What You Should Know About Effective Container Security

As organizations race to embrace and adopt containers, the issue of effective container security is growing exponentially as well. Container environments are dynamic and volatile and introduce unique challenges that can’t be addressed by traditional cybersecurity tools. I sat down with Mark Brooks, Global VP of Solution Engineering for Alert Logic, to discuss some of the container security concerns, and Alert Logic’s approach to addressing them and delivering an effective cloud security solution.

Q: What sets Alert Logic’s approach apart from other container security solutions?

MB: Most container security solutions only focus on log output from the platform and associated applications. While logs are a great source of information, there can be gaps in visibility that could lead to container and application compromise. Alert Logic deploys container security in a traditional IDS mode – listening to intra-container traffic and leveraging a detection set that will identify pre and post compromise activity. Depending on configuration and deployment, there can be any number of dark corners where bad actors can hide behaviors. Log output relies primarily on events being written to the system after the event has already occurred. IDS will give visibility to attacks against the container host or application in near real time, even if the activity is not logged by the system.

Q: How is Alert Logic container security implemented?

MB: Customers are required to deploy an agent to the container host that’s been specifically designed to monitor network traffic between containers as well as traffic between the container and the local network. The Alert Logic agent is in listen-only mode, so there is no bottleneck to communications or container performance. In the event that IOCs are found, they are processed through the Alert Logic analytics platform that correlates IOCs into incidents which are reviewed by a 24×7 SOC analyst before being escalated (when appropriate). Alert Logic provides a 15-minute SLA for incident escalations and is responsible for maintaining the detection ruleset for the container as well as the correlation logic to protect our customers from attack.

Q: What impact does Alert Logic container security have on performance?

MB: Alert Logic provides capabilities to ensure that security does not impede progress – especially for dynamic cloud workloads. Customers can streamline and simplify delivery with a single workload security solution that uses APIs to integrate with deployments running on public cloud platforms such as AWS, Azure and Google Cloud Platform and in on-premises and hybrid environments. Vulnerability scan results integrate with DevOps tools such as Jira and Jenkins while detection agents and virtual appliances can be automatically deployed through a library of templates for Chef, Puppet, Ansible and AWS CloudFormation. Once a customer has deployed the Alert Logic container agent into their environment, any new or expanded container workloads are automatically discovered. In the event that a customer’s container use is expanding to multiple hosts, the Alert Logic container agent can be baked into the deployment orchestration process to eliminate gaps in security visibility.

Q: How can developers address the increased attack surface of components from a public repository?

MB: Public repositories tend to introduce a long tail of inherited vulnerabilities that increase a customer’s attack surface. Alert Logic provides SaaS solutions for DevOps and security teams to run internal and external vulnerability scans and reports for on-premises, hosted and cloud environments with continuous updates to more than 92,000 Common Vulnerabilities and Exposures (CVEs) in software and certain network components.

In AWS environments, CVE scanning is an integral part of Alert Logic Cloud Insight.  Cloud Insight consumes APIs including CloudTrail and IAM to run agentless scans.  Unlike most solutions that require manual requests for permission to scan, Cloud Insight is pre-authorized by AWS to scan any time. Cloud Insight adapts to the customer’s dynamic environment with automatic asset discovery and scanning of new instances within minutes of being added to the environment.  Cloud Insight also helps customers understand where to take action by maintaining a current visual topology map that can pivot by AMI, Instance ID & Type, IP range, Availability Zone, tags, and keywords.

Q: How will containers and containerized apps affect the threat landscape?

MB: We have already witnessed customers being impacted by bot-net activity as well as cryptojacking.  There is also the age-old issue of patching. As new vulnerabilities are discovered in any container platform or containerized workload, patches are released to mitigate the vulnerability risks. If developers are not updating to the latest version, unpatched systems become an entry point for command and control as well as data exfiltration.

Alert Logic solutions combine cloud-based software and innovative analytics with expert services to assess, detect and block threats to applications and other workloads. Protection extends to all layers of a customer’s Web application and infrastructure stack to defend against a broad range of server-side and container threats — including hard-to-detect Web application attacks such as SQL injection, path traversal and cross-site scripting as well as advanced malware, command to control, brute force and many others. Designed for cloud and hybrid environments, Alert Logic solutions use API-driven automation and integration with cloud platforms and DevOps tools.

To learn more about effective container security, download the Container Security Workbook: A Best Practices Guide.