It seems like there really aren’t that many run-time security tools available for containers yet. Why is that?
FH: Until last year there weren’t many production deployments using Docker containers and orchestration tools, so all container deployments were highly customized. But as more projects move toward production deployments, security teams are being asked to provide security and visibility into the run-time environment – including network connections. This is not an easy task, with the constant evolution and change in network overlays and orchestration tools. Run-time security tools need to take the best of proven technologies – like distributed application firewalls – and apply them to the entirely new environment of containerized applications, which constantly scale up and down. This requires expertise in security, virtualization, systems, and DevOps, which most companies don’t have.
What do you see as the most common container security issues right now?
FH: Enterprises have no way to inspect container networks and determine legitimate and suspicious activity. There are no real-time visibility tools to capture and characterize application behavior from a networking perspective. This makes it difficult to debug applications during testing, and of course it’s impossible to monitor them in production. Most companies are shocked to learn how much open source software is being used in their applications, and the critical vulnerabilities that exist in them. But even worse is that it’s not even possible to determine if any of the containers are generating or receiving suspicious connections.
What about some other potential vulnerabilities that are more under-the-radar?
FH: Hackers have always found ways around defenses, so it’s critical to monitor a container environment for suspicious activity. This could happen if a backdoor is found that enables an infected container to run, or a misconfiguration allows a hacker to gain control of a container or host. Most threats will include some type of communication activity, either a phone home to download a virus or a lateral spread to other containers or hosts to find other vulnerabilities. With containers being used in a microservices-based architecture, there is a tremendous amount of east-west, or lateral, internal traffic, and this type of traffic traditionally has not needed to be monitored and secured. But that’s no longer the case.
Are Docker’s security tools enough for enterprises?
FH: Docker has improved its built-in security a good deal recently, which is a good thing. Vulnerability scanning of images, access controls, encryption, and secrets management all help to improve security. But as we all know, the real environment is much more complicated, and a layered security strategy is required to adequately protect against as many threat vectors as possible. The platform security layer is being addressed well by Docker, but other layers are also very critical. For example, we can’t imagine a traditional data center without a gateway firewall. In a Dockerized environment, one bad container could damage the entire data center from the inside. But today, by leveraging new virtualization and security technologies, run-time security for internal container traffic is possible. This enables an advanced firewall like NeuVector to prevent container attacks within the data center as well as from the outside.
What’s unique about NeuVector’s approach to container security? When and why is it needed?
FH: NeuVector focuses on run-time security. Specifically, NeuVector inspects all network connections in real time to detect suspicious activity and block unauthorized connections if desired. NeuVector’s technology is behavioral-learning based, so it requires zero configuration to create and maintain the whitelist security policy. This is critical in a constantly changing containerized environment. We believe that the network is, and has proven historically to be, the most critical place to detect exploits, breakouts, virus spreading, and other hacker activity, so we’ve built the best container network security tool. However, we have also rounded out our container security solution with host security features such as privilege escalation detection and Docker Bench for Security auditing. We also scan all running containers and hosts for vulnerabilities.