Capsule8 Launches Zero-Day Threat Detection Platform for Linux

More than a year after first emerging from stealth, container security startup Capsule8 launches the 1.0 version of its zero-day threat detection platform.

Capsule 8 1.0 Dashboard

Security startup Capsule8 officially launched the 1.0 release of its zero-day threat detection platform on April 11, after more than a year of active development.

Capsule8 1.0 is intended to help secure both container as well as non-container based Linux workloads from unknown zero-day threats. Among the risks that Capsule8 aims to help mitigate are side-channel memory attacks, like the recently disclosed Meltdown and Spectre vulnerabilities.

"The Capsule8 1.0 product is really focused on real-time security detection for production systems,"John Viega, Capsule8 co-founder and CEO, told eWEEK. "So that includes any production Linux servers, as well as containerized cloud native environments, providing zero-day protection and detection in real time at scale, that enables our customers to disrupt attacks."

Viega and his co-founder Dino dai Zovi first revealed the company in February 2017 and detailed Capsule8's early ambitions in an April 2017 eWEEK video. At the time, Dai Zovi explained that Capsule8 is container-aware, real-time threat protection for Linux-based production environments. The company has raised a total of $8.5 million in venture funding, including a $6 million Series A round announced in September 2017.

Detection Landmines

Viega explained that Capsule8's zero-day detection involves having a very high signal to low noise ratio for evidence of exploitation in a production environment. Rather than simply scanning for known vulnerabilities (CVEs), he noted that Capsule8 looks for signals that some form of exploitation is in progress.

"We are looking generically if an attacker has got a zero day vulnerability, what are the things that they are going to have to do go around ASLR (Address Space Layout Randomization) and other system level protections," Viega said.

Capsule8 has a concept called "kernel landmines" which are triggers that Viega said his company's platform can place in a running Linux kernel. The kernel landmine is placed in an area that is associated with a process that shouldn't normally be touched by regular authorized processes and application usage.

Viega noted that the Capsule8 kernel landmines are not a deception technique. Deception technologies place "false flags" for hackers to follow in an attempt to trick them into taking a certain path where they can be contained.

"A landmine is not really a deception technique. We're not really changing the Linux kernel. We're just being really strategic about monitoring places in the kernel that are possible windows into exploit behavior," Viega said.

Spectre and Meltdown

Among the classes of zero-day attacks that Capsule8 aims to help mitigate are side-channel memory attacks like the Spectre and Meltdown issue that were first disclosed in January. Capsule8 was among the first vendor to provide a freely available open-source detection tool for Spectre and Meltdown. In the Capsule8 1.0 release, Viega said that his company is providing enhanced side-channel attack detection capabilities that also benefits from some machine learning capabilities in the platform.

Viega said that what he heard from many large enterprises that he visited was that in their production environments they had no visibility for the meltdown and spectre threats. Additionally, given that patches for those flaws are not easily implemented by all organizations, the need for visibility into potential attacks is important.

Looking forward, Viega said that Capsule8 will continue to develop its' namesake platform, providing integrations with other enterprise IT tools to make it easier for security professional to investigate incidents.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.