Déjàvu: Bringing black-box security analytics to cloud

Abstract

Emerging security solutions for cloud commonly operate in two phases, data collection and analytics. Data collection phase provides visibility into cloud resources (images, containers, VMs, etc.) and analytics derives insights built on data. Analytics phase is commonly decoupled from data collection and cloud resources as a separate, scalable pipeline. This enables cloud-scale operation via separation of concerns and overheads. Analytics focus on deriving high-value insights from data, and data collection focuses on efficient and minimally-intrusive inspection and introspection techniques. However, this model breaks traditional security solutions, such as endpoint managers, malware and compliance checkers, that are designed to run locally inside the systems they are securing. The common cloud strategy to address this problem has been to rewrite existing solutions to “work from data” instead of “working inside the system”. This requires huge amount of resources and effort, and has fueled a slew of new “cloud-native security” solutions in the field. In this paper we approach this problem from a different angle. Instead of rewriting security solutions to work from data, we explore how to reuse existing security solutions as black-box analytics in the cloud. We present DéjàVu, a framework that makes data accessible to traditional software by mimicking a system veneer over the data. We achieve this by re-building a standard native POSIX system interface over the data. We enable traditional security applications to run unmodified in a black-box fashion. We validate our framework with state of the art third party security solutions and demonstrate that they can be operated with modest overhead.