Behavioral Cloud Application Detection & Response (CDR / ADR)
Protect your cloud applications and workloads from cyberattacks before they happen and quickly respond to them, without being overwhelmed by alerts.
Unlike other runtime security agents, which require constant manual tuning of detection rules, generate many alerts without context or flow, and consume significant CPU and memory, ARMO Platform's CDR is lean (60% less resource consumption), real-time, risk-driven, and based on application behavior.
A whole new way to protect cloud applications and workloads in runtime
By combining cloud logs, API and Kubernetes data, and eBPF-based application runtime behavior data, ARMO Platform's CDR & ADR creates a unique DNA profile of each application, enabling effective detection of and response to anomalous behavior, malicious activity and malware with the complete context of the attack, the application and the cloud.
Prevent cyber attacks, stop breaches
Minimal false positives
Low footprint, Low TCO
Threat spotlight
Low touch configuration
Focus on security events, not on managing alerts
With ARMO Platform, you can be confident that every alert is a real malicious event requiring your full attention.
ARMO Platform provides protection against a broad spectrum of threats and malicious attacks targeting your cloud workloads and Kubernetes clusters - zero days, supply chain attacks, ransomware, crypto miners, data breaches, file-based or fileless attacks and more.
How it works
Application Profile DNA (APD)
ARMO Platform uses an eBPF-based runtime sensor to record application behavior such as process activity, file activity, network activity, system calls and more.
The recorded baseline is then enriched with relevant context from Kubernetes events, CI/CD data, cloud data and container data, resulting in a holistic baseline of each application's normal behavior: its profile DNA.
Anomaly detection
ARMO Platform alerts on application behavior inconsistent with the baseline Application Profile DNA.
When an application deviates from its baseline profile, a real-time alert is triggered to flag the anomaly.
Malicious behavioral detection
ARMO Platform detects activities that are consistent with malicious behavior (e.g. in-memory fileless attack, reverse shell, etc.).
Detected malicious behavior indicates that your application may be compromised, so a real-time alert is triggered to flag the threat.
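The two detection stages above (baselining normal activity, then alerting on deviations and on known-malicious patterns) can be illustrated with a small script. This is an added example written for this page, not ARMO's sensor or detection logic: the event records, the workload name, the per-kind baseline sets and the shell-plus-new-connection escalation rule are all constructed simplifications of the approach the page describes.

```python
"""Added illustration of behavioral baselining and anomaly detection.

Not ARMO Platform code. Event records are constructed stand-ins for what an
eBPF runtime sensor would report for one workload during a learning window
(BASELINE_EVENTS) and later at runtime (RUNTIME_EVENTS).
"""
from collections import defaultdict

# Constructed learning-window events for a hypothetical workload "web".
# Kinds mirror the activity classes the page lists: process, file, network, syscall.
BASELINE_EVENTS = [
    {"workload": "web", "kind": "process", "value": "/usr/bin/python3"},
    {"workload": "web", "kind": "file", "value": "/app/config.yaml"},
    {"workload": "web", "kind": "network", "value": "10.0.0.5:5432"},
    {"workload": "web", "kind": "syscall", "value": "openat"},
    {"workload": "web", "kind": "syscall", "value": "connect"},
]

# Constructed runtime events: two match the baseline, two do not.
RUNTIME_EVENTS = [
    {"workload": "web", "kind": "process", "value": "/usr/bin/python3"},
    {"workload": "web", "kind": "process", "value": "/bin/sh"},
    {"workload": "web", "kind": "network", "value": "203.0.113.9:9001"},
    {"workload": "web", "kind": "file", "value": "/app/config.yaml"},
]

# Simplified list of interpreters treated as interactive shells (assumption).
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}


def build_profile(events):
    """Learn the baseline: for each workload and event kind, the set of values seen."""
    profile = defaultdict(lambda: defaultdict(set))
    for event in events:
        profile[event["workload"]][event["kind"]].add(event["value"])
    return profile


def detect_anomalies(profile, events):
    """Return (workload, kind, value) for every runtime event absent from the baseline."""
    anomalies = []
    for event in events:
        seen = profile.get(event["workload"], {}).get(event["kind"], set())
        if event["value"] not in seen:
            anomalies.append((event["workload"], event["kind"], event["value"]))
    return anomalies


def correlate(anomalies):
    """Escalate when one workload shows both a new shell process and a new outbound
    destination. This is a constructed heuristic for the reverse-shell pattern the
    page names as an example, not ARMO's detection rule."""
    by_workload = defaultdict(lambda: {"process": set(), "network": set()})
    for workload, kind, value in anomalies:
        if kind in ("process", "network"):
            by_workload[workload][kind].add(value)
    findings = []
    for workload, kinds in by_workload.items():
        if kinds["process"] & SHELLS and kinds["network"]:
            findings.append((workload, "high",
                             "new shell process together with new outbound connection"))
    return findings


def analyze(baseline_events, runtime_events):
    """Run both stages and return the anomaly list and the escalated findings."""
    profile = build_profile(baseline_events)
    anomalies = detect_anomalies(profile, runtime_events)
    return anomalies, correlate(anomalies)


if __name__ == "__main__":
    anomalies, findings = analyze(BASELINE_EVENTS, RUNTIME_EVENTS)
    for anomaly in anomalies:
        print("anomaly:", anomaly)
    for finding in findings:
        print("finding:", finding)
```

The point of the two stages is the one the page makes: a deviation from the baseline (a new binary or destination) is worth an alert on its own, and combining deviations with a known-malicious pattern gives the alert context and a severity, which is what lets a responder act without triage of each raw event.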
Malware detection
ARMO Platform detects malware based on known properties of malicious software.
Malware that goes undetected can compromise every instance of your application or workload, so a detection triggers a real-time alert.
Bringing it all together
ARMO Platform combines anomaly detection with behavioral inspection to establish an advanced level of cloud workload security within Kubernetes clusters.
In this environment, every action undergoes analysis and review by ARMO Platform's runtime sensor.
Moreover, by integrating malicious behavior and malware detection, ARMO Platform addresses supply chain attacks as they happen.
These two components complement anomaly detection, ensuring that threats are identified even when they might not be apparent as standalone issues.
Threat Response
Responding to a malicious incident depends on the identified threat
When an application deviates from its expected behavior, or other malicious behavior is identified, ARMO Platform flags it and kills the associated processes or containers (automatically or manually, depending on system configuration), neutralizing the immediate threat to the workload and reducing the possible blast radius of the attack.
When malware is identified, ARMO Platform quarantines the infected workload or kills the pod altogether to neutralize the threat as a whole.