Launching ThreatMapper 1.4: A framework for defense against the evolving threat landscape – built by the community, for the community
When public clouds first came into existence, cloud providers had to educate organizations using their products and services about the shared responsibility model – basically, the notion that the cloud service provider (CSP) is responsible for the security of the cloud, and customers are responsible for the security of what they put in the cloud (such as applications and data). However, Deepfence firmly believes that the shared responsibility model is not merely two-sided and that security vendors and the security community play a shared role in securing the world’s most sensitive data and applications – a role that goes beyond making a profit and creating alert fatigue for security professionals.
Meanwhile public cloud spend is approaching $400B per year, and there is still not a single open source tool or platform that can visualize multiple clouds and all cloud native modalities. What works for K8s, does not work for serverless and so on. If you cannot observe your environment, you cannot secure it.
We dream of a better future — a shared security model, if you will, between the security community and vendors that create a framework, and an equitable starting point for defense against today’s and tomorrow’s threat landscape.
In the shared security model, the security community demands:
- An equitable starting point for gaining visibility into their attack surface.
- Security tools that scale and support modern application architectures.
- Access to tools that help prioritize risk by attackability and impact to help alleviate the operational resource constraints the industry faces to respond to these threats.
- A resilient and robust security ecosystem built by the community, not reliant on any single corporate entity for security and control.
- Open platforms that integrate and work with the operational workflows and security and ops tooling.
In return, security vendors promise to:
- Build in public.
- Build with their community, providing community members with an easy way to contribute security intelligence, features, and findings to projects for the public good.
- Build API-first to support integration and collaboration with other tools in the security ecosystem.
- Build for multiple modalities and multiple clouds.
- Give back to the open source communities on top of whose backs their products have been built, by also releasing their work as open source software to the community.
- Build software that is 100% open source and free; this means no phoning home, no rate limiting, and no hidden features.
By working together towards a future where these statements are truly put into practice, the security industry can keep pace with the explosion of threats to our applications and the supply chain. We must bring together parties from across the community to harness their wisdom and forge a collective response. That necessitates an open source model.
Why Open Source Matters in Cloud-Native Security
Open source is eating the world, with one exception: cybersecurity. Sure, there are many cybersecurity platforms aimed at securing open source applications, but there has been a gaping hole where open cybersecurity platforms should be.
Most modern applications are the result of free, open, collaborative efforts. It makes sense, then, that cybersecurity should be rooted in the collective expertise of the community – and, with today’s non-stop barrage of new attacks, the community’s collective energy and wisdom.
Indeed, the real power of an open source cybersecurity platform is that it is available to all – not just large enterprises or companies with a deep cybersecurity bench – and that it benefits from the contributions of all. An open cybersecurity platform also plays an important role in educating users – security experts or not – on the importance of securing applications from development, through production and beyond.
The ascent of open source has not been without its bumps. We’ve seen a 146% increase in ransomware attacks on Linux, and manufacturing has replaced financial services as hackers’ top target as they shift their attention to IoT, according to X-Force Threat Intelligence Index.
The software supply chain used by developers is leaving the systems that they build vulnerable to a wide variety of attacks. Synopsis found 78% of source code used by applications were from open source, and reckons 81% of that code contains at least one vulnerability. Attackers are weaponizing those vulnerabilities, with the software supply chain serving as an avenue for attack for two-thirds of companies, according to a 2022 report from Anchore.
Securing the software supply chain will take a cyber defense of comparable scale and breadth. The foundations of such a defense must also be community based – and that means open source.
ThreatMapper 1.4, Fulfilling The Shared Security Model
With the launch of ThreatMapper 1.4, Deepfence is defining and doing our part in fulfilling the shared security model. We call upon the cybersecurity community to come together to build a better common defense.
While cloud-native environments themselves are built on the backs of OSS tools and frameworks, the security products designed to protect these environments have remained largely in the domain of enterprise security companies. These vendors have held back foundational security tooling and actionable, prioritized security alerting from the security community. This changes now.
