Navigating Threats at Runtime: Bridging Application Context with Risk Management through CNAPP

Navigating Threats at Runtime: Bridging Application Context with Risk Management through CNAPP
September 6, 2023

In the continuously shifting cybersecurity domain, grasping the nuances of runtime protection within the boundaries of Cloud-Native Application Protection Platforms (CNAPP) has become indispensable. Recently, Deepfence hosted a discussion on this pivotal subject with industry experts Mike Sabbota, Head of Security Engagements at Amazon Prime Video, and Sandeep Lahane, the CEO at Deepfence. In this post, we dive into the insights and strategic directions divulged during the webinar, accentuating the importance of application context in risk management and the powerful role of Cloud-Native Application Protection Platforms (CNAPP) in maneuvering the intricate paths of runtime protection.

Navigating the Runtime Protection Landscape and Modern CNAPP Challenges 

Having garnered substantial experience in the security sector, Mike has become a pivotal figure spearheading progressive security projects at Prime Video. His perspective on the changing terrain stressed the essentiality of integrating runtime protection into business workflows without hindering the velocity of business operations. The conversation outlined the intricacies of scaling operations, emphasizing the necessity to remain nimble and well-informed in the CNAPP sphere.

Directing the discussion towards pressing issues related to vulnerability management in the extensive CNAPP ecosystem, Sandeep, alongside Mike, delved into the art of identifying critical vulnerabilities amidst a sea of alerts, thereby averting potential decelerations and maintaining a focus on vital concerns.

In this CNAPP landscape, where a plethora of teams and projects often obscure visibility, discerning between critical and non-critical vulnerabilities becomes a pivotal task. This discernment not only conserves time but also circumvents potential distractions that could hinder progress.

Minimizing Alert Fatigue: Reshaping Priorities in CNAPP

Shifting focus towards the pervasive issue of alert fatigue, a significant impediment causing teams to sift through countless non-actionable alerts, the discussion emphasized adopting precise strategies for monitoring key areas. This approach avoids the pitfalls of exhaustive coverage that overlooks essential sectors, potentially resulting in substantial control failures. In order to understand which alerts are truly critical and in need of an organization’s attention, it is important to build context into your understanding of cloud security. And it is this topic of context that our speakers tackled so gracefully in the next part of the webinar.

Context is Supreme: Strategic Security in the CNAPP Realm

The webinar highlighted the revolutionary potential of incorporating context into security strategies. This comprehensive methodology encompasses various factors, including grasping user behaviors and data nuances, infrastructure metrics, and system health parameters. A unanimous agreement highlighted the promising prospects of a context-centric approach in transforming vulnerability management within CNAPP, fostering the development of refined and proficient security protocols.

The dialogue pinpointed four pivotal focus areas or "prisms" for gathering context: application business context, data context, network context, and identity context. The discussion ventured into using in-depth telemetry from one or more of these prisms to identify and concentrate on the most significant vulnerabilities and attack routes.

The discussion underlined the need to comprehend business-critical services, grasp the nature of data managed by different applications, discern network contexts, and monitor identity facets such as API keys and tokens. While recognizing the existence of numerous vulnerabilities, the focus remained on employing contextual insights to prioritize addressing critical issues first.

Moreover, the dialogue acknowledged that at times, medium or low-severity vulnerabilities could pose heightened risks if exposed extensively, especially if exploitable on a broad scale. The discussion further probed the role of drift (infrastructure and data) in vulnerability management, emphasizing the importance of managing and prioritizing drift as an essential component of a successful program.

Utilizing eBPF for Detailed Insights and Augmented Security

As the conversation transitioned into the technical realm, the significant role of eBPF (Extended Berkeley Packet Filter) in strengthening cloud security became prominently evident. The talk highlighted eBPF's proficiency in offering real-time insights, facilitating a comprehensive analysis of traffic patterns, and enabling effective monitoring of encrypted traffic at a process level. This technological innovation emerges as a powerhouse, promising a future of scalable, accurate, and adaptive security strategies in the cloud domain.

