Aqua Blog

Combat Zero-Day Threats with Aqua’s New eBPF Lightning Enforcer

We are excited to announce the latest addition to our portfolio, our eBPF-based Aqua Lightning Enforcer. It’s designed for busy security professionals who need to detect zero-day attacks and sophisticated threats that occur at runtime. It utilizes eBPF technology, making it more effective, safer, and faster. The new Lightning Enforcer and our Runtime Protection solution are an integral part of the Aqua Cloud Native Security platform, offering the best protection possible across the complete application development lifecycle.

What is eBPF Technology?

Extended Berkeley Packet Filter (eBPF) is an innovative Linux kernel technology that allows sandboxed programs to run within the operating system kernel. It can safely and efficiently extend the kernel’s functionality without loading kernel modules or changing the kernel source code.
Visit the Aqua Security Wiki to learn more about eBPF

Why is eBPF Critical for Runtime Protection?

eBPF programs execute in kernel space, which is the optimal location for security agents because from there they can oversee and control the entire system: network, files, memory, and more. This is a critical capability for runtime protection. Since eBPF programs run in a sandbox, eBPF-based runtime protection is safer to implement and results in better system stability. eBPF also provides a single framework for protection across system calls, files, networks, and more, making it a natural choice for supporting multiple system architectures. eBPF has become widely adopted as the main technology for developing Linux and cloud native monitoring tools, network infrastructure, and security tools.

Effective, Safe, and Fast Runtime Protection

Aqua’s Lightning Enforcer begins protecting production workloads on day one, catching known exploit attempts and identifying unknown ones such as zero-days, using drift detection and behavior-based detection methods. The patented drift detection technology immediately sends a detailed alert if a new binary is created, or if a bad actor attempts to create a new object that was not part of the original build. This detection visibility is complemented by threat intelligence research from Aqua’s Nautilus research team. They observe sophisticated attacks in live production environments and honeypots and turn that intelligence into signatures used by the Enforcer to identify indicators of attack and protect against emerging threats.
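To make the drift detection idea concrete, here is an added illustration (not Aqua’s code) of the principle described above: hash every executable in the image at build time, then treat any executable that appears at runtime without a matching baseline entry as drift. The image root, file names and contents are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def executables(root: Path):
    """Yield (path relative to root, sha256) for every file with an execute bit set."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if p.is_file() and p.stat().st_mode & EXEC_BITS:
                yield str(p.relative_to(root)), sha256_file(p)


def build_baseline(root: Path) -> dict:
    """The 'original build': every executable shipped in the image and its hash."""
    return dict(executables(root))


def classify(baseline: dict, rel_path: str, digest: str) -> str:
    """An executable is allowed only if it is in the baseline with the same hash."""
    if rel_path not in baseline:
        return "drift:new_binary"
    if baseline[rel_path] != digest:
        return "drift:modified_binary"
    return "allowed"


def scan_for_drift(root: Path, baseline: dict) -> dict:
    """Re-walk the running workload's filesystem and report anything that drifted."""
    return {rel: verdict for rel, digest in executables(root)
            if (verdict := classify(baseline, rel, digest)) != "allowed"}


def demo() -> dict:
    """Constructed scenario: an image with two binaries, then one dropped and one replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/bin").mkdir(parents=True)
        for name in ("app", "sh"):                      # files that are part of the build
            f = root / "usr/bin" / name
            f.write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
            f.chmod(0o755)
        baseline = build_baseline(root)
        dropped = root / "dropped.bin"                  # simulated runtime drift: new executable
        dropped.write_bytes(b"constructed stand-in for a file written after deployment")
        dropped.chmod(0o755)
        (root / "usr/bin/sh").write_bytes(b"#!/bin/sh\necho replaced\n")  # tampered existing binary
        return scan_for_drift(root, baseline)
```

A real enforcer evaluates this at the moment of the write or exec event rather than by rescanning, but the allow/deny decision is the same comparison against the build-time manifest.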

The Lightning Enforcer enables effective incident management, as it provides a deep view into exactly what is happening in production. Immediately after the agent is deployed, it scans the running containers and hosts for vulnerabilities and risks in order to provide visibility into the runtime attack surface. The runtime protection controls detect and remove malicious files the moment a file is dropped into the workload, or just before it executes, removing the threat immediately.

The Lightning Enforcer’s behavioral monitoring and drift prevention controls alert you to suspicious behavior such as fileless execution in containers, new binaries dropped into an immutable workload, container escape events, and more. Detections generated by the Lightning Enforcer yield a security timeline with granular details of the attack in the Aqua platform user interface, allowing Incident Response teams to quickly investigate and mitigate threats.

Stability is a key component of the Lightning Enforcer. The eBPF technology introduces a more modern approach to runtime protection, eliminating the friction and resource burden of traditional agents. When implementing a runtime solution, a big concern for security professionals is the performance tax the tool places on the workload. Performance issues can drive up CPU utilization, which ties up resources and fundamentally impacts bottom-line revenue in a cloud native application setting. Most importantly, implementing new runtime security measures should not compromise normal application operations and resilience. With the Lightning Enforcer, you can feel confident that you are deploying powerful security defenses without disrupting the normal operation of your running workloads.

The Aqua Lightning Enforcer is lightweight and reduces the overhead on the system. In fact, internal testing has demonstrated a 65% reduction in load compared to a non-eBPF agent. The eBPF technology provides a single framework for detection functionality, which results in a simpler, more compatible agent. The Lightning Enforcer can be deployed on clusters or hosts in a matter of minutes with little risk or impact on the running applications. It is designed for scalability across the entire environment, making time to detection fast.

Behavioral detection is automatic and does not require manual policy configuration, saving time and resources. The Lightning Enforcer’s pre-populated runtime security policies are curated from in-the-wild threats discovered by Team Nautilus, providing immediate detection of sophisticated attacks. In fact, deploying the Lightning Enforcer for immediate visibility is a best practice to ensure comprehensive runtime protection. It’s the first step in monitoring for attacks on unknown vulnerabilities that were not discovered with shift-left security methods.

The Aqua Lightning Enforcer enables the Aqua platform to offer out-of-the-box CNDR (Cloud Native Detection and Response). It is powerful, lightweight runtime protection designed for the overworked security professional. It delivers clear, actionable insights so that Incident Response teams are alerted the moment a malicious security event is detected. With Aqua you can develop a robust runtime security program and feel confident that your production environment is protected against sophisticated attacks.

Shift Everywhere for Complete Protection

While “shift-left” scanning and hardening of cloud environments are critical elements of a full-lifecycle cloud native security strategy, all those efforts are moot without a way to protect at runtime against attackers who have evaded detection and are attempting to gain access to the production environment. In fact, Google Project Zero states that in H1 2022 at least half of the zero-day issues exploited in attacks were related to old flaws that had not been properly fixed. This makes runtime security key to protecting production environments from both known and unknown threats.

Aqua’s new Lightning Enforcer is available now as part of Aqua’s Runtime Protection offering and can be deployed across your environment in minutes. Aqua Security is the only cloud native security solution provider that offers a fully integrated Cloud Native Application Protection Platform, the Aqua Platform.

To learn more about the Aqua Platform and how Aqua’s Cloud Native Detection and Response (CNDR) detected and stopped a Log4j attack, check out this short demo video.


Erin Stephan
Erin Stephan is the Director of Product Marketing for Aqua's Cloud Security portfolio. Erin has more than 10 years of product marketing experience in data protection and cybersecurity. She enjoys connecting with people, helping to articulate their challenges, and bringing products and solutions to the market that help solve those challenges. In her free time, you can find her catching a flight to a new city, shopping for new home décor, or taking a spin class.