Abstract

Application and platform security has always been critical to the success of any business. Traditionally, applications were deployed directly on physical servers, and a myriad of security solutions were developed around this model to run as local agents on the systems they monitor and protect. These solutions have since been refined and standardized over decades of experience. With the emergence of virtualization, cloud, and particularly containerization, using them is becoming challenging as consolidation and scale increase. When hundreds of cloud instances are deployed on a single node, solutions designed for local execution do not scale out. At the same time, the clean separation of a virtual machine (VM) or container from the platform itself, together with maturing introspection and inspection APIs, provides a simple, practical way to decouple the monitored from the monitors [3]. Furthermore, as the scope of cloud security expands from simple monitoring and auditing to more complex learning-based analytics, the analytics components are offloaded to separate services, where they can burn extensive cycles and in some cases use specialized hardware for security analytics, out of the critical path of the monitored applications [5]. As a result, the traditional tightly coupled agent-based model is being replaced by a disaggregated {system, observation, analytics, actions} architecture. To implement such a disaggregated model in practice, system state first needs to be transferred from the cloud platform to the analytics platform. The file system is broadly representative of that state: it persists the features of interest for security analytics, such as processes, metrics, configurations, and packages, across various files. Remote replication or snapshotting [1] of the whole file system is very inefficient, since only a small set of files is accessed during analysis.
As a result, a new family of cloud-native security solutions has recently emerged that uses various specialized collection techniques [2, 4]. These techniques perform out-of-band introspection of systems to interpret and extract the required system features from the file system, essentially serializing system state into data, which is then transferred to an analytics platform for analysis. Unlike traditional security solutions, which run locally against the system's standard POSIX file system interfaces, these emerging security analytics work from data on the analytics platform. However, since the target system is now available only as data, existing agent-based security solutions can no longer run against it. One mitigating solution is to rewrite all existing solutions, which requires a huge amount of resources and effort. In Drishti, we address this challenge from a fundamentally different perspective. Instead of rewriting security solutions to work from data, we present the data as a system to traditional security applications. We achieve this by developing a pseudo-system interface over the system data collected from cloud instances. With this approach, existing solutions run unmodified, as black-box software over this system interface, as if they were running on the actual cloud instance. The Drishti framework is our realization of this approach. It is logically the inverse of the first step of cloud-native security analytics, which converts system state into data. With Drishti we transform the data back into a system on the analytics platform by orchestrating two file system components. First, a standard native system interface is re-established over the collected data through our new FUSE file system, confuse (ClOud Native Filesystem in UserSpacE). Second, we mimic the effect of an agent installation via an overlay file system based on the agent image. Within the Drishti framework the underlying data looks like a standard POSIX system to each on-boarded security solution.
This allows us to run existing agent-based security solutions as-is, while still decoupled from the actual system. Drishti also provides a standard, interoperable platform for designing new security analytics solutions. Overall, Drishti demonstrates a novel, pragmatic, and highly practical approach to bringing security analytics into the cloud. It lets us leverage existing solutions built on decades of experience, eliminating the need to reinvent the wheel for the cloud.
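The two file system components described above, as an added illustration that is not code from the Drishti paper or its confuse file system: a toy union of a serialized system-state layer (lower) and an agent-image layer (upper), exposed through FUSE-shaped `getattr`/`readdir`/`read` calls so that a legacy-style check reads the collected data as if it were a live POSIX tree. The sample file contents, the `.wh.` whiteout convention (borrowed from Docker image layers, not from the paper), and the two audit functions are constructed assumptions for the example; the step that hands this class to a real FUSE binding and mounts it is not included.

```python
import errno
import posixpath
import stat
from dataclasses import dataclass

WHITEOUT = ".wh."  # assumed convention: ".wh.NAME" in the upper layer hides NAME in the lower layer


@dataclass
class Entry:
    """One serialized regular file: POSIX mode bits plus content."""
    mode: int
    data: bytes = b""
    uid: int = 0
    gid: int = 0


# Constructed sample: the small subset of files a collector would pull from an instance.
LOWER = {
    "/etc/passwd": Entry(0o100644, b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/home/svc:/bin/sh\n"),
    "/etc/ssh/sshd_config": Entry(0o100600, b"Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"),
    "/usr/bin/curl": Entry(0o100755, b"<elf bytes elided>"),
    "/var/tmp/old-agent.pid": Entry(0o100644, b"4242\n"),
    "/var/tmp/build.log": Entry(0o100644, b"ok\n"),
}

# Constructed sample: the agent image as an upper layer. It "installs" the agent under
# /opt/agent and whites out a stale pid file, without modifying the collected data.
UPPER = {
    "/opt/agent/bin/scan": Entry(0o100755, b"#!/bin/sh\nexec /opt/agent/lib/scanner \"$@\"\n"),
    "/opt/agent/etc/agent.conf": Entry(0o100600, b"mode=audit\n"),
    "/var/tmp/.wh.old-agent.pid": Entry(0o100644),
}


class PseudoSystem:
    """Union of upper over lower; method names follow FUSE so a binding could wrap this class."""

    def __init__(self, lower, upper):
        self.lower, self.upper = lower, upper
        self.whiteouts = {self._whiteout_target(p) for p in upper if self._is_whiteout(p)}

    @staticmethod
    def _is_whiteout(path):
        return posixpath.basename(path).startswith(WHITEOUT)

    @staticmethod
    def _whiteout_target(path):
        directory, name = posixpath.split(path)
        return posixpath.join(directory, name[len(WHITEOUT):])

    def _visible(self):
        files = {p for p in self.upper if not self._is_whiteout(p)}
        files |= {p for p in self.lower if p not in self.whiteouts}
        return files

    def _lookup(self, path):
        if path in self.upper and not self._is_whiteout(path):
            return self.upper[path]  # upper wins when a path exists in both layers
        if path in self.whiteouts:
            return None              # hidden by the agent image, even though lower has it
        return self.lower.get(path)

    def _is_dir(self, path):
        prefix = "/" if path == "/" else path + "/"
        return any(p.startswith(prefix) for p in self._visible())

    def exists(self, path):
        path = posixpath.normpath(path)
        return self._lookup(path) is not None or self._is_dir(path)

    def getattr(self, path):
        path = posixpath.normpath(path)
        entry = self._lookup(path)
        if entry is not None:
            return {"st_mode": entry.mode, "st_size": len(entry.data), "st_uid": entry.uid, "st_gid": entry.gid}
        if self._is_dir(path):  # directories are implied by the visible file paths
            return {"st_mode": stat.S_IFDIR | 0o755, "st_size": 0, "st_uid": 0, "st_gid": 0}
        raise OSError(errno.ENOENT, path)

    def readdir(self, path):
        path = posixpath.normpath(path)
        if not self._is_dir(path):
            raise OSError(errno.ENOTDIR, path)
        prefix = "/" if path == "/" else path + "/"
        names = {p[len(prefix):].split("/", 1)[0] for p in self._visible() if p.startswith(prefix)}
        return [".", ".."] + sorted(names)

    def read(self, path, size, offset):
        path = posixpath.normpath(path)
        entry = self._lookup(path)
        if entry is None:
            raise OSError(errno.EISDIR if self._is_dir(path) else errno.ENOENT, path)
        return entry.data[offset:offset + size]


def audit_sshd(fs):
    """Legacy-style check: it only uses POSIX-shaped calls and never sees the serialized form."""
    path = "/etc/ssh/sshd_config"
    text = fs.read(path, fs.getattr(path)["st_size"], 0).decode()
    weak = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
    findings = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if weak.get(key.lower()) == value.strip().lower():
            findings.append(f"{key} {value.strip()}")
    return findings


def agent_installed(fs):
    """The agent sees its own launcher through the overlay, as if it had been installed."""
    try:
        mode = fs.getattr("/opt/agent/bin/scan")["st_mode"]
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & stat.S_IXUSR)


FS = PseudoSystem(LOWER, UPPER)

if __name__ == "__main__":
    print("root:", FS.readdir("/"))
    print("agent installed:", agent_installed(FS), "findings:", audit_sshd(FS))
```

The check functions never touch `LOWER` or `UPPER` directly; they see only the union, which is the property that lets an unmodified agent run over collected data. A real binding would additionally need `open`, `release` and `statfs`, and the whiteout marker would be replaced by whatever the agent image format actually uses.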
