December 08, 2022

Catching Cybercriminals Unawares with SpyderBat | Episode #55

In this episode I talk with Brian Smith, Co-Founder and CTO at Spyderbat. Spyderbat delivers cloud-native runtime security to customers with unprecedented precision in intrusion prevention and mitigation. They secure Linux VMs and Kubernetes clusters at runtime and block attacks against cloud-native workloads. They are making threat prevention and security operations automation available through their SaaS platform and UI, using Nano Agents that leverage eBPF for early, accurate, and thorough recognition of attacks. Brian and I talk about how Spyderbat is flipping the tables in the cyber security war by proactively reporting on suspicious activity... effectively spying on the bad guys and catching them unawares.

Spyderbat was founded in 2019 and is headquartered in Austin, Texas.

☑️  Buy me a coffee? - https://ko-fi.com/gtwgt

☑️  Technology and Technology Partners Mentioned: Public Cloud, Microsoft, AWS, Azure, Kubernetes, Containers, Networking, Security, Linux, Kernel, eBPF

☑️  Raw Talking Points:

  • Shift Left vs shift right security
  • Scanning code and artefacts going into build
  • Today's Threat Environment
  • Runtime Security
  • Bridging DevOps and SecOps
  • eBPF and Nano Agents sandbox
  • SaaS vs on-prem
  • Real time mapping
  • Zero Day, Supply Chain, Compromised Build, Misconfiguration Threats
  • Human Factor?
  • Spyderbat Labs - research arm
  • What's the problem across containers and cloud workloads
  • Automating security
  • Intrusion Detection Sec and Op issues (SecOps Automation)
  • Community account?
  • Kubernetes and Container platforms and the need for security
  • Solutions for AWS, Multi-cloud, Kubernetes
  • Anything Linux - rPi
  • Containerised Security and Guardrails during dev process
  • Proactive vs reactive
  • On the node... keep innovating

☑️  Web: https://www.spyderbat.com/
☑️  Platform: https://www.spyderbat.com/the-spyderbat-platform/

☑️  eBPF: https://ebpf.io/what-is-ebpf

☑️ Crunchbase: https://www.crunchbase.com/organization/spyderbat

☑️ Interested in being on #GTwGT? Contact via Twitter @GTwGTPodcast or go to https://www.gtwgt.com
☑️ Subscribe to YouTube: https://www.youtube.com/@GTwGTPodcast?sub_confirmation=1

☑️  Music: https://www.bensound.com

Transcript
Anthony: Hello and welcome to episode 55 of Great Things with Great Tech, the podcast highlighting companies doing great things with great technology. My name's Anthony Spiteri, and in this episode we're talking to a company that was founded just recently, in 2019, recognizing that the manual process of traditional security operations was ineffective in this rapidly changing cloud world. A company that's making threat prevention and security operation available via a platform that provides early and accurate metrics and visualizations through recognition of attacks, providing companies with an unprecedented level of intrusion prevention and mitigation. That company is Spyderbat, and I'm talking to Brian Smith, co-founder and CTO at Spyderbat. Welcome to the show.

Brian: Hey, thanks. It's great being here with you, Anthony.

Anthony: Excellent. All right then, so before we get into all things intrusion detection and security in this crazy, crazy world that we live in, I just want to give a shout out: if you love Great Things with Great Tech and would like to feature in future episodes, you can click on the link in the show notes or go to gtwgt.com and register your interest. And as a reminder, all episodes are available on all good podcasting platforms, Google, Apple, Spotify, all hosted and distributed by anchor.fm. Go to YouTube as well, hit that like and subscribe button. And with that, let's get into the show. So Brian, firstly let's talk about
Spyderbat, but I want to find out a little bit about you first, where you came from. You've had a really interesting, well, I guess 20 or 30 years in IT and technology as a founder, so give us some background there, and then tell us about what got you to go through it again and create Spyderbat.

Brian: Yeah, I think getting me to go through it again, this is my third startup, and it sort of reminds me of people who go get their PhDs at school. Some people never learn.

Anthony: Yes, that's a good one.

Brian: Which I can say because I got my PhD from Berkeley, and then I was a professor at Cornell for about five years, in the computer science department. That was a really neat run. And then I started a company down in Texas with a bunch of other people called TippingPoint, and that was around 2000, 2001, and that was doing the first intrusion prevention systems, which were kind of network intrusion prevention systems. Well, I can tell you more about TippingPoint, but anyway, out of that company we got to see a lot about how people came to us with a lot of really interesting problems of how to protect this, and we always took them with a view of how do I solve them with the stuff we have. A lot of them we could do, but a lot of them was, ooh, that's a toughie. That company was sold to 3Com. Out of that, after that, we started Click Security, my second company, in 2009. That was sold to Alert Logic, and you can think of that as an early-day XDR. And then Spyderbat was founded in 2019, and we got our seed round funding in around July 2020, right in the middle of the pandemic, and went after trying to use a lot of what we learned over the years to secure cloud and Kubernetes and Linux workloads. Because there's just Linux being used for everything in the cloud, and that's where the crown jewels are, and yet there is just a dearth of good security solutions out there, for a variety of reasons. But yeah, that's where there's a lot of opportunity, actually.

Anthony: So I just noticed that you just got your Series A as well, didn't you? So yeah, that's pretty good.

Brian: We announced that in October, so that was another, that was a 10 million round.

Anthony: So there you go, so there might be something in this.

Brian: We definitely think so, and so do our customers. It's really, it's a
fun run. I'm really excited about what we're doing because it's so different from kind of the state approach that we've seen before.

Anthony: Yeah. And I gotta ask, where'd the name come from?

Brian: Ah, yeah, that's a good question. So naming companies is kind of fun. So we're out of Austin, and Austin has this bridge called the Congress Avenue Bridge, which goes over the water, and it has the largest colony of bats in North America. There's at least, Mexican free-tailed bats, millions of the things live underneath the bridge. And so Austin's known with bats, and so we thought Spiderbat would be a fun name just because there's these bats that eat spiders. Yeah, spiders are spider pets. But when we went to open the bank account, the bank teller misspelled Spiderbat with a Y.

Anthony: Ah, there you go. Spyder.

Brian: And we thought, oh, that's pretty cool, and so we actually changed the name of the company. We'd just filed the incorporation papers, and so

Anthony: That's awesome.

Brian: We changed it, and that's how Spyderbat got to be.

Anthony: Yeah, I was gonna say, with the Y there. That's an awesome origin story. I was in Austin this year.

Brian: Oh, this year?

Anthony: Yeah, I think in July, and I didn't even go to that bridge. That's interesting. So next time I go I'll have to take a look there. Awesome. I loved Austin, it was a great city.

Brian: Yeah, if you go out there at sunset, you just stand on the edge of the bridge, you can see just millions of bats for hours, eat all the mosquitoes. It's awesome.

Anthony: It's actually funny, about a misspelling: my daughter, actually, her name's Lorelei, and at the end of that name, it's a bit of a weird one, my wife misspelled it when she was born. Instead of "ie" it was "ai", and we just stuck with the misspelling because it was just easy, because it was written down. So there you go. Interesting little segue there. All right, going back into it. So you've talked about the problem that you're trying to solve around security, around
containerization, as workloads are moving from traditional on-prem virtual machines. But you still, basically, you said to me earlier, anything Linux-based, right? So what's the problem statement? What are you guys trying to solve fundamentally at Spyderbat?

Brian: So there's really two parts to it. One is that the foundation of good security is kind of knowing what's going on at runtime in your environment, and if you look, there is a dearth of good solutions that let you know what's really happening at runtime and that are able to react and stop bad things from happening. What typically happens in most attacks is the attacker will get in through some vulnerability or some weakness in the system, maybe even stolen credentials, things like this, and they'll get a foothold in the system. And the very first thing they do is they start looking around, because they're on this new system and they're not really sure where they are, so they start poking around. Most of that activity is recon activity. Then they try to set up persistence so they can get back in in case they get knocked out, and all that activity usually goes undetected. They continue to kind of case the joint and figure out what's going on until they actually start launching the attack, and usually it's somewhere around two months on average.

Anthony: Yeah, yeah.

Brian: Before you actually detect them. And that's just like a travesty, because they're on our turf and we should be able to detect them. They're making noise.

Anthony: It's a violation, right?

Brian: Yeah, they're violating the secrecy of your company, of your network, of your people.

Anthony: It's actually scary.

Brian: So what we wanted to be able to do was detect them just right of boom, from right the moment that they got in, and then be able to tell everything that they did since they had been in. Maybe you detect them 12 hours in and they've set up a little bit of persistence, but if you were like sitting on the shoulder of the attacker as they were going through it, and that's actually how some people have described Spyderbat, it's like sitting on their shoulders as they're pivoting and moving through your network, you can see everything they touched, everything they did, prevent them from doing damage and clean up the mess. And it's really, really fast to do that. So it's basically click on an alert and you get a picture of exactly what's going on and how to stop it and how to undo any damage that's been done, really, really fast. So it takes this thing that's six months of work down to five minutes.

Anthony: That's really impressive.

Brian: You can get more into how that works, but

Anthony: No, that's cool. Yeah, we might dig into it a little bit. But I think, from that point of view, what I've seen, obviously you've got the UI that you guys provide, and there's all sorts of dashboards, very nice UI, actually gets to the point. But then I saw the demo of it that showed that you
know, it showed someone doing some stuff like trying to get elevated privileges to a certain machine, snooping around. So it actually showed you what was happening on the system itself and saying, this is not normal, have a look at this, and there's the alert, like this isn't what we think is normal behavior in a normal operating environment. And then you've also got these causal visualized graphs, which basically, from what I can see, give you a node-down or a node-up, whichever way you're looking at it, view of the system to show you what's actually happening at the different levels. So it's really cool, and it looks like it's intuitive as well, and that's a hard thing to get right when you're only, what, two and a bit years in, really.

Brian: Yeah, yeah. I think one of the things that we did was we made it open for other people to try, and so we took several attacks, like a Log4j attack, and from a honeypot, some real attacks and some defend-the-flag type challenges, and what we did was we put those up so that you can actually explore the system. You just create a free account and you click on defend the flag challenges, and you can actually play with the UI and see what a Log4j attack looks like in action, or see different types of attacks, and you'll get a sense of what you're talking about. Because what you were describing there, the causal graph, the notion there is the real problem of security is it's a little bit like debugging, like reverse debugging. You see something happen, that's your alert, your initial signal that something's going on, that's like the bug happening, and then there are a bunch of things that caused that bug to happen. And what you want to do is work your way backwards: what caused this? Well, this file got written. Well, who wrote the file? Well, that was written by this program. Well, how did that program get going? Well, that program was installed over here, and it was pulled down from S3, and that S3 file was written by this other program up on this other system where the user SSHed in and copied it in. So all that activity, from the beginning, from when the SSH happened to copying it up to S3 to pulling it down to starting another program, those activities are a causal chain: this caused this to happen. And so if you can start at the point and work your way backwards, we provide that backwards linkage, and that's what I mean by you click on it and you get back, oh, four days ago, this is where it started from. Most of the time you get to see it 30 seconds later or a minute later, but because the attacker's in there, they're constantly doing things that trigger more and more activity, and so you get multiple bites of the apple before.

Anthony: And the truth, the attacker wouldn't have a clue that you're effectively spying on them, you know what I mean?

Brian: That's, yeah.

Anthony: No, it's, you're bad, you've got spyware on them. That's great. Yeah, that is actually really interesting. So you've created almost the inverse of spyware, but it's still kind of a spying situation. It's proactive and reactive at the same time. It's interesting. I wanna dig into how you do it, right, and it's really cool when you're leveraging some cool Linux technology in kernel to be able to do what you're doing through nanoagents. Just before that, you talk a lot about shifting left, and I've heard
this, I was at re:Invent 2022 last week, I heard a lot of this shift left talk. So just give us a little bit of a background as to what shift left is and where you guys fit with that, and how you're trying to sort of shift them a little bit more right. So yeah, just go through that.

Brian: Yeah, so it's a good topic. The notion of shift left is really trying to catch security problems as early as possible in the life cycle of software. So the earliest possible, the theoretically best way to do it is to ship with no bugs, because really software vulnerabilities are just bugs that attackers can exploit in some way to do something that you never intended to do. You know, Anthony, if you think about what hacking is, hacking is understanding how something is implemented so you can use it in a way that it was never intended. That's like when people say hacking the genome, or hacking my car to get it to start.

Anthony: Yeah, exactly that. It's understanding how it works to make it do something it doesn't do.

Brian: That's right, yeah, exactly. So the theory is that if I could prevent every vulnerability before it entered the software, the attack surface would be smaller, so it would be harder for attackers to get in. And that's a laudable goal. The problem is that it's incomplete, because it's like saying that I ship with no bugs. What software is there out there that has zero bugs? That's an impossibility.

Anthony: That's just zero known bugs.

Brian: Zero bugs, period.

Anthony: Yeah, they're already moving forward. I mean, we haven't gotten to the stage where, so this week it's a bit topical, where AI is writing code for us as we ask it, but we haven't got to the point where that code is perfect. It'll never be, because it is fundamentally flawed, because humans do create it. So there's always going to be a fundamental challenge with it.

Brian: Well, and so, yeah. So as soon as there's bugs in the program, because you can have unknown bugs in the library, you can have known bugs in the library, you can have unknown bugs in your code, you can have no bugs in your code and still have a combination of features that conspire together to allow the attacker to do something that you didn't want them to do or expect them to do. And so all of those reasons mean that you need a portion that is monitoring at runtime what's actually going on, detecting bad things and shutting them down just right of boom. And that actually ends up being a much more practical way to solve the problem, because what happens if you try to squash absolutely every vulnerability is that you spend an inordinate amount of time defending against theoretical attacks where in practice they actually could never happen. And so it's just kind of slow and inefficient, whereas a more practical way is to have a compensating control that can detect the attack, kill it, tell you about it, and with enough details present that you can go back and prioritize the problem that caused that, the vulnerability in your software that allowed that attack to happen.

Anthony: Yeah, that's, this is the whole concept of runtime, but still fitted back into the software development life cycle to fix the problem.

Brian: It's not an excuse for not fixing the problem.

Anthony: Yeah, I get it.

Brian: It just gives you a really good way to prioritize the problem.

Anthony: It actually, it's logical, makes sense.

Brian: Yeah, it's logical, it makes sense.

Anthony: So
this is this concept of runtime security, right? Like, I think that's kind of really what it comes down to. But what you explained is very interesting, because obviously there are companies out there that will go on the left side of that, pardon the pun there, but basically try and hit it and make it perfect before it goes into production. But there's all these unexplained vulnerabilities, all these hidden ones, and you're never going to be able to detect all of them, you're correct. So being able to be proactive and reactive in the actual runtime, when things really are deployed and actually in motion, is the way to do it, and I think that's a really interesting and unique approach, and one that I don't think I've seen elsewhere in the market today. So that's good in itself.

Brian: The other benefit you get out of it is once you have the system that can tell you why this thing happened, it helps you with the operations side too. So we have customers where the security group gets involved because the Kubernetes cluster got deleted and they think they're under attack, and so then the security group does the weekend fire drill and spends four days crawling through logs, and found out there was, six levels down in scripting, that someone fat-fingered and had an environment variable that was wrong, and it invoked a command to delete a cluster. So it wasn't an attack. Most of these things end up being friendly fire incidents.

Anthony: Okay, yeah, yeah.

Brian: But the security group just spends ridiculous amounts of time trying to chase this stuff down by looking at logs, and it's a terrible job. It's no fun at all.

Anthony: Well, yeah, that's why it's a very special type of person that does security, so there you go. It is their main focus, but this is the concept of, I guess, bridging DevOps, from my point of view platform operations and whatnot, with SecOps. So you're kind of trying to bridge that together, but not have it connected in a way, right? So I think that's what you're kind of getting at. You're trying to make the security team's job a lot easier while making it more of a function of dev and platform, right, SREs.

Brian: Well, yeah. I mean, if you look at it, the two problems are really closely related, because a lot of what DevOps does is investigating, the system's not behaving the way I expected it to, and trying to figure out the root cause. A lot of what security guys do is, I have an indicator of a possible attack, and trying to figure out root cause. And so that's really what Spyderbat is. What we found out is if we could record everything that happened on the system and link it together causally to build a map that matches what's in the user's mind of how computers work, processes read files, write files, processes make network connections, processes start other processes, and how that one thing causes another, then you can solve both problems with that. It's like we have a tape, it's almost like a DVR of everything that happened on all your systems and how they interrelated, and so you just roll the tape to figure out what happened. The problem you run into is it's too much data, but the causal trick is the one that gives you the answer to that, because you start with the effect and work your way back up the causal chain, and then you know exactly why it happened. So that's the theory, and we've been working on it for two and a half years, and we've actually figured out how to do that thing.

Anthony: Yeah, it
definitely sounds that way, right? So in terms of how it's delivered, let's go into a little bit about how you're delivering the platform today. At the moment it's SaaS-based, so you log in, you've got your UI, and then it deploys this concept of nanoagents, which is using eBPF, which, for me, I had to do a bit of research on that, being honest, and find out exactly what that was. It's got its origins in the Linux kernel. It basically runs a sandboxed program inside the operating system kernel, so you're plugged right in there, and from what I've done the research on, it's a really safe and efficient way to extend the capabilities of the kernel without changing it. So how did we get on to that, to use as these nanoagents, number one, and just tell me a little bit more about that, because I find that quite fascinating.

Brian: Okay, yeah. So the concept of the nanoagents is pretty simple. They're a small software agent that runs in user space that installs these little plug-in modules we call bats, little programs that gather data from the endpoints, and guess what, they come from the bat cave. So the nanoagent downloads these bats and the bats gather data from the endpoint. So the basic concept I wanted was, we have an analytic, the bats should ship their data through the nanoagent to the back end, to the SaaS back end, and then a set of software on that called analytics runs our detection, builds our models and runs our detection. So if I as a security researcher want to detect a new attack, what I do is I say it would be really easy if I had this data, so I write a little bat to gather that data and then feed that back to the back end, and because I have exactly the data I want in a very regular way, it's very easy to write a detection that's accurate and effective. Whereas if you look at systems that try to do that from third-party data logs, it's really a rough place to be, because usually the data is not there, or if the data is there, it's so twisted in a way that you can't be accurate, and that's the historical problem of SIEMs. So getting back to your question, some of the bats we have are using eBPF. When we originally started this, we tried to use some of the other capabilities, like the Linux audit system that's built into the Linux kernel, and it was just crushing the box from a performance standpoint to log the data we needed.

Anthony: Yeah, I understand it.

Brian: Plus it wasn't as extensible as we wanted. So eBPF gave us a chance to say, I want to, for example, track the life cycle of every process, from when it's born, as it mutates, and then when it dies. And so with eBPF we can intercept the function calls in the kernel where the process is born, where it mutates, execs another program, changes user privileges, stuff like that, and dies, and send those as very lightweight events to our nanoagent. The net result of this is we have some that track all the network communications, another one that tracks all the file accesses, another that looks at DNS requests, another is a bunch of various bats that solve different security issues for us. But the eBPF method gives us a way to almost extend the kernel for what we want to do, the data we want to gather, and do it in a way that has almost no performance impact on the box. It's usually one to two percent of the total load of the box, and yet we're gathering all the data we want, and
it's a very lightweight amount of data. In fact, it's about 100 kilobits up out of the system going back to the back end.

Anthony: Okay. Just before I go to the back end, just a question that pops into my head there. Obviously you're correct, because if an attacker or a malicious user was on a box and they were doing their research and doing their reconnaissance and waiting a few months, if they happened to have htop running and they saw the spike of CPU or activity on the disk, they're smart enough to go, that's a bit weird, and maybe they will catch on. So the fact that you're not triggering significant overheads in the system actually makes the spyware element that you guys are doing more real. I'm assuming though that these bats and the nanoagents, they're not able to be seen by anyone on the command line, you know what I mean? So if I go into htop, are they basically invisible, is what I'm trying to ask.

Brian: They're obfuscated. Because they're running in user space, they are in fact visible, but they are just getting protected, and we monitor it on the back end, so essentially you want to know if the nanoagent gets killed. They're hard to kill, because we use a lot of the same techniques that viruses and malware use to prevent themselves from being killed. So it's pretty hard for the attacker to kill it; it brings itself back. And then if they do somehow manage to kill it, that itself becomes a signal. And usually by then, by the time they've got that, they've done so much recon that we've already identified them.

Anthony: Interesting.

Brian: Yeah, you know what's going on, because all that data is already in the back end.

Anthony: That's it, and it's a massive red flag if they kill it as well, like straight away.

Brian: Okay, it's sort of like if you're in a bank and there are security cameras and someone's rummaging around the bank and going through all the drawers, and then they look up at the security camera and take out a gun and shoot it, and all that footage is back at the back end. It's not like there's any ambiguity of what's going on.

Anthony: Yeah, say that, back end. So when you're, are you in real time, sort of? Obviously you're taking the event or whatever you're looking for through the bats and you're sending that data up to the platform. Is that like a pooled, are you pooling all the data together to basically get some economy of scale with regards to the data that's in there, and then basically running, I know you've got the labs and the research arm that are part of this, but is that going into a particular user's pool of data, I'm not sure where you're storing it, wherever you're storing it, or does that then go into a larger pool to basically
maximize the amount of info and data points that you're actually getting?

Brian: We divide the world into organizations, because those are customers, and each organization is firewalled off from the others.

Anthony: Yeah, that's what I was getting at, right. So it's kind of natively multi-tenant.

Brian: So we get economies of scale for that. What happens from the nanoagent is we batch up small batches of events every 5 to 15 seconds. We send them to the back end. They take about three to five seconds to make their way through our analytic system, and then they're live. So what you're seeing on the screen is about 20 seconds delayed, anywhere from 10 to 20 seconds. So it makes great demos, because you sit there, someone logs into a system and starts typing commands, and you can watch the commands on the screen as they're doing it.

Anthony: That's very cool. Me working in there, which is the thing, yeah, I was going to say, working in the backup space, I am, my brain's ticking away in terms of the potential for this, because we obviously deal with the back end of that situation when something's gone really wrong and they've got to recover it. But there's always a problem of how do you stop that from happening, like it's an end-to-end type of play, right? So yeah, it's really interesting.

Brian: I'll tell you a story that happened to one of our customers on the operations side, to give an example. He got an alert. He was running Darktrace among other things, and that detected a spike in network traffic between two systems. It was an abnormal spike, and it was going between a server and the backup system. And so he basically looked up the network connection in Spyderbat and found it was coming from a program that had been launched by a script, and you could see all the other script commands, where it created a tarball, cd'ed into a directory, ran a command to compress the file, cd'ed into another directory and then copied it out. He looked at the script and it had just been installed the day before; you could see exactly who installed it. And there was a bug in the script where it was cd'ing into the wrong directory before it did the gzip, so the file was never being compressed.

Anthony: Okay, yeah. And so it was the uncompressed file going out.

Brian: Yeah, yeah. The backup script had just been updated. He saw who updated it, when he updated it. This whole thing took him like three minutes, and he called the guy up on the phone and said, hey, you know that script you installed the other day on the system? There's a bug in it, you cd into the wrong directory, and so you're not compressing the files being sent to the backup.

Anthony: Wow. Keep watching me, man, are you watching me here? Like, what's going on?

Brian: Yeah, that would have been, so it was, but it was really straightforward, you know. It's, yeah, it's not
Labs as well, so talk to me a little bit about that and how that fits into the puzzle of what you guys are doing.

Yeah. So if you think about an attacker getting onto your system and then they start rummaging around, there's a whole matrix of things they can do, and a good place that tracks this is the MITRE ATT&CK matrix, if you've heard of that. It basically tracks tools, techniques and procedures that attackers use, and a lot of them are really low-level things that you wouldn't care about someone running, as simple as running whoami or ps on the box to figure out what processes are running, or commands like this, very simple recon commands, pinging a host. And what you find is that if you can detect those low-level things and then causally relate them, that this and this and this were all part of the same session for this user, you can score them together as a group, and that collection of low-level signals makes one really strong high-level signal that something weird is going on. It's sort of like detecting 43 proteins that float around in your blood, but correlated together, 25 of them are associated with a particular form of cancer, so you've probably got that cancer. So it detects that inside the system. Spyderbat Labs is all about building the security content that detects those things, low-level and high-level, and gluing them together to make very accurate ways to detect attacks, and using this recording technology very practically for attack detection.

So that's basically what makes Spyderbat Spyderbat, right? The smarts that are in that particular lab to detect it. You've got the great technology, the Linux-based nano agent, which also, as you mentioned, quite interestingly, is kind of architecture agnostic, isn't it? Because you mentioned you've installed it on Raspberry Pis and whatnot, which is cool, because those ARM processors are making their way into our networks and our edge locations and data centers in general. So the fact that you're able to be architecture agnostic is a big tick. I am interested to know about the Windows side of it, because obviously there's a lot of... I mean, in public clouds, you cross AWS, multi-cloud, you could containerize workloads with Kubernetes, but Windows boxes are still there, right? So if you've got a customer that comes to you and says, hey, I do have a lot of Linux but I've also got these Windows boxes, what can you guys do for me?

Well, right now we're a startup, so you have to pick where you're focusing, and we've been focusing on the Linux side of the equation. People tend to have fairly mature security processes around Windows and Linux, and big investments in them. We have techniques where we can get the same type of data out of Windows, but we haven't gone to the effort of commercializing those yet, because there's such a dearth of stuff available for the Linux world. If you ask people what visibility they have into the real runtime workloads that are happening on their Linux servers and in their Kubernetes boxes, and compare the security there versus the maturity of security they have in the Windows and Mac things, it's really weak. So we're focusing on filling that niche. We'll get to Windows once our customers demand it, but they're telling us right now: focus on the Linux box, because that's where I'm completely blind, especially with Kubernetes, which is still so new and fluid as a platform.

Right, and it's always changing, and I think Kubernetes is inherently a black box. There are very few people, especially in the DevOps world... they'll just kind of deploy their applications, they get the namespace, they've got the artifacts, and they kind of do their thing, but I don't think a lot of them really care about how that happens and what's happening, whereas me and a lot of the platform guys are still interested in, okay, what's the CPU doing, what's the storage doing, what's the network doing. So that level of understanding, I believe, is getting lost to a certain extent as more workloads shift to containerization, cloud and whatnot. So you're absolutely correct
that there's an addressable market in that space that is significant, because it's still the wild west. For me there are so many tier one applications going out there; enterprises are adopting Kubernetes more and more, but honestly I feel like they are like lambs to the slaughter at the moment without this sort of technology.

And the Kubernetes thing is a great example of the nano agent architecture, because what we did was we built a bat that we call the lighthouse bat, and it goes off and monitors the Kubernetes environment. Just by monitoring both the container interface and the Kubernetes audit interface, we're able to inspect the Kubernetes environment and tie that back to what the physical processes are on the machine. So every process on the machine I'm able to map back to a Kubernetes pod, namespace, deployment. But then I can also visualize exactly how, for example, a Kubernetes rollout happens, from watching the containers be pulled down, a new set of containers go up, and the network traffic between all the containers and the actual processes in the containers. Once you have that, a really neat thing happens. If you think about the average microservice, it really is micro; it tends to have just a few programs running in it, it talks to a few other services, it gets requests from a few services, it talks to a few services, and it's pretty tight in what it does. We're able to look at multiple runs of those, because they run off the same Docker image, or same image, and build behavioral fingerprints of each one and combine those together to create a behavioral baseline that's human readable, that says these are all the processes that are run and the process tree that gets created, these are all the ingress connections, egress connections. Once I have that, as a developer that can be integrated into my workflow, where every time I roll out a new image, just by deploying it in my integration environment I get a new fingerprint from it and I can compare that against the baseline and see if anything's changed. This allows you to detect things like supply chain attacks, unexpected behaviors when you upgraded libraries or anything else, because something new happens: it's talking to a new service, it's launching a new program, and you have no idea.

Yeah, I get it. That's really cool.

So we're able to tell the developer about it, and then they say yes or no, and if it's expected behavior they say yes. That thing can then become a contract, or something I can give to the security group and say these are the guardrails for my application, this is how it should behave at runtime, and if it doesn't, shut it down or let me know or anything else. It reduces operational issues and it also provides really, really good security, because now instead of trying to detect attacks based on the known attack technique, we're able to essentially put a padlock around this container
image and say these are the guardrails for it, and if it ever deviates, shoot it in the head and we'll move on.

It's interesting. And also, just to finish off, we're rapidly running out of time here, but do you have extensibility and the ability to plug into ecosystem partners and whatnot, so actionable items? If something happens, obviously you've got the UI, but can they plug into the API and basically insert it into a pipeline or something, or even just plug it into some other system to do actionable items afterwards? Because I think that opens up a tremendous opportunity.

Yeah, there are multiple avenues for that. First off, it's all an open API: everything that's done on the console is available through API calls, through a well-documented API, so everything's automatable at that level. Secondly, the data you can get out of it is pretty easy to understand and parse, so you can use that for your own purposes and import it into... we have connectors for all the usual suspects, Splunk, Elastic. And then the third thing is, for any given detection we can attach actions to that, everything from things the nano agent does on your behalf, like killing processes or pods, to invoking webhooks, which might send a message to a Slack channel, or invoking scripts on your site. That's all extensible as well, so you can install your own scripts to do things on the cloud side or invoke them on the back end.

Okay, so you can automate a lot of security.

Yeah.

Well, hey, we could have chatted for a lot longer; the time is short now, but great conversation. I think, to be fair, people are going to understand the greatness of what Spyderbat is creating. I think you guys are onto a really great thing and I wish you all the success as you move the startup into a very, very competitive world. But thank you for being on the show. I just want to finish off by saying, if you like great things with great tech and would like to go on future episodes, please once again go to gtwgt.com. You can find me at Anthony Spiteri or at the GTwGT podcast. With that, thank you Brian, thank you Spyderbat, and we will see you next time on Great Things with Great Tech.

Great. We're going to cut off in about two seconds. [Music]
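Two of the ideas Brian describes above, scoring low-level recon commands per session so they add up to one high-level signal, and building a behavioral baseline of a container image from several runs and diffing a new run against it, are sketched here as an added example. This is not Spyderbat's code or data model: the `Event` record, the `RECON_WEIGHTS` table, the threshold of 3 and the sample runs and sessions are all constructed for illustration.

```python
"""Session-level signal scoring and behavioral-baseline deviation detection.

Added example, not Spyderbat's code. Event records are a constructed,
simplified shape; a real agent would derive them from kernel telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    session: str       # user session or container run the event belongs to
    kind: str          # "exec", "ingress" or "egress"
    parent: str = ""   # parent process name (exec events only)
    name: str = ""     # executable name, or remote service for egress events
    port: int = 0      # listening port (ingress) or remote port (egress)


@dataclass
class Fingerprint:
    procs: set = field(default_factory=set)    # (parent, child) exec edges
    ingress: set = field(default_factory=set)  # ports that received connections
    egress: set = field(default_factory=set)   # (service, port) pairs contacted


def fingerprint(events):
    """Summarise one run as process-tree edges plus ingress/egress sets."""
    fp = Fingerprint()
    for e in events:
        if e.kind == "exec":
            fp.procs.add((e.parent, e.name))
        elif e.kind == "ingress":
            fp.ingress.add(e.port)
        elif e.kind == "egress":
            fp.egress.add((e.name, e.port))
    return fp


def baseline(runs):
    """Union of fingerprints across several runs of the same image."""
    base = Fingerprint()
    for run in runs:
        fp = fingerprint(run)
        base.procs |= fp.procs
        base.ingress |= fp.ingress
        base.egress |= fp.egress
    return base


def deviations(base, run):
    """Human-readable list of what a new run does that the baseline never did."""
    fp = fingerprint(run)
    out = []
    for parent, child in sorted(fp.procs - base.procs):
        out.append(f"new process: {parent} -> {child}")
    for port in sorted(fp.ingress - base.ingress):
        out.append(f"new ingress: port {port}")
    for service, port in sorted(fp.egress - base.egress):
        out.append(f"new egress: {service}:{port}")
    return out


# Constructed weights for low-value recon commands; each is noise on its own.
RECON_WEIGHTS = {"whoami": 1, "ps": 1, "ping": 1, "id": 1, "uname": 1}


def score_sessions(events, weights=RECON_WEIGHTS):
    """Sum weights of distinct recon commands per session (causal grouping)."""
    scores = defaultdict(int)
    seen = defaultdict(set)
    for e in events:
        if e.kind == "exec" and e.name in weights and e.name not in seen[e.session]:
            seen[e.session].add(e.name)
            scores[e.session] += weights[e.name]
    return dict(scores)


def suspicious_sessions(events, threshold=3):
    """Sessions whose combined low-level signals cross the (constructed) threshold."""
    return sorted(s for s, v in score_sessions(events).items() if v >= threshold)


# Constructed sample data: two baseline runs of an "api" image, then a new build.
BASELINE_RUNS = [
    [Event("run1", "exec", "entrypoint", "python"), Event("run1", "ingress", port=8080),
     Event("run1", "egress", name="db", port=5432)],
    [Event("run2", "exec", "entrypoint", "python"), Event("run2", "ingress", port=8080),
     Event("run2", "egress", name="db", port=5432), Event("run2", "egress", name="cache", port=6379)],
]
NEW_RUN = [
    Event("run3", "exec", "entrypoint", "python"), Event("run3", "exec", "python", "curl"),
    Event("run3", "ingress", port=8080), Event("run3", "egress", name="db", port=5432),
    Event("run3", "egress", name="updates.example", port=443),  # hypothetical host
]
SESSION_EVENTS = [
    Event("sess-a", "exec", "bash", "whoami"), Event("sess-a", "exec", "bash", "ps"),
    Event("sess-a", "exec", "bash", "ping"), Event("sess-a", "exec", "bash", "ls"),
    Event("sess-b", "exec", "bash", "ls"), Event("sess-b", "exec", "bash", "whoami"),
]

if __name__ == "__main__":
    for line in deviations(baseline(BASELINE_RUNS), NEW_RUN):
        print(line)
    print("suspicious sessions:", suspicious_sessions(SESSION_EVENTS))
```

The baseline is a union rather than an intersection so that a behaviour seen in any approved run is accepted; the review step Brian describes (the developer answering yes or no) is where a reported deviation would be folded into the baseline or escalated.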