Twistlock 19.07 Builds on Automation, Visibility, Prevention
Cloud native security provider Twistlock unveiled the latest version of its cloud-focused security platform, debuting the updates at the AWS re:Inforce cloud security conference this week in Boston.
Like many of the sessions and talks at the conference this week, Twistlock 19.07 aims its sights intently on the areas of serverless, containers, and cloud-native computing, though where the company goes after this release remains undetermined. Late last month, enterprise security provider Palo Alto Networks announced its intent to purchase Twistlock for approximately $410 million along with serverless security provider PureSec. Nonetheless, Palo Alto Networks and Twistlock both have their own booths at the conference, and Twistlock is here to talk about the continued advances it’s made since first launching back in 2015.
Acquisitions aside, Twistlock 19.07 breaks down into six distinct updates to the platform, and Twistlock CTO John Morello characterizes the release as building on three key areas of focus, offering a quick summary of the release.
“19.07 builds on our pillars of automation, visibility, and prevention,” said Morello. The new versions of Trusted Images and Cloud Native Network Firewall, he explained, automatically learn normal good baselines and behaviors in end-user environments and automatically prevent anomalies. Radar helps users conceptualize complex technology stacks and visualize risk across them. Updates to forensics provide clear understanding of events before, during, and after a breach and combine with the runtime defense to prevent those breaches from ever occurring, he summarized.
In an interview with The New Stack, Twistlock senior product marketing manager Keith Mokris further identified the intentions of 19.07, offering some insight in a walk-through of each feature update and release.
“In 19.07, we really want to provide complete security for hosts, containers and serverless, as we see a lot of customers using a combination of various compute options for running their cloud native workloads and applications,” said Mokris. “We’ve always aimed and continue to be full life-cycle, integrating at the build, registry, and production, and Twistlock 190.7 really improves on a handful of features across all of these different areas.”
Here’s a deep-dive of what’s new in Twistlock 19.07.
Cloud Native Firewall
Twistlock’s Cloud Native Network Firewall (CNNF) has been around since 2017, and with version 3, several new features are introduced.
“CNNF is our layer four firewall that provides automatic learning of your network topology to essentially isolate a host to host or a pod to pod or container to container traffic. This is certainly a huge challenge for organizations leveraging docker and Kubernetes at scale,” said Mokris. “How do you secure and provide microsegmentation specifically for these large cloud native environments? You certainly want to secure your perimeter, but you also want to secure your applications and all of their various connected components.”
CNNF now offers a Radar visualization of both learned and administratively configured connectivity, as well as a combined policy view of all connection rules, both learned and administratively configured.
In addition to these new visibility enhancements, CNNF v3 also provides the ability to import and export rules, and to create, name, and re-use external network objects across rules.
“Forensics builds on this notion that we’ve had for several releases of what we call a ‘flight data recorder.’ We’re constantly spooling data that we can gather when a security incident occurs. This really helps security architects, incident responders or SOC team members identify what happened in an anomalous incident or compromise,” said Mokris. “One of the things that we’re doing with Twistlock 1907 is not just surfacing all of the things around the incident like we have in the past — the kill chain, the type of incident, or a raw forensic data dump — we’re actually providing a timeline view so you can select different types of data and see it in a really cool format over time.”
Forensics v2 brings about an expanded scope of monitored data, which now includes detailed information around host hardware (or virtual hardware), operating system, container runtime environment, and the containers themselves, including the image running and its runtime model. As Mokris pointed out, a new core feature of Forensics is the timeline-based view of data, which makes it easier to visualize and jump to relevant events
Twistlock 19.07 introduces Serverless Radar, providing visibility into serverless environments, which are commonly lacking in this regard. Mokris explained that, while this sort of visibility is provided already for hosts and containers, visibility into serverless functions required a slightly different approach.
“Serverless security is different because you need to build a new architecture that can scan functions to identify vulnerabilities and compliance issues. Scanning the code is different, because you don’t have the ability, like you do for virtual machines or a normal containerized stack, to run any sort of agent on the host where you’re running your serverless workloads,” said Mokris. “So, you need to have a new method to deploy any sort of security protocol at runtime. From a framework perspective, serverless functions can be incredibly short-lived, so it can also be a challenge. It’s still part of this cloud native paradigm, but there’s definitely some new ways of thinking about serverless.”
According to the release notes, Serverless Radar “uses existing provider APIs to discover the invocation methods for each function and the services they communicate with and draws them in a three-pane view,” showing invocation methods, color-coded functions according to vulnerability, compliance and runtime state, and finally the backend services the functions communicate with, such as Amazon Web Services’ S3.
In late April, the Docker Hub container image repository was hacked, compromising nearly 200,000 accounts. With Twistlock 19.07, Trusted Images version 2 arrives to further protect organizations against this sort of attack.
“One of the challenges that organizations have today is how they’re going to secure their development pipelines. Security teams might be tasked with securing a cloud native environment where they don’t always know the source of the images that are being used to build the containers running in that environment. Another challenge is that even the developers might not know all of the building blocks that they have, as they build their container images layer by layer,” explained Mokris. “Trusted Images allows organizations to specify a specific registry or repository that’s considered trustworthy and then alert on or block images from outside locations. It prevents a developer from going out to Docker Hub and just pulling down images that they’ll run on an environment that needs to be compliant or an environment that might be in production and have really stringent vulnerability standards.”
In addition to letting users create their own rules, Trusted Images version 2 automatically learns and creates flexible, rule-based policies by examining the origins of all the images already in use, ensuring that future versions will be allowed, and ensuring only trusted sources are used, whether internal or external.
Cloud Platform Radar
Using the Cloud Discovery open source project originally released in 2018, Twistlock’s Cloud Platform Radar is meant to give organizations visibility into their sometimes sprawling multicloud environments. Mokris explains that you can’t protect what you don’t know about, so Cloud Platform Radar lets you see exactly what you’re running and where.
“A lot of security teams are challenged to just identify all of the cloud native services in use at an organization. We surface all of those various services, with some data about them and then whether they’re secure or not based on whether or not you’ve deployed Twistlock,” said Mokris. “We’re adding this new type of radar where we surface that protection or unprotected status on top of a global world map. This is another easy way to visually see where all these services, what public cloud are they running on and then what region or what location is each node running on.”
As with all Radars on Twistlock, Cloud Platform Radar also lets users employ various filters to customize the information shown.
Finally, Twistlock 19.07 commits itself to a deeper support of Windows after having noticed an increased use of the operating system in cloud-native environments.
“A a lot of customers re-architect and run applications on cloud native infrastructure and Windows is a part of those scenarios. So we’ve improved and added to all of our existing Windows capabilities, integrating with some existing Windows features to provide compliance checks around automatic updates, Windows Firewall, and Windows Defender configurations. Some folks want to run Jenkins on Windows because that’s what they’re used to, so we now support that.”
With this latest update, Windows users can now enjoy a production version of CNNF, compliance checks for Windows covering Automatic Updates, Windows Firewall, and Windows Defender configuration, support for Jenkins, enhanced risk scoring for Windows vulnerabilities, and Windows Server 2019 support.