Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Six runtime threat detection and response tips for container security

By Ben Bernstein, CEO, Twistlock | Feb. 2, 2017
No matter how good a job you do with vulnerability scanning and container hardening, there are unknown bugs and vulnerabilities that may manifest in the runtime

shipping containers cargo containers harbor industry commerce

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Security for containers has evolved quite substantially over the past year, but there is still a lot of education that needs to be done. The key point being that the biggest difference in this new paradigm is that everything is based on continuously delivered, micro-service based, applications. The fact that the technology enabler for that paradigm is containers is really less of an issue.

When it comes to containerized applications, everyone seems to be in agreement - statically analyzing what an application can do inside a container and rejecting non-security compliant images and/or vulnerable images is a must. However, no matter how good a job you do with vulnerability scanning and container hardening, there are unknown bugs and vulnerabilities that may manifest in the runtime and cause intrusions or compromises. That is why it’s so important to outfit your system with real-time threat detection and incident response capabilities.

One might point out rightfully that there are good tools for limiting what an application can do in the form of SELinux and AppArmor. While these are really good tools for some tasks, and limit several aspects of what an application does at runtime, expecting your development team to create deep and thoughtful security manifests for all micro-services they create is not realistic and does not scale. I’ve yet to see a large development team adopt this type of security solution for containers at scale.

Here we find ourselves back at the core of the problem - as more and more critical applications move to the container environment, organizations need a scalable and proactive defense layer that allows them to get ahead of the threat curve. At the same time, this defense layer should enable innovation and the adoption of container technologies. The following six tips outline how runtime threat detection and response should be designed to detect real-time threats, anomalies, and active compromises, with a lower false-positive rate than what is seen with traditional anomaly detection:

* Use the declarative nature of the new stack. While developers don’t have the bandwidth to care much about security, they are now required to provide more information as part of the development process. They know which processes are going to run, they know which binaries are going to be used, and they implicitly tell the system about the interactions between containers. That information might exist in the Dockerfile, or it might be in the one of the YAML files that describes how the system is to be orchestrated. One should take that information and automatically translate that into a security profile of what the endpoint should and shouldn’t do.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.