Intrusion Detection for Containers A Critical Part of the Container Security Landscape

As you may have heard, Alert Logic announced the industry’s first network intrusion detection for containers on July 17th at the AWS Summit in New York City. Alert Logic has “cracked the code” and offers customers the ability to inspect network traffic for malicious activity targeting containers, providing them with faster detection of compromises and reduced risk of attacks to their cloud workloads on Amazon Web Services (AWS). This is a great addition to our already impressive set of AWS security technologies. We’re excited to tell you more about this unique approach in container security solutions.

There are a lot of vendors talking about container security solutions right now, and we wanted to give you some insight into why the introduction of network IDS is so critical to the container security landscape. To do that, we went right to the source… the architects of the solution! 

We are pleased to share with you an interview with Matthew Harkrider (one of Alert Logic’s founders & Senior Technical Product Manager) along with John Norden (Distinguished Engineer & Director of Product and Release Management). The two of them provided so much great insight, that we decided to break this into a three-part blog series. We trust you will find their thoughts on container security as valuable as we did!

Q: Can you tell us why the team at Alert Logic decided to undertake a network-based approach to its container security solutions?

MATT: Interesting question. I think it goes back to our DNA as a company. We’ve made a number of remarkable advancements in the past, and we have a core set of capabilities that we have developed into the Alert Logic solutions over a number of years. And we’ve gotten very good at that core set of capabilities over time. As we examined those strengths and thought about the container security problem, we saw a way to do something differently from other players in the space. Teasing things out a bit more, we discovered that we had an opportunity to focus on a network-based approach to examining traffic in and between containers and across the host. That innovation helped solve the container security problem in a way that made sense for our customers and extended our core capabilities.

It just so happens that we support intrusion detection in a way that is unique when compared to the rest of the market. For some reason, this approach hadn’t been explored. In all actuality, it’s probably because it is a very difficult problem to solve. A lot of people feel that they can get some level of coverage from a single point solution or a couple of solutions operating in a layered security model, but what we found is that the need for defense in depth is as true in the container world as anywhere else. That means that a holistic approach that provides visibility and context is needed.

JOHN: As Matt said, starting down the path to extend our network intrusion detection capabilities to address these container security solutions was a relatively easy decision for us. We started assessing the market by looking inwardly and asking ourselves what we needed to secure our own containerized environment.

Alert Logic’s infrastructure has a rather large containerized workload. We can have anywhere between 120 to 150 nodes in our container clusters with between 2,000 and 4,500 containers running at any given time. We saw the security challenges of this environment right away. That’s when we decided that had to have a streamlined approach to security and work to avoid adding additional operational burdens. By streamlining our effort to secure our container deployments, we felt we could avoid impediments to our continuous deployment model. As we began thinking about how we would solve this challenge for ourselves, it became very evident by solving this for us meant we could solve this problem for our customers as well.

When we looked out at the market and examined similar players in the container security space, we determined that what everyone was doing (for the most part) was process monitoring. While process monitoring is interesting, it can’t tell the entire story if a security concern arises. After further research, we also found that a lot of the solutions were only local to the container cluster, had no real centralized way of viewing security concerns across a large fleet, and required someone to spend time assessing whether or not a spawned process was really a security concern. After we discussed all the findings internally with our engineering and security teams, we decided to explore the possibility of extending Alert Logic’s existing network intrusion detection capabilities to containers. Alert Logic has provided a leading network intrusion detection system for years, so it seemed like a viable solution.

We determined that if we could take the existing capabilities available in Alert Logic’s products, we could leverage our network intrusion detection capabilities and expertise to provide something meaningful for our customers. As we worked to extend that to containers, we were confident we would have an easy way to implement a security solution that could tell the complete network level security story. This was the exact level of security inspection we needed and that our customers could really benefit from these capabilities.

During development, we focused heavily on network level inspection and ensuring our container security system was extremely easy to deploy using common automated container deployment workflows. The outcome was the solution we have today which is simple to deploy and begins inspecting network level traffic immediately. It also transfers that network traffic data to Alert Logic’s SaaS platform for analysis. So not only are you getting network level traffic inspection, but you are also taking advantage of our advanced analytics platform, 24×7 Security Operations Center experts, remediation advice on security incidents – all by just deploying one simple solution.

