Upwind’s Microsoft Alliance: Why Runtime Security is the New Battleground for Azure Workloads + Video

Listen to this Post

Featured Image

Introduction:

The modern cloud attack surface is no longer defined by static configurations but by the dynamic, often unpredictable behavior of running workloads. Traditional vulnerability management generates noise by focusing on dormant flaws, leaving security teams unable to distinguish between a theoretical risk and an active breach. The recent partnership between Upwind Security and Microsoft Azure marks a strategic shift toward “runtime-powered security,” a model that leverages real-time telemetry to prioritize only the threats that matter. This integration signifies a move from infrastructure-centric protection to workload-aware defense, forcing a reevaluation of how DevSecOps teams approach cloud native application protection platforms (CNAPPs).

Learning Objectives:

  • Understand the architectural difference between static cloud security posture management (CSPM) and runtime-powered CNAPP.
  • Learn how to leverage Azure audit logs and telemetry to map active attack surfaces.
  • Identify commands and configurations to implement runtime context for vulnerability prioritization in multi-cloud environments.

You Should Know:

1. The Runtime Revolution: Moving Beyond “Shift-Left”

The core premise of the Upwind and Microsoft collaboration is that security must exist everywhere, but it should only alert on what is actually exploitable. While “shift-left” practices help developers write secure code, they fail to protect the “shift-right” reality of production environments. Attackers don’t exploit vulnerabilities in dormant code; they exploit running processes with excessive privileges.

This integration uses Azure’s native cloud telemetry and audit logs to create a real-time inventory of how workloads communicate. For example, a critical vulnerability (CVE) in a container library is irrelevant if that library is never loaded or called by a running application. Upwind utilizes eBPF (Extended Berkeley Packet Filter) technology to gain deep visibility into the Linux kernel on Azure VMs and AKS (Azure Kubernetes Service) nodes without impacting performance.

Step‑by‑step guide to understanding runtime visibility:

To appreciate what Upwind does, one must understand the data source. Azure provides activity logs, but runtime security requires process-level telemetry.
– On an Azure Linux VM (using eBPF conceptually): To see running processes and network connections (similar to what a runtime tool collects), you would traditionally use:

 List all active network connections with associated processes (requires root)
sudo netstat -tunap
 Monitor real-time process creation
sudo auditctl -w /usr/bin/ -p wa -k process-monitoring
 View live system calls (simplified view of what eBPF captures)
sudo strace -c -p <PID>

– On Windows Azure VM: Runtime security relies on Event Tracing for Windows (ETW).

 Get running processes and their connections
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Format-Table
 Query security events for process creation (Event ID 4688)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 10 | Format-List

These commands represent the raw data that platforms like Upwind aggregate to build a “runtime graph,” instantly showing you which assets are live and communicating, rather than just which assets are deployed.

2. Mapping the Azure Environment with Cloud Telemetry

Upwind’s partnership leverages Microsoft’s own data streams to build the asset inventory. Instead of agents polling APIs constantly, the solution ingests continuous audit logs. This allows for the detection of “drift”—unauthorized changes to cloud resources.

Step‑by‑step guide to manual Azure environment mapping:

To manually audit your Azure footprint (the static way), you would use the Azure CLI. This helps understand the volume of data a tool like Upwind processes automatically.

1. Install Azure CLI and login:

az login

2. List all Virtual Machines and their power state (Static View):

az vm list --output table

3. Query Network Security Groups (NSG) for over-permissive rules (Static View):

az network nsg list --query "[].{Name:name, Rules:securityRules[?access=='Allow' && direction=='Inbound' && sourceAddressPrefix=='']}" --output table

4. Check Azure Kubernetes Service (AKS) audit logs (Dynamic Context):
While static CLI shows the cluster exists, runtime security looks at the pods.

 Get AKS credentials
az aks get-credentials --resource-group <RG> --name <ClusterName>
 See actual running containers
kubectl get pods --all-namespaces
 See network policies (or lack thereof) - critical for runtime micro-segmentation
kubectl get networkpolicies --all-namespaces

Upwind automates this, correlating the static NSG rules with the dynamic `kubectl get pods` output to tell you if a pod exposed to the internet actually has a vulnerability that is currently loaded in memory.

3. Runtime Context for Vulnerability Prioritization

The “killer feature” of this integration is the reduction of alert fatigue. By combining the National Vulnerability Database (NVD) feeds with runtime data, the platform filters out the noise. If a vulnerability exists in a container image, but the container isn’t running, or the vulnerable binary isn’t executing, the alert is deprioritized.

Step‑by‑step guide to simulated vulnerability prioritization:

Imagine you have a server with two critical vulnerabilities: one in OpenSSL and one in a legacy PHP module. You must decide which to patch first.

