Deepfence FAQ – June 2022

June 17, 2022

Welcome to our first FAQ blog post where we recap popular questions we’ve received along with the answers to them. What is the inspiration for this particular post? While on the road recently, at KubeCon + CloudNativeCon Europe, as well as RSA, we noticed a few recurring questions about Deepfence and our products. In this blog post, we’ll recap the top questions and answers from discussions we had. Before diving in, we’d like to give a huge thank you to everyone who came to meet us — your curiosity and interest in Deepfence is what inspired this post! 

If you're not yet familiar with Deepfence and how our products can help you, here's a quick primer. If you run cloud native applications and are anything less than 100% certain that your apps and platforms are free from vulnerable dependencies, Deepfence can help. Designed to fill the blind spot left by using “shift left” tooling alone, open source ThreatMapper finds and prioritizes vulnerable dependencies in production, so you know which ones are critical to fix right now because they pose the greatest risk to the security of your application. ThreatStryker, our enterprise offering, extends ThreatMapper and automatically protects your cloud native applications from exploitation by deploying targeted remediation.

What’s in Deepfence open source (ThreatMapper)?

Deepfence’s open source project is called ThreatMapper. It’s a complete GUI/API-based platform that maps your infrastructure, then scans it for vulnerable dependencies and exposed secrets. ThreatMapper presents the risks in an intelligent, prioritized order — starting with vulnerabilities that are high severity, remotely exploitable, and closest to your attack surface.
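To make the ordering in that sentence concrete, here is an added example (not ThreatMapper's code) that ranks constructed findings severity-first, then by remote exploitability read from the CVSS v3 vector string, then by distance from the attack surface. The finding ids, package names and the `hops_from_edge` exposure measure are assumptions made for illustration.

```python
# Added example: a hypothetical ranking function illustrating the ordering the
# FAQ describes (severity first, then remote exploitability, then proximity to
# the attack surface). This is not ThreatMapper's code; the findings below are
# constructed, and the "hops_from_edge" exposure measure is an assumption.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    ident: str            # placeholder finding id, not a real CVE
    package: str
    cvss_score: float     # CVSS v3 base score, 0.0-10.0
    cvss_vector: str      # CVSS v3 vector string
    hops_from_edge: int   # 0 = workload directly reachable from the internet (assumed metric)


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def severity(score: float) -> str:
    """CVSS v3 qualitative severity buckets."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


def is_remotely_exploitable(f: Finding) -> bool:
    """Attack Vector 'N' (network) means the bug can be hit without local access."""
    return parse_cvss_vector(f.cvss_vector).get("AV") == "N"


def rank_key(f: Finding):
    # Python sorts ascending, so negate the values that should sort high-first.
    return (
        -SEVERITY_RANK[severity(f.cvss_score)],
        0 if is_remotely_exploitable(f) else 1,
        f.hops_from_edge,
        -f.cvss_score,
        f.ident,
    )


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Most urgent finding first, per the ordering in rank_key."""
    return sorted(findings, key=rank_key)


# Constructed sample findings (ids and packages are placeholders).
SAMPLE_FINDINGS = [
    Finding("F-1", "libexample-a", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2),
    Finding("F-2", "libexample-b", 7.5, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 0),
    Finding("F-3", "libexample-c", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 0),
    Finding("F-4", "libexample-d", 9.1, "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f.ident, severity(f.cvss_score),
              "remote" if is_remotely_exploitable(f) else "local",
              f"hops={f.hops_from_edge}")
```

The strict lexicographic order used here is one reading of the FAQ's sentence: a critical but local-only bug one hop in (F-4) outranks a high-severity, remotely reachable one sitting at the edge (F-2). A weighted score would rank those two differently, so check which behaviour you actually want before adopting either.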

ThreatMapper has no performance restrictions, no limits on the number of scans or the size of your infrastructure, and no privacy-compromising ‘phone-homes’. Simply visit ThreatMapper on GitHub to find everything you need to get started.

What is the difference between the two Deepfence products, ThreatMapper and ThreatStryker?

ThreatMapper (open source) identifies the most significant risks-of-exploit in your cloud native applications and infrastructure.

If you’re not able to remediate these risks immediately, or if you want to protect against other, undetected risks, then ThreatStryker (enterprise) observes anomalies, rates the risk of exploit against each workload, and intervenes to stop exploits from succeeding or spreading laterally.

More details about how ThreatMapper and ThreatStryker compare are available here.

Are they self-install or SaaS?

ThreatMapper and ThreatStryker consoles are self-install, on-prem solutions. They each use lightweight sensor agents that are deployed on each of the production platforms you wish to scan, observe, and secure.

We recently announced the availability of Deepfence Cloud, a SaaS platform that hosts dedicated ThreatStryker consoles on-demand.

What’s the impact of the agent on Kubernetes?

The agent is deployed as a DaemonSet and runs as a ‘privileged container.’ The privileges are needed in order to read container and host filesystems, sample network traffic, and (in the case of ThreatStryker) apply security interventions.

The agent only communicates with your management console. It does not listen for incoming traffic or expose any open ports; it has been reviewed and pen-tested by an independent security specialist; and the source code for the ThreatMapper agent is open for review.
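Before granting any agent the privileges described above, a practitioner will want to see exactly what the DaemonSet asks for. The following added example (not Deepfence's manifest or code) audits a constructed DaemonSet manifest for the privileged flag, host PID/network namespaces, hostPath mounts and declared container ports; the image names, volumes and mount paths are placeholders.

```python
# Added example: audit what a privileged DaemonSet actually receives.
# The manifest below is constructed for illustration and is not Deepfence's
# agent manifest; image names, volume names and mount paths are placeholders.
from typing import Any, Dict, List, Tuple

SAMPLE_DAEMONSET: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "example-agent", "namespace": "example-system"},
    "spec": {
        "template": {
            "spec": {
                "hostPID": True,
                "hostNetwork": False,
                "containers": [
                    {
                        "name": "agent",
                        "image": "example.invalid/agent:1.0",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [
                            {"name": "docker-sock", "mountPath": "/var/run/docker.sock"},
                            {"name": "host-fs", "mountPath": "/host", "readOnly": True},
                        ],
                    },
                    {
                        "name": "sidecar",
                        "image": "example.invalid/sidecar:1.0",
                        "securityContext": {"privileged": False},
                        "ports": [{"containerPort": 8080}],
                    },
                ],
                "volumes": [
                    {"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "host-fs", "hostPath": {"path": "/"}},
                ],
            }
        }
    },
}


def audit_daemonset(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise the host-access facts a reviewer cares about."""
    pod = manifest["spec"]["template"]["spec"]
    # Map volume name -> host path for every hostPath volume in the pod.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    containers: Dict[str, Dict[str, Any]] = {}
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        mounts: List[Tuple[str, str, bool]] = []
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_paths:  # (host path, mount point, read-only?)
                mounts.append((host_paths[vm["name"]], vm["mountPath"],
                               bool(vm.get("readOnly", False))))
        containers[c["name"]] = {
            "privileged": bool(sc.get("privileged", False)),
            "container_ports": [p["containerPort"] for p in c.get("ports", [])],
            "host_path_mounts": mounts,
        }
    return {
        "host_pid": bool(pod.get("hostPID", False)),
        "host_network": bool(pod.get("hostNetwork", False)),
        "containers": containers,
    }


def findings(report: Dict[str, Any]) -> List[str]:
    """Turn the audit into review comments."""
    out: List[str] = []
    if report["host_pid"]:
        out.append("pod: shares the host PID namespace")
    if report["host_network"]:
        out.append("pod: shares the host network namespace")
    for name, r in report["containers"].items():
        if r["privileged"]:
            out.append(f"{name}: privileged (all capabilities, host devices, "
                       "no seccomp/AppArmor confinement)")
        if r["container_ports"]:
            out.append(f"{name}: declares listening ports {r['container_ports']}")
        for host, mnt, ro in r["host_path_mounts"]:
            if not ro:
                out.append(f"{name}: writable host path {host} mounted at {mnt}")
    return out


if __name__ == "__main__":
    for line in findings(audit_daemonset(SAMPLE_DAEMONSET)):
        print(line)
```

One caveat: `containerPort` entries are declarative only, so their absence does not prove a container is not listening. Confirm a "no open ports" claim on a running node, for example with `ss -lntp` in the container's network namespace, rather than from the manifest alone.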

The ThreatMapper and ThreatStryker agents have minimal impact on memory and CPU resources. The highest impact comes from the network-related features in ThreatStryker: by default, under high network traffic (>10 Gb/s), CPU usage stays around 6-8% and memory usage around 40-60 MB, and both drop as traffic decreases. The ThreatStryker agent collects telemetry data and can be tuned (sampling rate, targets) to limit the resources it needs.

This article offers a thorough rundown of how agent-based and agentless solutions work and explains the Deepfence approach.

Which vulnerability feeds do you use?

For dependency scanning, we use a series of public vulnerability feeds. These include up-to-the-minute:

Secret Scanning uses the feeds from Deepfence’s open source SecretScanner project, and network traffic is matched against a range of threat feeds, including the Emerging Threats feed.

What’s next?

Thanks for checking out our first-ever FAQ blog post! Here are a few next steps to consider:

  • Give ThreatMapper a try! You can find everything you need to get started on GitHub.
  • If you like what you see, give us a star. Stars are one way of showing your support for open source projects you care about – we’d be honored to have you among our stargazers.
  • Got questions in the meantime? Join the Deepfence community Slack channel to ask questions and get answers, or just follow along with the discussion.