The dialogue specifically underscored the advantages of employing eBPF in monitoring and securing microservices architectures. Here are several focal points and themes from the conversation:

Transition from Traditional Infrastructure to Microservices

  • Traditional Infrastructure: Previous systems had definite physical boundaries, defined primarily by elements such as firewalls and servers. Security in this setup was relatively straightforward, focusing mainly on safeguarding the infrastructure and monitoring specific entry and exit points.
  • Microservices Architecture: Conversely, modern systems reliant on microservices witness data traversing in various directions, characterized by logical instead of physical boundaries. This shift demands a more dynamic and adaptive security approach.

eBPF as a Security Instrument

  • Real-time Analysis: eBPF facilitates real-time transaction analysis, aiding in establishing superior baselines for threat prioritization and contextualization, fostering faster detection and response to security incidents.
  • Specific Case Study: The discussion recounted an instance where a database was exfiltrated through DNS calls before being erased. In this case, eBPF could have served as a more potent control, potentially identifying the issue quicker than the NetFlow sampling utilized.
  • Traffic Analysis: Implementing eBPF encourages deeper traffic analysis, instrumental in recognizing and understanding behavioral patterns in cloud environments.

Challenges and Prospects in Cloud Security

  • Encrypted Traffic: A considerable portion of cloud traffic is encrypted, creating a blind spot in security surveillance. The traditional strategy of employing Man-in-the-Middle (MITM) proxies is not optimal, with eBPF emerging as a superior alternative by facilitating the monitoring of ingress and egress traffic at a process level.
  • Distributed Nature of Security: The dialogue pointed to the advantages of eBPF's distributed attributes, allowing for a more scalable and specific implementation of controls, potentially preventing the slow-down of detection processes commonly associated with large, centralized log ingestion systems.
  • Prioritization and Contextualization: Implementing eBPF can amplify threat prioritization and contextualization, granting deeper insight into traffic patterns and behaviors in cloud environments.

Projecting the Future: Evolving Trends and Anticipations

Peering into the future, the speakers envisioned a unification of features in cloud security products, steering towards a more concentrated focus on data security and vendor specializations. They forecasted a progression where cloud security platforms would surpass traditional boundaries, adopting a cohesive approach that amalgamates data from networks, applications, and other sources to safeguard against specific attack vectors. Furthermore, the conversation delved into the evolving role of agents in security, anticipating a transition towards context-driven solutions for enhanced telemetry and runtime security.

Here are the projected trends and expectations outlined by Mike and Sandeep:

  • Consolidation and Platform Solutions: A forthcoming consolidation of features in cloud security products is anticipated, migrating towards more inclusive platform solutions to prevent functional overlaps prevalent in current vendor offerings.
  • Focus on Data Security: An imminent shift towards emphasizing data security is expected, incorporating a focus on real-time monitoring of data movements and third-party data exchanges.
  • Vendor Specializations: It's likely that cloud security vendors will specialize in particular areas, focusing either on data, applications, or identities, providing deeper insights and controls in their chosen fields.

The dialogue also addressed the recent SEC guidelines proposing a four-day window for incident reporting, emphasizing clear definitions of "material" incidents and encouraging organizations to conduct tabletop exercises with diverse teams to ensure rapid and appropriate responses to incidents.

Towards the end, the conversation highlighted the integration of data security within cloud security products, suggesting that collaborations and integrations within vendors will become a prevalent trend, fostering a cohesive, context-rich, and comprehensive approach to cloud security.


In the dynamic landscape of cloud security, the role of CNAPPs in fortifying runtime protection remains paramount. As security experts navigate through complex challenges, the infusion of context into vulnerability management emerges as a promising direction, fostering the development of agile and effective protocols.

Harnessing the capabilities of eBPF in realizing a detailed and adaptive security model is viewed as a significant advancement in the field. As the future unfolds, industry leaders anticipate a convergence of features within cloud security products, directing efforts towards enhancing data security and crafting specialized vendor solutions.

This webinar brought to light insightful perspectives and innovative strategies, paving the way for a safer, secure, and more efficient cloud environment in the forthcoming era. Stay tuned for more webinars in our Webinar Series: How Top Tech Teams Operationalize Security at Scale!