Container Security Essentials


Published on August 21, 2019

Author: DNIFHQ

Source: slideshare.net

Content

1. Container Security Essentials: Basics of Containers and Container Security. Ankit Wasnik, Solution Architect, Qualys, Inc.

2. Qualys, Inc. Confidential Presentation. Internal Only.
Agenda
• Introduction to Containers
• Container Security Overview

3. Introduction to Containers

4. Let's take a poll (Poll 1)

5. Containers are changing the IT landscape. Source: Datadog. Docker hosts run an average of 7 containers, and 25% of companies run 14 or more containers.

6. Why Containers
• Less overhead
• Run anywhere
• Isolation
• More consistent operation
• Greater efficiency
08 August 2019

7. What are Containers? A logical packaging mechanism for your applications, and a methodology that decouples applications from operating systems. Containers are often compared with virtual machines, but containers offer a far more lightweight unit for developers and IT Ops teams to work with, carrying a myriad of benefits.
[Diagram: virtual machine stack (Infrastructure, Host Operating System, Hypervisor, then per VM a Guest OS, Bins/Libs and App 1, App 2, App 3) beside the container stack (Infrastructure, Host Operating System, Docker Engine, then per container Bins/Libs and App 1, App 2, App 3).]

8. Let's take a poll (Poll 2)

9. Container Deployment Models
[Diagram: On Virtual Machines: Server, Host Operating System, VM Hypervisor, then two Virtual Machines, each running Linux, Docker Engine and Libraries with App A, App B, App C and App D, App E, App F respectively. On Bare Metal: Server, Host Operating System, Docker Engine and Libraries, with App A through App F running directly on top.]

10. Let's take a poll (Polls 3 and 4)

11. Container Components & Lifecycle
[Diagram: Dockerfile → Image → Image Registry (myApache:2.2:Latest) → Containers, running on a Host/VM with Docker Engine, either on premises, on an AWS EC2 instance, or in public clouds such as AWS ECS (Elastic Container Service).]
Dockerfile shown on the slide:
    # Apache image
    FROM ubuntu:12.04
    RUN apt-get update
    RUN apt-get install -y apache2
    ENV APACHE_RUN_USER www-data

12. Container Security Challenges, Threats and Goals

13. Containers Bring Unique Security Challenges, unlike traditional environments
• Deployed at hyperscale (large scale × 'n' microservices per application)
• Open development practices (docker pull centos:latest)
• Network communications are host independent, with container-to-container communication, so traditional HIDS and HIPS don't work
• Deployments are highly elastic and can be extremely ephemeral
• No patching: update the source definition and swap the container out

14. Container Risks/Threats and how they impact the security program
1. Un-validated external software
2. Non-standard configurations
3. Lack of deployment hygiene
4. Unmonitored container-to-container communication (East-West traffic)
5. Untracked ephemeral instances
6. Unauthorized access (lack of proper governance)
Security program areas affected: Vulnerability Mgmt., Compliance, Container Firewall (Layer 3), GRC, Asset Mgmt. + GRC

15. Let's take a poll (Poll 5)

16. Container Threat Vector 1: Un-validated external software
• Deploy static binary code analysis for any custom code components as they are integrated into the build
• Detect vulnerabilities and harden images in the automated build pipeline using image scanning solutions
• Set up private image repositories

17. Container Threat Vector 2: Non-standard configurations
• Run CIS standard compliance checks for Docker environments
• Upgrade the Docker engine to the latest version possible to avoid known security vulnerabilities
• Only allow approved host OSes by creating Gold Builds that are pre-hardened with up-front compliance checks

18. Container Threat Vector 3: Container-to-container traffic
• Require container-specific intrusion monitoring tools that analyze traffic between containers
• Use an updated IDS to detect anomalies and process them through the approved SOC exception-handling process
• Maintain a whitelist of container actions to allow approved applications and services, and extend the solution so it can quarantine or block unapproved containers from spinning up
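The whitelist of container-to-container traffic described above, and the "populate a white list from staging" step on slide 20, reduce to a default-deny edge list keyed on service labels. The following is an added example, not code from the slides or from any vendor product: it learns the allowed edges from constructed staging flows, classifies constructed production flows against them, and groups the denied flows by originating service, which is the unit a container IPS would quarantine. The service names, ports and flow records are all constructed for the example.

```python
"""East-west traffic allowlist for containers (added example, not from the slides)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str, int, str]   # (source service, destination service, destination port, protocol)


@dataclass(frozen=True)
class Flow:
    src: str          # service label of the container that opened the connection
    dst: str          # service label of the container it reached
    port: int         # destination port
    proto: str = "tcp"

    def edge(self) -> Edge:
        return (self.src, self.dst, self.port, self.proto)


def learn_baseline(observed: Iterable[Flow]) -> Set[Edge]:
    """Build the allowlist from flows observed while exercising the application in staging."""
    return {f.edge() for f in observed}


def evaluate_flow(flow: Flow, allowed: Set[Edge]) -> str:
    """Default deny: any container-to-container edge not in the allowlist is a finding."""
    return "allow" if flow.edge() in allowed else "deny"


def denied_by_source(flows: Iterable[Flow], allowed: Set[Edge]) -> Dict[str, List[Flow]]:
    """Group denied flows by originating service, the unit an IPS would quarantine or block."""
    grouped: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if evaluate_flow(f, allowed) == "deny":
            grouped[f.src].append(f)
    return dict(grouped)


# Constructed: flows recorded by a container-aware sensor while the app ran in staging.
STAGING_FLOWS = [Flow("web", "api", 8080), Flow("api", "db", 5432), Flow("api", "cache", 6379)]

# Constructed: flows seen later in production.
PROD_FLOWS = [
    Flow("web", "api", 8080),
    Flow("api", "db", 5432),
    Flow("web", "db", 5432),            # web tier reaching the database directly, bypassing the API
    Flow("cache", "api", 22),           # the cache container opening ssh to the API container
    Flow("api", "cache", 6379, "udp"),  # right services and port, wrong protocol
]

if __name__ == "__main__":
    allowed = learn_baseline(STAGING_FLOWS)
    for src, flows in denied_by_source(PROD_FLOWS, allowed).items():
        print(f"quarantine candidate {src}: {[(f.dst, f.port, f.proto) for f in flows]}")
```

Keying the policy on service labels rather than IP addresses is what makes it survive the host-independent, ephemeral networking the earlier slide describes: a restarted container gets a new address but keeps its label.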

19. Container Threat Vector 4: Untracked ephemeral instances
• Containers' average lifetimes are much shorter than those of virtual machines (a few hours or days vs. weeks, months or years)
• Deploy tools to track events on Docker hosts
• Collect and review container, parent image and orchestration tool information (for example from Kubernetes or Mesos)
• Effective incident response requires this data for reviewing past activity, identifying who did what, and setting up forensic actions
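The event tracking the slide calls for can start with the Docker engine's own event stream. The following is an added example, not code from the slides or from any vendor product: it parses constructed lines in the shape `docker events` prints (timestamp, `container`, action, id, attributes in parentheses), builds a per-container inventory with image, name and lifecycle timestamps, and answers the two questions incident response asks first: what was running, and which containers came and went quickly enough that a periodic scan would have missed them. The `user=` attribute is assumed to be a label the deployment pipeline stamps on each container; Docker does not add it by itself.

```python
"""Container lifecycle inventory from Docker engine events (added example, not from the slides)."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Line shape follows `docker events` output: <timestamp> container <action> <id> (key=value, ...).
EVENT_RE = re.compile(r"^(\S+) container (\w+) (\w+) \((.*)\)$")

# Constructed sample; ids, images and the pipeline-supplied `user=` label are made up for the example.
SAMPLE_EVENTS = """\
2019-08-08T10:00:00Z container create 1a2b3c (image=registry.internal.example/app/web:1.4, name=web_1, user=alice)
2019-08-08T10:00:01Z container start 1a2b3c (image=registry.internal.example/app/web:1.4, name=web_1, user=alice)
2019-08-08T10:02:10Z container create 4d5e6f (image=centos:latest, name=tmp_shell, user=bob)
2019-08-08T10:02:11Z container start 4d5e6f (image=centos:latest, name=tmp_shell, user=bob)
2019-08-08T10:05:00Z container die 4d5e6f (image=centos:latest, name=tmp_shell, exitCode=0, user=bob)
2019-08-08T10:05:01Z container destroy 4d5e6f (image=centos:latest, name=tmp_shell, user=bob)
"""


def parse_ts(ts: str) -> datetime:
    """Timestamps in the constructed sample are whole-second UTC; real output carries nanoseconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def build_inventory(text: str) -> Dict[str, dict]:
    """One record per container id: image, name, launching user and the ordered (time, action) list."""
    inventory: Dict[str, dict] = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue                                   # ignore network/volume/image events and noise
        ts, action, cid, attr_text = m.groups()
        attrs = dict(kv.split("=", 1) for kv in attr_text.split(", "))
        rec = inventory.setdefault(cid, {
            "id": cid, "image": attrs.get("image"), "name": attrs.get("name"),
            "user": attrs.get("user"), "events": [],
        })
        rec["events"].append((parse_ts(ts), action))
    return inventory


def lifetime_seconds(rec: dict) -> Optional[int]:
    """Seconds from create to the last die/destroy; None while the container is still alive."""
    created = [t for t, a in rec["events"] if a == "create"]
    ended = [t for t, a in rec["events"] if a in ("die", "destroy")]
    if not created or not ended:
        return None
    return int((max(ended) - min(created)).total_seconds())


def still_running(inventory: Dict[str, dict]) -> List[str]:
    """Ids that started and have not died or been destroyed."""
    return sorted(cid for cid, r in inventory.items()
                  if any(a == "start" for _, a in r["events"]) and lifetime_seconds(r) is None)


def short_lived(inventory: Dict[str, dict], max_seconds: int) -> List[str]:
    """Ids whose whole life fit inside max_seconds: the ones a periodic scan would never see."""
    out = []
    for cid, rec in inventory.items():
        lt = lifetime_seconds(rec)
        if lt is not None and lt <= max_seconds:
            out.append(cid)
    return sorted(out)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_EVENTS)
    for cid in short_lived(inv, 300):
        r = inv[cid]
        print(f"{cid} {r['name']} {r['image']} launched by {r['user']} lived {lifetime_seconds(r)}s")
```

The retained record answers "who did what" even after the container is gone; without it, the tmp_shell container above leaves no trace on the host once destroy has run.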

20. Container Threat Vector 5: Unauthorized access
• Restrict access to public code repositories and redirect available source libraries to private registries with pre-trusted images
• Validate trust when pulling down new images
• Segment users to specific environments and libraries with RBAC
• Deploy container-specific IPS solutions to monitor behavior in staging environments and populate a white list to pass to the IDS
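The first three bullets above combine into one pull-time decision: is this user allowed to deploy into this environment, is the image's registry permitted there, and does the image resolve to a catalogued, digest-verified entry in the private mirror. The following is an added example, not code from the slides or from any vendor product: a Python authorisation function that applies constructed RBAC tables, rewrites Docker Hub references to a private mirror, refuses floating tags, and validates any caller-supplied digest against the trusted catalogue. The users, roles, registries, repositories and digests are all constructed placeholders.

```python
"""Pull-time RBAC and registry redirect (added example, not from the slides)."""
from typing import Dict, Optional, Set, Tuple

# Constructed RBAC tables: who holds which role, and which environments each role may deploy to.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"release-eng"}, "bob": {"dev"}}
ROLE_ENVS: Dict[str, Set[str]] = {"dev": {"dev"}, "release-eng": {"dev", "staging", "prod"}}
# Registries an environment may pull from; production accepts only the hardened internal registry.
ENVIRONMENT_REGISTRIES: Dict[str, Set[str]] = {
    "dev": {"registry.internal.example", "registry.sandbox.example"},
    "staging": {"registry.internal.example"},
    "prod": {"registry.internal.example"},
}
# Public registries are transparently redirected to a private, pre-scanned mirror.
MIRRORS = {"docker.io": "registry.internal.example/mirror"}
# Trusted catalogue: repository -> {tag: digest}. Digests are placeholders, not real image digests.
TRUSTED: Dict[str, Dict[str, str]] = {
    "registry.internal.example/mirror/library/centos": {"7.6.1810": "sha256:" + "11" * 32},
    "registry.internal.example/app/web": {"1.4": "sha256:" + "22" * 32},
    "registry.sandbox.example/scratchpad": {"1": "sha256:" + "33" * 32},
}


def normalize(ref: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """Split an image reference into (registry, repository, tag, digest), applying Docker Hub defaults."""
    name, _, digest = ref.partition("@")
    parts = name.split("/")
    if len(parts) == 1 or not ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = "docker.io", parts
    else:
        registry, path = parts[0], parts[1:]
    if registry == "docker.io" and len(path) == 1:
        path = ["library"] + path                       # 'centos' means 'library/centos' on Docker Hub
    tag = None
    if ":" in path[-1]:
        path[-1], tag = path[-1].split(":", 1)
    return registry, "/".join(path), tag, digest or None


def authorize_pull(user: str, env: str, ref: str) -> Tuple[bool, str, str]:
    """Return (allowed, resolved reference, reason); the resolved reference is always digest-pinned."""
    envs: Set[str] = set().union(*(ROLE_ENVS.get(r, set()) for r in USER_ROLES.get(user, set())))
    if env not in envs:
        return False, "", f"{user} is not authorised to deploy to {env}"
    registry, repo, tag, digest = normalize(ref)
    if registry in MIRRORS:                              # redirect public sources to the private mirror
        mirror_registry, mirror_prefix = MIRRORS[registry].split("/", 1)
        registry, repo = mirror_registry, f"{mirror_prefix}/{repo}"
    if registry not in ENVIRONMENT_REGISTRIES.get(env, set()):
        return False, "", f"registry {registry} is not permitted in {env}"
    catalogue = TRUSTED.get(f"{registry}/{repo}")
    if not catalogue:
        return False, "", f"{registry}/{repo} is not in the trusted catalogue"
    if digest and tag is None:                           # digest-only reference: look the tag up by digest
        matches = [t for t, d in catalogue.items() if d == digest]
        if not matches:
            return False, "", "requested digest is not in the trusted catalogue"
        tag = matches[0]
    tag = tag or "latest"
    if tag == "latest":
        return False, "", "floating tag :latest is not allowed; pin a catalogued tag"
    expected = catalogue.get(tag)
    if expected is None:
        return False, "", f"tag {tag} is not in the trusted catalogue"
    if digest and digest != expected:
        return False, "", "requested digest does not match the trusted digest"
    return True, f"{registry}/{repo}:{tag}@{expected}", "ok"


if __name__ == "__main__":
    for req in (("bob", "prod", "centos:7.6.1810"), ("alice", "prod", "centos:7.6.1810"),
                ("alice", "prod", "centos:latest"), ("alice", "prod", "registry.sandbox.example/scratchpad:1")):
        print(req, authorize_pull(*req))
```

The resolved reference, not the one the user typed, is what gets handed to the runtime, so what runs in production is always the digest the catalogue vouched for.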

21. Container Security Goals "101"
• Discovery and tracking across scale and sprawl
• An effective vulnerability management, compliance, and container-native intrusion detection, prevention and firewall program
• Adaptive security that integrates into modern practices and platforms (DevSecOps)
• Updated operational monitoring, patching and incident response

22. Container Security Solutions

23. Container Security Sensor Options from the Industry

24. Let's take a poll (Poll 6)

25. Container Security: Different Tool Form Factors

26. Run Time Security: Container Application Visibility + Defense

27. Thank You. Ankit Wasnik, [email protected]
