Shlomi Zigart's profile

Twistlock - Cybersecurity Serverless Radar

  

2.1 Twistlock Overview
Twistlock was founded in December of 2015. It was the first container cybersecurity platform. The company was acquired by Palo Alto Networks in July 2019 for almost half a billion dollars. This case study focuses on the Cloud Serverless Radar.

2.2 Case Study Overview
The serverless architecture was created as a way to allow developers to focus on the application layer, without having to be concerned with the servers or runtimes underneath. It is becoming an increasingly popular option for cloud workloads. This radar is focused primarily on ingress and egress to other cloud platform services.

2.3 Problem Statement
In order to help users understand the big picture, we continued to develop radar visualization. Serverless technology facilitates faster development, but the lack of visibility into the underlying infrastructure means that security has taken a back seat. This radar's goal is to fill this gap by providing security and visibility to protect serverless functions.

2.4 Users & Audience
Users can be divided into two types: DevOps and SecOps. Usually, SecOps get alerts about a specific vulnerability, then they check it on the radar, and then they ask DevOps to fix it.

2.5 Scope & Constraints
We were a three-person team: VP Product, a front-end engineer, and me. This was part of a 3-month release we had. Since then, we have continued to improve it.

2.6 Outcomes & Lessons
The Twistlock product was changed. The SecOps loved the radar. Four different radars were now available. A revolution had begun.



The left-most column shows how functions are invoked. The middle column shows all the functions in your environment. Functions are colored maroon, red, orange, yellow, or green to let you quickly assess their security posture. The right-most column shows the services with which each function interfaces. Lines connect triggers to functions to services, letting security teams visualize the entire connectivity flow and access rights.


Clicking on individual functions highlights their interconnects in the radar, and opens a pop-up that lets you drill into the details.


Main functionality wireframe. This wireframe was created using Axure. Discussions included developers, product, and me. The main goal was to show all the services that can trigger a function on the left side, all the functions in the middle, and all the services they push data to on the right. It was to support only Lambda (AWS), colorize Lambdas based on vulnerability state, and enable filtering by account and region.


On click of a Lambda, show a popup with details on the specific invocation and the services it interacts with. Also in the popup, show any relevant metadata about the function available from the underlying platform.


The challenge was to create value for the user, whether it is DevOps or the CISO. The radar allows you to zoom in and out. Nodes are color coded based on the highest severity vulnerability or compliance issue they contain, and reflect the currently defined vulnerability and compliance policies. Color coding lets you quickly spot trouble areas in your deployment.


Maroon: one or more critical severity issues detected
Red: high severity
Orange: medium severity
Yellow: low severity
Green: no issues detected
Grey: not configured to scan this function for vulnerability and compliance issues



Thanks for watching my work :)

I was asked by Twistlock CTO to create a new look & feel for the UX/UI of the Twistlock product