1. Identify running processes (Runtime context):

 List processes using specific libraries
sudo lsof | grep libssl.so
sudo lsof | grep php

2. Check network exposure (Attack Vector context):

 See what ports are listening
ss -tlnp

3. Simulated Decision:

  • If OpenSSL is used by Nginx (listening on port 443) -> High Priority.
  • If PHP module is loaded but no web server is listening, or the PHP-FPM pool is misconfigured and unreachable -> Lower Priority.
    Runtime security tools automate this correlation, presenting a “risk score” based on actual exposure and execution, allowing teams to patch the OpenSSL vulnerability first, regardless of its published CVSS score.

4. Seamless Multi-Cloud and Hybrid Coverage

The announcement highlights “Seamless multi-cloud coverage alongside Azure.” This implies that while the partnership is with Microsoft, the telemetry collection engine is agnostic. This is crucial for enterprises that are Azure-centric but have shadow IT on AWS or GCP.

Configuration best practice for multi-cloud runtime security:

To achieve a unified runtime view across clouds, organizations must standardize on a data collection layer.
– Standardize on eBPF for Linux workloads: Ensure your base OS images (whether in Azure, AWS, or on-prem) have kernel versions supporting eBPF (typically Linux kernel 4.14+).
– Unified Agent Deployment: Tools like Upwind deploy a lightweight agent. On Azure, this can be integrated into VM Scale Sets or AKS DaemonSets.

 Example Kubernetes DaemonSet snippet for deploying a runtime agent across all nodes (AKS, EKS, GKE)
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: runtime-security-agent
spec:
selector:
matchLabels:
name: security-agent
template:
metadata:
labels:
name: security-agent
spec:
hostPID: true  Required to see host processes
hostNetwork: true  Required to see network traffic
containers:
- name: agent
image: yourrepo/agent:latest
securityContext:
privileged: true  Often needed for eBPF

This configuration highlights the trade-off: deep visibility (hostPID, privileged) requires high trust in the security provider.

5. Responding to Runtime Threats

Identification is only half the battle. The integration allows for automated or manual response based on runtime context.

Step‑by‑step guide to a runtime incident response workflow:

If a runtime alert fires (e.g., “Crypto miner detected on Azure VM”):
1. Verify Runtime Context: Confirm the process is actually consuming high CPU and communicating with a known malicious pool.

top -b -n 1 | head -20
sudo netstat -tunap | grep <Suspicious_PID>

2. Cloud-Level Isolation (Azure Native): Instead of just killing the process (which may respawn), isolate the VM at the network level using Azure Firewall or NSG.

 Using Azure CLI to add a DENY ALL rule to the VM's NSG
az network nsg rule create --resource-group <RG> --nsg-name <NSG> --name "Emergency-Isolate" --priority 100 --direction Inbound --access Deny --protocol '' --source-address-prefixes '' --destination-port-ranges ''

3. Forensic Capture: Use Azure’s disk snapshots to capture the memory/disk state for later analysis.

az snapshot create --resource-group <RG> --name <VM>-snapshot --source <VM-OS-Disk-ID>

Runtime security platforms can orchestrate these steps automatically, triggering an isolation playbook the moment the malicious process is detected, reducing the Mean Time to Contain (MTTC).

What Undercode Say:

  • Context is King: The partnership confirms that the industry has reached “peak vulnerability.” Un-prioritized scanners are liabilities. The future of cloud security lies in filtering alerts through the lens of runtime behavior, ensuring security teams focus only on code that is actually executing and reachable.
  • Microsoft’s Strategic Embrace: By partnering with a runtime-native company like Upwind, Microsoft is implicitly acknowledging that native Azure security tools (like Defender for Cloud) benefit from a third-party eBPF-driven approach. This validates the “runtime-powered” architecture as the gold standard for CNAPPs in 2025 and beyond.
  • Operational Convergence: This move blurs the lines between DevOps (monitoring) and Security (hardening). Runtime security uses the same data streams (telemetry, audit logs) as site reliability engineering (SRE) teams, fostering a culture where security is an inherent property of operations, not a separate gate.

Prediction:

Within the next 18 months, “Runtime-powered prioritization” will become a mandatory checkbox for enterprise cloud security procurement. We will see a major consolidation wave where legacy CSPM vendors either build or acquire eBPF-based runtime capabilities to stay relevant. Furthermore, this partnership will pressure other cloud providers (Google Cloud, AWS) to deepen their native integrations with similar runtime security platforms, moving the entire industry away from snapshot-based scanning toward continuous, real-time workload protection.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ariel Negrin – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky