Using Machine Learning to Connect the Dots in Container Security
There is a weird, virtually universal truth about the relationship between technology and security. There is often an inverse relationship in which the more powerful, useful or convenient a technology is for the end user, the larger the risk it poses from a security perspective. The things that make it a great technology also expose it to potential exploit and compromise. This is definitely true when it comes to containers.
Containers provide an alternative to virtual machines and allow organizations to streamline development and deployment of applications. Containers let developers virtualize a single application and break it into smaller, more manageable components. Containers enable applications that are more agile and more scalable and can be spread potentially across servers and throughout the infrastructure.
Wei Lien Dang, VP of Product for StackRox, explains, “The highly distributed, rapidly changing attack surfaces that containers present pose unique challenges for security operators. Effective threat detection requires identifying indicators of attack and compromise that may be spread out across the environment, and intelligently relating them to each other to discover potential threat vectors.”
The reality is that most runtime attack patterns are specific to different applications, which means understanding application behavior is crucial. Additionally, because containers are highly scalable and ephemeral, it can be difficult to capture the data required to identify the root cause of security incidents.
These challenges cannot be addressed with traditional security infrastructure because it is not container-aware. Machine learning helps connect the dots to recognize those indicators of attack or compromise and provide the context necessary to trace the root cause of an incident.
Container technologies such as Docker or Kubernetes have a variety of security capabilities built in, such as vulnerability scanning, image signing and secrets management. These container platforms are positioned to ensure hardening, prevention and overall security throughout the build and deploy phases of the container life cycle. Where they fall short, however, is the ability to monitor or provide security during runtime.
“Customers are concerned about threats at runtime due to the emerging threat landscape not yet being well-defined,” Dang says. In addition to the security foundation provided by the container platforms themselves, there must be a focus on detecting intrusions and active compromise to provide security teams with comprehensive detection and response capabilities and provide the tools necessary to mitigate threats and investigate the root cause of attacks since, he notes, prevention alone will never be sufficient.
Actively monitoring and defending a dynamic, ephemeral environment such as containers, though, requires container-aware tools that are capable of operating at the same speed and scale. Machine learning enables the container security solution to keep up with the pace of the container environment.
Dang says the latest release of StackRox, StackRox 1.3, enhances its capabilities with a variety of features and updates, including new detection rules that allow organizations to detect persistent or long-lived threats in the environment.
One of the trends in attacks over the past few years has been an increased level of patience—and persistence—on the part of attackers. Threat actors often bide their time after they infiltrate your network, waiting days or weeks before taking subsequent action. StackRox modified the way it correlates data over time to detect long-lived attack patterns throughout the container environment. Recurring events also are tracked and collated as part of existing alerts to reduce noise.
Leveraging containers is essentially a business imperative at this point. The benefits are too big to ignore, and failing to embrace containers puts a company at a strategic disadvantage to its container-using competitors. Companies using containers also must make sure they have container-aware security that utilizes machine learning to keep up with the rapid pace of the container environment and connect the security dots.
