Lacework Resolves the Container Security Gap
August 23, 2019
Lacework was among the first cloud security vendors to highlight the need for rigorous container security. Lacework’s security solutions are designed for containerized environments with ephemeral entities. Lacework’s native container support is designed to reduce the attack surfaces.
By automatically discovering every container across a user’s environment, Lacework establishes a baseline of known good behavior, and clusters the containers based on different behaviors. Lacework continuously monitors communications, launches and other cloud runtime behaviors, and provides context-aware, process-level visibility. Anomalous behavior of container or container orchestration platforms like Docker/Kubernetes is alerted in real-time.
In addition to anomaly detection to expose unknown threats, Lacework combines container-aware file integrity monitoring (FIM), configuration compliance, and a new logging system that provide traceability of container, user, and application events over time as containers come and go.
Deep Visibility Improves Container Security Posture
Lacework’s context-aware host-IDS agent operates at process-level and provides deep visibility of what’s happening in the container environment. Lacework continuously monitors events, communication, new connections, images, etc. For the container orchestration layer, Lacework provides visibility into Kubernetes clusters and communication among the clusters, which can be further visualized at the namespace level, and pod-level. By applying machine learning against the behavioral baselines, Lacework identifies abnormalities in real-time, including publicly exposed and unsecured API servers and management consoles.
As shown in the figure below, Lacework visualizes all the containers in your cloud environment using a polygraph. In addition to providing a global, logical view of the containers, Lacework’s visualization also allows you to drill down into each active container to view process-level details.
Figure 1. Lacework Polygraph for active container process-level details
Lacework generates a global view of processes and their connections, along with charts showing the 4W’s (Who, What, Where, When) to quickly trace back to the origin of an attack or abnormal behavior (example: an open API server). Since the events are logged at a process level, the logs continue to persist even when the containers are torn down. Attackers usually delete their trail. But in this case, the logs cannot be wiped out. This fine-grain, persistent visibility distinguishes how Lacework secures containers.
Figure 2. List of active containers (partial view)
Real-time Alerting of Container Vulnerability
Behavior-based anomaly detection exposes threats due to deviations from the normalized behavior of various cloud entities. Lacework continuously monitors traffic and events across containers and uses unsupervised machine learning to detect and alert abnormal behavior in real-time. In a compromised container, for example, an application launches many new, unexpected API connections. Similarly, a user is seen to escalate privilege to root and perform an activity that may ultimately lead to a container breakout. Such connections and activity performed out of normal context and existing relationships trigger an anomaly and alerts in real-time before significant damage can happen.
Figure 3. Event details
Container-Aware File Integrity Monitoring (FIM)
Lacework solution identifies the instance of malicious files in container environments, as well as the actors who are involved and then delivers contextual alerts. This helps to keep ahead of malicious tampering of container configuration and management.
Lacework agent keeps track of new files and records file hashes for easy comparison as they change over time. The file hashes are regularly synced between Lacework’s agent and the cloud platform, and the checksum is compared against curated threat databases to ensure the file is not malicious. In events when the file is flagged as malicious, Lacework triggers a critical alert and provides you the information to trace all containers impacted by the file. This expedites the process of identifying files as well as the research needed to understand the impact of the malicious file.
Securing Containers with Continuous Configuration Compliance
Lacework integrates CIS benchmark scanning into container image development and container deployment. Additionally, Lacework includes supplemental checks based on industry best practices and common compliance frameworks like PCI-DSS, SOC 2, HIPAA, and others.
Lacework agent continuously tracks configuration changes and API activity for containers across AWS, Azure, and GCP platforms thereby bringing multi-cloud checks in one portal. Automated detection of misconfigurations and alerting is an essential function to secure containers during run-time. Some of the common configuration changes and activity includes:
- Identity and Access Management (IAM) vulnerabilities for containerized applications.
- Critical account activity such as unauthorized API calls and use of the management console for unauthorized purposes.
- Limiting access to vulnerable ports, enforcing “least access” privileges.
Lacework compliance dashboard provides continuous analysis and historical reporting so that security teams can not only get in-depth problem analysis but also take the steps needed to remediate the misconfiguration. Direct links to the affected container resources reduce the time to remediate.
Lacework’s compliance auditing is part of its broader security solution for containers. Unlike solutions that only identify non-conforming compliance rules, Lacework doesn’t stop at compliance. It alerts behavioral anomalies even when the associated configurations meet the required standards.