Next Wave of Runtime Security: Revolution or Reinvention?

It’s interesting how trends in cybersecurity have a way of circling back around. While there have always been solutions securing runtime environments, our Innovation team is noticing an uptick in investments labeling themselves “runtime security” – so much so that we included this as a 2024 Enterprise Technology Theme. As we started evaluating the investments in runtime, it brought us down a path of asking questions like “how is this new and why now,” “how did we get here,” “what will this mean for enterprise adoption”.. and here we are- attempting to share our uncovered knowledge with you. Let’s step inside the brain of an Innovation Researcher to walk through how we’ve been digesting this resurgence in runtime security.

Why is runtime security coming back around?

Before we get too deep into this topic, let’s uncover how this use case is coming back on our radar and why now. There are plenty of examples of what our team would consider “emerged use cases” providing security in runtime- EDR, NDR, WAF, to name a few. Each provide a variety of real-time monitoring, detection, and response capabilities, which are crucial for maintaining security in dynamic and distributed IT landscapes. So, we asked ourselves- “if there is already security in runtime, then why are we seeing a handful of technologies pop up across different use cases calling themselves ‘runtime security?’ What is emerging here or is this just a marketing refresh?”

Well, what we uncovered is it tracks back to challenges traditional runtime security solutions have had. These solutions typically produce so many alerts, creating data overload for busy analysts attempting to sift through and prioritize. Even after alerts have been prioritized, it can be challenging to piece through the environment to understand how to remediate. These challenges, along with the evolving sophistication of attacks and the widespread adoption of modern architectures (such as microservices, containerization and cloud-native environments), bring us to the “why now” question. They point to why the market is calling for a new approach to runtime and why we are seeing a surge in investments.

How is the tech evolving? 

If the challenge with more traditional runtime security is data overload, then there are plenty of opportunities to resolve this in runtime. When we started this research, we assumed that the enhancements would focus on the response and resolution capabilities. However, where we are actually seeing the market lean is in contextualizing the data in a way that is easy to digest. Solutions are creating a more customized way to understand an environment by establishing a baseline of how the environment normally operates, and continuously prioritizing any alerts or deviations from normal activity- monitoring 2.0, if you will. To report on findings in a digestible manner, some solutions are creating graphs to visually show the relationship between different resources, while others are focusing on other types of vulnerability reporting capabilities. In summary, they are giving context on where problems are, the source of the problems, and the adjacent resources.

“Now, how are these solutions able to gather this level of context?” The magic in many of these runtime solutions comes in just 4 letters- eBPF. I know, another acronym for you. This one stands for extended Berkeley Packet Filter. While not new, it is an agent situated within the kernel that is gaining more widespread adoption because of its ability to contextualize events going on without putting much strain on the environment. It goes beyond monitoring file activities by enriching data with information about an event’s context.

Now, not every solution is leveraging eBPF, it’s not necessarily a requirement for to be considered emerging runtime security, but it is a technique for continuously gathering context into these environments. Regardless of how the context is gathered, the important takeaway is that it is and it is represented in a manner that is digestible to understand and track.

After uncovering this, our question became “but if the market is leaning into monitoring- what about the response?” So, while the market is really leaning into enhanced monitoring, the challenge still lies with solutions needing to solve for the response in runtime. Organizations need better processes for detecting and prioritizing anomalies- which appears to be leading to the next phase that some of these solutions are tackling. Given the context that was gathered in with monitoring, some solutions are natively blocking any traffic that is identified as anomalous. Additionally, some are leveraging the context gathered to create a cheat sheet, if you will, to map all the areas impacted, what needs to be remediated, and how this will adjust your environment. Now, each solution has a different capability set on this remediation, and depending on the use case, this may look very different.

Where is this popping up in the market?

Since it is difficult to be an expert in every runtime scenario, these runtime solutions are taking shape in many flavors, providing a much-needed lens on specific resources throughout the runtime environment. They are spanning many domains of enterprise security and popping up in existing use cases.

• Solutions, such as Raven and Oligo, are spanning different layers of application security.

• Emerging API security solutions, such as Ghost Security, are shifting their priorities on providing much needed context to posture management in production.

• Cloud-native security is seeing vendors providing context to the infrastructure, like UpWind, or to Kubernetes and workloads, like Rad Security or Spyderbat.

• Our team is even seeing vendors across more niche areas emerging with runtime offerings, like in IoT security with Exein, and hypervisor security with ValiCyber.

While I only listed out a handful of vendors as examples for now, it feels like every day our team is coming across a new website singing this runtime security tune. At this point, the trend is still too emerging to provide a thorough market landscape but rest assured, our team will continue to track this trend and the players as they emerge.

What lies ahead?

This is a question we are asking ourselves on the Innovation team. The short answer is- many of these context-based runtime security solutions are best-of-breed emerging technologies. They sit alongside other runtime and SOC solutions you have in your environment, providing you the additional context to act on prioritized vulnerabilities. When considering the maturity of this market, it has left our team with some questions that we are exploring. These are questions including:

• Will this runtime security market continue to take off with new directions and use cases?

• Will response become a more prominent feature?

• Over the next decade, will this change the way that security leaders and analysts expect to receive information from their tooling?

While we continue to explore these questions and the future of runtime security, it is likely this approach will continue to branch off into different security domains from the ones we listed above, and across different use cases. It is also likely that we will continue to see an expansion of capabilities- starting with providing the contextual visibility into the environment, expanding into remediation, and who knows, maybe even be folded into larger platforms, like many other best-of-breed vs. platforms have. Regardless of where it goes, our Innovation team finds this investment trend in runtime security to be intriguing. It has the potential to provide the much-needed balance in security throughout the SDLC, and may even kick off the expectation in security leaders and analyst to receive information that is as easy to understand and digest as possible, without having to search through the data points.

If your interested in diving into what this new wave of runtime security could mean for your organization, feel free to reach out to us at innovation@trace3.com