Container Security Vendor NeuVector Zeroes in on the Network
Docker container security vendor NeuVector emerged from stealth last month, announcing general availability of its network-centric approach to securing containers.
“Coming from a traditional network security background, we quickly realized that existing approaches are not adaptable to container environments – they don’t transfer well, and other solutions are slow and incomplete,” said Fei Huang, NeuVector CEO.
Huang said he became fascinated with containers while working at VMware and could see a major shift coming in IT operations, but found security lacking. To create a better approach, he teamed up with Gary Duan who has managed development teams at Fortinet, Cisco and Altigen. The two hold several patents in security, virtualization and other technology.
They wanted to figure out how to protect containers at runtime, without any loss in speed or scale.
Their solution is three-pronged, according to Glen Kosaka, NeuVector vice president of product management and marketing: One is Detection of abnormal connections. The second is runtime vulnerability scanning. And the third is threat protection, so if there are any application-layer attacks through the network, such as DDoS, DNS attacks or exploitation of SSL vulnerabilities, they are detected in real time.
NeuVector’s technology is a container itself – there’s no coding or agents involved. This container deployed alongside yours automatically learns and whitelists normal behavior for containers in that IT environment to be able to alert on abnormal behaviors. NeuVector automatically creates segmentation for isolation at the container, application, and service level. Blacklist rules also can be added.
Behavior baselining, where a security mechanism focuses on understanding an application or system’s normal behavior in order to detect anomalies, was one of the hottest trends at the Blackhat 2016 conference, Container Solutions’ Adrian Mouat reported previously in The New Stack.
This most typically is done manually combined with data science, he said, but because of containers’ transient nature, needs to be automated.
In its report on integrating security into DevOps practices, Gartner describes whitelisting as “one of the most powerful information security controls for a running workload” and also advocates automating as much as possible.
It also notes a basic limitation of containers: Since they share the same operating system, without other tools, network traffic is visible to all hosted containers. So a successful attack on the OS kernel layer exposes all containers.
With its application layer segmentation, abnormal connections can then be automatically detected and blocked before they causing harm, according to NeuVector. It can block a specific network connection that’s not allowed and still allow the “good” traffic to reach that container without having to kill the container or quarantine it.
When large applications are broken into pieces for containers, the only way they can communicate is through the network, such as a REST API, Huang explained. So to protect containers, the network is the first place you need security.
He maintains that traditional network security products were designed for virtual machines and the startups in container security are too focused on image scanning.
“You can scan the file system later, but if there’s something in your network, in memory, it’s too late. Runtime threats don’t go to the file system at all; they go to the network. Attackers hack into the image, they run in the memory, so the scanning solutions don’t work,” he said.
An array of vendors offers image vulnerability scanning, including Atomic Scan from Red Hat, Bluemix Vulnerability Advisor from IBM, Clair from CoreOS, Docker Security Scanning from Docker Inc., Peekr from Aqua Security, and Twistlock Trust.
But with containers, there’s an extra layer of networking involved, Huang said.
“With VMs, you can only see part of the communications. If I have two containers running on the same host, they talk to each other, what we call east-west traffic. It doesn’t go through the VM at all. It’s totally another layer of virtualization. That’s why if you’re looking at VMs, you won’t see the big picture, you won’t see the details,” he said.
NeuVector can be used with popular CI/CD tools and is integrated with Splunk, Nginx and orchestration tools such as Kubernetes, Docker Swarm, Rancher and Red Hat OpenShift.
The company, based in Milpitas, Calif., has a team of 10 and is growing rapidly.
It’s been working closely with enterprises including Web companies, banks and other financial institutions that have pilot projects “that are close to going into production,” Kosaka said. These proof of concepts typically involve a handful of nodes with 100 or fewer containers.
It’s found enterprises are driving the move to Docker, Huang said, and though these companies are cautious, they often have a new feature or module they want to launch in containers.
“Container networking can get complicated, so we use NeuVector for our container security audits to determine what is really happening at the application and network layers. We also use it to monitor and secure all the east-west traffic that results from microservices. The automated whitelist-based policy makes it simple to manage,” said Sergii Gorpynich, chief technology officer of Cogniance, a software design, development and consulting firm.
CoreOS, Red Hat and Twistlock are sponsors of The New Stack.
Feature Image: “Escher” (detail) by bertknot, licensed under CC BY-SA 2.0.