
How Containers Change the Security Paradigm

Twistlock

March 28, 2019

Transcript

  1. About me
     James Jones, Principal Solutions Architect, Twistlock. IT leader with experience from Google, Puppet, Oracle and HP. Based in Chicago, IL.
     (Slide footer: Confidential)
  2. About me
     Matthew Barker, Principal Solutions Architect, Twistlock. DevSecOps evangelist helping Twistlock customers integrate security into their cloud native pipelines. Based in Albuquerque, NM.
  3. About me
     Neil Carpenter, Principal Solutions Architect, Twistlock. 20+ years at Microsoft specializing in incident response. Also an active street photographer. Based in New York, NY.
  4. Container Characteristics
     • Minimal: typically single-process entities
     • Declarative: built from images that are machine readable
     • Predictable: do exactly the same thing from run to kill
  5. What's Different About Securing Containers?
     • Many more entities
     • High rate of change, much more ephemeral
     • Security is largely in the hands of the developer
     • Security must be as portable as the containers
  6. Full Lifecycle Security with AWS, CloudBees, and Twistlock
     Integrate Twistlock with CloudBees Core to provide vulnerability and compliance scanning and enforcement for your container images, hosts, and serverless functions. Continuously monitor your registry to ensure you are always shipping secure code into production. Protect your running applications on AWS with layer 3 and layer 7 cloud native firewalls, powerful runtime defense, and access control, providing defense in depth to prevent next generation attacks.
     (Diagram: BUILD / SHIP / RUN)
  7. Example Scan Results with CloudBees Core + Twistlock
     • Identify any vulnerabilities along with severity (Low, Medium, High)
     • Scan for CIS Benchmarks
     • Set specific pass/fail thresholds
     • Results shown within developer tooling as well as within the central Console
  8. The Twistlock Platform
     Automation
     • Automatic learning of normal app behavior and communication with other cloud services
     • Automated creation of 'allow list' runtime models for every version of every app
     • Everything is API enabled, programmable, and easily integrated with existing tools and services for your automation pipelines
     Visibility
     • Dynamically displays your environments with live, interactive, multilayered maps of every app component and security health
     • Clear insights beyond generic vulnerability ratings to rank risks based on your unique use cases
     • Flight data recorders for every host and container; real time event stream processing of activity across your clusters
     Prevention
     • Runtime prevention and automatic active blocking of anomalous activity and explicitly blocked processes, network traffic, and file activity
     • Only allow known-good apps that meet your compliance and vulnerability requirements from trusted sources
     • Enforce least privilege networking and micro-segmentation across your environments, preventing service account sprawl
     Capabilities: Vulnerability Management, Cloud Native Firewalling, Runtime Defense, Access Control, Compliance, CI/CD Integration
  9. Vulnerability Management (Automation / Visibility / Prevention)
     • Industry leading precision across hosts, images, containers, and serverless functions
     • Automated prioritization of vulnerabilities based on your unique environment
     • Prevent running vulnerable software across your environment
  10. Cloud Native Firewalling (Automation / Visibility / Prevention)
     • Layer 3 and Layer 7 firewalls tuned for cloud native environments
     • True Intrusion Detection and Intrusion Prevention
     • Fully automated mesh discovery and microsegmentation
  11. Runtime Defense (Automation / Visibility / Prevention)
     • Automatic modeling of explicit 'allow lists' for every app
     • Automated incident detection and prevention based on the model and threat indicators
     • Continuous forensics for every container and host in your environment
  12. Access Control (Automation / Visibility / Prevention)
     • Secrets management integrated with all popular providers
     • Central monitoring of docker, sshd, and sudo events
     • Real time stream processing of Kubernetes AuditSink
  13. Compliance (Automation / Visibility / Prevention)
     • One-click enforcement for CIS, PCI-DSS, HIPAA, GDPR, NIST SP 800-190, and FISMA
     • Centrally discover and monitor cloud native services across all your providers, accounts, and regions
     • Custom checks using OpenSCAP, PowerShell, and Bash scripts
  14. CI/CD Integration (Automation / Visibility / Prevention)
     • Native plugins and standalone scanner for integration into any CI/CD workflow or tool
     • "Shift left" quality gates with compliance and vulnerability thresholds in every build
     • Scan hosts, container images, serverless functions, and PCF blob stores
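The scan results with severity ratings and pass/fail thresholds on slide 7, and the "shift left" quality gate with thresholds in every build on slide 14, as an added example. This is not Twistlock's code or output format: the report layout, field names and the placeholder CVE IDs are constructed for illustration. The gate fails the build on vulnerabilities at or above a chosen severity, on an explicit block list, and when more than an allowed number of compliance checks fail; it also shows the one policy decision that usually needs a conscious choice, whether a finding with no fixed version yet should block.

```python
"""Build-time quality gate over a container image scan report.

Added illustration; the report layout and field names below are a constructed
example, not the format any particular scanner emits.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GatePolicy:
    # Fail the build on any vulnerability at or above this severity
    # (None disables the severity check).
    fail_on_severity: Optional[str] = "high"
    # Fail if more than this many compliance checks fail.
    max_compliance_failures: int = 0
    # Fail on these CVE IDs regardless of severity.
    blocked_cves: set[str] = field(default_factory=set)
    # Whether a finding with no fixed version still blocks. Strict policies say
    # yes; lenient ones defer it because the developer cannot upgrade yet.
    block_unfixed: bool = True


def evaluate_gate(report: dict, policy: GatePolicy) -> tuple[bool, list[str]]:
    """Return (passed, reasons); reasons is empty when the gate passes."""
    reasons: list[str] = []
    threshold = SEVERITY_RANK[policy.fail_on_severity] if policy.fail_on_severity else None

    for vuln in report.get("vulnerabilities", []):
        cve, pkg = vuln["cve"], vuln["package"]
        severity = vuln["severity"].lower()
        fixed_in = vuln.get("fixed_in")
        if cve in policy.blocked_cves:
            reasons.append(f"{cve} in {pkg} is explicitly blocked")
            continue
        if threshold is not None and SEVERITY_RANK[severity] >= threshold:
            if fixed_in is None and not policy.block_unfixed:
                continue  # deferred: no version to upgrade to yet
            fix = f"upgrade to {fixed_in}" if fixed_in else "no fix available"
            reasons.append(f"{cve} ({severity}) in {pkg}: {fix}")

    failed = [c for c in report.get("compliance", []) if not c["passed"]]
    if len(failed) > policy.max_compliance_failures:
        reasons.append(f"{len(failed)} compliance check(s) failed: " + ", ".join(c["id"] for c in failed))

    return (not reasons), reasons


# Constructed sample report (placeholder CVE IDs, not real vulnerabilities).
SAMPLE_REPORT = {
    "image": "registry.example.com/payments/api:1.4.2",
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "severity": "High", "package": "openssl", "fixed_in": "1.1.1k"},
        {"cve": "CVE-0000-0002", "severity": "Medium", "package": "curl", "fixed_in": "7.64.1"},
        {"cve": "CVE-0000-0003", "severity": "High", "package": "glibc", "fixed_in": None},
    ],
    "compliance": [
        {"id": "CIS-4.1", "title": "Create a user for the container", "passed": False},
        {"id": "CIS-4.6", "title": "Add HEALTHCHECK instruction", "passed": True},
    ],
}

if __name__ == "__main__":
    import sys
    passed, reasons = evaluate_gate(SAMPLE_REPORT, GatePolicy())
    for reason in reasons:
        print("FAIL:", reason)
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)  # the non-zero exit is what fails the build step
```

With the default policy the sample report fails on both high findings and on the failed CIS check; relaxing the gate to `GatePolicy(block_unfixed=False, max_compliance_failures=1)` defers the unfixable glibc finding and lets the single compliance failure through, which is the kind of threshold the slides describe setting per pipeline stage.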
  15. Defining Scalable Security
     • Scan and fail early! Reduce the security -> dev round trip
     • Automated policy creation that adapts as the application changes
     • No manual steps!
     • Include security as part of the application scaffolding and fabric. Don't wait until the application is ready for production to think about security
  16. Key Elements of Container Security
     • Scan for CVEs/compliance issues in all stages
     • Automated runtime model generation
       ◦ Process, network, file system activity
     • Automated firewall rules (Layer 3, Layer 7)
     • Secrets management
     • Access control
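The automated 'allow list' runtime model of slides 8, 11 and 16 (process, network and file system activity learned from normal behavior, then anomalies alerted on and explicitly blocked processes stopped), as an added example. It is not Twistlock's implementation or telemetry format; the event records, the image name and the explicit block list are constructed. One detail worth seeing in code: a process on the explicit block list is refused during learning, so a debugging session that happened during the learning window cannot bake a tool such as nc into the model.

```python
"""Learn an allow-list runtime model from observed activity, then enforce it.

Added illustration of the approach described in the deck; the event records
below are constructed and do not match any product's telemetry format.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Processes that are never legitimate in a single-purpose app container, even
# if they were observed during learning (a developer debugging, for instance).
EXPLICIT_BLOCK = {"/usr/bin/nc", "/usr/bin/nmap", "/usr/bin/socat"}


@dataclass
class RuntimeModel:
    image: str
    processes: set[str] = field(default_factory=set)                # executable paths
    connections: set[tuple[str, int]] = field(default_factory=set)  # (destination, port)
    write_dirs: set[str] = field(default_factory=set)               # directories written to
    learning_warnings: list[str] = field(default_factory=list)


def _directory(path: str) -> str:
    return path.rsplit("/", 1)[0] or "/"


def learn_model(image: str, events: list[dict]) -> RuntimeModel:
    """Build the allow list from events captured while the app ran normally.

    Explicitly blocked processes are never admitted into the model, so a
    learning window that happened to include one cannot allow-list it.
    """
    model = RuntimeModel(image)
    for ev in events:
        if ev["type"] == "process":
            if ev["exe"] in EXPLICIT_BLOCK:
                model.learning_warnings.append(f"refused to learn blocked process {ev['exe']}")
            else:
                model.processes.add(ev["exe"])
        elif ev["type"] == "network":
            model.connections.add((ev["dst"], ev["port"]))
        elif ev["type"] == "file_write":
            model.write_dirs.add(_directory(ev["path"]))
    return model


def check_event(model: RuntimeModel, ev: dict) -> Optional[str]:
    """Return 'block: ...' or 'alert: ...' for a deviating event, else None."""
    if ev["type"] == "process":
        if ev["exe"] in EXPLICIT_BLOCK:
            return f"block: explicitly blocked process {ev['exe']}"
        if ev["exe"] not in model.processes:
            return f"alert: process {ev['exe']} not in model"
    elif ev["type"] == "network":
        if (ev["dst"], ev["port"]) not in model.connections:
            return f"alert: connection to {ev['dst']}:{ev['port']} not in model"
    elif ev["type"] == "file_write":
        if _directory(ev["path"]) not in model.write_dirs:
            return f"alert: write to {ev['path']} outside learned directories"
    return None


def enforce(model: RuntimeModel, events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the model; return (index, verdict) for deviations."""
    findings = []
    for i, ev in enumerate(events):
        verdict = check_event(model, ev)
        if verdict:
            findings.append((i, verdict))
    return findings


# Constructed learning-window events for an imaginary Python API container.
LEARNING_EVENTS = [
    {"type": "process", "exe": "/bin/sh"},                  # entrypoint script
    {"type": "process", "exe": "/usr/local/bin/python3"},
    {"type": "network", "dst": "db.internal", "port": 5432},
    {"type": "network", "dst": "api.payments.example", "port": 443},
    {"type": "file_write", "path": "/tmp/cache/session.db"},
    {"type": "file_write", "path": "/var/log/app/app.log"},
    {"type": "process", "exe": "/usr/bin/nc"},              # debug session that must not be learned
]

# Constructed events observed once the model is enforced.
PRODUCTION_EVENTS = [
    {"type": "process", "exe": "/usr/local/bin/python3"},                    # normal
    {"type": "network", "dst": "db.internal", "port": 5432},                 # normal
    {"type": "process", "exe": "/usr/bin/nc"},                               # blocked outright
    {"type": "network", "dst": "198.51.100.7", "port": 4444},                # unexpected egress
    {"type": "file_write", "path": "/usr/local/lib/python3.8/site-packages/x.py"},  # code dropped at runtime
    {"type": "file_write", "path": "/tmp/cache/other.db"},                   # normal
]

if __name__ == "__main__":
    model = learn_model("registry.example.com/payments/api:1.4.2", LEARNING_EVENTS)
    for warning in model.learning_warnings:
        print("learning:", warning)
    for idx, verdict in enforce(model, PRODUCTION_EVENTS):
        print(f"event {idx}: {verdict}")
```

The file-system model keys on the directory rather than the exact path, since applications write new file names constantly; a real model also has to be rebuilt per image version, which is why the deck ties models to every version of every app.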
  17. Security for On-Demand Containers & Serverless
     • Why do I need security? It is a managed service!
     • Different security approaches
       ◦ Embedding Defender
       ◦ Loading Defender from a sidecar
  18. Embedding an agent
     • Include everything you need in the container image to make it available when running
     • Downsides
       ◦ Anyone can modify the image
       ◦ Trusting the developers to embed the proper security
     • You need to employ a trusted images approach
  19. Loading from a sidecar
     • Load the agent at runtime from a sidecar container
     • The sidecar approach does not require modifying any of the application images
     • Security is decided by the security team and deployed by the team deploying the applications, the same way you do things today
  20. Securing Fargate with Twistlock
     • Security is mostly the same as you would do for other containers and images
     • Vulnerabilities, compliance and runtime
     • What is different?
       ◦ Deployment of Defender via sidecar
       ◦ Modify only the task definition, don't modify the image!
       ◦ Policies are dynamic
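The sidecar approach of slides 18 to 20 (load the agent at runtime, change only the task definition, never the application image), as an added example of the generic pattern rather than Twistlock's deployment tooling. The agent image, the shared volume name, the launcher path and the sample task definition are all hypothetical. A non-essential sidecar copies the agent into an ephemeral volume shared by the task's containers, each application container is made to depend on the sidecar finishing successfully, and its entry point is wrapped so the launcher starts the agent and then hands over to the original command. A second function gives the admission check a deployment pipeline would run, since a later task revision can just as easily remove the sidecar again.

```python
"""Inject a security-agent sidecar into an ECS/Fargate task definition.

Added illustration of the generic sidecar pattern, not Twistlock's deployment
tooling. AGENT_IMAGE, the volume name and the launcher path are hypothetical.
"""
from __future__ import annotations

import copy
from typing import Optional

AGENT_IMAGE = "registry.example.com/security/agent:1.0"  # hypothetical
AGENT_VOLUME = "agent-bin"                                # shared ephemeral volume
AGENT_MOUNT = "/opt/agent"
LAUNCHER = f"{AGENT_MOUNT}/launcher"  # hypothetical: starts the agent, then execs its argv
SIDECAR_NAME = "security-agent"


def inject_sidecar(task_def: dict, default_entrypoints: Optional[dict[str, list[str]]] = None) -> dict:
    """Return a copy of task_def with the agent sidecar added and every app
    container wrapped by the launcher. Container images are never changed."""
    td = copy.deepcopy(task_def)
    defaults = default_entrypoints or {}
    if any(v.get("name") == AGENT_VOLUME for v in td.get("volumes", [])):
        raise ValueError("task definition already carries the agent sidecar")
    # A volume with no host configuration is an ephemeral bind mount shared
    # between the task's containers, which Fargate supports.
    td.setdefault("volumes", []).append({"name": AGENT_VOLUME})

    for c in td["containerDefinitions"]:
        # Overriding entryPoint discards the image's own ENTRYPOINT, so the
        # caller must supply it when the task definition does not spell it out.
        entry = c.get("entryPoint") or defaults.get(c["name"])
        if not entry:
            raise ValueError(f"{c['name']}: entryPoint unknown; pass it via default_entrypoints")
        c.setdefault("mountPoints", []).append(
            {"sourceVolume": AGENT_VOLUME, "containerPath": AGENT_MOUNT, "readOnly": True})
        # Docker concatenates entryPoint and command, so the launcher receives
        # the original entry point and command unchanged as its arguments.
        c["entryPoint"] = [LAUNCHER, *entry]
        c.setdefault("dependsOn", []).append({"containerName": SIDECAR_NAME, "condition": "SUCCESS"})

    td["containerDefinitions"].append({
        "name": SIDECAR_NAME,
        "image": AGENT_IMAGE,
        "essential": False,  # must exit 0 so the SUCCESS dependency is satisfied
        "mountPoints": [{"sourceVolume": AGENT_VOLUME, "containerPath": AGENT_MOUNT, "readOnly": False}],
    })
    return td


def sidecar_present(task_def: dict) -> bool:
    """Admission check: exactly one sidecar exists and every other container is wrapped."""
    containers = task_def.get("containerDefinitions", [])
    sidecars = [c for c in containers if c.get("name") == SIDECAR_NAME and c.get("image") == AGENT_IMAGE]
    if len(sidecars) != 1:
        return False
    return all((c.get("entryPoint") or [None])[0] == LAUNCHER
               for c in containers if c.get("name") != SIDECAR_NAME)


# Constructed sample task definition (not a real workload).
SAMPLE_TASK_DEF = {
    "family": "payments-api",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {"name": "api", "image": "registry.example.com/payments/api:1.4.2",
         "entryPoint": ["python3", "-m", "app"], "command": ["--port", "8080"], "essential": True},
        {"name": "worker", "image": "registry.example.com/payments/worker:1.4.2",
         "essential": True},  # relies on the image's own ENTRYPOINT
    ],
}

if __name__ == "__main__":
    import json
    secured = inject_sidecar(SAMPLE_TASK_DEF, default_entrypoints={"worker": ["/usr/local/bin/worker"]})
    print(json.dumps(secured, indent=2))
    print("sidecar present:", sidecar_present(secured))
```

Two caveats a practitioner will hit: the launcher runs inside the application image, so on a distroless image it has to be a static binary with no shell dependency, and the entry point override means the pipeline must know each image's real ENTRYPOINT (the `worker` container above would otherwise be broken silently rather than protected).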
  21. Securing Lambda with Twistlock
     • Scan functions during the CI process
     • Continuously monitor your serverless repos
     • Identify vulnerability and compliance issues at runtime
     • Runtime protection against process and network manipulation
     • Architecture components: deployment of Defender as part of the function