3 Tips for Scaling Container Security

Container adoption continues to grow as enterprises large and small look to increase the efficiency of their software delivery with hybrid production environments. According to recent research we sponsored with ESG, more than half (56%) of those surveyed already having deployed containerized production applications and 80% indicating they would have them in production in the next 12-24 months.

By definition, containers are an OS-level virtualization method for running multiple isolated Linux workloads on a single host using a single Linux kernel. Effectively, everything outside the kernel is virtualized—applications and files in one container are isolated from each other.  Since they share an underlying kernel, it makes them far more lightweight than virtual machines. It’s this ability to be so lightweight that enables them to create massive, scalable environments.

It’s also this very scale that makes securing containerized environments so difficult. Container security needs to scale with the same ease as creating these environments in the first place. In a previous post, we explained why security appliances aren’t a viable solution because they can’t see inside containers, and the inability to scale is one of the main reasons platforms such as Endpoint Detection & Response (EDR) fail in large-scale production environments.

However, even with all the challenges, there are some main areas you can focus on as you work to secure containerized environments at scale. Here are three things to consider when scaling container security in your production environment:

1. Practice Good Hygiene

This is true in life and in your production environment. A phrase commonly used in the DevOps community is “cattle, not pets.” When something fails, cull it from the herd. A failure should not impact the system. And note, something will fail. You have to plan for that. This is incredibly important when it comes to scaling security. You should be able to take stuff out of service, patch or fix it, and redeploy quickly. Ideally, systems should be prepared to route around brokenness and put themselves back together without human intervention.

You also need to notice when one group of cattle is different from another one. Driving home the importance of this step, Netflix recently released Diffy, which is “a triage tool to help digital forensics and incident response (DFIR) teams quickly identify compromised hosts on which to focus their response, during a security incident on cloud architectures.” The ability to identify and focus on the problem and fix it quickly is a critical step in scaling security.

2. Make as Much of Your Environment Immutable as Possible

Microsoft has beaten the drum of immutability for years, and it’s just as applicable and important within new containerized environments. Thankfully, by default, changes in a Docker container don’t persist without operator intervention. By making a container immutable, it can’t be modified or changed. You can set an immutable flag so when it’s triggered the container restarts, which makes it easier to detect when someone is attempting to modify or attack your containerized environment. This again helps you focus on the real issues instead of the thousands of potential issues and also helps keep attackers on their toes. Even if you don’t catch an attacker right away, you’re not letting them set up a basecamp. They have to constantly start over and try to get onto your system. If you continually shift the ground underneath them, they have to keep moving, increasing your chances of catching them.

3. Standing Ovation for Container Security Automation

Automation is the holy grail in the SOC Hierarchy of Needs. You cannot be hands-on with each and every alert if you want security that scales to massive containerized environments. A common security practice is to always have a playbook for how to deal with alerts. You need that playbook because you should be planning for failure at all times. The more you can automate out of that playbook, the better. As we hear in many aspects of technology, if you find yourself repeating something over and over, you should automate it.

APIs, for example, are incredibly easy to use and if you figure out how to tie APIs together for purposes of automation, it can help you scale very quickly. For example, this could mean automating a security alert with a Slack bot and also tying in multi-factor authentication. This alert goes directly to a user to notify them of a potential account takeover or compromise with an automated response depending on their answer, taking one more alert and task away from your security team.

Scaling container security to massive environments is an extensive undertaking in itself but it’s not impossible. Learn more about how you can scale security using a SOCless, automated approach by reading our article “Is it Time to Blow Up the Security Operations Center?”

Time to Blow Up the Security Operations Center