StackRox Offers a Fine-Grained View of Container Security
As DevOps teams build and deploy applications that are faster, distributed, scalable and portable, IT security tools need to mirror this pace of production, according to StackRox, a startup offering security technology focused on containers.
“Our view is that the protection needs to run the same way as applications. They need to use the same types of building blocks and deliver security in the same way as those applications,” said Wei Lien Dang, StackRox vice president of product, in an interview.
For nearly three years, its team has been building a security platform that draws on Docker and Kubernetes, machine learning and DevOps tools to provide a new approach to protecting containers from threats.
Point solutions traditionally have been focused on one aspect of the stack — the network, the host or service calls to APIs. But because containers are so ephemeral, they can be long gone with no information left behind on which to do forensic analysis. StackRox looks at any type of container activity at the most granular level, according to the company.
“Whether components scale instantly by several orders of magnitude, move across clouds (public or private), or rely on a fully automated lifecycle, security needs to be applied continuously and consistently. This requires security to be built into the ‘connective tissue’ that glues applications together — it has to be part of the microservices fabric itself,” Dang wrote in a blog post about its new technology.
StackRox offers adaptive threat protection for containers, combining endpoint detection and response (EDR), web application firewall (WAF) and intrusion detection system (IDS)/intrusion prevention system (IPS) protection in the same product.
The StackRox software continuously monitors millions of signals including system calls, network traffic and Docker events. It allows users to organize and visualize their container environments and can automate actions to be taken or do so manually.
The technology is deployed and run as a set of container-based microservices alongside a customer’s containerized applications. It runs the same way you deploy any other application, Dang said.
The Mountain View, Calif.-based company was founded in 2014.
Co-founder Sameer Bhalotra was chief operating officer of Impermium, which Google bought in 2014, and served as senior director for cybersecurity in the Obama White House, as well as technology and cybersecurity lead for the Senate Select Committee on Intelligence (SSCI). His partner Ali Golshan co-founded Cyphort, a Silicon Valley malware defense company, and led the company’s product strategy, research and technical initiatives, including the Threat Research Lab.
It just raised $14 million in a Series A funding round led by Sequoia Capital.
“It’s a truism that developers will not change the way they write code to improve security. So security products create ‘control points,’ where security policies can be applied. For Palo Alto, it’s network traffic; for Okta, it’s identity; for Skyhigh, it’s cloud traffic. What’s different today is that applications are being written as ‘microservices’…,” Aaref Hilaly, partner at Sequoia Capital, wrote in a post about why it’s investing in StackRox.
“That means, for the first time, it’s possible to move that control point to the application itself. By collecting data up front — system calls from containers, Docker event data, etc. — it’s now possible for security teams to get much greater visibility and control inside applications than was ever possible before. In a sense, security teams can now build security into the application environment by monitoring and regulating the flow of information between application components. If done right, it would take away the need for other control points — why have web application firewalls (WAFs) or intrusion detection systems (IDS), if you can layer security into the core of the application itself?”
Among the StackRox features:
- Container auto-discovery with fingerprinting: It automatically discovers every container across your environment and applies fingerprinting technology to make it easy to see both known and rogue containers.
- Advanced network visualizations: Detailed, interactive, real-time visualizations of the container network display connections between containers, microservices and applications.
- Multiple machine learning models to detect various threats.
- Auto-tuning: As applications evolve over time, StackRox dynamically adjusts without user intervention based on application and environment changes.
- Preconfigured data filters make it easy to zero in on the most meaningful data. Or you can create your own.
- A library of attack types and techniques based on patterns of anomalous or malicious behaviors across a variety of threat vectors.
Security teams can control the specificity of alerts presented and the formats in which they’re presented to best suit their response workflow.
Users can set up automated actions such as blocking unauthorized Docker commands, quarantining or pausing compromised or rogue containers.
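As an added illustration of the kind of event-driven policy described above (example code written for this article, not StackRox's own), the following reads Docker event lines in the `docker events --format '{{json .}}'` layout, flags a container started from an image outside an assumed trusted registry as rogue, and flags an interactive shell spawned inside a running container. The sample events, the registry name and both rules are constructed assumptions.

```python
import json
from typing import Optional

# Constructed sample of `docker events --format '{{json .}}'` output (not a real capture);
# the field layout (Type / Action / Actor.ID / Actor.Attributes) follows the Docker Engine events API.
SAMPLE_EVENTS = """
{"Type":"container","Action":"start","Actor":{"ID":"a1b2c3","Attributes":{"image":"registry.internal/api:1.4","name":"api-1"}},"time":1700000000}
{"Type":"container","Action":"start","Actor":{"ID":"d4e5f6","Attributes":{"image":"docker.io/library/alpine:latest","name":"debug-shell"}},"time":1700000001}
{"Type":"container","Action":"exec_create: /bin/sh","Actor":{"ID":"a1b2c3","Attributes":{"image":"registry.internal/api:1.4","name":"api-1","execID":"x1"}},"time":1700000002}
{"Type":"image","Action":"pull","Actor":{"ID":"docker.io/library/alpine:latest","Attributes":{"name":"alpine"}},"time":1700000003}
"""

# Assumed policy (not StackRox's): images must come from one trusted registry, and
# interactive shells must not be spawned inside production containers.
TRUSTED_REGISTRY = "registry.internal/"
SHELLS = ("/bin/sh", "/bin/bash", "sh", "bash")

def evaluate(event: dict) -> Optional[dict]:
    """Return an action for a policy-violating container event, else None."""
    if event.get("Type") != "container":
        return None
    actor = event["Actor"]
    attrs = actor.get("Attributes", {})
    image, name, action = attrs.get("image", ""), attrs.get("name", ""), event.get("Action", "")
    if action == "start" and not image.startswith(TRUSTED_REGISTRY):
        # Rogue container: not built from an approved image, so pause it for triage
        return {"container": actor["ID"], "name": name, "action": "pause",
                "reason": f"untrusted image {image}"}
    if action.startswith("exec_create:"):
        cmd = action.split(":", 1)[1].strip()
        if cmd and cmd.split()[0] in SHELLS:
            # A shell inside a running service is a common post-compromise signal
            return {"container": actor["ID"], "name": name, "action": "alert",
                    "reason": f"shell exec in container: {cmd}"}
    return None

def process_stream(lines: str) -> list:
    """Run every JSON event line through the policy, skipping blank or malformed lines."""
    actions = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = evaluate(event)
        if verdict:
            actions.append(verdict)
    return actions

if __name__ == "__main__":
    for a in process_stream(SAMPLE_EVENTS):
        print(a)  # dry run: a real responder would issue `docker pause <id>` for "pause" verdicts
```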
In a TechCrunch post, Michael Yamnitsky, venture partner at Work-Bench, a New York City-based enterprise technology VC fund, talked about a generational shift underway involving artificial intelligence.
He says transformative new companies will deliver value through systems of intelligence (SOI), which combine domain expertise with data drawn from multiple sources and machine learning.
He cites new security startups, including Twistlock, Aqua Security, StackRox, Signal Sciences and tcell.io that are evolving into such territory.
Achieving this will require cross-platform intelligence and embracing an open platform architecture on which application developers can build out an ecosystem, he said.