LeakSignal IRM™


Installs in Minutes

Installs as a lightweight WebAssembly module into existing ingress, sidecar, and ambient mesh proxies, giving engineering and security teams instant visibility to assess the data plane security posture.

Agentless

LeakSignal’s Inline Response Manager (IRM™) is built to process all outbound content, which allows for unique data protection and audit capabilities that identify exactly what sensitive data was accessed.

Instant Outcomes

Automatically maps all services and sensitive data in real-time, giving an understanding of where data is being accessed across geographies, cloud environments, and clusters.

You can’t Protect what you can’t see


How it Works

Traditional perimeter defenses can’t keep up with the speed of business and scalable microservice applications. LeakSignal prioritizes, assesses, and protects against data exfiltration and abuse across all web and API traffic. Alerts can be set and immediate action can be taken to ensure your sensitive data is protected.

Use a production-ready Layer 7 policy to observe sensitive data (or build your own).

Service-based Access Control (SBAC)

When a service mesh grows, developers don’t know who owns a service or how to get access for legitimate uses – oftentimes forcing service-to-service access with a shared secret or other means. On the other hand, malicious actors can easily bypass traditional edge protections, access important or critical services, and exfiltrate sensitive data under the radar.

Solutions

The Leakwall improves upon traditional API Security solutions by analyzing the API response traffic and learning what is normal. For example, a normal response only contains one PII element. When a response contains more than expected, alert or redact the data.

Sensitive Data Observer provides visibility into how regulated data is traversing single or multi-cloud and jurisdictional boundaries. Know which services are sending sensitive data and put controls in place to keep the mesh secure.

Not your typical WAF, the MicroWAF capability is lightweight and serves as a tactical defense mechanism when attackers have bypassed perimeter/edge-based protections. Block or rate-limit traffic based on SPIFFE ID and other newer mesh signals.

Installation Details

No Helm charts, Operators, CRDs or other dependencies. LeakSignal is purpose-built to be lightweight and pluggable into any microservice environment.


LeakSignal deploys to Istio, K8s, or Envoy with a few lines of config and emits native Envoy statistics to support data collection platforms like Prometheus.

The LeakSignal COMMAND dashboard is completely free to use and configurable to run in the cloud or privately, on-prem.

LeakSignal provides the only Service-based Access Control capabilities through inline response analysis of Layer 7 sensitive data.

Want to see us in action? Deploy LeakSignal Today.

It’s completely free and takes 10 seconds.