StackRox this week moved to make it easier to secure containers by integrating its container security software with multiple container orchestration platforms.
Company CTO Ali Golshan says StackRox Detect and Respond 2.0 software enables IT security teams to discover multiple types of threats by employing machine learning algorithms. Integrations with container orchestration software now make it possible to automatically group services within applications to enhance overall visibility into the container environment, says Golshan. Previously, IT security teams needed to manually associate containers with application services.
In addition to expanding the types of threats that can be detected, version 2.0 adds baselines for security that are used to generate alerts when anomalies are detected.
In general, Golshan says, containerized applications are arguably more secure because any time malware is detected, an IT organization can simply replace all the impacted containers. With containerized applications, the days when IT organizations had to fret over when and how to patch the application are now over, says Golshan.
The degree to which IT security teams understand that inherent capability of containers is unclear. Most developers understand how containers fundamentally transform the way applications are updated. But most IT security teams don’t fully appreciate how quickly security issues can now be remediated when applications are containerized.
Golshan says StackRox is focusing most of its efforts on Global 2000 organizations where security is paramount. Rather than relying on virtual machines to deploy containers, many of these organizations are deploying containers on lightweight distributions of Linux to minimize the size of the attack surface that needs to be defended. At the same time, as the underlying infrastructure becomes more secure, Golshan notes it’s only a matter of time before cybercriminals focus more of their time and energy higher up the application stack. Once that shift starts to occur, the ability to detect compromised containers as quickly as possible becomes critical, says Golshan.
To accelerate that detection, StackRox has expanded its Adversary Intent Model for identifying threats to include:
- Reverse shell invocation enabled by generic initial exploitation vectors
- Java-based code injection attacks
- Execution of setuid/setgid by non-root users
- Database persistence via post of database procedures
- User persistence via modification of configurations
- Anomalous network communication with a client followed by payload execution or unexpected process cloning
- Cryptocurrency mining; and
- Exfiltration of sensitive content via reading stored secrets or accessing confidential file paths.
Currently, StackRox is working with Google to extend the reach of its security detection model deeper into the public cloud. The idea is that IT organizations should be able to detect threats regardless of where and how containers are deployed.
Golshan says it will take a while for IT security teams to realize they need tools specifically designed for containers. In the meantime, StackRox continues to focus on helping IT security teams infuse container security processes into their existing workflows, especially as organizations continue to embrace DevSecOps, says Golshan.
As is often the case with any emerging technology, the number one inhibitor of adoption is always security. But when it comes to containers, it’s now only a matter of time before IT security teams start to discover there’s a lot more to gain than potentially lose.