All news with #runtime security tag

🔐 Cloudflare has added outbound Workers to its Sandboxes and Containers, providing programmable egress proxies that let sandboxed workloads connect, add observability, and perform safe authentication. Handlers such as outboundByHost and global outbound functions can inject headers, block requests, or log traffic without exposing secrets to the guest. The proxy runs locally beside the sandbox with minimal latency and integrates with platform bindings like KV and R2 for identity‑aware, dynamic controls.

🔒 CrowdStrike announced it is a founding member of Project Glasswing, partnering with Anthropic to secure execution of frontier models like Mythos Preview where they run inside enterprises. CrowdStrike emphasizes its sensor-level visibility across endpoints, real-time AI Detection and Response, and Falcon Data Security to govern data and agent behavior at runtime. The company frames deployment governance as distinct from model safety and highlights regulatory and operational requirements for enterprise adoption.

🛡️ Amazon Elastic Container Service (ECS) introduces Managed Daemons for ECS Managed Instances, enabling platform teams to centrally deploy and manage security, observability, and networking agents independently of application tasks. ECS guarantees exactly one daemon task per managed instance and ensures daemons are running before application placement, improving coverage and resource efficiency. Updates are handled by draining and replacing instances with circuit breaker and rollback protections; the feature is available in all AWS Regions with no additional service cost beyond compute.

🛡️ CrowdStrike's Falcon Linux sensor now offers enhanced visibility and detection for PHP web shells, improving discovery of both pre-existing and obfuscated variants. The On write script file visibility capability captures script content and context as files are written, while Enhance PHP visibility surfaces dynamically evaluated PHP (eval/assert/create_function) as PhpEvalString events. These features have already supported OverWatch in identifying hundreds of web shells and provide richer telemetry for faster investigations and hunting.

🔒 This post demonstrates a serverless file integrity monitoring (FIM) pattern using AWS Systems Manager Inventory, Amazon S3, Lambda, and Amazon Security Lake. It collects file metadata from EC2 instances, exports versioned inventory objects to S3, and uses S3 Put events to trigger a Lambda that compares current and previous inventory versions to detect created, modified, or deleted files. When unauthorized changes are found, the function generates ASFF findings in AWS Security Hub, which Security Lake ingests and normalizes for query and visualization via Athena, QuickSight, or OpenSearch.

🔒 Microsoft describes runtime protections that let organizations inspect and control AI agent behavior in real time by integrating Microsoft Defender with Copilot Studio. Webhook-based checks evaluate planned tool invocations, intent, context, and previous orchestration outputs before execution, enabling precise allow/block decisions without changing agent logic. The post demonstrates three attack scenarios—malicious invoice-triggered instructions, SharePoint prompt injection, and capability reconnaissance—and shows how runtime blocking, logging, and XDR alerts prevent data exposure.

🛡️ FortiGuard Labs reports new Linux-focused eBPF malware updates in 2025, including 151 new BPFDoor samples and three new Symbiote samples. Both families abuse eBPF to install kernel-level packet filters that enable stealthy C2 channels; Symbiote is using UDP port-hopping across high ports while BPFDoor has added IPv6 and DNS-based filtering. Detection is difficult but Fortinet provides AV and IPS protections.

🔒 Ringfencing, or granular application containment, enforces least privilege for authorized software by restricting file, registry, network, and interprocess access. It complements allowlisting by preventing misuse of trusted tools that attackers commonly weaponize, such as scripting engines and archivers. Effective rollout uses a monitoring agent, simulated denies, and phased enforcement to minimize operational disruption. Properly applied, containment reduces lateral movement, blocks mass exfiltration and ransomware encryption while preserving business workflows.

🛡️ Kaspersky developed a machine-learning model to detect DLL hijacking, a technique where attackers replace or sideload dynamic-link libraries so legitimate processes execute malicious code. The model inspects metadata such as file paths, renaming, size, structure and digital signatures, trained on internal analysis and anonymized KSN telemetry. Implemented in the Kaspersky Unified Monitoring and Analysis Platform, it flags suspicious loads and cross-checks cloud reputation to reduce false positives and support retrospective hunting.

🔒 Cloudflare describes recent security hardening applied to Cloudflare Workers, combining V8 runtime changes with CPU features to strengthen isolation of customer scripts. The post highlights use of memory protection keys (PKU) assigned per-isolate, adoption of V8's sandbox and compressed pointers to confine heap corruption, and custom memory placement to pack sandboxes efficiently. Together these mitigations improve defense-in-depth and reduce opportunities for cross-isolate data leaks.

🛡️ The shift to containers, Kubernetes, and serverless has made runtime visibility the new center of gravity for cloud-native security. CNAPPs that consolidate detection, posture, and response are essential, but observing active workloads distinguishes theoretical risk from live exposure. AI-driven correlation and automated triage reduce false positives and accelerate remediation. Vendors such as Sysdig stress mapping findings back to ownership and source code to drive accountable fixes.