James, great write-up. I assume Sysdig's Falco solution that leverages syscalls can't be categorized fully as a runtime reachability tool? Raven, Oligo etc. have something that differentiates them from what Sysdig (and several others) have up their sleeves currently?
Hey! Sysdig does package level runtime reachability, whereas Raven & Oligo extend that to the function level, which provides a much more impactful vulnerability reduction.
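As an added illustration of the package-level versus function-level distinction discussed in the exchange above (example code written for this page, not any vendor's implementation and not from the original post), the following Python script installs a constructed in-memory package named `tinyyaml` with a hypothetical unsafe `load` function, records which functions actually execute using `sys.setprofile`, and then compares what a package-level check reports against what a function-level check reports. The package name, the function names and the "advisory" inventory are all assumptions made up for the example.

```python
import sys
import types

# Constructed advisory data: maps a package to the functions an advisory
# says are dangerous. These names are made up for the example, not real CVEs.
VULN_INVENTORY = {
    "tinyyaml": {"tinyyaml.load"},
}

# Source of the constructed package, exec'd into its own module namespace so
# that frames running inside it report __name__ == "tinyyaml".
_TINYYAML_SRC = '''
def load(text):
    """Hypothetical unsafe loader (the function the advisory flags)."""
    return {"unsafe": text}

def safe_load(text):
    """Hypothetical safe loader."""
    return {"safe": text}
'''


def install_tinyyaml():
    """Create the constructed package in memory and register it like an import."""
    mod = types.ModuleType("tinyyaml")
    mod.__file__ = "<constructed>/tinyyaml/__init__.py"
    exec(_TINYYAML_SRC, mod.__dict__)
    sys.modules["tinyyaml"] = mod
    return mod


class ReachabilityRecorder:
    """Records every Python function call made inside the watched packages.

    This is a toy stand-in for what an in-process or eBPF-based agent observes;
    it only sees the current thread and only Python-level frames.
    """

    def __init__(self, watched_packages):
        self.watched = set(watched_packages)
        self.called = set()

    def _profile(self, frame, event, arg):
        if event != "call":
            return
        modname = frame.f_globals.get("__name__", "")
        if modname.split(".")[0] in self.watched:
            self.called.add(f"{modname}.{frame.f_code.co_name}")

    def __enter__(self):
        sys.setprofile(self._profile)
        return self

    def __exit__(self, *exc):
        sys.setprofile(None)
        return False


def loaded_vulnerable_packages(inventory):
    """Package-level signal: which inventoried packages are present in the process."""
    return {name for name in sys.modules if name in inventory}


def triage(loaded, called, inventory):
    """Return (package_level_findings, function_level_findings).

    Package level: the vulnerable package is loaded at all.
    Function level: a function the advisory flags was actually executed.
    """
    package_level = {pkg for pkg in loaded if pkg in inventory}
    function_level = {
        fn for pkg in package_level for fn in inventory[pkg] if fn in called
    }
    return package_level, function_level


def run_demo(use_unsafe_loader):
    """Simulate an application that either does or does not call the flagged function."""
    tinyyaml = install_tinyyaml()
    with ReachabilityRecorder(VULN_INVENTORY) as rec:
        if use_unsafe_loader:
            tinyyaml.load("a: 1")
        else:
            tinyyaml.safe_load("a: 1")
    return triage(loaded_vulnerable_packages(VULN_INVENTORY), rec.called, VULN_INVENTORY)


if __name__ == "__main__":
    for unsafe in (False, True):
        pkg, fn = run_demo(unsafe)
        print(f"unsafe loader called={unsafe}: "
              f"package-level={sorted(pkg)} function-level={sorted(fn)}")
```

When the application only exercises `safe_load`, the package-level check still flags `tinyyaml` (the package is loaded), while the function-level check reports nothing, which is the finding that can be deprioritized. Only when `load` is actually invoked do the two checks agree. The caveat is that this recorder only sees the thread and code paths exercised during the observation window, so an unexercised path is not proof of unreachability.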
Great write up James. Have you considered getting runtime function-level reachability by utilizing the existing APM / observability agent that the site-reliability or performance management teams have already installed into the hosts and containers at an organization? It saves the security team the step of deploying an agent and often provides even more reachability information than typical runtime reachability solutions (e.g. identification of public internet reachability over 1 or more hops, identification of downstream database reachability over 1 or more hops). Vendors like Dynatrace have this as part of the already installed solution so security teams don't have to install anything new (and, depending on the licensing, may be able to utilize without a purchase order).
I think the agent requirement (even if eBPF plug-in only) is a big hill for a startup. It would have to be part of a multi-faceted agent (e.g. Sysdig or Falcon). Alternatively, these vendors could be inspired by DAST scanning techniques to simulate runtime execution pre-deployment?
I think in the long run there will be one agent that does it, which is why I made up the CADR category here! https://pulse.latio.tech/p/wtf-is-cloud-application-detection
Amazing read 👍 informative.
Hey James, great write-up. Any thoughts on precision of runtime reachability? Different vendors have different techniques: hooking into interpreted and JITted language runtimes, and pure memory analysis at certain time intervals. Vendors are often not able to share the same degree of precision for function call analysis. This is often sold as an eBPF add-on, like you mention, making this more difficult to comprehend. Which vendor/approach will lead the pack in the long term in terms of coverage and precision?
Hey! Part three should cover this with more depth, but right now Oligo, Raven, and Kodem are certainly the most mature at doing it in the context of a runtime environment