DOCKER SECURITY

CONTINUOUS CONTAINER SECURITY
Container Threat Landscape &
Network Security
Dieter Reuter
dieter.reuter@bee42.com
@Quintus23M
Container Threat Landscape
(Diagram: North-South traffic into the hosts and East-West traffic between containers and hosts)
▪ Ransomware
▪ DDoS
▪ Kernel ‘Dirty Cow’
▪ Privilege Escalations
▪ Breakouts
▪ DNS Attacks
▪ Application Attacks
▪ Docker daemon attack
▪ Port scanning
▪ Virus injection
▪ Data stealing
▪ Lateral movement
▪ XSS, SQL injection
▪ Container phone home
▪ Resource consumption
▪ Heap corruption
▪ Buffer overflow
▪ Zero-day attacks
▪ Malware
▪ Unauthorized access
▪ Image back doors
Continuous Container Security
Build - Ship - Run

Pre-Deployment:
✓ Image Signing, e.g. Content Trust
✓ User Access Controls, e.g. Docker Trusted Registry
✓ Code Analysis
✓ Container Hardening
✓ Image Scanning
✓ Host OS Security
✓ Kernel Security
✓ SELinux
✓ AppArmor
✓ Seccomp
✓ Access Controls
✓ Secrets Management

Run-Time:
✓ Container Network Security
- Inspect - Protect - Monitor - Scale
Security Rules Can’t Keep Up
Container Network Security
▪ Inspect Network

▪ Protect
- Containers
- Container Hosts

▪ Monitor & Visualize

▪ Automate & Scale
Inspect Network Traffic
▪ Best Security Detection Point
▪ North-South and East-West
▪ Container Connections and Packets
- Layer 7, Application Protocol and Payload
▪ Traffic between Containers
- Intra-Host, Inter-Host
Challenge – Dynamic Workloads
(Diagram: containers moving across hosts)
Protect Application Containers
▪ Detect Violations
▪ Detect Threats
- DDoS, XSS, DNS, SSL
▪ Scan for Vulnerabilities
▪ Respond
- Connection Blocking
- Container Quarantine
- Alert & Log
Challenge – Accuracy, False Positives
(Diagram: a vulnerable container on a host, showing breakout attack, phone home, and lateral spread to other containers)
Protect Container Hosts
▪ Implement Pre-Deployment Security
- Kernel, Docker Engine
▪ Scan for Vulnerabilities
▪ Detect Privilege Escalations
▪ Perform Security Auditing
- CIS Benchmark
Challenge – Real-Time Host Monitoring
(Diagram: containers on a vulnerable host, with a breakout from a container to the host and on to other hosts)
Monitor & Visualize
▪ Container Network Connections
▪ Application ‘Stacks’
▪ Security Policy and Violations
▪ Detailed Event Logging
▪ Packet Capture
Challenge – Large & Complex Deployments
Automate & Scale
▪ Security Must Be Container Native
- Integrated with Orchestration Platforms
- Compatible (Agnostic) to Network Overlays & Plug-Ins
▪ Swarm, Flannel, Calico, Rancher, Weave, …
▪ Then Automate
- Security Policy, Visualization
▪ And Scale
- Constant Adaptation
Challenge – Rapid Network/Platform Evolution
Demo
▪ Deploy NeuVector onto running apps
▪ Discover application behaviour
▪ Auto-create security policy
▪ Detect violations
▪ Protect containers
▪ Scan for vulnerabilities
Demo: Micro-Segmentation
▪ App#1: 3 tier Node.js web application (5 containers)
▪ App#2: 2 tier WordPress application (2 containers)
- Automatic segmentation: Discover → Monitor → Protect

(Diagram of the demo topology)
Host #1:
- NeuVector AllInOne (Security Service)
- Nginx (Load Balancer)
- Redis (Database Service)
- WordPress (web server)
- MySQL (Database Service)
Host #2:
- NeuVector Enforcer (Security Service)
- Node.js #1 (web server)
- Node.js #2 (web server)
- Node.js #3 (web server)
External / Internet
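The Discover → Monitor → Protect cycle from the demo, as an added toy model that is neither NeuVector's code nor from the slides: it learns a per-container connection policy from observed flows, then labels and blocks run-time flows that fall outside it. Container names, ports and the flow records are constructed assumptions that mirror the demo topology (two application stacks on two hosts).

```python
# Constructed topology mirroring the demo slide (container names are assumptions).
STACKS = {
    "app1": {"nginx", "nodejs-1", "nodejs-2", "nodejs-3", "redis"},
    "app2": {"wordpress", "mysql"},
}

# Constructed flows seen during discovery: (src, dst, dst_port).
DISCOVERY_FLOWS = [
    ("nginx", "nodejs-1", 3000), ("nginx", "nodejs-2", 3000), ("nginx", "nodejs-3", 3000),
    ("nodejs-1", "redis", 6379), ("nodejs-2", "redis", 6379), ("nodejs-3", "redis", 6379),
    ("wordpress", "mysql", 3306),
]

# Constructed run-time flows: two normal, two the learned policy does not allow.
RUNTIME_FLOWS = [
    ("nginx", "nodejs-2", 3000),    # normal intra-stack request
    ("wordpress", "redis", 6379),   # App#2 reaching into App#1 (lateral spread)
    ("nodejs-1", "external", 443),  # unexpected egress ("phone home")
    ("wordpress", "mysql", 3306),   # normal intra-stack request
]

def discover(flows):
    """Discover: learn the allowed (dst, port) set for each source container."""
    policy = {}
    for src, dst, port in flows:
        policy.setdefault(src, set()).add((dst, port))
    return policy

def stack_of(name):
    """Return the application stack a container belongs to, or None if outside."""
    return next((s for s, members in STACKS.items() if name in members), None)

def classify(flow):
    """Label a flow as intra-stack, cross-stack, or egress to outside the stacks."""
    src, dst, _ = flow
    if stack_of(dst) is None:
        return "egress"
    return "intra-stack" if stack_of(src) == stack_of(dst) else "cross-stack"

def monitor(policy, flows):
    """Monitor: list (flow, label) for every flow outside the learned policy."""
    return [(f, classify(f)) for f in flows
            if (f[1], f[2]) not in policy.get(f[0], set())]

def protect(policy, flows):
    """Protect: enforce the policy, returning (allowed, blocked) flow lists."""
    blocked = {f for f, _ in monitor(policy, flows)}
    return [f for f in flows if f not in blocked], sorted(blocked)
```

Running `protect(discover(DISCOVERY_FLOWS), RUNTIME_FLOWS)` passes the two normal requests and blocks the cross-stack and egress flows, which is the segmentation the demo shows between App#1 and App#2.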
Continuous Container Security Reference
Build - Ship - Run

Pre-Deployment:
✓ Image Signing, e.g. Content Trust
✓ User Access Controls, e.g. Docker Trusted Registry
✓ Code Analysis
✓ Container Hardening
✓ Image Scanning
✓ Host OS Security
✓ CIS Benchmark
✓ Kernel security
✓ SELinux
✓ AppArmor
✓ Seccomp
✓ Secure Docker Engine
✓ Access Controls
✓ Secrets Management
✓ TLS Encryption
✓ Auditing w/ Docker Bench

Run-Time:
✓ Orchestration – Network, Security, Containers
✓ Network Inspection & Visualization
✓ Run-Time Vulnerability Scanning
✓ Process Monitoring
✓ Threat Detection
✓ Privilege Escalation Detection
✓ Container Quarantine
✓ Layer 7-based Application Isolation
✓ Packet Capture & Event Logging

Container Security Guide
THANK YOU
For more information contact me via Email dieter.reuter@bee42.com, or Twitter @Quintus23M
Slides kindly borrowed from https://neuvector.com