Ultimately, this lead to our current solution—our containerized agent solution. By optimizing for security and focusing on deployment simplicity, we came up with a way that customers can get started easily, deploy our security solution using their existing automated processes available today, and make the entire process quick and easy.

Q: Tell us a little bit about the place Alert Logic holds in the market and some of the uniqueness of our approach. Why is this container security solution announcement important?

JOHN: Many vendors in this space are doing process monitoring and there are many that are now getting into network monitoring; however, none are diving deep into actual intrusion detection at the network level. Alert Logic decided to tackle the more challenging and differentiated path given that our extensive history with network intrusion detection. 

While taking the approach was difficult, we saw that addressing the problem this way ultimately led to better security outcomes because of the deep inspection and forensic value you get from an intrusion detection system. The greatest difference it this—process monitoring provides you a view of the “here and now” and can tell you when a process has spun up that should not have; however, it cannot provide you that low-level network traceability that lets you understand where the attack came from and whether or not the attack led to successful data exfiltration.

MATT: Yes, John is spot on here. I like the way Fernando Montenegro, the analyst with 451 Research explained the marketspace and the variety of technical approaches. In a recent article, he said “Everyone sees the same hill now, but they approach it from different viewpoints, more aligned with developers or more aligned with IT operations.”  His perspective is valuable because we are looking at different types of data to come to a security conclusion.

The container space is hot right now and our competitors are doing some very important things. In the end, a lot of these approaches are complementary. We just happened to prioritize security, visualization, threat context, and ease of deployment with our approach.  

Q: How is the Alert Logic approach different from container process monitoring?

JOHN: Process monitoring is interesting. It provides you the here and now and will tell you things like “hey, this process just spawned”; however, what it doesn’t tell you is whether that is really a security issue. Furthermore, if it is a security issue, it doesn’t tell you what led up to it, where it came from or what potentially happened afterwards (like data exfiltration). By contrast, our approach can tell you those things—and more. It’s that context, especially when combined with our managed security services, that make our approach so different.

Another advantage of our approach is the rich information that we collect allows us to see the attacks on containers. We are able to understand where the attack came from and even analyze what other containers were impacted by the attack in any way, shape, or form. We can provide this level of visibility because we collect all the available container metadata that is in the cluster as well as all the network traffic to and between containers. 

When you use our solution, we pull all that data back to our SaaS platform. So, if you use other Alert Logic security products, all that data starts to come together. When combined, our solutions start to paint a picture of what’s happening in real-time. We get a more holistic picture because we can see everything that our products have scope for. This context combined with our SOC analysts and 24×7 expertise results in better security outcomes for our clients.

Q: For companies that don’t have a container security solution in place, why should they choose a NIDS based approach over a more traditional host-based system?

MATT: With a host-based product, you’re probably going to get a deep look at what’s going on in that host, but quite honestly that view is also pretty isolated. The biggest difference between some of the host-based products that play in this space and what we are doing is much more focused on the big picture of the environment. For example, you might have an attack that is focused on one particular container or maybe a particular cluster but if that propagates, but you need a good way to see all of that in the same view. 

When we build incidents for these types of attacks, if it is an aggressive, wide-spread type of attack, you will have a lot of different data going into a lot of different containers that we can build from that single incident because we have that big picture view that tends to get lost when you are dealing with host-based products or things that are just local to the cluster.

What’s Next?

As you can see, we believe the Alert Logic approach to container security is unique to the market, and that it is absolutely critical to protecting containerized environments. Stay tuned for the next two editions of this blog series, which will be coming over the next several days. The rest of the interview will feature topics including NIDS vs. HIDS, why it is critical to have metadata access, and what is next for Alert Logic’s container security initiatives. 

In the meantime, if want to know more about what it takes to stay ahead of container-based attacks, I invite you to download our Container Security Workbook: A Best Practices Guide. This guide walks through some of the best practices to leverage while building your container security strategy and provides a useful workbook to put some of these ideas into practice in your organization. 

I’d also invite you to view this 3-minute video to see our network intrusion detection for containers capabilities in action.