Today’s most dynamic enterprises continue to quickly transform their business operations through software innovation — and containers have proved to be an increasingly essential strategy. The momentum has been felt all across the developer community and IT space as container security solutions optimize the performance of data center resources and hasten application development and delivery. According to the 2018 Docker Usage Report by the container monitoring company Sysdig, modern enterprises are packing in 50% more containers per host this year compared to last year.
But with this rapid rise of container adoption comes the issue of security. Although containers and tools like Kubernetes provide tremendous benefits to businesses and their teams by automating various aspects of application development and deployment, these new solutions are just as vulnerable to exploits and attacks as more traditional environments. To help enterprises enhance container security and ensure a monitored operating environment, NeuVector, the leader in Kubernetes security, has the right strategy in place.
SourceForge recently caught up with Glen Kosaka, the VP of Product Management at NeuVector, to discuss container adoption and the importance of container security. Kosaka also highlights the ways to seamlessly adopt an enterprise-wide container strategy and shares with us how NeuVector 2.0 helps organizations across industries successfully deploy Kubernetes by automating security, as well as adding protection from new threat vectors.
Q: Give us a quick overview of NeuVector’s story. When was the company established? What is NeuVector’s mission (and vision)?

Glen Kosaka, the VP of Product Management at NeuVector
A: NeuVector was founded in 2015 with the mission of delivering a complete solution for Kubernetes, Docker, and OpenShift security – especially at run-time, where containers are most vulnerable. The founding team comes from the network security world and realized a market need for more robust security as container popularity rapidly scaled.
We’ve introduced the first and only multi-vector container firewall, which uniquely provides internal “east-west” traffic visibility and protection, a container process monitor, and a vulnerability scanner. The NeuVector security platform is a container itself, enabling it to serve as a highly integrated and automated solution that’s easily implemented within container environments. The vision here is to enable organizations to proceed with their container deployment strategies fully confident in the security of those deployments, and across both multi-cloud and on-prem platforms.
Q: What types of customers does NeuVector work with and who are some of your solution’s current adopters?
A: Today’s enterprises are rapidly adopting container-based application deployment strategies (and as well they should be). However, security concerns are a continuing obstacle to overcome for many making this transition. By adding the NeuVector solution to their containerized environments, our customers can pursue these strategies with the assurance that their deployments will be secure, even throughout the run-time of the application. Organizations using NeuVector have really come from all industries – financial services, IoT, healthcare, travel, publishing, government agencies, etc. Some of our customer references include Experian, the US Centers for Disease Control (CDC), Arvato/Bertelsmann, and Zingbox.
Q: Containers are one of the fastest-growing trends right now – why do you think container strategies and deployments have become so popular? What are the factors that drive the rapidly increasing adoption of containers?
A: For many enterprises that may have been slower to embrace application development in the cloud, containers are allowing them to leapfrog straight to one of the cloud’s latest (and, I’d argue, greatest) technologies. Containers really offer organizations a slew of advantages, including accelerated application development, greater agility, DevOps capabilities, automation, and orchestration.
Containers are also well-suited to hosting continuous delivery pipelines, enabling developers to iterate applications rapidly. Portability is another significant advantage, allowing enterprises to use whichever frameworks and environments they prefer and then adjust as they see fit. It’s also a well-supported, open source technology: Docker and others provide resources that make transitioning legacy applications to a microservices architecture a relatively painless proposition. Finally, there’s a potential significant cost saving from infrastructure when running containers.
Q: Although containers and tools like Kubernetes offer tremendous business benefits in software and application development, they’re also vulnerable to attacks and exploits. What are some of the challenges and potential security threats that development teams must be aware of when deploying containers?
A: Within containerized environments, thousands of containers are constantly coming in and out of existence, and communicating with one another in a highly dynamic and automated fashion. This huge volume of east-west traffic may include communications that are part of malicious processes, which may be attempting to expand laterally within the network. Unfortunately, traditional firewalls or endpoint security offer none of the network visibility required to recognize and defend against attacks and exploits utilizing this internal traffic.
At the same time, containerized environments actually present greater attack surfaces since container orchestration tools and systems can be targeted for attacks as well. Therefore, the visibility to vet connections in real-time is essential to securing these environments, and automation is absolutely necessary in order for security measures to address connections in the dynamic environment.
Q: As a leader in Kubernetes security and provider of the first and only multi-vector container firewall, how can NeuVector address and mitigate ongoing container threats and attacks?
A: The NeuVector platform serves as a real-time Kubernetes and OpenShift container security solution, designed to adapt to dynamic environments and ensure containers are secure during run-time (and it’s worth repeating that’s when they’re most vulnerable). NeuVector utilizes behavioral learning to establish a baseline of normal connections and application behavior within a container environment, and leverages that information to build a security policy that protects container-based services automatically. This declarative security policy allows applications to scale quickly as necessary, free from manual intervention. Through Layer 7 network inspection, any unauthorized connections – either between containers or from external networks – can be cataloged or disallowed, without disrupting normal container activity. In this way, the solution offers complete container security for enterprises, by protecting applications, container services, and infrastructure from attacks originating via multiple vectors. As a Red Hat and Docker Certified container, NeuVector is easily deployed on each host to establish a container firewall, host monitoring and security, security auditing with open source CIS benchmarks, and vulnerability scanning.
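The learn-then-enforce model described in this answer, illustrated with an added example that is not NeuVector’s code: a discovery phase records which services talk to each other on which port and Layer 7 protocol, that baseline is turned into declarative allow rules, and at run-time every flow without a matching rule is either cataloged (monitor) or denied (protect). The service names, flows and rule format are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (not real NeuVector data): each is
# (source service, destination service, destination port, L7 protocol).
LEARN_FLOWS = [
    ("frontend", "api", 8080, "HTTP"),
    ("frontend", "api", 8080, "HTTP"),
    ("api", "db", 5432, "PostgreSQL"),
    ("api", "cache", 6379, "Redis"),
]

RUN_FLOWS = [
    ("frontend", "api", 8080, "HTTP"),       # learned, so allowed
    ("frontend", "db", 5432, "PostgreSQL"),  # frontend never talked to db
    ("api", "db", 5432, "MySQL"),            # right port, wrong L7 protocol
    ("external", "api", 8080, "HTTP"),       # inbound from outside the cluster
]


def learn_baseline(flows):
    """Discovery mode: record which (src, dst) pairs talk on which port/protocol."""
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[(src, dst)].add((port, proto))
    return baseline


def to_policy(baseline):
    """Turn the learned baseline into declarative allow rules (one per service pair/port/protocol)."""
    return [
        {"from": src, "to": dst, "port": port, "l7": proto, "action": "allow"}
        for (src, dst), endpoints in sorted(baseline.items())
        for port, proto in sorted(endpoints)
    ]


def evaluate(policy, flows, mode="monitor"):
    """Run-time phase: a flow without a matching rule is a violation.
    mode='monitor' catalogs it as an alert; mode='protect' denies it.
    Matching is on the L7 protocol too, so a known port carrying an
    unexpected protocol is still caught."""
    allowed = {(r["from"], r["to"], r["port"], r["l7"]) for r in policy}
    verdicts = []
    for flow in flows:
        if flow in allowed:
            verdicts.append((flow, "allow"))
        else:
            verdicts.append((flow, "deny" if mode == "protect" else "alert"))
    return verdicts
```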
Q: Share with our readers some tips on how to successfully deploy an enterprise-wide container strategy. What are the most critical best practices for keeping container infrastructure safe and secure?
A: It’s critical to automate security across the entire build-ship-run process as much as possible. In the build phase, it’s important to scan images for vulnerabilities, and utilize Docker and Kubernetes CIS Benchmark testing to ensure systems are locked down. Integrating security with software development lifecycle tools allows for analysis to check whether code is free of known exploits – and that’s especially valuable when using open source code. Attack surfaces should then be reduced, removing software vulnerabilities and hardening service and workload configurations. Then throughout run-time, enterprises must be able to prevent unauthorized connections seamlessly, without disrupting running containers. All running containers and host OSes must be tested for vulnerabilities through an automated means as well.
Q: NeuVector recently released NeuVector 2.0, which automates Kubernetes security incident detection and response. Tell us a little about this new solution – how does NeuVector 2.0 go further to protect Kubernetes environments and enable enterprises to deploy with confidence?

NeuVector 2.0 console
A: As with previous iterations, the NeuVector 2.0 container security platform deploys within an organization’s existing security processes to rapidly address and mitigate ongoing container threats. When NeuVector 2.0 does detect threats and vulnerabilities, it invokes new auto-response rules designed to address common container attacks and security alerts in order to take instant action in protecting containers. New automated protections have also been added to NeuVector 2.0, which are built to detect exploits such as suspicious processes or file system activities within containers. If any installation of malicious packages, libraries, or new executables (or any modification to sensitive files) is detected, NeuVector 2.0 will scan the container for vulnerabilities and send alerts flagging the suspicious activity. With these capabilities, NeuVector 2.0’s multi-vector firewall provides deeper visibility into Kubernetes deployments, and better protects containers from process and file system attacks.
NeuVector 2.0 also contains many CI/CD features for securing containers in the Build and Ship phases, including registry scanning for common registries such as Docker, Red Hat OpenShift, AWS ECR, Azure ACR, and JFrog Artifactory.
Q: What makes NeuVector 2.0 unique? What are its key features and capabilities?
A: The founders of NeuVector have a deep understanding of network security and, more specifically, deep packet inspection (DPI) technologies commonly used in next-generation firewalls. We’ve combined this with virtualization experience to develop the first and only multi-vector container firewall. This gives us the unique capability to detect and prevent network attacks, monitor all east-west container traffic, and provide visualization and diagnostics (such as packet capture) for container networks. There are many new container security vendors entering the market, and many overlapping features such as vulnerability scanning, compliance testing, and run-time monitoring. We provide all of these too, for a complete end-to-end container security platform.
Q: Looking ahead, what technologies or software development trends do you think will impact container security? How is NeuVector meeting these head-on?
A: Public cloud providers such as AWS, Azure, Google, IBM, Alibaba, and Oracle are all adding managed Kubernetes container services, and will continue to beef up features for them. NeuVector is engaged with all of these providers to make sure our security platform is as easy as possible to deploy, configure, and bill through these services.
About NeuVector
NeuVector is the global leader in Kubernetes security that offers the first and only multi-vector container security platform. Headquartered in San Jose, California, NeuVector has been providing east-west container traffic visibility, container protection, and host security in an automated and highly integrated solution to a wide range of industries such as healthcare, publishing, and financial services.