Detect Threats with Runtime Security
With the increasing use of multi-cloud infrastructure services, security has become more complex. You need simplified security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection.
Although containerisation provides a reliable and lightweight runtime environment that is consistent from host to host, it only adds to the complexity that stems from multi-cloud infrastructure services and the need to maintain legacy servers and virtualised data centres. This opens up a new range of security risks coming from the nature of the environment. A common example of this environment is a container running on a host with a specific network setup, and in many cases, hosted in a cloud.
As a result, containers running in production environments handle requests from many different sources and are subject to never-ending scans and attacks.
Conventional solutions often target either the network or the endpoint part of the problem, but not both. In addition, they lack the visibility required to examine all connections and processes happening inside containers or between multiple connected containers.
That’s why it’s critical to protect all containers against malware and vulnerabilities.
Modern-day container security
The process of securing containers is continuous. It should be integrated into your development process, automated to reduce the number of manual touch points, and extended into the maintenance and operation of the underlying infrastructure. This includes protecting your build pipeline, your container images, and the runtime host, platform, and application layers. Implementing security as part of the continuous delivery life cycle enables your team to mitigate risk and reduce vulnerabilities across an ever-growing attack surface.
When securing containers, many organisations share the following concerns:
- The security of the container host
- Container network traffic
- The security of your application within the container
- Malicious behaviour within your application
- Securing your container management stack
- The foundation layers of your application
- The integrity of your build pipeline
Trend Micro Cloud One™ - Container Security provides active defence
Runtime security provides visibility into any activity of your running containers that violates a customisable set of rules. Currently, runtime security includes a set of pre-defined rules that provide visibility into MITRE ATT&CK framework tactics for containers and container drift detection.
Trend Micro Cloud One - Container Security mitigates issues detected by the runtime visibility and control feature, based on a policy that you define. If a container violates any rule during runtime, the issue is mitigated by terminating or isolating the container based on the runtime ruleset in the policy.
As your team requires a cloud solution that can continuously deliver production-ready applications and meet the needs of the business, Container Security provides the following:
Detects security issues early, enforces admission policies, and provides assurance that only compliant containers run in production.
- Build a security policy based on container image scanning and detection of secrets, keys, malware, and vulnerabilities
- Allow only images that meet specific application or organisation security policies to proceed through the pipeline
- Select from advanced policies, such as disallowing images set as privileged containers, or allow exceptions based on names or tags
- Run powerful enforcement and compliance checks, and extend Kubernetes admission control
- Get support for leading cloud service providers — Amazon Elastic Kubernetes Service (Amazon EKS), and Azure Kubernetes Service (AKS)
Uncovers vulnerabilities, malware, and sensitive data, such as API keys and passwords, within your container images, including source-code analysis powered by Snyk.
- Invoke unlimited, detailed scans with recommended fixes at any stage of your pipeline
- Minimise false positives by correlating patch layers with packages that are vulnerable in the same image
- Address vulnerabilities before they can be exploited at runtime
- Enable developers to address security bugs before deployment
Enables runtime protection for all your containerised applications.
- A software-as-a-service (SaaS) platform for cloud-native security, including host, container, and serverless container requirements
- Runtime protection deployed within the cluster, for all containerised applications within each node
- Greater visibility into attempts to run disallowed commands or illegally access files
- Runtime protection builds a model of expected behaviour via Learning Mode
- Automated management tasks and policy via code, as part of a CI/CD pipeline
Pwnkit use case
Security researchers disclosed PwnKit, a memory corruption vulnerability in polkit’s pkexec, assigned the ID CVE-2021-4034 (rated “High” with a score of 7.8). The flaw allows a low-privileged user to escalate privileges to root on the host. Various proofs of concept (PoCs) have been published in different languages (several in C, as well as Python, Bash, and Go), and the vulnerability has existed for over 13 years, affecting all versions of pkexec since its first release in 2009.
How Container Security utilised admission control and image scanning to detect the threat
- Notified or blocked images containing malware, critical severity findings, or other harmful criteria
How Container Security utilised runtime protection to detect the threat
- After PoC execution, detections were captured based on how the exploit was executed and how the commands were run in the container
The images below show clear indications of suspicious activity.
New executable (chmod)
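To make the container drift detection described under runtime security, and the “new executable (chmod)” detection in the PwnKit use case, concrete, here is an added example that is not Trend Micro’s code: a small Python rule that consumes a constructed stream of container process and file events and flags any file that is given an exec bit, or executed, without being part of the image’s baseline. The event schema, the baseline manifest and the sample events are all assumptions for illustration.

```python
"""Toy container-drift detector: flag executables not present in the image.

Added example, not part of Trend Micro Cloud One. The event schema, the
baseline and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
import stat

# Constructed baseline: executables shipped in the image (e.g. from its manifest).
IMAGE_EXECUTABLES = frozenset({"/bin/sh", "/bin/ls", "/usr/bin/chmod", "/usr/bin/pkexec"})

@dataclass(frozen=True)
class Finding:
    rule: str
    container: str
    path: str
    detail: str

def _is_exec_mode(mode: int) -> bool:
    """True if any of the user/group/other execute bits is set."""
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def detect_drift(events, baseline=IMAGE_EXECUTABLES):
    """Return findings for executables that drifted from the image.

    Each event is a dict with 'type' ('chmod' or 'exec'), 'container', 'path',
    and for chmod an integer 'mode'. Two rules mirror the runtime detections:
      - new_executable: a file not in the image was given an exec bit.
      - drift_exec:     a process was started from a file not in the image.
    """
    findings = []
    for ev in events:
        path = ev["path"]
        if path in baseline:
            continue  # shipped with the image: not drift
        if ev["type"] == "chmod" and _is_exec_mode(ev["mode"]):
            findings.append(Finding("new_executable", ev["container"], path,
                                    f"chmod {oct(ev['mode'])} on file not in image"))
        elif ev["type"] == "exec":
            findings.append(Finding("drift_exec", ev["container"], path,
                                    "executed binary not in image"))
    return findings

# Constructed sample events: a normal command, a harmless chmod, then a new
# executable being created and run inside the container at runtime.
SAMPLE_EVENTS = [
    {"type": "exec", "container": "web-1", "path": "/bin/ls"},
    {"type": "chmod", "container": "web-1", "path": "/tmp/notes.txt", "mode": 0o644},
    {"type": "chmod", "container": "web-1", "path": "/tmp/newbin", "mode": 0o755},
    {"type": "exec", "container": "web-1", "path": "/tmp/newbin"},
]

if __name__ == "__main__":
    for f in detect_drift(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.container} {f.path}: {f.detail}")
```

A real agent would build the baseline from the image layers and, per the policy described above, terminate or isolate the container instead of only printing.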
Tools like Trend Micro Cloud One – Container Security enable you to incorporate and automate admission control policy, threat detection, and runtime protection into your system. Trend Micro helps secure your existing containers, enabling you to incorporate new container orchestration into your infrastructure. To start protecting your cloud infrastructure from attack, try Trend Micro Cloud One free for 30 days.