CrowdStrike to Acquire Flow Security to Expand Its Cloud Security Leadership with Data Security Posture Management Learn more

Runtime Analysis: A New Star Joins the Data Security Party

Cartographers used to fill empty spaces with mythical cities and monsters. These beautiful creations were a convenient way to cover up the unknown. 21st century CISOs cannot afford to follow this tradition. While a data flow map may seem complete on the surface, it may very well skip quietly over uncharted territory, such as shadow data, third-party services and unforeseen risk. How can we be certain there are no hidden blind spots beneath our seemingly perfect security posture? Now, for the first time, we can give ourselves a straight answer with runtime analysis – a new player that has joined the playing field and is breathing new life into the data protection game.

Runtime analysis is the first and only method to observe and protect data directly. As opposed to scanning data at rest, or tracking it in motion with logs, this method classifies the payload in runtime, obliterating blind spots and revealing data leaks as they occur. In this blog post we discuss runtime’s deep advantages and explain how it can be leveraged across the major pillars of your data protection strategy – discovery, security posture and prevention of leaks and breaches. 

Why Do We Need Runtime Analysis?

Times are changing fast, and if we fail to change with them, precious data will continue to spiral out of our control. In recent years, architectures have changed beyond recognition, becoming increasingly distributed, chaotic and unpredictable: 

  • Complex and massive – the amount of data and architectural complexity have grown exponentially.
  • Dynamic – infrastructures undergo thousands of changes per day, with thousands of moving parts added and subtracted, including external services.
  • Broadly-shared – dozens of teams process the same data, leading to a proliferation of data copies and shadow DBs.

Standard security practices are no longer equipped to deal with challenges such as these – data is moving too fast and too unpredictably. Controlling data in this landscape requires something potent that can shake up the old way of thinking. And this is exactly where runtime analysis comes in.

What is Runtime Analysis?

Runtime analysis gives us a whole new way to approach data protection. Rather than scan infrastructure or patch together an in-motion data lineage with logs – runtime uncovers the data path as it unfolds. Its unique ability to observe and classify data directly provides a data map without blind spots and leaves no room for guesswork. This makes it indispensable, not just to achieve pitch-perfect visibility and a reliable security posture, but also crucial in preventing leaks and breaches before they occur. 

In the following sections, we dive into the value runtime analysis brings across the three major pillars of data security – discovery & classification, posture assessment and the prevention of data leaks and breaches.

#1 Discovery & Classification: Why Real Visibility Requires Runtime

Now that monolithic architectures have shattered into thousands of distributed entities, it is no longer possible to keep track of data with just an at-rest approach. With data moving so quickly and unpredictably, how can teams possibly know ahead of time which DBs to scan? One of the deep issues here is that at-rest scanning will only echo back to you what you already know of, leaving out unapproved or newly-added services, shadow data stores, processed data and unexpected data paths.

Adding in-motion technology to your security toolbox would seem like the obvious answer to this problem. However, as things stand today, in-motion visibility is typically achieved through log analysis, a method that has a few critical downsides.

Logs look at the communication, not the data. Because they don’t observe the data itself, log analysis cannot classify data, meaning it is unable to detect sensitive information that may be lurking in unstructured or unexpected fields. Working only with network information leaves security teams with a very fuzzy notion of where sensitive data is and how to protect it. While log analysis can reveal that point A communicated with point B, it will not uncover where valuable data actually lies and whether the data transferred was a credit card number, a personal address or an insignificant piece of information. 

For this reason, companies that continue to use only at-rest or standard in-motion techniques will have partial visibility and continue to suffer constant data breaches and leaks.

Enter Runtime Analysis

Visibility, the first building block of any data security strategy, can no longer be achieved without runtime analysis. Rather than looking at where you think data is, runtime analysis allows you to discover data in real time, as it flows in and out of your environments. 

Because it reveals the data lineage as it unfolds, runtime analysis works just as well, whether data travels to expected or unexpected locations. This allows security teams to uncover shadow data and construct a dynamic flow map that provides full coverage and context of their data – including who owns the data, where it came from and where it’s going. 

But that’s not all. Runtime analysis also enables security to look at the data itself and classify it directly. This makes it the only method to accurately catalog a company’s data assets and pinpoint where sensitive data really lies.

This budding technology has turned the concept of visibility on its head. Rather than scan data at rest first and then try to construct an in-motion map – runtime-powered flow maps can illuminate where sensitive data is going and then scan data stores at rest where necessary.

#2 Is your Security Posture as Good as You Think it is?

There has been a lot of buzz around the concept of security posture. But not nearly enough energy has been put into asking how that posture is actually assessed and if it is true to reality. 

If you’re charged with securing company data, you don’t want a mirror that will flatter you – you want one that will give you the truth. But how can you tell if a DSPM tool is giving you a true reflection of your security posture? Once again – runtime plays a key role here.

Security posture is all about uncovering hidden risks and vulnerabilities. As discussed above, an at-rest methodology only scans known infrastructure and log analysis only covers expected data lineages without classification. Both these methods overlook the most vulnerable areas of all, where sensitive data may leak unprotected to third parties and services.

Consider the following scenarios:

  • Unexpected data flow – you scan the data in your known DBs, but miss out on data that leaks from an app to an unapproved third-party service.
  • Shadow data – you harden access to customer data in sensitive databases, but an unprotected shadow copy is used by developers.
  • Hidden PII – using log analysis you protect locations where valuable data should be. Meanwhile, sensitive data lurking in unexpected fields or unstructured data goes unclassified and remains vulnerable.
  • Processed data – your compliance audit is coming up, but your evidence is incomplete, because logs only show you where data was and is, and cannot trace where it was processed along the way. As a result, you cannot account for processed data – a crucial part of meeting regulatory requirements.
  • Architectural changes – you protect all anticipated data transactions, but fail to catch sensitive data before it flows to a just-added and unapproved GenAI service.

Runtime Analysis Speaks the Truth 

If you want an honest security posture report, runtime is the unavoidable next step. Why is this?

First, with runtime analysis, the actual payload is classified in real time. This makes it the only method to analyze data as it flows, at rest, in use and in motion. This enables an accurate flow map that reveals shadow data and risky flows that would otherwise remain in the dark.

Second, runtime analysis analyzes the data itself, along with metadata – revealing what was sent, to whom, and why. This means sensitive data is detected even if it is hiding somewhere unexpected. Combine this with technology such as large language models, and security teams can classify data into industry and company-specific categories. This way, instead of protecting possibly-vulnerable infrastructure, teams can secure definitely-sensitive data.

A third and final point to consider is that risks develop quickly. As opposed to logs and at-rest scans that shine a light on the past, runtime is focused on the present. By mapping and classifying data in real time, runtime analysis can uncover risks that have just formed. For example, it can catch sensitive data before it leaks to a service just added by a developer, or detect a credit card number that has just been copied into an unstructured field and is about to be shared with a GenAI service.

#3 Getting Proactive with Runtime: Preventing Data Leaks and Breaches

One of the biggest misconceptions in the security industry is that perfect posture equals perfect data protection. In truth, security posture alone will not prevent data leaks or breaches. Just like a glucose monitor won’t lower your blood sugar, measuring risk and improving posture won’t be enough to tackle all potential security incidents.

The last step in a solid security strategy cannot be passively assessing risk – it must also include active enforcement and prevention policies. Once more, at-rest solutions will not cut it here. At-rest approaches only scan known DBs and will not catch data leaking in the act. If data leaks somewhere outside the scope of our preexisting knowledge, the leak may go unnoticed for far too long. But even solutions that claim to do in-motion often miss the mark, if they are based on logs.

Because logs are data blind, rules will be based on communication and not on the actual data. The significance of this is twofold. First, it can result in alert fatigue. Imagine, for example, a database that contains only PCI data. In this case, log analysis might mistakenly flag every single communication with that database as a PCI data transfer. Second, logs may completely miss sensitive PCI data that is leaking to a third party, because that data happens to reside in an unstructured field or a low-risk database. Taken together, you could say that log-based policies run the risk of both crying wolf and getting eaten.
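To make the "crying wolf and getting eaten" point concrete, here is an added Python illustration (written for this post, not Flow's own engine) that runs a log-only rule and a payload classifier over the same handful of constructed flow events: a health check and a real card read against a PCI database, a card number pasted into a free-text ticket field on its way to an external GenAI service, and a harmless note. The host names, the approved-destination list and the regex-plus-Luhn card check are assumptions; a real runtime classifier covers far more data types than card numbers.

```python
import re
from dataclasses import dataclass

# Constructed sample events. Each carries the network-level view that a log
# would record (src, dst, bytes) plus the payload that only a runtime probe
# sees. All host names and values are hypothetical.
@dataclass
class FlowEvent:
    src: str
    dst: str
    nbytes: int
    payload: str  # what actually crossed the wire

PCI_DB = "pci-db.internal"
# Hypothetical list of destinations allowed to receive card data.
APPROVED_DESTINATIONS = {PCI_DB, "orders-db.internal", "api.billing.internal"}

EVENTS = [
    # 0: health check against the PCI database: nothing sensitive inside
    FlowEvent("checkout-svc", PCI_DB, 42, "SELECT 1"),
    # 1: a real card read from the PCI database
    FlowEvent("checkout-svc", PCI_DB, 310, '{"card":"4111111111111111","exp":"12/27"}'),
    # 2: a card number pasted into a free-text ticket field and shipped to an
    #    external GenAI service; it never touches the PCI database
    FlowEvent("support-svc", "api.third-party-llm.example", 512,
              '{"notes":"customer asked to charge 4111 1111 1111 1111 instead"}'),
    # 3: a harmless note written to a low-risk ticket store
    FlowEvent("support-svc", "tickets-db.internal", 120, '{"notes":"refund approved"}'),
]

def log_based_policy(ev: FlowEvent) -> bool:
    """A rule built on logs alone: it sees endpoints and volume, never the
    payload, so every contact with the PCI database must count as a PCI
    transfer."""
    return ev.dst == PCI_DB

# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut down false matches on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify_payload(payload: str) -> set:
    """Labels found by inspecting the payload itself (this toy only knows PCI)."""
    labels = set()
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            labels.add("PCI")
    return labels

def compare_policies(events):
    """Runs both approaches over the same events and returns the event
    indexes each one flags."""
    log_alerts = [i for i, ev in enumerate(events) if log_based_policy(ev)]
    runtime_pci = [i for i, ev in enumerate(events)
                   if "PCI" in classify_payload(ev.payload)]
    runtime_leaks = [i for i in runtime_pci
                     if events[i].dst not in APPROVED_DESTINATIONS]
    return {"log_alerts": log_alerts,
            "runtime_pci": runtime_pci,
            "runtime_leaks": runtime_leaks}

if __name__ == "__main__":
    result = compare_policies(EVENTS)
    print("log-based rule flags events:", result["log_alerts"])          # [0, 1]
    print("runtime classification finds PCI in:", result["runtime_pci"])  # [1, 2]
    print("runtime policy reports leaks in:", result["runtime_leaks"])    # [2]
```

The log-only rule raises an alert on the health check (false positive) and stays silent on the ticket payload leaving for the third party (false negative), while classifying the payload flags exactly the two events that carry a card number and reports only the one headed to an unapproved destination.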

Runtime Analysis is at the Heart of Policy Enforcement

Runtime analysis is central to preventing data leaks and breaches. It is that missing piece that can finally make our security strategies truly proactive.

Runtime analysis is the only technology where policies are enforced based on actual real-time data transfers. When you scan DBs at rest or even patch together an in-motion data flow with logs, you are confined to what is known. That is, you scan where you think there is risk and protect what you think is valuable. With runtime analysis, on the other hand, there is no more guesswork. By classifying the payload, you sit right on top of what you want to protect – watching and controlling data directly, as it moves. 

These runtime capabilities form the basis for policies that remain reliable across all environments and services, apply even to the most elusive shadow data, and continue to hold up in the face of unexpected and fast-paced architectural changes. Coupled with anomaly detection, runtime-powered policies can also instantly flag anomalous flow patterns as they occur.
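As an added example of what a policy layer built on classified flows can look like (example code written for this post, not Flow's platform), the Python below takes flow records that a runtime probe has already labeled, folds them into a flow map, and makes an allow/block/alert decision per record: block when a sensitive payload heads to a destination outside an approved set, alert when a sensitive label appears on an edge that never carried it during a baseline window. The service names, the approved set and the baseline records are all constructed.

```python
from collections import defaultdict

# Constructed, already-classified flow records of the kind a runtime probe
# would emit once the payload has been labeled. Services, hosts and the
# approved list below are hypothetical.
BASELINE = [  # flows observed during a learning window
    {"src": "checkout-svc", "dst": "pci-db.internal", "labels": {"PCI"}},
    {"src": "crm-svc", "dst": "customers-db.internal", "labels": {"PII"}},
    {"src": "crm-svc", "dst": "analytics-svc", "labels": set()},
]

LIVE = [  # records arriving after the baseline was learned
    {"src": "checkout-svc", "dst": "pci-db.internal", "labels": {"PCI"}},         # 0: known flow
    {"src": "crm-svc", "dst": "analytics-svc", "labels": {"PII"}},                # 1: known edge, PII never seen on it
    {"src": "crm-svc", "dst": "api.third-party-llm.example", "labels": {"PII"}},  # 2: PII to an unapproved service
    {"src": "billing-svc", "dst": "pci-db.internal", "labels": set()},            # 3: new edge, nothing sensitive
]

APPROVED = {"pci-db.internal", "customers-db.internal", "analytics-svc"}
SENSITIVE = {"PCI", "PII"}

def build_flow_map(records):
    """Collapses records into edges (src, dst) -> union of labels seen on that edge."""
    edges = defaultdict(set)
    for r in records:
        edges[(r["src"], r["dst"])] |= r["labels"]
    return dict(edges)

def destinations_for(flow_map, label):
    """Where a given class of data has actually been observed to land."""
    return {dst for (_, dst), labels in flow_map.items() if label in labels}

def decide(record, approved, baseline_map):
    """Policy decision for one classified flow record."""
    sensitive = record["labels"] & SENSITIVE
    if sensitive and record["dst"] not in approved:
        return "block"  # enforcement: sensitive payload to a destination outside the approved set
    if not sensitive:
        return "allow"  # nothing worth protecting in this payload
    seen = baseline_map.get((record["src"], record["dst"]), set())
    if sensitive - seen:
        return "alert"  # anomaly: approved destination, but this edge never carried that label before
    return "allow"

def enforce_all(records, approved, baseline_map):
    """Decisions for a batch of records, in input order."""
    return [decide(r, approved, baseline_map) for r in records]

if __name__ == "__main__":
    baseline_map = build_flow_map(BASELINE)
    for r, d in zip(LIVE, enforce_all(LIVE, APPROVED, baseline_map)):
        print(f"{d:5}  {r['src']} -> {r['dst']}  {sorted(r['labels'])}")
    print("PII observed at:",
          sorted(destinations_for(build_flow_map(BASELINE + LIVE), "PII")))
```

Because the decisions key off the payload's labels rather than the endpoints, the same three rules apply unchanged when a new service, a shadow copy or a freshly added GenAI endpoint shows up: the unknown destination is caught by the approved-set check, and a known destination that suddenly starts receiving a new class of data is caught by the baseline comparison.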

Flow Brings Runtime Analysis to the Party

In a world full of shadow data, third parties and GenAI services, data security strategies must be prepared to handle the unanticipated, unplanned and unauthorized. But standard solutions, such as at-rest and in-motion methods, often do not pick up on unexpected data flow – the part of the data lineage where data is at its most vulnerable. As a result, your DSPM dashboard may give you the illusion of full visibility and perfect posture, while quietly letting sensitive data go where it shouldn’t.

This is why Flow Security developed the first ever runtime-based data protection platform. Powered by eBPF, LLM-powered classification and real-time enforcement, Flow enables security teams to ditch their hypothetical maps and deploy their troops on the actual territory. It is the only solution that tracks data as it flows – providing data flow maps that always zero in on where the action is. This forms the basis for highly targeted policies that detect anomalous flow patterns as they occur, integrate directly into existing workflows and nip any data breach or leak in the bud.

Embracing runtime represents a huge paradigm shift in the industry – rather than fortify the castle walls and hope for the best, Flow’s runtime analysis solution allows security teams to protect the treasure itself – controlling data from the inside no matter where it flows, and catching it before it slips out the back door.
