Profile Risk with Vulnerability Management
Throughout the Build, Ship, and Run Pipeline
NeuVector scans for vulnerabilities during the entire CI/CD pipeline, from Build to Ship to Run. Use the Jenkins plug-in to scan during build, monitor images in registries and run automated tests for security compliance. Prevent deployment of vulnerable images with admission control, but also monitor production containers. Blazing fast, highly scalable image vulnerability analysis scans thousands or hundreds of thousands of images.
NeuVector easily deploys as a container onto virtual machines or bare-metal OS environments. The Enforcer container is deployed on each node to protect the containers running on it. A Controller container manages the cluster of Enforcers. NeuVector can be managed through the Console, REST API, or CLI.
- End-to-End Vulnerability Management: Scanning and admission control during build, test and deployment
- Run-time Scanning: Scans containers, hosts, and orchestration platforms during run-time
- CIS Benchmarks: Audits host and container security with Docker Bench and Kubernetes CIS Benchmark security tests
- Risk Scores and Compliance Reports
Protect Data in Production
Go Beyond Scanning with Deep Network Inspection and the only Layer 7 Container Firewall
NeuVector discovers normal connections and application container behavior and automatically builds a security policy to protect container-based services. Using process and file system monitoring with Layer 7 network inspection, unauthorized container activity or connections from containers can be blocked without disrupting normal container sessions.
- Protect containers against attacks from internal and external networks
- Deep Packet Inspection: the only real-time identification and blocking of network, packet, zero-day and application attacks such as DDoS and DNS attacks
- Detect and Mitigate Application Threats with a Container Firewall: identify and block at Layer 7 between container and pod pairs
Automated Prevention and Policy
Security as Code for DevOps and DevSecOps
As DevOps teams integrate their toolchain to enable automated deployment of container-based applications, one aspect has always slowed down a modern cloud-native pipeline: security. And while automated vulnerability scanning is now standard practice, creating the security policies to protect application workloads in production has largely been a manual process. The use of Kubernetes custom resources to capture and declare an application security policy early in the pipeline now solves this problem.
In order to ‘shift left’ security, developers can take on the initial task of creating not only the application deployment manifest but also the security manifest. The images are built, and automated vulnerability scanning is completed and reviewed by DevOps. Once those steps are passed, DevOps can test both the deployment manifest and the security manifest and provide feedback to developers on the results.
The DevOps team can then deploy new apps together with the security policy for the apps into the production environment, ensuring that apps are secured as soon as they start running in production.
- Behavioral learning: discover application behavior and services to isolate them from attacks
- Security Policy as Code: integrate security policy throughout the CI/CD pipeline
- Streamline communication between security and development
Integrations and Platforms
DevOps, Orchestration, and Reporting Tools + Enterprise Infrastructure
NeuVector simplifies deployment and management with the most extensive integration with orchestration and other enterprise tools. Enforce RBACs for NeuVector access with Kubernetes namespaces or automatically integrate with Red Hat OpenShift RBACs. Use existing SIEM and monitoring tools with NeuVector.
- Integrates into the CI/CD and production monitoring pipeline
- Runs on all major cloud platforms including AWS, Azure and Google Cloud Platform
- Supports SYSLOG and webhooks for notifications into SIEM, Slack and other alerting systems
- Map user roles with LDAP integration and single sign-on (SSO) with SAML support