Traceable Defense AI M6 and M7 Released
Traceable development is on a 6-week release cycle. We call those releases milestones; each one rolls up the features and fixes completed over that 6-week timeframe. This blog series will describe the big and medium rocks included in each milestone release.
For this first in the series, we’ve got some catching up to do, so I’ll be covering the last two milestone releases, M6 and M7.
Together, M6 and M7 brought several large advances across the product, including:
- support for observing and detecting security events for two popular protocols (GraphQL and gRPC);
- added agent support, increasing where we can collect tracing data from;
- moving agents to align with the new OpenTelemetry standard;
- helping security analysts better manage their business risk through better visibility and risk scoring;
- improvements in protection abilities, such as immediate blocking based on IP address ranges and known bad patterns;
- improvements in API-discovered data, such as whether each API endpoint handles sensitive PII data and whether it requires authentication;
- improvements in enterprise readiness, such as SAML authentication integration and usage monitoring;
- and more!
Let’s take a closer look...
New Protocol support for GraphQL and gRPC
GraphQL is a popular protocol optimized for data, with queries which smoothly follow references between multiple resources, getting all the data your app needs in a single request. gRPC is a high-performance open-source RPC framework that can run anywhere. It is a CNCF project with wide usage by companies such as Google, Netflix, Docker, and other prominent organizations.
Traceable can now observe deep tracing details and detect and act on security events for both GraphQL and gRPC.
More and better agent coverage
Traceable agents are the lightweight worker bees of the system which sit inside, next to, and around your applications to capture the tracing details of your app transactions. This rich data enables the Traceable Defense AI system to continually discover, observe, and protect your applications, services, and APIs. The more places the agents can be, the better clarity into the inner workings, and protection, of your applications you’ll have.
In these last two milestones we enhanced agent support in multiple ways:
Agent compatibility
- Converted the Java agent to be 100% compatible with OpenTelemetry, which will enable interoperability with other distributed tracing and performance monitoring tools.
- Added agent support for Go(lang), a language popular for making it easy to write highly concurrent, networked programs. This new agent is also OpenTelemetry compatible.
- Added NGINX Ingress controller support. NGINX Ingress is a popular technology for routing inbound calls within K8s environments, so now adding Traceable on Kubernetes is even easier.
- Added NGINX plugin module compatibility for Alpine Linux, enabling you to add Traceable directly to your Alpine native NGINX installation via its plugin architecture.
Agent functionality
- Added blocking through NGINX sidecar installations, leveraging the inline Open Policy Agent (OPA).
- Added regular expression based exclusion of URLs from detection, which allows you to reduce your processing and licensing usage by filtering out low risk / high volume endpoints.
Making Business Risk Management Easier
Overloaded security analysts and the responsible engineering teams they are working with, all need the ability to focus their activities on the most risky assets first. This means helping them to narrow down all the security insights into the top priorities. The latest release of Traceable accomplishes that in a few ways.
Calculated API endpoint risk score (Beta)
Traceable Defense AI now takes several data points from API discovery and calculates a risk score for every endpoint in every API. This risk score is calculated using two overall sets of data points: the likelihood of being targeted by attackers, and the potential for an attack to have a critical impact on the business. These data sets include information such as whether the endpoint is properly authenticated, whether it handles sensitive data, whether it is an internal or external-facing endpoint, whether it is tagged as a critical endpoint, whether the endpoint has parameters, and other checks.
Risk tags on services and API endpoints
Traceable now allows security analysts and engineering teams to directly tag their services and API endpoints as “Critical”, “Sensitive”, and/or “External”. These tags are used in the assessment of the new risk score to draw attention to the endpoints that matter most.
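To make the two-factor (likelihood × impact) idea above concrete, here is an added illustration that is not Traceable’s code and does not use Traceable’s formula or weights: it takes the discovered facts the post lists (authenticated, sensitive data, internal vs external, critical tag, has parameters), lets an analyst override them with the “Critical”, “Sensitive” and “External” tags, and ranks endpoints by the resulting score. All weights and sample endpoints are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class EndpointFacts:
    """Facts an API discovery process could learn about one endpoint (constructed)."""
    path: str
    authenticated: bool
    handles_sensitive_data: bool
    external: bool
    critical: bool
    has_parameters: bool


# Hypothetical weights, not Traceable's. Likelihood grows with exposure and attack
# surface; impact grows with what a successful attack would reach. Each side has a
# baseline of 1 so that an exposed-but-boring endpoint still gets a non-zero score.
LIKELIHOOD_UNAUTHENTICATED = 3
LIKELIHOOD_EXTERNAL = 2
LIKELIHOOD_HAS_PARAMETERS = 1
IMPACT_SENSITIVE_DATA = 3
IMPACT_CRITICAL = 2
MAX_LIKELIHOOD = 1 + LIKELIHOOD_UNAUTHENTICATED + LIKELIHOOD_EXTERNAL + LIKELIHOOD_HAS_PARAMETERS
MAX_IMPACT = 1 + IMPACT_SENSITIVE_DATA + IMPACT_CRITICAL


def apply_tags(facts: EndpointFacts, tags: Set[str]) -> EndpointFacts:
    """Analyst tags only ever raise a factor; they never hide something discovery found."""
    return replace(
        facts,
        critical=facts.critical or "Critical" in tags,
        handles_sensitive_data=facts.handles_sensitive_data or "Sensitive" in tags,
        external=facts.external or "External" in tags,
    )


def likelihood(facts: EndpointFacts) -> int:
    score = 1
    if not facts.authenticated:
        score += LIKELIHOOD_UNAUTHENTICATED
    if facts.external:
        score += LIKELIHOOD_EXTERNAL
    if facts.has_parameters:
        score += LIKELIHOOD_HAS_PARAMETERS
    return score


def impact(facts: EndpointFacts) -> int:
    score = 1
    if facts.handles_sensitive_data:
        score += IMPACT_SENSITIVE_DATA
    if facts.critical:
        score += IMPACT_CRITICAL
    return score


def risk_score(facts: EndpointFacts) -> int:
    """Normalise likelihood * impact to 0..100 so scores are comparable across APIs."""
    return round(100 * likelihood(facts) * impact(facts) / (MAX_LIKELIHOOD * MAX_IMPACT))


def rank_endpoints(endpoints: Iterable[EndpointFacts]) -> List[Tuple[str, int]]:
    """Highest-risk first, with the path as a stable tie-breaker."""
    scored = [(e.path, risk_score(e)) for e in endpoints]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample inventory: an unauthenticated login endpoint handling credentials,
# an authenticated PII endpoint, a public catalogue, and an internal health check.
SAMPLE_ENDPOINTS = [
    EndpointFacts("/api/v1/login", False, True, True, True, True),
    EndpointFacts("/api/v1/users/{id}/ssn", True, True, True, False, True),
    EndpointFacts("/api/v1/catalog", False, False, True, False, True),
    EndpointFacts("/internal/health", False, False, False, False, False),
]


def sample_ranking() -> List[Tuple[str, int]]:
    # The analyst tags the SSN endpoint "Critical"; discovery alone had not flagged it.
    tagged = [apply_tags(e, {"Critical"}) if e.path.endswith("/ssn") else e for e in SAMPLE_ENDPOINTS]
    return rank_endpoints(tagged)


if __name__ == "__main__":
    for path, score in sample_ranking():
        print(f"{score:3d}  {path}")
```

The point of the baseline terms is the edge case: an internal, unauthenticated health check with no data still ranks above zero, so it is not silently dropped from the list, while the externally reachable, unauthenticated endpoint that handles credentials rises to the top regardless of tags.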
Daily report on threat status change
The large number of threats and underlying security events can be overwhelming for busy teams, and tasks frequently get preempted by emergencies. Because of this, certain threats or events can be overlooked, and high-severity threats can get buried behind lower-activity threats or lost in the shuffle.
In addition, it is helpful for management to have a periodic activity summary to understand trends in the overall aggressiveness level of the environment and how effectively the team is addressing the detected threats.
To help in both situations, Traceable can now be configured to send a daily threat status change report highlighting key summary information such as the total number of active threats, new threats, recurring threats, and threats with the most recent activity.
Customized column lists and simplified search & filtering
The more efficiently you can narrow in on what you are looking for, the easier it is to stay on top of what’s going on. To help security analysts and application engineers focus further on the threats and risks they are managing, Traceable now has customizable column views and easier searching and filtering across the user interface.
Improved Protection
The latest two releases have focused on continuing to add to the different ways Traceable can protect your web applications and APIs, including adding the ability to enable/disable the OWASP ModSecurity CRS (Core Rule Set) rules, which are designed to protect web applications from common vulnerabilities and exploits with minimal false positives. Additionally, the latest Traceable releases enhance the way in which you can manage .
Immediate blocking rules (CRS and IP based)
Immediate blocking reduces attack response latency by enabling the blocking of attackers before full learning is complete. We’ve added the ability to immediately block application activity from IP address ranges and from known bad patterns in the OWASP ModSecurity Core Rule Set, which is designed to protect web applications from common vulnerabilities and exploits. We’ve also added the ability to define which of those rules are enabled and disabled.
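IP-range blocking is only as good as the address it is applied to, so here is an added example (not Traceable’s code, and not how its agents or OPA policy are implemented) of the two halves a defender has to get right: matching a client address against CIDR blocklist ranges, and resolving the client address from a proxied request without trusting a forgeable `X-Forwarded-For` header. The blocklist ranges, trusted-proxy ranges and request headers are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample blocklist (documentation-only address ranges): two IPv4 ranges
# and one IPv6 range. Real rules would come from the product's configuration.
SAMPLE_BLOCKLIST = ["203.0.113.0/24", "198.51.100.128/25", "2001:db8:bad::/48"]

# Constructed: the reverse proxies / ingress controllers that sit in front of the app.
SAMPLE_TRUSTED_PROXIES = ["10.0.0.0/8"]


def compile_ranges(cidrs: List[str]) -> List[IPNetwork]:
    """Parse CIDR strings once; strict=False tolerates host bits in the prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_ranges(ip: str, nets: List[IPNetwork]) -> bool:
    """True if ip parses and falls inside any range. Unparseable input is not a match:
    a blocklist must not crash the request path, and other rules still apply."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: List[IPNetwork]) -> str:
    """Resolve the real client address for a possibly proxied request.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy, and then
    the rightmost hop that is NOT itself a trusted proxy is taken: anything to its left
    was supplied by the client and could be forged to dodge an IP-based block."""
    if not x_forwarded_for or not in_ranges(remote_addr, trusted_proxies):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not in_ranges(hop, trusted_proxies):
            return hop
    return remote_addr  # every hop was one of our proxies; peer is the best we have


def decide(remote_addr: str, x_forwarded_for: Optional[str],
           blocklist: List[IPNetwork], trusted_proxies: List[IPNetwork]) -> str:
    """Immediate-block decision for one request: 'block' or 'allow'."""
    return "block" if in_ranges(client_ip(remote_addr, x_forwarded_for, trusted_proxies), blocklist) else "allow"


if __name__ == "__main__":
    blocklist = compile_ranges(SAMPLE_BLOCKLIST)
    proxies = compile_ranges(SAMPLE_TRUSTED_PROXIES)
    # Request arriving through the ingress with a blocked client behind it.
    print(decide("10.0.0.5", "203.0.113.9, 10.0.0.6", blocklist, proxies))   # block
    # Same header, but sent directly by an untrusted peer: header is ignored.
    print(decide("198.51.100.1", "203.0.113.9", blocklist, proxies))          # allow
```

The second call in the usage block is the case to watch in a sidecar deployment: if the agent or policy reads `X-Forwarded-For` unconditionally, a client in a blocked range can simply send a header naming some other address and the range rule never fires.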
Detect possible scanners
Detecting possible scanners helps eliminate noise and focus on important issues. The latest Traceable release now identifies possible scanners and makes it easy to filter for them or filter them out.
Manage Security Events More Efficiently
The M6 and M7 releases have also added more abilities around managing security events and threats, such as:
- grouping similar security events, for a cleaner view;
- allowing you to exclude the further tracking of similar events right from the event (for example, if you get a false positive);
- including location information with traces and security events (or the IP address if the location cannot be derived).
Enhanced Information and Better Visibility of Discovered API Details
Traceable’s continuous observation and security event detection enables it to derive API specifications from stateless traffic, showing more details than what you typically see from OpenAPI or Swagger specs. In these releases we’ve added even richer information about each API and API endpoint, as well as made it easier to view that data, and to know when it has changed.
Deeper Insights Into Each API Endpoint
Traceable discovers and makes visible important information about each API endpoint, such as its usage characteristics, which service is the predominant caller, what the typical status codes on the endpoint are, whether it is authenticated, and whether it handles sensitive data. To do this, Traceable also learns the entire endpoint definition, including details on all the parameters of each API endpoint, and makes them browsable in a simplified, tabulated API definition view.
Easy Access to API Endpoint Definitions from Everywhere
We’ve added a float-out API definition sheet to make it easy to access the detailed definition of your API endpoints from anywhere your endpoints are listed. This makes it more efficient to explore and analyze all the details Traceable knows about your APIs and their endpoints.
API Change Management
This latest release adds the ability for Traceable to track and flag any new or updated parameters in the requests or responses of API endpoints. The flags show for a configurable 7-day window. API change management helps security and engineering teams focus on the potential risk associated with new or changed API endpoints.
Enterprise Readiness
The M6 and M7 releases of Traceable Defense AI also included several enhancements for enterprise readiness, including improvements to authentication, usage monitoring, and plans and verifications to help meet customer compliance needs.
SAML integration
Security Assertion Markup Language (SAML) is an open industry standard that allows identity providers (such as Okta, ADFS, and other enterprise SSO tools) to pass authentication and authorization credentials to service providers, such as Traceable. With this integration now in place, enterprises can use their existing authentication systems to connect their employees to Traceable.
Usage monitoring
With the addition of usage monitoring, customers can view the number of system calls they have used, to help determine whether their current usage is in line with their Traceable license.
Compliance Requirements
A business continuity plan has been developed and put in place to ensure that Traceable will be able to restore critical business functions in the event of unplanned disasters. Traceable has also conducted and passed a third-party security assessment. Reports are available on request.
For details on caveats to some of these additions, please see the release notes, either in-product or online.
Interested to see more?
Watch our recorded demo and see Traceable Defense AI in action!