling that is container aware. By looking in real time at system, network and intra-container data, you achieve the level of visibility needed to know when something bad is happening inside of a container and can respond to it appropriately, such as shutting down or isolating the affected container.
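To make the two preceding answers concrete (host sensors streaming a small set of security-critical events to an analyzer, and container-aware visibility into activity that never crosses the network), here is an added illustration written for this page; it is not Capsule8's code or a description of its product internals. The event format, the two rules, the response names and the sample stream are all constructed assumptions. The analyzer keeps process ancestry per host and container, flags a shell spawned under a web server inside a container, and flags container egress that is not on that container's allowlist, including a peer that is just another container on the same host.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed values: process names the rules treat as web servers and shells.
WEB_SERVERS = {"nginx", "httpd", "node", "gunicorn"}
SHELLS = {"sh", "bash", "dash"}


@dataclass(frozen=True)
class Event:
    """One record as a host sensor might emit it (the format is an assumption)."""
    ts: float
    host: str
    container: Optional[str]  # None when the process runs outside any container
    pid: int
    ppid: int
    comm: str                 # executable name
    kind: str                 # "exec" or "connect"
    detail: str = ""          # for "connect": "ip:port" of the destination


@dataclass(frozen=True)
class Alert:
    ts: float
    host: str
    container: Optional[str]
    rule: str
    response: str             # the automated action the analyzer would request
    evidence: str


class Analyzer:
    """Keeps per-host, per-container process ancestry and applies two rules."""

    def __init__(self, allowed_egress: dict[str, set[str]]):
        # Destinations each container is expected to talk to (assumed policy).
        self.allowed_egress = allowed_egress
        # (host, container, pid) -> exec event, used to rebuild ancestry.
        self.procs: dict[tuple[str, Optional[str], int], Event] = {}

    def _ancestors(self, ev: Event) -> list[str]:
        chain, seen = [], set()
        key = (ev.host, ev.container, ev.ppid)
        while key in self.procs and key not in seen:
            seen.add(key)
            parent = self.procs[key]
            chain.append(parent.comm)
            key = (ev.host, ev.container, parent.ppid)
        return chain

    def handle(self, ev: Event) -> Optional[Alert]:
        if ev.kind == "exec":
            self.procs[(ev.host, ev.container, ev.pid)] = ev
            ancestors = self._ancestors(ev)
            # Rule 1: a shell appears under a web server inside a container.
            # Legitimate web workloads rarely do this, so isolate the container.
            if ev.container and ev.comm in SHELLS and any(a in WEB_SERVERS for a in ancestors):
                return Alert(ev.ts, ev.host, ev.container, "web-server-spawned-shell",
                             "isolate-container",
                             f"{ev.comm} (pid {ev.pid}) under {' <- '.join(ancestors)}")
        elif ev.kind == "connect" and ev.container:
            # Rule 2: container egress to a destination outside its allowlist.
            # The host sensor sees this even when the peer is a container on the same host.
            if ev.detail not in self.allowed_egress.get(ev.container, set()):
                return Alert(ev.ts, ev.host, ev.container, "unexpected-egress",
                             "kill-connection", f"{ev.comm} (pid {ev.pid}) -> {ev.detail}")
        return None


def analyze(events: Iterable[Event], allowed_egress: dict[str, set[str]]) -> list[Alert]:
    """Run the rules over a stream in time order and return the alerts raised."""
    an = Analyzer(allowed_egress)
    return [a for a in (an.handle(e) for e in sorted(events, key=lambda e: e.ts)) if a]


# Constructed sample stream: one host running two containers plus a host-level sshd session.
SAMPLE_EVENTS = [
    Event(1.0, "node-a", "web-1", 100, 1, "nginx", "exec"),
    Event(1.1, "node-a", "web-1", 101, 100, "nginx", "exec"),                        # worker
    Event(1.2, "node-a", "db-1", 200, 1, "postgres", "exec"),
    Event(2.0, "node-a", "web-1", 101, 100, "nginx", "connect", "10.0.0.5:5432"),    # web -> db, allowed
    Event(3.0, "node-a", None, 300, 1, "sshd", "exec"),
    Event(3.1, "node-a", None, 301, 300, "bash", "exec"),                            # admin shell on host: not rule 1
    Event(4.0, "node-a", "web-1", 102, 101, "sh", "exec"),                           # shell under nginx worker: rule 1
    Event(4.5, "node-a", "web-1", 102, 101, "sh", "connect", "203.0.113.7:8080"),    # off-policy egress: rule 2
]
SAMPLE_POLICY = {"web-1": {"10.0.0.5:5432"}, "db-1": set()}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(alert)
```

Two design points carry over from the interview: the analyzer needs only the exec and connect records, not full traces, which keeps per-host overhead small, and ancestry is keyed by container so that an administrator's shell on the host is not confused with a shell spawned inside a web container.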

EA: Why is it so difficult to detect attacks in production?
JV: Production has some specific challenges that have prevented past technologies from working well, which is why many organizations have much better security for their endpoints than their servers. One of the biggest reasons is that things like performance and reliability generally trump security when it comes to production. Servers tend to deal with large numbers of transactions at once, and so performance overhead is a big issue. The CPU overhead to handle security processing needs to be very low, even when machines are under heavy load. And when it comes to reliability, if a bug in the security solution might cause the application to not function properly (or for the instance to crash), that’s a huge issue. As a result, kernel modules are generally frowned upon in most environments, and the second there’s a bug in production that can’t be replicated outside of it, the security solution takes the blame and is ripped out. And, anyone trying to build a solution for production knows that production ecosystems are evolving extraordinarily quickly. Solutions must be able to deal with new cloud-native technologies to be effective, be container-aware, and so on. It’s a huge challenge, and one we’re willing to take on.

EA: What are the top few attacks you’ve been hearing about from customers?
JV: Meltdown and Spectre were big concerns for our customers and prospects, and a wake-up call to the industry. It wasn’t just the breadth of processors affected, but how difficult it was to patch or remediate without causing even more damage, performance issues, and so on. And some of the patches hardly provided enough protection to be considered a mitigation at all. It forced companies to start prioritizing detection as part of their security strategy. When it comes to newly disclosed vulnerabilities, or even major high-profile exploits from the past like Heartbleed and Shellshock, real-time detection is what our customers want, and the problem we are trying to solve.