As container security becomes a higher priority, more organizations are starting to pay attention to not just segmentation of services using, for example, firewalls, but also security fundamentals such as intrusion detection. To address that issue, Alert Logic has extended its network intrusion detection system (NIDS) to include support for containers deployed on Amazon Web Services (AWS) and Microsoft Azure public clouds.
In addition, Alert Logic has embedded a container log management tool directly within its NIDS. Chris Noell, senior vice president of engineering at Alert Logic, says that approach makes it possible to employ the same container to collect logs and analyze network traffic.
Alert Logic delivers NIDS using a software-as-a-service (SaaS) application as part of a set of managed security services it provides. The Alert Logic service analyzes the signature of data packets as they traverse the container environment to detect cyberattacks in real time. That data is used to create a graphical representation of the compromised container and its relationships. Once a threat is detected, the Alert Logic security team working in a security operations center prioritizes and escalates the threat within 15 minutes and offers remediation advice.
Specifically, the Alert Logic NIDS is made available within Alert Logic Cloud Defender and Alert Logic Threat Manager service, which provides a single interface to manage container security for those running on multiple platforms, track events and incidents, examine metadata, determine what containers and hosts might be compromised and gain visibility into the container attack surface that needs to be defended. Those capabilities now span Docker, Kubernetes, Elastic Beanstalk, Docker Swarm, CoreOS, Azure Kubernetes Service, Amazon Elastic Container Service and Amazon Elastic Container Service for Kubernetes.
Noell says the goal is to increase container security by creating a closed DevSecOps loop within most organizations by making it easier and faster to discover vulnerabilities that can be quickly addressed by replacing one set of containers for another.
Naturally, it’s still early days when it comes to DevSecOps in the enterprise. Most organizations have not mastered the fundamentals of DevOps to the point where they could extend them to include programmatically embedding security controls within applications. But as containers continue to proliferate across the enterprise, many organizations are about to discover that being able to rip and replace containers eliminates dependencies on a complex patch management processes that result in known vulnerabilities failing to be addressed for months on end.
In the meantime, Alert Logic is betting that all the interest in developing applications faster will drive organizations to rely more on managed security services. Not only is cybersecurity talent hard to find and retain these days, many organizations increasingly prefer to allocate whatever full-time employee headcount they can afford to developing applications. Before too long many of them will craft a closed-loop approach to DevSecOps that spans external managed security service providers that discover issues and the internal application development team that remediates them in a few minutes by ripping and replacing containers.
Obviously, that state of DevSecOps nirvana is still quite far away. But it’s clear most organizations are not going to be able to achieve it without some external help.