How to Achieve Continuous Container Security
Integrate and Automate Security in Your Build, Ship, & Run Processes
As enterprises move quickly to deploy containers and microservices through a continuous integration and delivery (CI/CD) pipeline, security often becomes an afterthought. DevOps and security teams should instead aim for continuous container security across the whole pipeline. The starting point is the Build phase: making sure applications don’t introduce vulnerabilities and that container images are hardened to reduce the attack surface. But by far the most critical phase is Run-time, where the production environment must be secured and monitored in real time.
Security has traditionally been a separate process implemented by a different team. But as application delivery becomes more automated and faster paced, security processes will also need to become integrated with the CI/CD pipeline. As security continues to “shift-left” to DevOps and development teams, security technology will need to have more application intelligence built-in.
With automation tools and the declarative nature of container deployment, many requirements for security testing and policy configuration can also be automated. When container intelligence is combined with traditional network and application intelligence, continuous container security becomes possible. Container security automation can also help to ensure that enterprises maintain compliance by auditing security settings and maintaining required controls.
Containers and the evolution to microservices dramatically change traffic direction and volumes. There is an increase in East-West (internal) traffic between containers, hosts, and even clouds. All this traffic should be monitored and secured, but perimeter firewalls and IDS/IPS systems are not designed for this. While perimeter defenses are still required, we can’t assume that hackers and thieves won’t find a way in.
That is why every defense-in-depth or layered-security design includes real-time, run-time detection of threats and policy violations. Containers are no different, except that the traffic between containers must be secured as well. This is no easy feat, since containers can be constantly starting, stopping, and moving between hosts.
Container Threats and Attacks
A container environment is exposed to most of the same exploits that threaten any application environment. Many of the recent ransomware attacks and Linux vulnerabilities can affect containers and their hosts:
- The Dirty Cow exploit (CVE-2016-5195), a race condition in the Linux kernel’s copy-on-write handling, allowing root privilege escalation on a host or inside a container;
- MongoDB and ElasticSearch ransomware attacks against vulnerable application containers exposed with no authentication;
- Port scanning, frequently seen against public cloud container instances, which is often the first step in the kill chain;
- OpenSSL heap corruption caused by a malformed key header, and a crash triggered by the presence of a specific extension;
- The Stack Clash vulnerability (CVE-2017-1000364), which lets a local user-space process collide its stack with another memory region and escalate to root.
Containers offer a convenient way to package and deploy applications together with their dependencies and libraries. They are exposed to typical application exploits as well as to any threats against the infrastructure that runs or manages them. Because every container on a host shares that host’s kernel, a kernel vulnerability such as Dirty Cow that is reachable from inside one container endangers the host and every other container on it. Monitoring and securing this environment requires technology built for containers.
Continuous Container Security for Build, Ship, Run
Here are some of the recommended security requirements for each of the phases. You can download the complete guide here. The guide includes a checklist and a downloadable Excel tool.
Build and Ship
- Code Analysis. Analyze source code for application-specific vulnerabilities before the image is built.
- Container Hardening. Start from a minimal base image, remove unneeded libraries, packages, and shells, and restrict what the container can do (for example, run as a non-root user).
- Image Scanning. Scan images for known vulnerabilities at build time, and rescan images held in registries regularly, since new CVEs are published against packages already inside stored images.
- Image Signing, e.g. Docker Content Trust. Sign images and verify the author / publisher before an image is deployed.
- User Access Controls, e.g. Registries. Restrict and monitor access to trusted registries and deployment tools.
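The image-scanning step above is the one most often wired into a pipeline. The following is an added example, not code from the original post or from NeuVector: it matches a container image's installed packages against a vulnerability feed and decides whether the image may be pushed. The package inventory and the feed are constructed inline; the two feed entries use their public CVE numbers and upstream fix versions, while the package list, thresholds and function names are illustrative assumptions.

```python
"""Build-phase image scanning: match an image's installed packages against a
vulnerability feed and gate the pipeline on the result.

Added example for this post; it is not NeuVector code or any real scanner.
The package inventory and the feed are constructed inline. The two feed
entries use their public CVE numbers and upstream fix versions; everything
else (names, thresholds) is illustrative."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    package: str
    fixed_in: str   # first upstream version carrying the fix
    severity: str


# Constructed feed: two well-known advisories with their upstream fix versions.
FEED = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1g", "high"),    # Heartbleed
    Advisory("CVE-2015-7547", "glibc", "2.23", "critical"),    # getaddrinfo overflow
]

# Constructed inventory, as a scanner would read it from dpkg/rpm/apk metadata.
IMAGE_PACKAGES = {
    "openssl": "1.0.1f",
    "glibc": "2.24",
    "curl": "7.52.1",
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Turn a version string into a comparable tuple: numeric runs compare as
    integers, letter runs lexically, and a numeric token sorts before a letter
    token. This is a simplified dpkg/rpm ordering; epochs ('1:') and '~'
    pre-release markers are not handled."""
    return tuple((0, int(tok), "") if tok.isdigit() else (1, 0, tok)
                 for tok in _TOKEN.findall(version))


def is_vulnerable(installed, fixed_in):
    """True when the installed version precedes the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def scan(packages, feed):
    """Return findings for every feed entry that matches an installed
    package, sorted worst-first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for adv in feed:
        installed = packages.get(adv.package)
        if installed is not None and is_vulnerable(installed, adv.fixed_in):
            findings.append({"id": adv.vuln_id, "package": adv.package,
                             "installed": installed, "fixed_in": adv.fixed_in,
                             "severity": adv.severity})
    findings.sort(key=lambda f: (rank.get(f["severity"], 9), f["package"]))
    return findings


def gate(findings, fail_on=("critical", "high")):
    """CI gate: True means the image may be pushed to the registry."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = scan(IMAGE_PACKAGES, FEED)
    for f in results:
        print(f"{f['severity'].upper():9}{f['id']}  {f['package']} "
              f"{f['installed']} < {f['fixed_in']}")
    print("gate:", "pass" if gate(results) else "FAIL, fix before pushing")
```

One caveat matters in practice: distributions backport fixes without bumping the upstream version (a Debian openssl `1.0.1e-2+deb7u5` may already contain the Heartbleed fix), so a comparison against upstream versions like the one above produces false positives. Real scanners key their feeds on the distribution's own security tracker and package revision, and the same registry rescan should run on a schedule, not only at build time.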
Run – Preparation
- Host and Kernel Security. Apply seccomp, AppArmor, or SELinux profiles (or equivalent host security settings) so that a container can only reach the system calls and files it actually needs.
- Access Controls. Restrict access to the host and to the Docker daemon; anyone who can reach the daemon socket can start a privileged container and is effectively root on the host.
- Auditing, e.g. Docker Bench. Run a security audit against the CIS Docker Benchmark.
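The three preparation items above can be checked mechanically before a node takes production traffic. The following is an added example, not code from the original post, from NeuVector, or from Docker Bench: it reads `docker inspect` output and flags the settings those items are about (privileged mode, added capabilities, disabled seccomp/AppArmor, shared host namespaces, a mounted daemon socket, and running as root). The two inspect records are constructed and trimmed to the fields the checks read; on a real host the input would be the output of `docker inspect $(docker ps -q)`.

```python
"""Run-preparation audit of container settings taken from `docker inspect`.

Added example for this post; not NeuVector or Docker Bench code. The records
below are constructed and trimmed to the fields the checks use."""
import json

# Constructed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {   # hardened: non-root user, default seccomp/AppArmor, no extra caps
        "Name": "/web",
        "Config": {"User": "10001:10001"},
        "HostConfig": {"Privileged": False, "CapAdd": None,
                       "SecurityOpt": None, "NetworkMode": "bridge",
                       "PidMode": ""},
        "Mounts": [],
    },
    {   # risky: root, privileged, seccomp off, host namespaces, socket mounted
        "Name": "/ci-runner",
        "Config": {"User": ""},
        "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                       "SecurityOpt": ["seccomp=unconfined"],
                       "NetworkMode": "host", "PidMode": "host"},
        "Mounts": [{"Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
])

# Capabilities that give a path to the host kernel or other processes.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
                  "DAC_READ_SEARCH"}


def audit_container(rec):
    """Return a list of (severity, finding) for one inspect record."""
    hc = rec.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        # --privileged also disables the default seccomp and AppArmor profiles
        findings.append(("high", "privileged: all capabilities, device access, "
                                 "seccomp/AppArmor disabled"))
    bad = sorted(set(hc.get("CapAdd") or []) & DANGEROUS_CAPS)
    if bad:
        findings.append(("high", f"added capabilities {bad}"))
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("seccomp=unconfined", "apparmor=unconfined"):
            findings.append(("high", f"{opt.split('=')[0]} profile disabled"))
    if hc.get("NetworkMode") == "host":
        findings.append(("medium", "shares host network namespace"))
    if hc.get("PidMode") == "host":
        findings.append(("medium", "shares host PID namespace"))
    for m in rec.get("Mounts") or []:
        if m.get("Source", "").endswith("docker.sock"):
            findings.append(("high", f"Docker socket mounted at "
                                     f"{m.get('Destination')} (root on host)"))
    if not (rec.get("Config") or {}).get("User"):
        findings.append(("medium", "runs as root (no USER set)"))
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in the JSON array."""
    return {rec.get("Name", "?").lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


def worst_severity(report):
    """'high', 'medium' or None across the whole report."""
    sevs = {s for findings in report.values() for s, _ in findings}
    return "high" if "high" in sevs else ("medium" if sevs else None)


if __name__ == "__main__":
    report = audit(SAMPLE_INSPECT)
    for name, findings in report.items():
        print(name, "OK" if not findings else "")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run it on a real host and compare with Docker Bench: the checks above correspond to the benchmark's container-runtime recommendations, but the benchmark also covers daemon configuration and host file permissions, which this script does not read.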
Run – Production
- Network Inspection & Visualization. Inspect all container-to-container connections and build a visualization of the application stack’s normal behavior.
- Threat Detection. Monitor applications for DDoS, DNS attacks, and other network-based application attacks.
- Host & Container Privilege Escalation Detection. Detect privilege escalation on hosts and inside containers so that breakouts and attacks are caught early.
- Packet Capture & Event Logging. Capture packets and event logs to enable forensics.
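The first three production items above come down to two detections: a connection that does not fit the application stack's learned behavior, and a process that gains privileges it should not have. The following is an added example, not code from the original post or from NeuVector, showing both on constructed data: it learns the normal container-to-container connections from a baseline window, then flags unauthorized connections and port scans in live traffic, and separately flags a shell spawned by a service process and a uid transition to root that did not go through a known setuid binary. Service names, thresholds and the event tuples are assumptions; a real source would be the CNI plug-in, conntrack or eBPF socket and process tracing.

```python
"""Run-time detection: learned network baseline plus privilege-escalation
rules. Added example for this post, not NeuVector code; all events below are
constructed."""
from collections import defaultdict

# Connection events: (t, src_service, dst_service, dst_port), as an
# orchestrator-aware sensor would label them.
BASELINE_EVENTS = [
    (0, "web", "api", 8080),
    (1, "api", "db", 5432),
    (2, "web", "api", 8080),
    (3, "api", "cache", 6379),
]
LIVE_EVENTS = [
    (100, "web", "api", 8080),
    (101, "api", "db", 5432),
    (102, "web", "db", 5432),     # web must never reach db directly
    (103, "web", "cache", 6379),  # nor the cache
    (104, "api", "db", 22),       # api starts probing db's ports
    (104, "api", "db", 80),
    (104, "api", "db", 443),
    (105, "api", "db", 3306),
    (105, "api", "db", 8443),
]


def learn_baseline(events):
    """Allow-list of (src, dst, port) observed while the stack was trusted."""
    return {(s, d, p) for _, s, d, p in events}


def detect_connections(events, allowed, scan_threshold=5, window=10):
    """Alert on connections outside the baseline and on one source hitting
    scan_threshold distinct ports of one destination within `window`."""
    alerts = []
    recent = defaultdict(list)  # (src, dst) -> [(t, port)] inside the window
    for t, s, d, p in events:
        if (s, d, p) not in allowed:
            alerts.append((t, "unauthorized", f"{s} -> {d}:{p}"))
        buf = [(tt, pp) for tt, pp in recent[(s, d)] if t - tt <= window]
        buf.append((t, p))
        if len({pp for _, pp in buf}) >= scan_threshold:
            alerts.append((t, "port-scan", f"{s} probed {len(buf)} ports on {d}"))
            buf = []  # one alert per scan burst
        recent[(s, d)] = buf
    return alerts


# Process events: (t, container, parent_exe, exe, parent_uid, uid)
PROCESS_EVENTS = [
    (200, "web", "/usr/sbin/nginx", "/usr/sbin/nginx", 0, 101),  # worker drops to uid 101: fine
    (201, "web", "/usr/sbin/nginx", "/bin/sh", 101, 101),         # server spawns a shell
    (202, "web", "/bin/sh", "/tmp/payload", 101, 101),
    (203, "web", "/tmp/payload", "/bin/bash", 101, 0),            # uid 101 -> 0, no setuid binary
]
SETUID_OK = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}


def detect_escalation(events):
    """Flag shells spawned by non-shell processes and uid transitions to 0
    that did not come from a known setuid binary (a kernel exploit such as
    Dirty Cow leaves exactly this trace)."""
    alerts = []
    for t, c, pexe, exe, puid, uid in events:
        if exe in SHELLS and pexe not in SHELLS:
            alerts.append((t, "shell-from-service", f"{c}: {pexe} spawned {exe}"))
        if puid != 0 and uid == 0 and exe not in SETUID_OK:
            alerts.append((t, "privilege-escalation", f"{c}: uid {puid} -> 0 via {exe}"))
    return alerts


if __name__ == "__main__":
    allowed = learn_baseline(BASELINE_EVENTS)
    for alert in detect_connections(LIVE_EVENTS, allowed) + detect_escalation(PROCESS_EVENTS):
        print(*alert)
```

The baseline is only as good as the window it was learned in: if an attacker is already present while the sensor learns, their connections become "normal", which is why learned policies should be reviewed and frozen before enforcement, and why the escalation rules, which need no learning, run alongside them.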
Automation should be applied wherever possible to ensure security tests are actually performed. Security configurations can be created and updated automatically even as applications and deployment policies constantly change. Security automation examples for containers include:
- Code analysis for application security flaws
- Image scanning for known vulnerabilities (e.g. CVEs) in applications and libraries
- Image signing, tagging, and access controls
- Docker Bench security testing for images, Docker daemon, hosts, and containers
- Orchestration policies requiring deployment of monitoring and security containers
- Host and kernel security settings when deploying new nodes
- Security policy enforcement adapting as containers scale up, down and across
- Logging, packet capturing, and integration with SIEM systems
As more tools and resources support integration through REST APIs more of these security processes can be automated. It’s likely that today some will still need to be manually triggered or scripted.
Real-time Visibility and Security for Containers
It’s very difficult to maintain network visibility and security in the constantly changing world of containers. But running containers blindly is not an option. New exploits emerge constantly and there may be unknown back doors or vulnerabilities in hosts, systems, or applications.
The first challenge is finding a solution that integrates with orchestration and networking plug-ins and builds in intelligence about container deployment. The second is finding one with behavioral learning and real-time application layer network inspection so that security policies are automatically updated and unauthorized connections are reliably detected. As the final protection for when all other security precautions have failed, deploy a run-time container visibility and security solution that knows what to look for and can catch attacks early.
Let us know if you’d like to try out NeuVector on your own. It deploys just like any other container in minutes and is compatible with tools such as docker-compose, Kubernetes, Docker EE/DataCenter, OpenShift, Mesos, AWS and Rancher.