“Security is a particularly challenging issue for production container deployments,” Gartner stated in a piece on keys to container platform strategy, advising ongoing monitoring of containers to ensure a trusted service delivery.
An array of security vendors, both incumbents and upstarts, are taking on that challenge, attacking it with different approaches.
In a presentation at RSA Conference in April, Doug Cahill, senior analyst at Enterprise Strategy Group, outlined runtime security requirements including topology mapping to view and verify relationships, auditing of access requests, system activity, and API calls as well as intrusion detection, access controls and segmentation.
Houston-based managed security service provider Alert Logic has applied its comparatively long history in cloud security to deliver a network intrusion detection system for container workloads running on AWS.
In the security business since 2002 and considered a major player in the segment, it is now turning its focus to the mid-market.
“These companies have a small IT department — three to five people looking to upgrade their security environment,” explained Christine Meyers, Alert Logic vice president of product marketing. “They can’t go out and buy the latest tool every time. They’re looking for a managed security stack and tools, and the expertise to manage it.”
Most container security products to date have been process-inspection-based or host-based; Alert Logic has taken a different approach.
Its agent runs in a privileged container alongside the application containers. It is bound to docker0, the Linux bridge interface that traffic on Docker's default bridge network traverses, both between containers and between containers and the host. It feeds data back into the company’s Threat Manager and Cloud Defender products, which monitor and alert on incident activity through a combination of machine learning and human security analysts.
Those products also run on VM-based and bare-metal infrastructure, giving customers with hybrid environments a “single throat to choke” with a single managed security vendor.
Alert Logic’s approach is the only way to get bi-directional visibility into traffic between containers and between containers and the host, according to Jose Malacara, Alert Logic senior manager of cloud security practice.
“All the other approaches are going to give you sort of a one-sided view,” he said. It inspects real-time network traffic at the packet level.
The Alert Logic network IDS capability supports containers deployed on AWS including Docker, Amazon Elastic Container Service, Kubernetes, CoreOS, and AWS Elastic Beanstalk. The company has about 99 customers using the technology on 21,000 clusters.
The IDS provides a bi-directional view of requests and responses related to an incident. A visualization of the deployment shows which individual assets were affected, with the ability to drill down into tags and relationships. It provides attack details, context and links to supporting reference material, as well as recommended actions to take.
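The two things the article attributes to the agent, packet-level inspection on docker0 and a bi-directional view of which side of the bridge each end of a flow sits on, can be sketched in a few dozen lines. The block below is an added example written for this page, not Alert Logic's code, and it does not capture packets itself: it assumes you already have raw frames from docker0 (for instance via an AF_PACKET socket in a container with host networking and CAP_NET_RAW) and that Docker's default bridge subnet 172.17.0.0/16 with the host at 172.17.0.1 is in use. The two signatures and the sample frame are constructed for illustration. One caveat the article does not spell out: containers using host networking or an overlay/CNI network do not pass through docker0, so such an agent sees only default-bridge traffic.

```python
import ipaddress
import struct

# Assumptions (not from the article): Docker's default bridge network uses
# 172.17.0.0/16 with the host side of docker0 at 172.17.0.1.
CONTAINER_NET = ipaddress.ip_network("172.17.0.0/16")
HOST_ADDR = ipaddress.ip_address("172.17.0.1")

# Constructed payload signatures for illustration; a real IDS carries a
# large, maintained ruleset rather than two byte patterns.
SIGNATURES = [
    ("http-path-traversal", b"../"),
    ("shell-path-in-request", b"/bin/sh"),
]


def parse_frame(frame):
    """Decode Ethernet -> IPv4 -> TCP; return addressing and payload, or None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not an IPv4 frame
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4             # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None                      # only TCP is handled here
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return {
        "src": ipaddress.ip_address(ip[12:16]),
        "dst": ipaddress.ip_address(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_off:],
    }


def direction(src, dst):
    """Classify a flow by which side of docker0 each endpoint sits on."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    s_cont = src in CONTAINER_NET and src != HOST_ADDR
    d_cont = dst in CONTAINER_NET and dst != HOST_ADDR
    if s_cont and d_cont:
        return "container->container"
    if s_cont:
        return "container->host" if dst == HOST_ADDR else "container->external"
    if d_cont:
        return "host->container" if src == HOST_ADDR else "external->container"
    return "other"


def inspect(frame):
    """Run the signatures over one frame; return a list of alert dicts."""
    pkt = parse_frame(frame)
    if pkt is None:
        return []
    flow = "%s:%d -> %s:%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return [
        {"rule": name, "direction": direction(pkt["src"], pkt["dst"]), "flow": flow}
        for name, pattern in SIGNATURES
        if pattern in pkt["payload"]
    ]


def build_frame(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame as constructed test input (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )
    # Docker-style MACs (02:42:<ip>) for the two constructed container endpoints.
    eth = bytes.fromhex("0242ac110003" "0242ac110002" "0800")
    return eth + ip + tcp


if __name__ == "__main__":
    frame = build_frame("172.17.0.2", "172.17.0.3", 40000, 80,
                        b"GET /../../etc/passwd HTTP/1.1\r\n")
    for alert in inspect(frame):
        print(alert)
```

The direction label is what gives an alert its context: the same traversal string means something different arriving from outside the bridge than it does between two sibling containers, and a host-side agent that only watches one container's process would not see the second case at all.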
“We help customers understand not only threats, but what to do next,” Meyers said. “When reaching out to a customer that has remediation advice, we’ll say, ‘Here’s a process you might think about improving.’ As we partner with our customers, they become better over time.”
The IDS also provides an audit log of the incident, and packet capture files are available for further analysis.
Aqua Security recently teamed up with Amazon on its new AWS Fargate service. Serverless remains on Aqua Security's roadmap.
Aqua Security's latest version makes it possible to whitelist the system calls a container is permitted to make to the underlying operating system. It also added support for the CRI-O and containerd runtimes alongside its existing Docker support, and a Jenkins plug-in.
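The article does not say how Aqua implements its syscall whitelist, so the block below uses a mechanism the page does not mention, Docker's own seccomp profile support, to show the idea: trace what a workload actually calls, then generate a deny-by-default profile that allows only those calls. This is an added example written for this page, not Aqua's or Docker's code. The strace lines are constructed, and the `BASELINE` set of syscalls that a short trace may never show (signal return, clean exit) is an assumption to be tuned from your own traces.

```python
import json
import re

# Constructed sample of `strace -f` output from a container's main process;
# the values are made up to resemble a small Python service starting and
# connecting to a database.
SAMPLE_STRACE = """\
execve("/usr/bin/python3", ["python3", "app.py"], 0x7ffe3c1d2e40 /* 12 vars */) = 0
brk(NULL)                               = 0x55d2c0a1c000
arch_prctl(ARCH_SET_FS, 0x7f0c2a3b1740) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\\177ELF\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0"..., 832) = 832
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f0c2a3af000
close(3)                                = 0
[pid  1234] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid  1234] connect(4, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("172.17.0.3")}, 16) = 0
[pid  1234] <... read resumed>"ok", 2) = 2
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235, si_status=0} ---
+++ exited with 0 +++
"""

# A syscall line is "name(" optionally prefixed by "[pid  N] "; signal and
# exit markers and "<... resumed>" continuations do not match.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s*)?([a-z_][a-z0-9_]*)\(")

# Assumption (not from the article): calls a process needs even when a short
# trace never shows them. Treat this as a starting point, not a complete list.
BASELINE = {"exit", "exit_group", "rt_sigreturn", "rt_sigaction",
            "rt_sigprocmask", "futex"}


def parse_syscalls(strace_text):
    """Return the set of syscall names that appear in strace output."""
    names = set()
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_profile(strace_text, baseline=BASELINE):
    """Produce a Docker-format seccomp profile: deny by default, allow what was observed."""
    allowed = parse_syscalls(strace_text) | set(baseline)
    return {
        # ERRNO makes denied calls fail with EPERM, which the app can surface in
        # its logs; SCMP_ACT_KILL_PROCESS is stricter but turns every miss into a crash.
        "defaultAction": "SCMP_ACT_ERRNO",
        # Cover the 32-bit ABIs too, or a 32-bit binary sidesteps the x86_64 list.
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile, syscall):
    """Check whether a syscall name would pass the profile's allowlist."""
    return any(
        syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW"
        for rule in profile["syscalls"]
    )


def profile_json(strace_text):
    """Serialize the generated profile for use with --security-opt seccomp=."""
    return json.dumps(build_profile(strace_text), indent=2)


if __name__ == "__main__":
    print(profile_json(SAMPLE_STRACE))
```

Write the output to a file and start the container with `docker run --security-opt seccomp=profile.json ...`. The profile is only as complete as the trace it came from: a single startup run misses error paths, signal handlers and rarely used features, so generate it from a run that exercises the workload's test suite, and expect to add entries when something later fails with EPERM.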
Aqua Security and Twistlock are sponsors of The New Stack.
Feature image via Pixabay