Alert Logic announced the industry’s first network intrusion detection for containers on July 17 at the AWS Summit in New York City. Alert Logic has “cracked the code” and offers customers the ability to inspect network traffic for malicious activity targeting containers, providing them with faster detection of compromises and reduced risk of attacks to their cloud workloads on Amazon Web Services. This is a great addition to our already impressive set of AWS security technologies. We’re excited to tell you more about this unique approach in container security solutions.


Why did the team at Alert Logic decide to undertake a network-based approach to its container security solutions?

We’ve made a number of remarkable advancements in the past, and we have a core set of capabilities that we have developed into the Alert Logic solutions over a number of years. And we’ve gotten very good at that core set of capabilities over time. As we examined those strengths and thought about the container security problem, we saw a way to do something differently from other players in the space. Teasing things out a bit more, we discovered that we had an opportunity to focus on a network-based approach to examining traffic in and between containers and across the host. That innovation helped solve the container security problem in a way that made sense for our customers and extended our core capabilities.

It just so happens that we support intrusion detection in a way that is unique when compared to the rest of the market. For some reason, this approach hadn’t been explored. In all actuality, it’s probably because it is a very difficult problem to solve. A lot of people feel that they can get some level of coverage from a single point solution or a couple of solutions operating in a layered security model, but what we found is that the need for defense in depth is as true in the container world as anywhere else. That means that a holistic approach that provides visibility and context is needed.

Alert Logic’s infrastructure has a rather large, containerized workload. We can have anywhere between 120 to 150 nodes in our container clusters with between 2,000 and 4,500 containers running at any given time. We saw the security challenges of this environment right away. That’s when we decided that we had to have a streamlined approach to security and work to avoid adding additional operational burdens. By streamlining our effort to secure our container deployments, we felt we could avoid impediments to our continuous deployment model. As we began thinking about how we would solve this challenge for ourselves, it became very evident that solving this for us meant we could solve this problem for our customers as well.

When we looked out at the market and examined similar players in the container security space, we determined that what everyone was doing (for the most part) was process monitoring. While process monitoring is interesting, it can’t tell the entire story if a security concern arises. After further research, we also found that a lot of the solutions were only local to the container cluster, had no real centralized way of viewing security concerns across a large fleet, and required someone to spend time assessing whether or not a spawned process was really a security concern. After we discussed all the findings internally with our engineering and security teams, we decided to explore the possibility of extending Alert Logic’s existing network intrusion detection capabilities to containers. Alert Logic has provided a leading network intrusion detection system for years, so it seemed like a viable solution.

We determined that if we could take the existing capabilities available in Alert Logic’s products, we could leverage our network intrusion detection capabilities and expertise to provide something meaningful for our customers. As we worked to extend that to containers, we were confident we would have an easy way to implement a security solution that could tell the complete network level security story. This was the exact level of security inspection we needed, and one that our customers could really benefit from as well.

During development, we focused heavily on network level inspection and ensuring our container security system was extremely easy to deploy using common automated container deployment workflows. The outcome was the solution we have today which is simple to deploy and begins inspecting network level traffic immediately. It also transfers that network traffic data to Alert Logic’s SaaS platform for analysis. So not only are you getting network level traffic inspection, but you are also taking advantage of our advanced analytics platform, 24×7 Security Operations experts, remediation advice on security incidents – all by just deploying one simple solution.

Ultimately, this led to our current solution—our containerized agent solution. By optimizing for security and focusing on deployment simplicity, we came up with a way that customers can get started easily, deploy our security solution using their existing automated processes available today, and make the entire process quick and easy.

How is the Alert Logic approach different from container process monitoring?

Process monitoring is interesting. It provides you the here and now and will tell you things like “hey, this process just spawned”; however, what it doesn’t tell you is whether that is really a security issue. Furthermore, if it is a security issue, it doesn’t tell you what led up to it, where it came from or what potentially happened afterwards (like data exfiltration). By contrast, our approach can tell you those things — and more. It’s that context, especially when combined with our managed security services, that makes our approach so different.

Another advantage of our approach is the rich information that we collect allows us to see the attacks on containers. We are able to understand where the attack came from and even analyze what other containers were impacted by the attack in any way, shape, or form. We can provide this level of visibility because we collect all the available container metadata that is in the cluster as well as all the network traffic to and between containers.

When you use our solution, we pull all that data back to our SaaS platform. So, if you use other Alert Logic security products, all that data starts to come together. When combined, our solutions start to paint a picture of what’s happening in real-time. We get a more holistic picture because we can see everything that our products have scope for. This context combined with our SOC analysts and 24/7 expertise results in better security outcomes for our clients.

For companies that don’t have a container security solution in place, why should they choose a NIDS based approach over a more traditional host-based system?

With a host-based product, you’re probably going to get a deep look at what’s going on in that host, but quite honestly that view is also pretty isolated. The biggest difference between some of the host-based products that play in this space and what we are doing is that we are much more focused on the big picture of the environment. For example, you might have an attack that is focused on one particular container or maybe a particular cluster, but if that propagates, you need a good way to see all of that in the same view.

When we build incidents for these types of attacks, if it is an aggressive, wide-spread type of attack, you will have a lot of different data going into a lot of different containers that we can build from that single incident because we have that big picture view that tends to get lost when you are dealing with host-based products or things that are just local to the cluster.

What’s Next for Container Security?

As you can see, we believe the Alert Logic approach to container security is unique to the market, and that it is absolutely critical to protecting containerized environments. Stay tuned for the next two editions of this blog series, which will be coming over the next several days. The rest of the interview will feature topics including NIDS vs. HIDS, why it is critical to have metadata access, and what is next for Alert Logic’s container security initiatives.

In the meantime, if you want to know more about what it takes to stay ahead of container-based attacks, I invite you to download our Container Security Workbook: A Best Practices Guide. This guide walks through some of the best practices to leverage while building your container security strategy and provides a useful workbook to put some of these ideas into practice in your organization.

About the Author
Fortra's Alert Logic Staff