Use Case – Runtime Threat Mapping for Amazon ECS Using Deepfence ThreatMapper

Use Case – Runtime Threat Mapping for Amazon ECS Using Deepfence ThreatMapper
June 11, 2020

Recently we released ThreatMapper, a subset of the Deepfence cloud native workload protection platform, completely free for community use with no upgrade obligations. This is not just another ordinary command line scanner! ThreatMapper is an enterprise grade feature set of our main product and comes with ready to use integrations for Slack, PagerDuty, Splunk, Sumo Logic, and more.

You can take a quick look at the live demo here.

It's easy to get started with runtime threat mapping for Amazon ECS (as well as other containers, K8s, serverless, and more), and in this post we will show you how.

Getting Started

Deepfence installation consists of two components, namely the Deepfence Management Console which is installed outside of a cluster being threat mapped (for obvious reasons!), and super lightweight Deepfence sensors which are deployed as a daemon service using ECS task definition.

Installing the Deepfence Management Console

We will focus on a single node installation of the management console here.

  1. Spin up a Linux EC2 instance with 8 cores, 16GB RAM and at least 120GB of disk space.
  2. Download the Docker Compose file from here.
  3. Run docker-compose as follows:

docker-compose -f docker-compose.yml up -d
Give it a few seconds and you are ready to register your product installation as described here.

Installing the Deepfence Sensor on Amazon ECS

Now that we have the management console installed and registered, let’s install Deepfence sensors as follows:

  • Give IAM permissions for ECS task execution role to access this secret as outlined here.
  • Create a new task definition for the Deepfence sensor and deploy the service by following the steps outlined in ECS – Deepfence.

After registration, it can take up to 30–60 minutes for the vulnerability database to be populated. Once the vulnerability database is updated, you can scan running hosts and containers as shown below.

Runtime ThreatMapping includes finding and patching the most exploitable vulnerabilities present in your containers and hosts. ThreatMapper helps you prioritize and focus on only the most important vulnerabilities and rank them based on CVSS score, severity, attack complexity, and ease of exploitation.

You can explore ThreatMapper features in detail here.

In this post, we showed you how to get started with threat mapping for Amazon ECS with Deepfence ThreatMapper. If you’re interested in learning more about ThreatMapper or ThreatStryker, reach out. We’d love to show you how we can help you protect against vulnerabilities and increase the security of your applications across the entire CI/CD pipeline.

Threat map and stay safe!