Techzine has detailed the moves of Cloud Application Detection & Response (CADR) framework company Upwind this year as it acquired Nyx, a dedicated threat detection vendor. With a key ability to extend application security to monitor which “application write functions” are actually loaded into memory (and subsequently executed), is the world now a safer place?
In the cloud, applications are more dynamic in terms of their need to process real-time data, in terms of their ability to experience continuous delivery and updates, in terms of their interconnection points to Application Programming Interfaces (APIs)… and in terms of their need for real-time observability and vulnerability detection inside the application fabric itself. Being able to secure all of these factors is the pipe dream of all cloud infrastructure and application security specialists, who long for one unified toolset through which to achieve this.
Upwind now thinks it can lay claim to being able to deliver at this level.
What Is Function-Level Runtime Visibility?
It’s what the team calls “function-level runtime visibility” (a competency that Upwind gets from its now-absorbed Nyx DNA), which aims to provide threat detection and vulnerability prioritisation across the application layer and downward to the infrastructure substrate.
Modern extended notions of cloud security aim to push beyond what we used to call observability and now offer function-level runtime visibility, i.e. insight into how an application or component service might be affected by the flow of real-world data traffic patterns that pass across, beside and through it. This technology practice focuses on locating and analysing the precise values, attributes and conditions that an application’s state will be in when a pathway of vulnerable code is loaded into memory and executed. Deeply granular work at this level remediates vulnerable runtime calls with carefully crafted patches. This is not your average browser update; this is keyhole surgery for cloud application security.
The real race is in the runtime
Amiram Shachar, CEO and co-founder of Upwind says that the extensions his firm’s platform now offers with Nyx inside mean that Upwind offers CADR with what he says is “A single runtime-native solution that spans process behaviour, network activity, API usage and application function execution. This establishes Upwind as the only CNAPP with fully integrated application-layer runtime protection. We acquired Nyx because we believe that runtime is where the real battle for cloud security is happening.”
Although massively overlooked at the start of the millennium, cloud security has obviously evolved from its ground-zero state. We know that vendors in this space have moved to focus on cloud system misconfiguration errors (Qualys has been traditionally strong in this space) and the procedures needed to scan infrastructure and posture. Upwind says that’s great, but it often misses what happens when code is running and services are live. That’s where attackers are now operating.
High-fidelity telemetry
“Upwind was built from day one to secure live cloud environments through lightweight, high-fidelity runtime telemetry. With the integration of Nyx’s eBPF-based engine, Upwind’s capabilities extend to observing and correlating function-level application behaviour, enabling two key capabilities,” noted Shachar and team.
By identifying whether vulnerable functions in third-party packages are invoked at runtime, Upwind aims to suppress false-positive vulnerability alerts, improve triage and reduce alert fatigue for software engineering teams. Combined with Upwind’s existing baselines for process, network, syscall and API activity, Nyx’s technology adds a new layer of activity-based anomaly detection and runtime forensics, enabling deeper, real-time insight into application-level threats.
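To make the reachability idea in the paragraph above concrete, here is an added example (not Upwind’s or Nyx’s code, and not how their eBPF engine is built) that does the same kind of triage in-process in Python: a profile hook stands in for the runtime observer, a constructed symbol table maps code objects back to “package.function” names the way a probe resolves an address to a symbol, and a constructed list of SCA findings with placeholder advisory ids is split into functions that were actually invoked by the workload and functions that were never observed. Package names, function names, workload and advisory ids are all invented for the example.

```python
"""Runtime reachability triage of SCA findings (added example, constructed data)."""
import sys
from collections import Counter
from dataclasses import dataclass


# --- Stand-ins for functions shipped by third-party packages (constructed) ---
def parse_header(raw: bytes) -> dict:
    """Stand-in for parserlib.parse_header: splits 'k=v;k=v' pairs."""
    return dict(item.split(b"=", 1) for item in raw.split(b";") if item)


def decompress(blob: bytes) -> bytes:
    """Stand-in for parserlib.decompress; the workload below never calls it."""
    return blob[::-1]


def render_svg(doc: str) -> str:
    """Stand-in for imglib.render_svg."""
    return f"<svg>{doc}</svg>"


# Symbol table: code object -> "package.function", the way a probe resolves an
# address back to a symbol. Constructed for the example.
SYMBOLS = {
    parse_header.__code__: "parserlib.parse_header",
    decompress.__code__: "parserlib.decompress",
    render_svg.__code__: "imglib.render_svg",
}


@dataclass(frozen=True)
class Finding:
    advisory: str  # placeholder id, not a real advisory
    symbol: str    # "package.function" flagged by the SCA scan


# Constructed SCA output: every vulnerable function the packages contain,
# regardless of whether the application ever calls it.
SCA_FINDINGS = [
    Finding("ADV-0001", "parserlib.parse_header"),
    Finding("ADV-0002", "parserlib.decompress"),
    Finding("ADV-0003", "imglib.render_svg"),
]


class FunctionTracer:
    """Counts invocations of known symbols while active.

    In-process stand-in for a runtime observer; real systems attach probes to
    the running binary instead of using the interpreter's profile hook.
    """

    def __init__(self):
        self.calls = Counter()

    def _hook(self, frame, event, arg):
        if event == "call":                      # a Python function was entered
            symbol = SYMBOLS.get(frame.f_code)   # resolve code object -> symbol
            if symbol:
                self.calls[symbol] += 1

    def __enter__(self):
        sys.setprofile(self._hook)
        return self

    def __exit__(self, *exc):
        sys.setprofile(None)
        return False


def application_workload():
    """Constructed workload: parses two headers and renders once, never decompresses."""
    for raw in (b"host=a;len=3", b"host=b"):
        parse_header(raw)
    render_svg("<rect/>")


def triage(findings, calls):
    """Split findings into those whose symbol was invoked and those never observed."""
    reachable = [f for f in findings if calls.get(f.symbol, 0) > 0]
    unobserved = [f for f in findings if f.symbol not in calls]
    return reachable, unobserved


def run_triage():
    """Trace the workload, then triage the constructed SCA findings against it."""
    with FunctionTracer() as tracer:
        application_workload()
    return triage(SCA_FINDINGS, tracer.calls), tracer.calls


if __name__ == "__main__":
    (reachable, unobserved), calls = run_triage()
    for f in reachable:
        print(f"PRIORITISE {f.advisory}: {f.symbol} invoked {calls[f.symbol]}x")
    for f in unobserved:
        print(f"DEFER      {f.advisory}: {f.symbol} not observed at runtime")
```

Two findings come back as reachable (the header parser, invoked twice, and the renderer) and one as unobserved (the decompressor). The practical caveat is in the labels: “not observed” means the traced workload never reached the function, not that no input ever could, so the deferred bucket still needs the usual patch cadence and the observation window has to cover the application’s real traffic, including rare code paths, before it is used to down-rank anything.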
Competitor analysis
Although we know that Upwind is happy to lay claims to leadership and firsts in this market, there are obviously a selection of other vendors who operate around this level of application security. Kodem is known as a dynamic software composition analysis (SCA) platform company with a specific focus on runtime intelligence (you may have heard that term mentioned above) and the company works to identify and mitigate application security risks in real-time production environments.
Also in this market are Lacework, Sysdig and Orca Security, plus Wiz, and then there’s Palo Alto Networks (with its Prisma Cloud technology); there are overlaps and “unique” aspects to every platform in this arena.
Wiz is a dominant player, known for agentless cloud security scanning, posture management (CSPM), and deep visibility into vulnerabilities, misconfigurations, and identity risks across multi-cloud environments. Prisma Cloud by Palo Alto Networks (also a CNAPP offering) provides what the firm calls code-to-cloud security in any cloud across multi-cloud hybrid environments. Sysdig has a core specialism in runtime security alongside its compliance and performance monitoring capabilities for containers and Kubernetes – and the firm is known for its work in Falco-based threat detection. Then there’s Lacework, with its behaviour-based anomaly detection that makes use of machine learning and has what many think is a pleasing DevSecOps integration level. Let’s also mention Orca Security, which has a nifty agentless side-scanning technology for cloud visibility. What is side scanning in cloud security? That’s another story for another day.
In other words, when we read about “one unified central platform solution”, it’s best to remember that the world does keep spinning and many other vendors do exist.
Coming next, AI
At Upwind, CEO Shachar talks about a philosophy of “live, in-line security” and its role in the cloud today. He insists that the integration of Nyx offers real-time signal, context and action – from the infrastructure to the process level. “Mergers and acquisitions in the software industry are never easy. A perfectly executed integration, across both culture and technology, is essential to deliver a seamless user experience and a resilient architecture. That’s exactly what we’ve achieved with Nyx,” he added.
Upwind will (spoiler alert, you know what’s coming next) subsequently now turn its attention to not just application runtime security, but deeper levels of data fabric security and (wait for it) of course AI security. Whether it develops these competencies in-house organically or looks to other strategic mergers and acquisitions is unknown at this stage. What is known is that cloud security is going deeper… and perhaps one louder.