Foundational security is a basic right and a common good. We imagine a world where day zero needs like vulnerability management, cloud security posture management, malware detection, secret scanning and ANY other tool that helps users measure what is attackable is free, open to the public, and driven by community-contributed security intelligence.
Amid a constantly evolving threat landscape across clouds, environments, infrastructure modalities, and attack vectors, enterprise security vendors have built a never-ending series of better mouse traps that do little more than let customers know that a threat exists or could exist. These solutions provide alerts in siloed, disparate systems. Worst of all, they merely highlight what could go wrong, with no context for likelihood or impact. And, as the threat landscape grows scarier and ever-closer to home, vendors have been able to convince customers to buy additional modules and features: VMDR for vulnerability detection, CWPP for cloud workload protection, CSPM for cloud mis-configurations, AV for malware detection, … the list goes on – and on.
Yet despite these multiple layers of products and add-ons, we are still seeing headlines such as “Log4j: The Pain Just Keeps Going and Going,” “Just Because You Don’t See Hackers, Doesn’t Mean They Are Not In Your Network,” and “Why There is No Quick Fix to Cyber Attacks.”
There is no end in sight to attacks affecting our cloud-native infrastructure, either through the supply chain that we have all become so dependent on, or through taking advantage of the lack of visibility companies have within closed ecosystem tools, that do not integrate nor effectively share data. Traditional security tools not only aren’t helping, they may be actively hurting by compounding the problems of alerts without context, and companies lacking in security time, money, and resources.
It has become apparent that there is a missing piece of the puzzle for security professionals trying to effectively defend against the threats and threat actors that have exploded exponentially over the years.
Security observability is that missing piece of the puzzle, and ThreatMapper 1.4 is the first open source security platform on the market to:
- Give companies deep visibility into all the different attack vectors within their cloud-native environments while layering on runtime context to create a prioritized and actionable ThreatGraph. This ThreatGraph gives organizations a complete picture of their attack surface ordered by attackability and reachability.
- Provide a comprehensive, open platform for scanning, mapping, and ranking vulnerabilities in running pods, images, hosts, and repositories.
- Scan for known and unknown vulnerabilities, secrets, cloud misconfigurations, and then put those findings in context.
- Have scans happen as part of CI/CD or at runtime, ensuring that the complete CI/CD lifecycle is secured.
This empowers organizations to not only identify threats but also to determine how – and how quickly – to deal with them. In a globally connected environment in which a single vulnerability can put untold numbers of organizations and their customers at risk (think Log4j), a platform like ThreatMapper is critical.
ThreatMapper generates an actionable ThreatGraph for cloud-native environments by scanning for vulnerabilities, cloud misconfigurations, exposed secrets, and malware. By layering the results of these scans with runtime context about the workload, cloud configuration, and, most importantly, live network traffic, organizations can prioritize their risk.
Open source ThreatMapper 1.4 is truly an industry first. There is no other project, open source or commercial, that applies these comprehensive features and capabilities across the cloud-native continuum.
Specifically, ThreatMapper 1.4 includes the following new features, launching today:
- ThreatGraph, a powerful new feature that uses runtime context like network flows to prioritize threat scan results and enables organizations to narrow down attack path alerts from thousands to a handful of the most meaningful (and threatening).
- Agentless cloud security posture management (CSPM) of cloud assets mapped to various compliance controls, such as CIS, HIPAA, GDPR, SOC 2, and more.
- YaraHunter, the industry’s first open source malware scanner for cloud-native environments.
ThreatMapper 1.4 enables organizations to find and rank potential threats, such as the Log4j2 vulnerability, so security teams can make informed decisions and shore up critical gaps that may have otherwise gone unnoticed. This builds on the advanced security tools in Deepfence ThreatMapper 1.3, such as secret scanning at runtime and runtime Software Bill of Materials (SBOM), protecting not only individual organizations but also our ever-more-interconnected society as a whole.
ThreatMapper 1.4 is 100% open source and available on GitHub. We encourage you to download it today to begin working toward a more open and secure future. Visit our Deepfence Community website to collaborate on democratizing cloud-native security for all.