Container Security: Definition, Best Practices, and Examples
How Do Containers Work?
Containers represent the next generation of virtualization technology for cloud environments. They can best be described as a self-contained unit of software—including application code plus its libraries, system tools, and dependencies—all the necessary elements needed to run in an environment. However, they have a smaller scope and footprint than virtual machines (VMs) and leverage the features of a host OS rather than having the guest OS run inside each container. As such, they're quick and easy to deploy across multiple cloud environments with container orchestration services, making them increasingly popular with DevOps teams.
What is a Container Orchestration Service?
Because of their lightweight, ephemeral nature, containers need specialized tooling to manage effectively in production. Orchestration tools automate the deployment, management, scaling, and networking of containers. This enables organizations to deploy microservices-based apps for things like storage, networking, and security across multiple cloud environments, without needing to redesign them. The same orchestration tools empower DevOps teams to integrate containers into CI/CD workflows. Popular examples include Amazon Elastic Kubernetes Service (Amazon EKS), Google Kubernetes Engine (GKE), Azure Kubernetes Service (AKS), Docker, OpenShift, and Nomad.
Why is Securing Containers a Challenge?
The ephemeral nature of containers makes them difficult to protect. Because they can be deployed and destroyed multiple times in a single day, security teams have trouble gaining continuous visibility and understanding what constitutes the anomalous or malicious behaviors. Threat actors are getting wise to this: probing the coverage gaps that result from these challenges to launch attacks on the software supply chain. In an attempt to close those gaps, organizations often create tool sprawl and friction.
How do I Secure Containers?
Two popular approaches to cloud container security are cloud workload protection platforms (CWPP) and network detection and response (NDR) solutions.
CWPP tools are favored for their ability to secure workloads across container-based platforms and cloud environments in a consistent manner, reducing the complexity of container security. They check for vulnerabilities in static code, perform system hardening, and identify workload misconfiguration, all of which can help to reduce security risk. However, CWPP tools can be challenging to configure, especially in ephemeral environments. They only provide security at a workload level, not at the data or application layer. And they usually exclude runtime security for containers, which is crucial to identifying advanced threats and responding to successful attacks.
Most containers have a network interface, which enables container networking and allows tools like NDR to monitor and analyze traffic flowing between containers. Many organizations prefer this option to CWPP tools as NDR offers many of the same benefits plus enhanced visibility, threat detection, and response across cloud workloads. NDR also offers container runtime security and application layer visibility.
A Common Container Attack
As the SolarWinds and Kaseya campaigns have shown, threat actors are increasingly looking to launch attacks on the software supply chain. By focusing their efforts upstream, they hope to impact more targets. Containers are an increasingly popular target for such tactics.
In this type of attack, a threat actor will upload a compromised container image to a Docker image repository. When the container management service automatically updates, it will replace the real image with the malicious imposter. It looks like the real thing, and without the right tools, developers will happily install it. One analysis of Docker images claimed there are thousands of images on Docker Hub that are actually malicious.
How ExtraHop can Help
Fortunately, best-of-breed NDR like ExtraHop's Reveal(x) 360 platform detects in real time the malicious activity associated with container-based supply chain attacks and provides richer context into an attack than is available in log or agent data.
Reveal(x) 360 uses cloud-scale machine learning to analyze container behavior, establishing a baseline for what "normal" looks like via peer group analysis. That means even if the container is new, Reveal(x) 360 can detect if it's behaving suspiciously as that behavior occurs. The platform's high-fidelity alerting also provides context about the attack—empowering security teams to quickly respond with confidence via manual intervention or automated workflows. No other NDR vendor learns and understands the behavior of services from a network perspective as effectively as ExtraHop.
Comprehensive Container Security from Reveal(x) 360
Reveal(x) 360 offers cloud-scale visibility, advanced threat detection, and intelligent response across all your containers and services. That means:
Visibility to discover containers and services as soon as they communicate across the network and map any dependencies. Activity maps with timestamps also enable analysts to understand containerized environments at any point in time.
Threat detection combining rules with behavioral analysis for a full spectrum approach. Reveal(x) 360 analyzes container traffic across the network with cloud-scale machine learning to identify any and all malicious activity as soon as it occurs.
Complete coverage from a SaaS-based platform that monitors traffic in containerized, IaaS, PaaS, and SaaS environments in a single pane of glass.
Versatile deployment for maximum coverage with the smallest footprint:
A virtual tap deployed in the container or as a sidecar for visibility and analysis at the microservices level
Dynamic service-layer object (custom device) automatically updated via integration with CI/CD pipeline for visibility and analysis at the service level
For many organizations, containers are increasingly the fuel used to power innovation and business growth. However, the organizations best placed to capitalize will be those who first mitigate security risks at this layer by leveraging best-in-class NDR.