Kubernetes Security Operations Center (KSOC) released the first threat detection capabilities spanning from Kubernetes role-based access control (RBAC) to cloud IAM, using AI to quickly spot anomalous patterns in large amounts of audit logs and cloud metadata.
Compromised credentials and malicious insiders represent the most costly and common attack vectors of a breach, and played a key role in three of the four Kubernetes targeted attacks in 2023. With cloud native identity threat detection, security and engineering teams now have insight into the actual usage of over permissions, versus lists of over permissions that don’t indicate malicious usage.
“When it comes to identity in Kubernetes and the cloud, the legacy approach is to create noisy lists of misconfigurations and over permissions and call it ‘good enough.’ But security and engineering teams are now too overwhelmed, and identity has proven too critical and challenging to manage at scale, for this approach to remain practical. With this feature, customers are able to take advantage of AI’s strength in finding patterns in large datasets to efficiently identify identity-based attacks in their cloud native environments,” says Jimmy Mesta, CTO and Co-Founder of KSOC.
KSOC’s new cloud-native identity threat detection platform includes the following capabilities:
- Attack paths between Cloud IAM and Kubernetes RBAC: find risks in the interaction of Cloud IAM and Kubernetes RBAC
- Cloud native identity anomaly detection: AccessIQ shows actual usage based on AI queries of Kubernetes API audit logs to find malicious insiders and other attacks utilizing valid or overly permissive credentials, plus baselines ‘normal’ RBAC behavior and detects anomalies using AI to query cloud metadata, RBAC configurations and Kubernetes API audit logs
- Top priority RBAC and IAM misconfigurations: prioritize the most critical configurations based on the connections between RBAC permissions, Kubernetes misconfigurations, network exposure, runtime alerts and image CVEs on the same workload