# Creating a Secure 5G Service-Based Architecture: Part 3 - Runtime Defense

By [Mitch Rappard](https://www.paloaltonetworks.com/blog/author/mitch-rappard/?ts=markdown "Posts by Mitch Rappard") Jun 22, 2022

In my previous blogs on [vulnerabilities](https://paloaltonetworks.com/blog/prisma-cloud/seo-5G-SBA-vulnerability) in 5G Service Based Architecture (SBA) security and on [API security](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security?ts=markdown), we looked at the key capabilities for effective 5G security and examined what this means for vulnerability management and API security. In this blog, we'll look at [runtime defense](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense), a form of autonomous learning to detect and prevent activity outside the learned model of a running container.

As a reminder, in the [first 5G SBA blog](https://paloaltonetworks.com/blog/prisma-cloud/seo-5G-SBA-vulnerability), we identified the key capabilities for effective 5G security, which include:

1. [Vulnerability management](https://www.paloaltonetworks.com/cyberpedia/what-Is-vulnerability-management?ts=markdown) for comprehensive coverage and monitoring, identifying, and preventing risks to all the hosts, images, and functions in your environment.
2. [Layer 7](https://www.paloaltonetworks.com/cyberpedia/what-is-layer-7?ts=markdown) visibility and security for web applications and APIs on any cloud native architecture.
3. Powerful runtime defenses that apply automated protection against unwanted activity and threats.
4. Compliance enforcement with pre-built compliance checks for centrally viewing and enforcing your own or industry compliance standards.
5. [Shift left security](https://www.paloaltonetworks.com/cyberpedia/shift-left-security?ts=markdown) with CI/CD, repository, registry, and Open Policy Agent integrations to secure workloads across the [software development lifecycle (SDLC)](https://www.paloaltonetworks.com/cyberpedia/sdlc-software-development-lifecycle?ts=markdown).

Runtime defense is a critical feature to ensure the security of running hosts, containers and even serverless functions. Palo Alto Networks' definition sums it up nicely:

*"Runtime defense is the set of features that provide both predictive and threat-based active protection for running containers. For example, predictive protection includes capabilities like determining when a container runs a process not included in the origin image or creates an unexpected network socket. Threat-based protection includes capabilities like detecting when malware is added to a container or when a container connects to a botnet."*

Palo Alto Networks' runtime defense feature uses [machine learning](https://www.paloaltonetworks.com/cyberpedia/machine-learning-ml?ts=markdown) to create models for each and every running container in your cluster. In a 5G network where hundreds or more [containers](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown) are running, relying on human engineers to create these models is not the right approach. These models need to be created quickly and accurately via machine learning. Prisma Cloud leverages [AI](https://www.paloaltonetworks.com/cyberpedia/artificial-intelligence-ai?ts=markdown) and machine learning to create these automatically, greatly offloading the operational burdens of securely running a 5G network.

If we go into the [Prisma Cloud UI](https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-at-a-glance?ts=markdown), we can actually see the runtime model that was automatically created for a given container.
For the fun of it, we will pick on the Session Mobility Function (SMF) and examine its runtime model.

![The Prisma Cloud UI will automatically create a runtime defense model for any container that is selected](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-application-description-5.png)
The Prisma Cloud UI will automatically create a runtime defense model for any container that is selected

Once we start looking at the container model, we can see that there are categories like Process, Networking and Filesystem, which show what was discovered statically as well as dynamically during the learning period. Below are some of the things Prisma Cloud has in its model for the SMF in my environment.

![The runtime defense model has provided a list of processes that are running](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-text-application-descr-2.png)
The runtime defense model has provided a list of processes that are running

![The networking tab provides a display of the ports in use](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-application-description-6.png)
The networking tab provides a display of the ports in use.

![The file system tab shows learned file behavior. Prisma Cloud automatically observes and learns from behavioral anomalies](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-application-description-7.png)
The file system tab shows learned file behavior. Prisma Cloud automatically observes and learns from behavioral anomalies

We see a list of the processes that have been observed running within the container, the ports being used (80 is for HTTP and 9090 is for HTTP/2), as well as learned file system behavior. It is important to emphasize that an admin did not have to enter this; it was learned by the system.
Going forward, Prisma Cloud will watch for any [behavioral anomalies](https://www.paloaltonetworks.com/blog/prisma-cloud/compute-provisioning-anomaly-detection/?ts=markdown) outside of this model. These models are extremely important, as attackers will often take a "low and slow" approach which is hard to detect via network security alone. With runtime defense, we can catch anomalies that act as warning signs that something is not right.

To see runtime security in action, we will simulate an attacker who has gained access to one of our containers and is doing some reconnaissance. We will watch Prisma Cloud flag this activity as outside the normal model (we could have it blocked, but in this example we will just alert). To do this, we will exec into the running container and issue some commands. Once in, we will have root access to the pod and can do whatever we want. Perhaps the first thing we want to do is see which processes are running. From the CLI of the container we can make sure the ps command is supported (using "which"), and then run "ps -ef", which shows us the running processes.

```
# which ps
/bin/ps
# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr05 ?        00:02:10 /openair-smf/bin/oai_smf -c /openair-smf/etc/smf.conf -o
root      7118     0  0 16:06 pts/0    00:00:00 sh
root     12395  7118  0 16:19 pts/0    00:00:00 ps -ef
```

*Modeling the "openair-smf" process in this example, triggering various runtime alerts.*

We can see that the oai\_smf process is running, and as an attacker we might start to look more closely at this and the directory it is running in. However, this act of running the "which" and "ps" commands has triggered several runtime alerts. The "which" and "ps" processes are both **not** a part of the runtime model and were therefore flagged.
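
The check described above, as an added example (not Prisma Cloud's implementation and not code from the original post): it parses the `ps -ef` output shown earlier, compares each executable to a learned process model, and records the parent lineage of anything outside it. The model contents, `LEARNED_PROCESSES`, and the helper names are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed sample input: the `ps -ef` output shown in the post.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Apr05 ?        00:02:10 /openair-smf/bin/oai_smf -c /openair-smf/etc/smf.conf -o
root      7118     0  0 16:06 pts/0    00:00:00 sh
root     12395  7118  0 16:19 pts/0    00:00:00 ps -ef
"""

# Assumption: during the learning period only the SMF binary was observed.
LEARNED_PROCESSES = {"/openair-smf/bin/oai_smf"}


@dataclass(frozen=True)
class Proc:
    uid: str
    pid: int
    ppid: int
    tty: str
    cmd: str

    @property
    def exe(self) -> str:
        # argv[0] as reported by ps. A process can rewrite its own argv, so a
        # real sensor would resolve the on-disk executable path instead.
        return self.cmd.split()[0]


def parse_ps_ef(text: str) -> list[Proc]:
    """Parse `ps -ef` output: seven whitespace-separated columns, then CMD."""
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)    # CMD keeps its internal spaces
        if len(fields) < 8:
            continue
        uid, pid, ppid, _c, _stime, tty, _time, cmd = fields
        procs.append(Proc(uid, int(pid), int(ppid), tty, cmd))
    return procs


def find_anomalies(procs: list[Proc], model: set[str]) -> list[dict]:
    """Return one alert per process whose executable is outside the model."""
    by_pid = {p.pid: p for p in procs}
    alerts = []
    for p in procs:
        if p.exe in model:  # exact match only; a basename match is too loose
            continue
        # Walk PPID links so the alert shows what spawned the process.
        chain, seen, parent = [p.exe], {p.pid}, by_pid.get(p.ppid)
        while parent is not None and parent.pid not in seen:
            chain.append(parent.exe)
            seen.add(parent.pid)
            parent = by_pid.get(parent.ppid)
        alerts.append({
            "pid": p.pid,
            "exe": p.exe,
            "lineage": " <- ".join(chain),
            # PPID 0 on anything but PID 1 means the parent lives outside the
            # container's PID namespace, as with an exec session.
            "exec_entry": p.ppid == 0 and p.pid != 1,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_ps_ef(PS_OUTPUT), LEARNED_PROCESSES):
        print(alert)
```

A `ps` snapshot only sees processes that are still alive, so the short-lived `which` from the session never appears here; catching it requires observing process-creation events as they happen.
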
Below we can see the detailed information Prisma Cloud provides for us, including the [cluster](https://www.paloaltonetworks.com/blog/prisma-cloud/container-security-kubernetes-cluster-awareness/?ts=markdown), [image](https://www.paloaltonetworks.com/blog/prisma-cloud/image-analysis-sandbox/?ts=markdown), [container](https://www.paloaltonetworks.com/blog/prisma-cloud/cloud-workload-protection/?ts=markdown), and specifics of the command.

## Aggregated Events

![Prisma Cloud identifies the unexpected process, detailing the cluster, image, container, and specifics of the command](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-text-application-email-9.png)
Prisma Cloud identifies the unexpected process, detailing the cluster, image, container, and specifics of the command

If we look again in Radar at my container, we can see the Runtime Process related events.

![Radar view of the container provides a risk summary of the process](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-application-description-8.png)
Radar view of the container provides a risk summary of the process

Digging deeper into the Forensics screen lets us see exactly what happened. Not only can we see the commands and processes that were spawned, but we see it on a timeline, so we know when each event happened relative to the others. Below you can see my activity while in the SMF (note, I also ran the "clear" command, which Prisma Cloud caught as well!).

![The Forensics screen displays the commands and processes that were spawned on a timeline](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/06/graphical-user-interface-text-application-descr-3.png)
The Forensics screen displays the commands and processes that were spawned on a timeline

It's worth noting that these alerts are available to you in numerous other channels as well, beyond just the user interface (UI).
It's also possible (and recommended) to enable integration of key events (e.g., Container Runtime, WAAS, etc.) with backend tools used by your organization for monitoring. For instance, Prisma Cloud could send an email when it sees an event like the ones above, or send you a Slack notification, or even open a Jira ticket. Numerous options are supported to cater to each organization's preference.

Running a 5G core network is not an easy task. Keeping tabs on the expected and valid behavior of all the running workloads is even harder. For effective security, operators and enterprises will need to rely on ML and products like Prisma Cloud to offload these tasks and make the job of securing their environment an easier one.

### Summary

As cloud native application development becomes the de facto method for building and delivering 5G services and applications, organizations must adopt a modern cloud-native [application security](https://www.paloaltonetworks.com/cyberpedia/appsec-application-security?ts=markdown) solution that provides end-to-end security and defense-in-depth. Prisma Cloud is at the bleeding edge of [cloud native security](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-security-platform?ts=markdown) and provides customers with the most comprehensive security capabilities necessary for protecting their entire 5G cloud native application stack.

To test out all the great functionality and more with [Prisma Cloud's WAAS](https://www.paloaltonetworks.com/prisma/cloud/web-application-API-security?ts=markdown) module, [request a hands-on demo](https://www.paloaltonetworks.com/cortex/cloud/trial?ts=markdown).