Shulou (Shulou.com), SLTechnology News & Howtos > Network Security, 05/31 report; updated 2025-01-16.
This article analyzes the similarities and differences between container security and EDR in some detail; readers interested in the topic may find it useful.
Abstract
Starting from how container security is built, this article briefly analyzes the similarities and differences between container security and EDR.
1. Overview
Over the past two years, as container technology has gained favor, container security has gradually received widespread attention. Start-ups such as NeuVector, Aqua and Twistlock have launched container security products and solutions one after another. In China, security vendors represented by NSFOCUS are also exploring the container security field.
A container environment, or container cloud, is essentially an implementation of cloud computing, which can be called PaaS or CaaS. Its overall security design therefore follows the cloud computing security architecture.
Figure 1 Cloud Computing Security Framework
Setting physical security aside for the moment, security for a container cloud environment can be roughly divided into two parts: security inside the container cloud, which covers the security of the underlying equipment, the east-west network, the management platform, virtualization and data; and the security of network communication between the inside and the outside of the container cloud, that is, the north-south network.
Fig. 2 Container cloud security construction
The container cloud security scheme can therefore be designed along these two lines. North-south network security is handled by steering traffic into a security resource pool for detection and protection, which is also the main way many security vendors implement cloud security solutions. Security inside the container cloud is handled by dedicated container security products. Finally, both parts connect to the centralized cloud security management system for unified security management and operation.
2. Core issues of Container Security
As early as November 2018 we published the NSFOCUS Container Security Technical Report [1], which detailed the possible security threats to a container environment and the corresponding countermeasures. Here we briefly review and summarize the core issues of container security.
In a nutshell, container / container cloud security covers the following four categories:
First, the security of the container environment's infrastructure: whether the security configuration of the host affects the containers running on it, whether vulnerabilities on the host affect the containers, whether malicious processes on the host affect the containers, and whether a process inside a container can exploit vulnerabilities on the host.
Second, container image security: whether the software in the image has vulnerabilities, whether the image build process carries security risks, and whether the image has been maliciously tampered with in transit.
Third, container runtime security: whether the isolation between running containers is sufficient, whether communication between containers is secure, whether a malicious program in a container can affect the host or other containers, whether the container's resource usage is safe, and so on.
Fourth, the security of the container ecosystem as a whole: the security of Docker/Kubernetes themselves, the impact of Service Mesh/Serverless on container security, how secret management in containers differs from the traditional environment, and whether data privacy protection for containerized workloads is consistent with traditional data privacy protection.
Fig. 3 Core issues of container security
Looking at these core issues, the concept of an image is unique to containers, so EDR does not cover container image security. Container ecosystem security is about the security opportunities and challenges brought by the container technology stack, so typical EDR products are likewise powerless there.
So the question raised at the beginning of the article, "can host security solutions such as EDR directly solve container security?", already has a preliminary answer: definitely not.
Next, let's look at what security capabilities are provided by the products and services some vendors offer specifically for container environments, and what their technical architecture looks like.
3. Container Security products / Services
Taking the Container Security service capabilities offered on Google GCP (Google Cloud Platform) [2] as an example, this section analyzes what security capabilities current container security products / services mainly deliver.
3.1 Google Container Security
Google's approach to securing the container environment on GCP has three aspects:
(1) Infrastructure security. The basic security functions the container management platform provides so that developers have the tools needed to build containerized services safely. These functions are usually built into the container orchestration system such as Kubernetes, for example IAM to manage access to projects, role-based access control (RBAC) to manage access to clusters and namespaces, audit logging, network isolation, infrastructure ISO compliance, and so on.
(2) Software supply chain security. This is the container image security mentioned earlier, including maintenance of secure base images, CVE vulnerability scanning, image admission checks and so on.
(3) Runtime security. Ensuring the security response team can detect and respond to threats against containers running in the environment. These features are usually built into security operations tools. For example, Google integrates Stackdriver for log analysis, integrates partner products such as Aqua Security, Capsule8, StackRox, Sysdig Secure and Twistlock to detect abnormal activity, and uses the gVisor sandbox to isolate running containers more strongly.
Taking the runtime security partner Aqua Security as an example, the following is a brief analysis of its security capabilities and technical architecture.
3.2 Aqua Security
Aqua Security [3] is an Israeli container security platform vendor founded in 2015, providing security solutions for containerized environments on DevOps and microservice platforms.
3.2.1 Key security capabilities
(1) Vulnerability management. Scans container images and serverless functions for known vulnerabilities, embedded secrets, configuration and permission issues, malware, and open source licenses.
(2) Runtime protection. Image admission control prevents untrusted images from running, and image immutability enforcement prevents any change to a running container. Container activity can be monitored and controlled in real time based on custom policies and machine-learned behavior profiles.
(3) Secrets management. Secrets can be safely delivered to containers at runtime, encrypted in transit and at rest, and loaded into memory without being persisted to disk, so they are visible only to the containers that need them.
(4) Container firewall. Automatically discovers network connections between containers and derives context-aware firewall rules that allowlist legitimate connections, blocking or alerting on unauthorized network activity. It integrates with popular network plugins (such as Weave or Flannel) and service meshes (such as Istio).
(5) Compliance and audit. Regulatory compliance checks such as PCI-DSS and HIPAA and best-practice checks against NIST and CIS. Provides fine-grained event logging and integrates with log analysis and SIEM tools such as Splunk and ArcSight, so audit logs can be managed centrally.
3.2.2 Implementation architecture
The figure below is the system reference architecture provided by Aqua Security. Combined with the reference architecture of another container security product (figure 5), it can be seen that the whole system basically consists of a platform and probes.
The platform side implements the security management and control capabilities on the one hand, and the data analysis and intelligence capabilities on the other.
On the probe side, a security probe is deployed on each host that runs containers; the probe enforces security policy and collects data (Serverless is not discussed here). As far as I know, this distributed probe usually takes one of two forms: integrated into the container environment's management platform as a privileged container, or deployed as an agent in the usual host security manner. In essence the two forms differ only in deployment and management.
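To make the image admission control in capability (2) concrete, here is an added example of such a check. It is not Aqua Security's code; the policy, registry name, image references and scan results are constructed, and the finding names are placeholders rather than real CVE identifiers. The check parses an image reference with Docker's defaulting rules, then denies untrusted registries, tag-only (unpinned) references, unscanned digests, and scan findings above the tolerated severity, reporting every violated rule.

```python
# Added example (not Aqua Security's code): an image admission check of the
# kind described above. The policy, image references and scan results below
# are constructed for illustration; the registry name is assumed.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class AdmissionPolicy:
    trusted_registries: Tuple[str, ...] = ("registry.internal.example",)  # assumed name
    require_digest: bool = True   # tags are mutable; require @sha256 pins
    max_severity: str = "HIGH"    # anything above this blocks admission


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


@dataclass
class ScanResult:
    """Constructed stand-in for a scanner verdict, keyed by image digest.
    Finding names are placeholders, not real CVE identifiers."""
    digest: str
    findings: Dict[str, str] = field(default_factory=dict)  # name -> severity


# registry (must contain '.' or ':' or be localhost) / repo [:tag] [@sha256:hex]
_REF = re.compile(
    r"^(?:(?P<reg>[^/]+\.[^/]+|localhost(?::\d+)?|[^/]+:\d+)/)?"
    r"(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)


def parse_image_ref(ref: str) -> ImageRef:
    """Parse an image reference with Docker's defaults: no registry means
    docker.io, and a single-component repository on docker.io means library/."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    registry = m.group("reg") or "docker.io"
    repo = m.group("repo")
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    return ImageRef(registry, repo, m.group("tag"), m.group("digest"))


def admit(ref: str, policy: AdmissionPolicy,
          scans: Dict[str, ScanResult]) -> Tuple[bool, List[str]]:
    """Decide whether an image may run. Every violated rule is reported so the
    operator sees all reasons at once, not just the first."""
    try:
        img = parse_image_ref(ref)
    except ValueError as exc:
        return False, [str(exc)]
    reasons: List[str] = []
    if img.registry not in policy.trusted_registries:
        reasons.append(f"untrusted registry {img.registry}")
    if policy.require_digest and img.digest is None:
        reasons.append("not pinned by digest; a tag can be re-pointed after scanning")
    if img.digest is not None:
        scan = scans.get(img.digest)
        if scan is None:
            reasons.append("no scan result for this digest; unscanned images are denied")
        else:
            limit = SEVERITY_RANK[policy.max_severity]
            over = sorted(name for name, sev in scan.findings.items()
                          if SEVERITY_RANK[sev] > limit)
            if over:
                reasons.append(f"findings above {policy.max_severity}: {', '.join(over)}")
    return not reasons, reasons


# Constructed sample data.
CLEAN_DIGEST = "sha256:" + "a" * 64
DIRTY_DIGEST = "sha256:" + "b" * 64
SCANS = {
    CLEAN_DIGEST: ScanResult(CLEAN_DIGEST, {"FINDING-1": "MEDIUM"}),
    DIRTY_DIGEST: ScanResult(DIRTY_DIGEST, {"FINDING-2": "CRITICAL", "FINDING-3": "LOW"}),
}
POLICY = AdmissionPolicy()

if __name__ == "__main__":
    for ref in (f"registry.internal.example/app/api@{CLEAN_DIGEST}",
                f"registry.internal.example/app/api:1.4.2@{DIRTY_DIGEST}",
                "nginx:1.25"):
        ok, why = admit(ref, POLICY, SCANS)
        print("ALLOW" if ok else "DENY ", ref, why)
```

The digest pin matters more than it looks: a scanner verdict is bound to image content, and a tag can be re-pointed at different content after the scan, so admitting by tag admits whatever the registry serves at pull time.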
Figure 4 Aqua Security architecture diagram
Fig. 5 Architecture diagram of a container security product
4. EDR
Since existing EDR products cannot be used directly to solve all container security problems, can EDR solve some of the container environment's security problems described above?
Let's first look at the definition of EDR. What can a typical EDR product do?
Gartner defines EDR as follows:
The EDR toolset provides the ability to analyze and retrieve more detailed, real-time and historical endpoint data to detect traces of malicious activity, allowing security analysts to focus on high-risk data and respond actively where necessary.
This Gartner definition is somewhat abstract. A simpler explanation: collect all kinds of data on the endpoint, analyze the data to find malicious activity, and then take the corresponding defensive measures. So what data is collected, and what malicious behavior can be found from it?
Let's start with the typical EDR design architecture and explain it in detail.
4.1 Typical architecture
The figure below shows the typical EDR architecture given by Gartner, which mainly consists of two parts. One is the agent deployed on the endpoint to be protected, where the endpoint can be a cloud virtual machine, a physical server, an office PC, or even a lighter IoT device (basically consistent with the environment containers run in). The other is the control platform, which can be deployed on premises, in the cloud, or in a hybrid of the two. Different security capabilities are deployed in different locations.
Figure 6 Typical architecture of an EDR system
4.2 What data does the agent collect?
(1) Basic metadata of the endpoint device, including CPU, memory, network interfaces (IP, MAC), operating system, installed software, hardware data, device data and so on.
(2) Network data, including the DNS cache and ARP table on the endpoint and other real-time network data, open ports and the associated processes, the endpoint's network connections, URLs accessed by the endpoint, etc.
(3) Runtime data, including the processes / threads running on the endpoint and their metadata, user login and logout data, inter-process communication (IPC) data, process behavior data (such as file reads and writes) and so on.
(4) Storage data. Files (usually only specific files or executables) and file metadata (such as file name / size / type, checksum), file change information, syslog, master boot record (MBR) information, and so on.
(5) Other data, such as loaded DLLs, active device drivers, loaded kernel modules, CMD or PowerShell command history, etc.
4.3 What malicious behavior can EDR detect?
Based on the data collected above, EDR is usually applied to the following security scenarios:
(1) Host risk detection. Combined with various security baselines and standards, multi-dimensional risk detection across accounts, network, processes and system configuration comprehensively finds hosts that do not meet the security management standards.
(2) Suspicious behavior detection. Real-time monitoring of the host's key risk entry points, combined with threat intelligence and security rules, efficiently detects port scanning, brute-force attacks, malicious scripts, system vulnerability exploitation, webshells and other suspicious behavior.
(3) Threat hunting. The data collected by the platform at all levels provides a great deal of information about the health of the host. With correct filtering and mining of this data, more latent threat behavior can be found and tracked, and threats can be hunted proactively.
(4) Blocking malicious behavior. For example, host micro-segmentation isolates an abnormal host by controlling its inbound and outbound traffic.
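As an added illustration of scenario (2), here is a brute-force detector of the kind an EDR rule engine runs over the login data the agent collects. It is not taken from any EDR product; the sshd log excerpt, hostname, user names and addresses are constructed (the addresses are from documentation ranges). The rule counts password failures per source address in a sliding window and, once an address has been flagged, escalates a subsequent successful login from it, since that is the signal that the guessing worked.

```python
# Added example (not from any EDR product): the brute-force detection logic
# described above, run over constructed sshd log lines. Hostnames, user names
# and addresses are made up; the addresses come from documentation ranges.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(_PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) "
                      r"from (?P<ip>\S+) port \d+")


def _ts(s: str) -> datetime:
    # syslog timestamps carry no year; that is fine for ordering within one log.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S")


def detect(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[dict]:
    """Sliding-window brute-force detector. An alert fires once per source
    address when `threshold` failures fall within `window_s` seconds; a later
    successful login from an already-alerted address is escalated."""
    alerts: List[dict] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    for line in lines:
        m = FAILED.match(line)
        if m:
            now, ip = _ts(m["ts"]), m["ip"]
            q = failures[ip]
            q.append(now)
            while q and (now - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"rule": "ssh_bruteforce", "ip": ip,
                               "failures": len(q), "severity": "medium"})
            continue
        m = ACCEPTED.match(line)
        if m and m["ip"] in alerted:
            alerts.append({"rule": "ssh_bruteforce_success", "ip": m["ip"],
                           "user": m["user"], "severity": "high"})
    return alerts


# Constructed log excerpt: five failures in 24 s from one address, then a
# successful login from it; a single failure from another address; one
# unrelated line that the parser must ignore.
LOG_LINES = [
    "Jan 16 10:00:01 host01 sshd[2210]: Failed password for root from 203.0.113.7 port 50110 ssh2",
    "Jan 16 10:00:07 host01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2",
    "Jan 16 10:00:13 host01 sshd[2214]: Failed password for root from 203.0.113.7 port 50114 ssh2",
    "Jan 16 10:00:19 host01 sshd[2216]: Failed password for deploy from 203.0.113.7 port 50116 ssh2",
    "Jan 16 10:00:25 host01 sshd[2218]: Failed password for deploy from 203.0.113.7 port 50118 ssh2",
    "Jan 16 10:00:40 host01 sshd[2220]: Accepted password for deploy from 203.0.113.7 port 50120 ssh2",
    "Jan 16 10:00:40 host01 sshd[2220]: pam_unix(sshd:session): session opened for user deploy",
    "Jan 16 10:05:00 host01 sshd[2301]: Failed password for alice from 198.51.100.4 port 41022 ssh2",
]

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

On the constructed excerpt this yields one medium alert for 203.0.113.7 after the fifth failure and one high alert when the same address then logs in as deploy; the lone failure from 198.51.100.4 produces nothing. Threshold and window are the two knobs an operator tunes against the false-positive rate of the environment.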
4.4 Summary: what can EDR not satisfy compared with container security?
From the core issues of container security and the overview of EDR functions above, apart from container image security and container ecosystem security, EDR can indeed provide relevant detection and protection capabilities to varying degrees for host security and container runtime security.
Similarities:
(1) Functionally, both container security and EDR must secure the corresponding host at the resource, permission, network and other levels. For container security, EDR functions can therefore be reused essentially as-is to secure the hosts in a container environment.
(2) Technically, the two mainstream implementation paths both adopt a "platform + probe" architecture, so security capabilities can be reused and integrated at minimal cost.
Differences:
The differences stem mainly from the fact that the container environment adds a layer of resource isolation with Linux namespaces and cgroups, so:
(1) Currently the data EDR monitors is limited to the host level and does not cover behavior and activity inside containers, such as monitoring of process behavior in a container or of user permissions in a container (see the article "Parsing container process management" for details).
(2) For network security, current EDR focuses on the host's inbound and outbound traffic, that is, traffic on the host's physical network interface. In a container environment, however, a considerable proportion of network communication takes place between containers inside the host, so this kind of east-west network protection between containers cannot currently be realized by EDR.
(3) Permission management. Business applications built on a microservice architecture usually run in the container environment and therefore have complex permission management and access control policies. Although these are usually designed and implemented by the container business platform, a security service still needs the ability to monitor them and detect anomalies. Here EDR stops almost entirely at permission management of host resources, which cannot meet the need.
(4) EDR also cannot meet security requirements that are tightly bound to the container business, such as secrets management and secret hiding.
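Difference (1) is the one a host agent can start to close, because a container process is still a host process: the agent already sees its PID, command line and file activity, it just lacks the container context. The added example below (not NSFOCUS's or any vendor's code) shows the attribution step: it maps the contents of /proc/<pid>/cgroup to a container ID, pod UID and runtime, using the cgroup path layouts written by Docker, containerd, CRI-O and the kubelet's cgroupfs and systemd drivers. The sample cgroup dumps, the container ID and the pod UID are constructed.

```python
# Added example (not from NSFOCUS or any EDR/container security vendor): how a
# host-side agent can attribute a process it already sees to a container.
# It parses the process's cgroup path, using the path layouts written by
# Docker, containerd, CRI-O and the kubelet's cgroupfs and systemd drivers.
# The sample cgroup dumps, container ID and pod UID below are constructed.
import os
import re
from typing import Optional

# last path segment: [runtime-]<64 hex>[.scope]
_SEGMENT = re.compile(
    r"^(?:(?P<rt>docker|cri-containerd|crio)-)?(?P<id>[0-9a-f]{64})(?:\.scope)?$"
)
# kubelet encodes the pod UID with '-' (cgroupfs driver) or '_' (systemd driver)
_POD = re.compile(r"pod(?P<uid>[0-9a-f]{8}(?:[-_][0-9a-f]{4}){3}[-_][0-9a-f]{12})")
_RUNTIME_NAME = {"cri-containerd": "containerd", "crio": "cri-o", "docker": "docker"}


def container_context(cgroup_text: str) -> Optional[dict]:
    """Map the contents of /proc/<pid>/cgroup to container/pod identity.
    Returns None for a process in the host's own cgroup hierarchy. Works for
    cgroup v1 (one line per controller) and v2 (a single '0::' line)."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        path = parts[2]
        m = _SEGMENT.match(path.rstrip("/").rsplit("/", 1)[-1])
        if not m:
            continue
        rt = m.group("rt")
        if rt:
            runtime = _RUNTIME_NAME[rt]
        elif "/docker/" in path:
            runtime = "docker"
        elif "kubepods" in path:
            runtime = "kubernetes"  # cgroupfs driver does not name the runtime
        else:
            runtime = "unknown"
        pod = _POD.search(path)
        return {
            "container_id": m.group("id"),
            "pod_uid": pod.group("uid").replace("_", "-") if pod else None,
            "runtime": runtime,
        }
    return None


def enrich_process_event(pid: int) -> dict:
    """Live variant for an agent running on the host (not exercised by the
    constructed samples): reads /proc and also records whether the process
    shares the host PID namespace, which the cgroup path alone does not say."""
    with open(f"/proc/{pid}/cgroup") as f:
        ctx = container_context(f.read())
    host_pidns = os.readlink("/proc/1/ns/pid")
    return {
        "pid": pid,
        "container": ctx,
        "host_pid_ns": os.readlink(f"/proc/{pid}/ns/pid") == host_pidns,
    }


# Constructed samples.
CID = "0123456789abcdef" * 4
POD = "3f4e2b1c-6a7d-4e9f-8b2c-1d2e3f4a5b6c"
SAMPLE_HOST = "0::/init.scope\n"
SAMPLE_DOCKER_V2 = f"0::/system.slice/docker-{CID}.scope\n"
SAMPLE_DOCKER_V1 = f"12:pids:/docker/{CID}\n11:cpu,cpuacct:/docker/{CID}\n"
SAMPLE_K8S_SYSTEMD = ("0::/kubepods.slice/kubepods-burstable.slice/"
                      f"kubepods-burstable-pod{POD.replace('-', '_')}.slice/"
                      f"cri-containerd-{CID}.scope\n")
SAMPLE_K8S_CGROUPFS = f"4:memory:/kubepods/besteffort/pod{POD}/{CID}\n"

if __name__ == "__main__":
    for name, text in [("host", SAMPLE_HOST), ("docker v2", SAMPLE_DOCKER_V2),
                       ("docker v1", SAMPLE_DOCKER_V1), ("k8s systemd", SAMPLE_K8S_SYSTEMD),
                       ("k8s cgroupfs", SAMPLE_K8S_CGROUPFS)]:
        print(f"{name:12} -> {container_context(text)}")
```

Two caveats a practitioner should keep in mind. The agent must read /proc/<pid>/cgroup from the host's own cgroup namespace; a process inside a container that has a cgroup namespace sees only "0::/" in /proc/self/cgroup, so a probe that runs as a privileged container needs the host's /proc mounted. And these path layouts are runtime and kubelet conventions rather than a stable API, so the patterns should be checked against the runtime versions actually deployed.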