
Runtime Security

Monitoring and protecting applications during execution to detect and prevent attacks in real time.

Category: DevSecOps. Also called: "runtime protection", "CWPP" (cloud workload protection platform), "workload protection".

Runtime security provides continuous protection for applications as they run in production, complementing pre-deployment security testing.

What runtime security monitors

  • Process execution and system calls.
  • Network connections and traffic patterns.
  • File system access and modifications.
  • Memory access and exploitation attempts.
  • Container and Kubernetes activity.
  • API calls and data access patterns.

Runtime security tools

  • Cloud-native: AWS GuardDuty, Azure Defender, GCP Security Command Center.
  • Container-focused: Falco, Sysdig, Aqua, Prisma Cloud.
  • RASP: Runtime Application Self-Protection (Contrast, Imperva).
  • eBPF-based: Cilium and Tetragon, for kernel-level visibility.

Detection capabilities

  • Container escape attempts.
  • Cryptomining processes.
  • Reverse shells and backdoors.
  • Privilege escalation.
  • Lateral movement.
  • Data exfiltration.
  • Anomalous API usage.

Response actions

  • Alert: Notify security team for investigation.
  • Block: Terminate malicious process or connection.
  • Isolate: Quarantine affected container or workload.
  • Capture: Collect forensic data for analysis.

Container runtime security

  • Read-only filesystems.
  • No-new-privileges flag.
  • Seccomp profiles limiting system calls.
  • AppArmor/SELinux policies.
  • Network policies restricting traffic.

Best practices

  1. Baseline normal behavior before alerting on anomalies.
  2. Start with detection mode before blocking.
  3. Integrate with SIEM for correlation.
  4. Automate response for known attack patterns.
  5. Maintain updated threat intelligence feeds.
  6. Test detection rules with red team exercises.

Kubernetes-specific controls

  • Pod Security Standards (Restricted, Baseline, Privileged).
  • Network Policies for microsegmentation.
  • Admission controllers for policy enforcement.
  • Audit logging for API server activity.
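
A worked example of the controls listed under "Container runtime security" and "Kubernetes-specific controls", added here and not part of the glossary entry: a Namespace that enforces the Restricted Pod Security Standard, a Pod whose securityContext satisfies it (non-root, default seccomp, no privilege escalation, read-only root filesystem, all capabilities dropped), and a NetworkPolicy that microsegments it. The namespace, labels, image reference and ports are constructed assumptions.

```yaml
# Namespace: Pod Security Admission rejects any pod that violates "restricted"
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    pod-security.kubernetes.io/enforce: restricted
---
apiVersion: v1
kind: Pod
metadata:
  name: api
  namespace: payments
  labels: {app: api}
spec:
  securityContext:
    runAsNonRoot: true                       # image must declare a non-root USER
    seccompProfile: {type: RuntimeDefault}   # runtime's default syscall filter
  containers:
    - name: api
      image: registry.example.com/api:1.4.2  # constructed image reference
      securityContext:
        allowPrivilegeEscalation: false      # sets no_new_privs on the process
        readOnlyRootFilesystem: true         # blocks writes outside declared volumes
        capabilities: {drop: ["ALL"]}        # no Linux capabilities at all
      volumeMounts:
        - {name: tmp, mountPath: /tmp}       # only writable path the app gets
  volumes:
    - {name: tmp, emptyDir: {}}
---
# NetworkPolicy: only the gateway may reach the API, and the API may only reach the DB
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-microsegmentation
  namespace: payments
spec:
  podSelector: {matchLabels: {app: api}}
  policyTypes: [Ingress, Egress]
  ingress:
    - from: [{podSelector: {matchLabels: {app: gateway}}}]
      ports: [{protocol: TCP, port: 8080}]
  egress:
    - to: [{podSelector: {matchLabels: {app: postgres}}}]
      ports: [{protocol: TCP, port: 5432}]
```

Because the egress rule admits only the database, name resolution will fail until a second egress rule allowing port 53 to the cluster DNS service is added; likewise, with a read-only root filesystem, every path the process writes to must be declared as a volume, which is why the best-practice step of running in detection mode first matters before enforcing.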