Feature Announcement: Enhancing ARMO Platform’s Threat Detection and Response

Jan 7, 2025

Yossi Ben Naim
VP of Product Management

We are excited to announce the upcoming enhancement of ARMO Platform’s Threat Detection and Response feature, designed to provide more robust, real-time security protection for your cloud and Kubernetes environments. While the existing feature effectively detects anomalies, suspicious behavior, and active threats, we recognize the need for additional critical components: Policies, Response, and notifications.

These additions will transform ARMO’s Threat Detection into a comprehensive, automated security solution that empowers security teams to act faster and more effectively.

1. Tailored Security Enforcement Policies

With ARMO enforcement policies you can define and enforce security policies that are fully customized to their environments, ensuring that security measures align with specific operational needs.

Key Features

Policy Definition Interface: A user-friendly interface for creating and managing runtime security policies, with predefined templates and custom policy options.
Policy Evaluation: A robust policy engine that assesses activities and configurations against defined policies.
Policy Enforcement: Automated responses and notifications triggered by policy violations, streamlining security management.

2. Real-Time Threat Notifications

With real-time threat notifications, you can ensure that security teams are instantly notified about threats through their preferred communication channels, enabling immediate response.

Key Features

Configurable Notifications: Customizable notifications based on severity, threat type, or resource impact.
Notification Channels: Integrations with Slack and Microsoft Teams.
Severity-Based Alerts: Prioritized alerts based on threat severity to focus on the most critical incidents.
Centralized Alert Dashboard: A single pane of glass to manage, view, and acknowledge alerts for easy incident oversight.

3. Immediate Threat Mitigation

With ARMO threat mitigation you can take instant action against detected threats—automatically or manually—minimizing damage and ensuring swift resolution.

Key Features

Automated Response Actions: Define automated actions like Kill, Stop, or Pause for policy violations or detected threats.
Custom Playbooks: Users can create response playbooks to automate actions in response to specific threats.

4. Posture based Policy

ARMO Platform allows security teams to easily establish response policies based on the risks associated with their workloads. This simplifies the process of configuring these policies, eliminating the need for resource enumeration or label management, and avoids the constant updates required with every new version or vulnerability. You can set policies based on various risk factors, including external exposure, privilege levels, secret access, data access, and host access.

5. Vulnerabilities based Policy

Proactive risk management – Implementing a CVE-based threat detection policy allows for early identification of potential vulnerabilities, enabling preemptive action before exploitation occurs.
Improved incident response – By leveraging CVE data, organizations can develop more targeted and effective incident response strategies, reducing potential damage and recovery time.

6. Quarantine: Isolating Threats Proactively

Empower users to respond to threats in real-time by implementing network policies or seccomp profiles, thereby effectively reducing the impact of a security incident on the wider environment.

Key Features

Network Policy Enforcement: Automatically apply network policies to isolate suspicious workloads, control network communication, and contain potential risks.
Seccomp Profile Application: Restrict system calls by applying seccomp profiles to suspicious containers, limiting their ability to interact with the system.
Automated and Manual Quarantine: Users can automate quarantine actions based on specific incident types or apply them manually through the response interface.

7. Reducing False Positives with exclusions

Manage exclusions, to ensure that unnecessary or repetitive alerts do not distract from genuine security threats.

Why This Matters

With these critical updates, ARMO’s Threat Detection and Response will offer unparalleled control, automation, and precision to handle Kubernetes security at scale. Whether it’s defining tailored security policies, receiving real-time alerts, executing automated responses, or applying quarantine measures, your security team will be better equipped to safeguard your cloud-native infrastructure.

Stay tuned for more details about the release date and further updates. As always, our commitment to providing best-in-class Kubernetes security drives every enhancement we bring to ARMO platform.