2. ThreatMapper protects the Cloud Native Continuum
Where “Shift Left” ends, ThreatMapper takes over
• DevOps: “It was fine when it was pushed to production”
• AppSec: “I have no idea if it’s still secure”
ThreatMapper reveals weaknesses in your attack surface
Learn the topology and attack surface
Discover components and infrastructure
Supports multi-cloud, multi-modality apps
Scan components and dependencies
3. ThreatMapper tiers
ThreatMapper: open source security observability platform (https://github.com/deepfence/ThreatMapper)
• Tier 1, Learn the attack surface: Discover Topology, Locate Vulnerabilities, Build Threat Map, Platform Compliance
• Tier 2, Gather attack intel: Indicators of Compromise, Indicators of Attack, Resource Anomalies
• Tier 3: Additional ecosystem solutions
5. “Shift Left” secures code to production
• 84%: percentage of OSS codebases surveyed that had at least one vulnerability (Synopsys 2021 OSSRA)
• Also cited: IBM Systems Science Institute / Deepsource
• 18,351: number of CVEs published in 2020 (NVD / MITRE.org)
• 17,826: CVEs published in 2021, up to Nov 2021 (NVD / MITRE.org)
• > 50%: OSS vulnerabilities rated “high” or “critical” (Whitesource SoOSV 2021)
• > 12,000: software supply chain attacks (Sonatype SoSSC 2021)
• 528: average number of OSS dependencies in an enterprise application (Synopsys 2021 OSSRA)
6. “Shift Left” deals with half the problem
Shift Left:
• Am I deploying secure code into production?
Secure Right:
• Are my cloud and server platforms configured securely?
• Are my applications still secure?
• Are they under attack?
• How should I respond?
7. “Shift Left” deals with half the problem
Limitations of Shift Left
• Not all vulnerabilities can be patched before code is deployed to production
• 3rd-party resources may not be subject to the “Shift Left” security pipeline
• Unknown vulnerabilities may be discovered after a component is deployed
• 120 thousand: 120k Apache webservers vulnerable to unlimited path traversal exploit (CVE-2021-41773, Oct 2021)
• 143 million: customer records compromised as a result of Apache Struts vulnerability (Equifax)
• 96%: 3rd-party container apps deployed contain known vulnerabilities (Unit 42)
• 4 years / 12 weeks: 4 years time to discover, 12 weeks time to remediate software vulnerabilities (GitHub Octoverse 2020)
Shift Left responsibility ends when code goes into production
8. In the past 12 months, what security incidents or issues related to containers and/or Kubernetes have you experienced?
94% of respondents experienced at least one security incident in their Kubernetes environments in the last 12 months
9. Dev / DevOps / AppSec
• Infrastructure-wide: 10,000+ potential vulnerabilities
• Per-host: 100+ potential vulnerabilities
• Per-container: 10+ potential vulnerabilities
Dev/DevOps and AppSec are not aligned:
• “We cannot prioritize long lists of theoretical vulnerabilities.”
• “Developers are slapdash and don’t make time for security concerns.”
12. ThreatMapper Now
• Released October 2021
• Apache2 License
• https://github.com/deepfence/ThreatMapper
ThreatMapper, open source security observability platform:
• Tier 1, Learn the attack surface: Discover Topology, Locate Vulnerabilities, Build Threat Map, Platform Compliance
13.
14. ThreatMapper - Next Steps
ThreatMapper, open source security observability platform:
• Tier 1, Learn the attack surface: Discover Topology, Locate Vulnerabilities, Build Threat Map, Platform Compliance
• Tier 2, Gather attack intel: Indicators of Compromise, Indicators of Attack, Resource Anomalies
15. Indicators of Attack
‘Indicators of Attack’ are precursors to ‘Indicators of Compromise’
• Deepfence uses eBPF probes to capture all required network traffic from all nodes
• Traffic is matched against threat rules to identify reconnaissance, exploit, command-and-control and exfiltration activities
Other solutions may say ... / Deepfence’s Indicators of Attack provide more insights:
• “We gather network traffic stats to identify anomalies.” Flow, bandwidth and connection counts are L4 data (“resource anomalies”). They are not equivalent to Deepfence’s L7 Indicators of Attack.
• “We capture traffic from Web Application Firewalls to get indicators of attack.” This only captures blocked traffic from the edge, using a performance-reducing proxy. Deepfence is not proxy-based and captures all traffic from all locations.
• “We instrument Istio Mesh / Envoy to capture N/S and/or E/W network traffic.” This relies on support from a service mesh or other proxy-based technology. Deepfence works with all Mesh sidecars and in all non-mesh environments.
• “We use eBPF to gather attack information.” eBPF for process or file anomalies == Indicator of Compromise; eBPF for network traffic (Deepfence) == Indicator of Attack.
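As an added illustration of the L4-versus-L7 distinction drawn on this slide (example code, not Deepfence's or ThreatMapper's own): the L4 view works only from flow, bandwidth and connection counts, so a single path-traversal request, like the Apache case cited earlier in the deck, is invisible to it, while L7 rules inspect the request content. The flow records, thresholds and rules are constructed for this example and are not Deepfence's rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of captured flows: (src_ip, dst_ip, dst_port, bytes, request_line).
# In the deck's model an eBPF probe would supply these; here they are hard-coded test data.
FLOWS = [
    ("10.0.0.5", "10.0.1.10", 80, 420, "GET /index.html HTTP/1.1"),
    ("10.0.0.5", "10.0.1.10", 80, 510, "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1"),
    ("10.0.0.7", "10.0.1.10", 443, 3_000_000, "POST /upload HTTP/1.1"),
    ("10.0.0.8", "10.0.1.10", 80, 200, "GET /.env HTTP/1.1"),
] + [("10.0.0.9", "10.0.1.10", 80, 300, "GET /login HTTP/1.1")] * 60

# Illustrative L7 threat rules, keyed by the activity class they indicate.
# Constructed for this example; they are not Deepfence's rule set.
L7_RULES = {
    "exploit: path traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "reconnaissance: sensitive-file probe": re.compile(r"/\.(git|env)(/|$)"),
}

def l4_resource_anomalies(flows, conn_threshold=50, byte_threshold=1_000_000):
    """Flow, bandwidth and connection counts only: the slide's L4 'resource anomalies'."""
    conns, total_bytes = Counter(), Counter()
    for src, _dst, _port, nbytes, _req in flows:
        conns[src] += 1
        total_bytes[src] += nbytes
    anomalies = {}
    for src in conns:
        reasons = []
        if conns[src] > conn_threshold:
            reasons.append(f"{conns[src]} connections")
        if total_bytes[src] > byte_threshold:
            reasons.append(f"{total_bytes[src]} bytes")
        if reasons:
            anomalies[src] = reasons
    return anomalies

def l7_indicators_of_attack(flows):
    """Match request content against threat rules: the slide's L7 Indicators of Attack."""
    hits = []
    for src, _dst, _port, _nbytes, req in flows:
        _method, path, *_ = req.split(" ")
        path = unquote(path)  # normalise percent-encoding so encoded dot segments are visible
        for name, rule in L7_RULES.items():
            if rule.search(path):
                hits.append((src, name, req))
    return hits
```

Running both functions over FLOWS shows the two views disagree: the chatty and high-volume sources show up only as L4 anomalies, while the traversal and probe requests show up only as L7 indicators.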
16. ThreatMapper - Ecosystem
ThreatMapper, open source security observability platform:
• Tier 1, Learn the attack surface: Discover Topology, Locate Vulnerabilities, Build Threat Map, Platform Compliance
• Tier 2, Gather attack intel: Indicators of Compromise, Indicators of Attack, Resource Anomalies
• Tier 3: Additional ecosystem solutions
17. Deepfence Roadmap
Tiers: 1 Learn the attack surface; 2 Gather attack intel; 3 Understand and respond
Present (November 2021):
• Deepfence ThreatMapper, open source: Vulnerability Scanning
• Deepfence ThreatStryker, commercial, closed source: Compliance, Sensors, Correlation and Protection
Future (3-6 months):
• Deepfence ThreatMapper, open source: Vulnerability Scanning, Compliance, Sensors, Platform API
• Deepfence ThreatStryker, ecosystem add-on: Correlation and Protection, API integration
Timeline:
• October 13, 2021: Open source ThreatMapper initial release
• Q4 2021 / Q1 2022: Open source ThreatMapper security observability platform