AWS Partner Network (APN) Blog

Enhancing Amazon EKS Security with SentinelOne’s Real-Time eBPF Protection on AWS

By Laura Roantree, Product Marketing Director – SentinelOne
By Jason Patterson, Sr. Partner Solutions Architect, Security – AWS
By Sahil Thapar, Principal Solutions Architect – AWS


Many organizations develop and deploy their business-critical applications on containerized platforms because these platforms are developer-friendly, efficient, and portable. Customers also choose AWS as their cloud service provider for stability, scalability, and performance. In fact, nearly 80 percent of all containers in the cloud run on AWS today. Kubernetes is a powerful container orchestration platform, but it can be challenging to manage at scale; Amazon Elastic Kubernetes Service (Amazon EKS) reduces the operational complexity by handling cluster management. Even so, the inherent complexity and dynamic nature of container workloads make securing a Kubernetes environment in real time a challenge.

In this post, we will show how AWS customers can use SentinelOne Singularity Cloud Workload Security to simplify real-time threat protection and detection at runtime for Kubernetes workloads. We will also discuss how security events are collected and contextualized via behavioral AI to visualize the attack origination and progression, and how to actively mitigate the threat so security professionals can detect and resolve incidents in real-time.

SentinelOne is a leading independent software vendor in the AI-powered security space. SentinelOne provides a full Cloud Native Application Protection Platform (CNAPP), including agent-based and agentless protection. As an AWS Partner, SentinelOne has earned competencies in security and containers, and is an AWS Public Sector Partner.

Agent-based vs. Agentless Cloud Workload Protection Platforms

Cloud workload protection platforms (CWPP) provide security value by detecting and responding to runtime threats such as ransomware or zero-day exploits.

CWPP comes in two flavors:

  • Agentless: Agentless CWPP uses a technique called side-scanning, which periodically inspects snapshots of cloud compute storage for malware. This is typically done once daily because of the storage cost of snapshots. While side-scanning does provide value, its primary limitations are the lack of real-time threat detection and the lack of visibility into workload security telemetry events. The primary advantage of agentless CWPP is that there is no agent to deploy or manage.
  • Agent-based: In comparison, agent-based CWPP offers two fundamental advantages: (1) real-time protection at runtime, and (2) a forensic log of workload telemetry. Real-time detection and response matter because an exploit can disrupt a workload in seconds. Additionally, more sophisticated threat actors use techniques that agentless CWPP would miss entirely (fileless exploits, for example). A better approach is to use agent-based CWPP as part of a robust cloud defense-in-depth strategy, which often also includes agentless scanning.

With an agent-based CWPP, the security agent is installed directly on the server or virtual machine, giving it the ability to monitor system calls, file operations, and other low-level activities in real time. This granular visibility allows the agent to detect and respond to suspicious behavior patterns that are indicative of a ransomware attack, such as the encryption of large numbers of files or attempts to access sensitive data. In contrast, an agentless CWPP typically relies on API-based integrations, which do not have the same depth of visibility and may miss certain malicious activities.

The agent-based approach allows a CWPP to respond swiftly, isolating affected workloads, limiting damage, and enabling recovery from clean backups. This rapid response is critical in containing the spread of ransomware and minimizing the overall impact on the organization.

While agentless CWPPs can provide some level of protection, the agent-based model is generally more effective at identifying and stopping ransomware threats in a timely and comprehensive manner.

Figure 1: Real-time Threat Detection and Mitigation

eBPF for Securing Modern Applications with Cloud Workload Protection

Some of the primary concerns with running an agent on cloud compute include resource utilization, management overhead, and the potential for kernel panics. These concerns are often born of experience with older CWPP agent architectures, which rely heavily on kernel modules. This is what makes the eBPF approach especially attractive.

Several years ago, SentinelOne re-architected Singularity Cloud Workload Security, its agent-based CWPP, to use the eBPF framework. Doing so not only eliminated kernel modules and their potential kernel panics, but also optimized resource efficiency.

The agent's small incremental CPU and memory usage leaves more resources available for application performance. Independent tests illustrate that SentinelOne's CWPP agent consistently maintains high security efficacy, forensic visibility, real-time detection, and zero delays.

Figure 2: eBPF Simple Architecture Overview (modified from the original found at ebpf.io)

Behavioral AI for Detection, Correlation, and Response

SentinelOne’s CWPP agent uses five detection engines to gather telemetry and provide real-time response: static AI, behavioral AI, app control, cloud intelligence, and STAR rules.

SentinelOne's Behavioral AI is specifically designed to detect and mitigate previously unknown threats such as ransomware (including polymorphic ransomware), zero-days, credential theft, privilege escalation, fileless threats, and malicious scripts. Signature-based detection tools are typically useless against these novel and sophisticated threats.

The Behavioral AI Engine is autonomous, meaning (1) it functions fully with or without an Internet connection to the SaaS management console, and (2) the intelligence is built into the agent. This ensures there is no data transfer latency for analysis. Because of the eBPF architecture, this engine can observe, evaluate, and respond to kernel-level processes as they are launched, in real time.

Figure 3: eBPF Real-Time Monitoring

With the Behavioral AI Engine, SentinelOne's proprietary Storyline® technology streamlines incident response and reduces alert fatigue. Storyline provides actionable context for security analysts by observing all system calls and automatically visualizing the relationships between related kernel processes.

The Behavioral AI Engine monitors any given process thread and measures it against thresholds of normalcy; when a threshold is crossed, it triggers instantaneous protection against attacks occurring at machine speed. Storylines deemed by the AI to be suspicious or malicious are automatically remediated by the solution according to the policy configuration.

Figure 4: SentinelOne's Proprietary Storyline® Technology

Every Storyline is stored in the SentinelOne Singularity Data Lake according to the data retention period the customer has selected. SentinelOne uses OCSF (Open Cybersecurity Schema Framework) to standardize the data and integrates with Amazon Security Lake, so customers can query, inspect, and provide additional context to the workload telemetry for advanced threat hunting and analytics.

By monitoring thousands of concurrent kernel process threads, the Behavioral AI Engine is able to recognize when a sequence of related events turns from benign activity into suspicious or malicious activity, and can quickly take action through the eBPF framework.

Deployment Options

Singularity Cloud Workload Security offers a straightforward deployment and management experience, prioritizing both resource efficiency and robust security via its offering at AWS Marketplace.

Through a DaemonSet-based deployment, a single, resource-optimized Kubernetes CWPP agent per node shields the EKS worker environment, including all of its pods and containers, without the need for any intrusive container instrumentation that could impact performance.
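The following DaemonSet is an added illustration, not SentinelOne's published manifest or Helm chart: the image reference, namespace and names are placeholders. It shows the node-level access an eBPF-based CWPP agent needs to observe every process on a worker node, and why the namespace it lives in should be tightly restricted by RBAC.

```yaml
# Added example (not the vendor's manifest); image, names and resource values are placeholders.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: cwpp-agent            # placeholder name
  namespace: cwpp-system      # placeholder namespace; restrict who can edit objects here
spec:
  selector:
    matchLabels:
      app: cwpp-agent
  template:
    metadata:
      labels:
        app: cwpp-agent
    spec:
      hostPID: true           # see every process on the node, not only the agent's own PID namespace
      hostNetwork: true       # observe node-level network activity
      tolerations:
        - operator: Exists    # schedule on every node, including tainted ones, so no node is left unprotected
      containers:
        - name: agent
          image: PLACEHOLDER_REGISTRY/cwpp-agent:PLACEHOLDER_TAG   # replace with the vendor's image
          securityContext:
            privileged: true  # loading eBPF programs and attaching kernel probes requires this
                              # (or CAP_BPF/CAP_PERFMON/CAP_SYS_ADMIN on kernels that support them)
          resources:          # constructed values; take real numbers from the vendor's sizing guidance
            requests: {cpu: 100m, memory: 256Mi}
            limits: {cpu: 500m, memory: 512Mi}
          volumeMounts:
            - name: sys-kernel-debug
              mountPath: /sys/kernel/debug   # tracefs, needed for kprobes and tracepoints
            - name: bpf-fs
              mountPath: /sys/fs/bpf         # pinned BPF maps and programs
      volumes:
        - name: sys-kernel-debug
          hostPath: {path: /sys/kernel/debug}
        - name: bpf-fs
          hostPath: {path: /sys/fs/bpf}
```

After applying it, `kubectl -n cwpp-system rollout status daemonset/cwpp-agent` should report the same number of ready pods as there are schedulable nodes; any shortfall is a node running without runtime protection.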

In addition, SentinelOne's CWPP agent (Singularity Cloud Workload Security for Servers/VMs) with eBPF can be deployed to Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux, either directly or through AWS Systems Manager, to protect the EKS host machines and the underlying nodes of your cluster.

Conclusion

The unique appeal of eBPF lies in its ability to directly observe and respond to application behavior within the kernel without modifying kernel code, which is particularly important for ensuring the stability of the kernel for Kubernetes and EKS-deployed workloads. This safety, in combination with the observability and response capability, makes eBPF ideal for security use cases, particularly for applications like CWPP.

SentinelOne's real-time CWPP solution, Singularity Cloud Workload Security, is built upon the eBPF framework to deliver real-time workload protection. Its runtime agent uses five detection engines, including SentinelOne's proprietary Behavioral AI Engine and automated Storyline® incident visualization technology, to provide AI-powered prevention and protection for workloads running on AWS. Whether you operate workloads on Amazon EC2, Amazon Elastic Container Service (Amazon ECS), or Amazon EKS, Singularity Cloud Workload Security delivers real-time threat detection and the forensic data visibility that security analysts need to streamline investigations and maximize workload integrity and uptime.

To learn more about SentinelOne's Cloud Workload Security, visit SentinelOne's offerings or view SentinelOne at AWS Marketplace.



SentinelOne – AWS Partner Spotlight

SentinelOne is a global leader in AI-powered security. SentinelOne's Singularity Platform detects, prevents, and responds to cyber-attacks at machine speed, empowering organizations to secure endpoints, cloud workloads, containers, identities, and mobile and network-connected devices with speed, accuracy, and simplicity.
