Announcing Twistlock 2.3
We just signed off on Twistlock 2.3, the 12th time we’ve shipped a major release of Twistlock over the past ~3 years. A few other fun facts from GitHub: we’ve worked on more than 6300 issues, built Twistlock more than 650 times, and shipped 258 customer-requested features for our >100 paying enterprise customers over that time!
Twistlock 2.3 is all about going deeper — taking existing features and broadening their capabilities, incorporating real-world threat research from Twistlock Labs, delivering Twistlock protection to new platforms, and responding to enterprise management requirements from our customers. You’ll also notice visual improvements through the UI, including a more discoverable settings interface and country of origin flags for all IPs in logs and in radar, all built on CSS Grid layouts to make the UI scale gracefully on any resolution and orientation. Read on to get more details on these and other highlights in the release.
— the Twistlock R&D and Product teams
Herzliya and Baton Rouge
Enhanced runtime defense based on Twistlock Labs research
At DockerCon Europe, we presented research from Twistlock Labs on container-specific attack scenarios we’re seeing in the wild. For example, one attack we’re seeing frequently involves quietly poisoning registries and injecting crypto mining tools into otherwise legitimate images. When users run these images, they perform their intended function but also mine Bitcoin for the attacker. We’re also seeing increased awareness of containers by attackers, who are adapting tools and processes used for discovery and lateral movement in traditional systems to work in a container and microservice environment.
In Twistlock 2.3, we’ve added specific heuristics to our runtime defense features to identify and prevent these attacks. For example, when crypto miners are detected within a container, we generate an alert in Incident Explorer detailing the type of threat and prevent the miner from launching. This protection is based on our machine learned model without any manual configuration or rules required.
A few months ago, we announced our beta release of serverless security. We’ve had great interest from customers since then and in 2.3, we’re shipping the built-in, fully-supported version of vulnerability management for serverless functions to make Twistlock is the simplest, most comprehensive tool for finding risks in your functions.
We have inbox support for AWS Lambda, Azure Functions, and Google Cloud Functions. Simply configure Twistlock with credentials (or optionally use our IAM role support if you’re on AWS) to automatically discover all your functions and identify vulnerabilities in them. Twistlock uses the same precise data sources for identifying vulnerabilities in serverless functions as we do for container image analysis. Scanning can be performed automatically through the UI and integrated into any CI/CD process with twistcli.
Per layer vulnerability analysis
In Twistlock 2.2, we added a built-in visual viewer of image layers, to make it easier to understand how images are constructed and what components have vulnerabilities. In 2.3, we’ve taken this capability even further by automatically correlating vulnerabilities to layers so you can instantly identify which layers in an image introduce vulnerabilities and quickly involve the right teams to correct them.
Per layer vulnerability analysis is in addition to the full image vulnerability details we’ve already provided and applies the same ‘thermometer graph’ to displaying per layer results. Per layer analysis works on your existing images without any changes required and results can be exported for simple sharing and analysis in other tools.
Deeper risk analytics in Vulnerability Explorer
In 2.3, we’ve expanded the intelligence and threat knowledge in Vulnerability Explorer to give you even more actionable understanding of the risks in your environment. Specifically, we now use attack vector, attack complexity, and the existence of exploit code as additional inputs when calculating risk scores. Additionally, all views in our vulnerability results show specific visual threat indicators for these scenarios with results sorted by cumulative risk score.
This is in addition to the existing runtime factors we use, such as whether the container runs with a mandatory security profile, whether it runs as root, and whether it receives internet traffic.
Enterprise grade CNAF
Twistlock Cloud Native App Firewall enhances the traditional WAF for cloud native scenarios, providing layer 7 traffic inspection and protection that follows the app, regardless of the cloud, node, IP, or port it’s bound to and without any complex routing required. In 2.3, we’ve fortified CNAF with a variety of additional protective capabilities, including anti-reconnaissance, anti-authentication grinding, and file upload filtering. These features enhance CNAF’s existing capabilities and make it even easier to provide layer 7 protection for your containerized apps wherever they are.
Enhanced app aware system call defense
In 2.3, we’ve re-architected our system call runtime defense capabilities to be independent of the app frameworks and languages used. In 2.3, we start with Twistlock Labs curated seccomp policy library defining the minimal set of syscalls required by common containerized apps like Mongo, MySQL, Redis, Nginx, and others. During our normal runtime learning, we match the app within the container with the relevant policy, with no human interaction required. Then, every time a container is instantiated, Defender automatically injects the proper seccomp policy into the container runtime. If no app-specific policy is available for the image being launched, Twistlock injects a broadly-applicable policy. Policies are updated by Twistlock Labs and distributed via the Intelligence Stream.
Built in compliance templates for PCI, HIPAA, GDPR, and NIST SP 800-190
Twistlock led the industry by releasing the first guides for PCI and HIPAA compliance in containers and leading the development of NIST SP 800-190. In 2.3, we’ve made compliance even simpler by delivering a policy library with templates for PCI, HIPAA, NIST, and GDPR compliance. These policies are built on our existing compliance framework, covering >200 best practices from CIS Benchmarks for Docker, Kubernetes, and Twistlock Labs research.
Additionally, in 2.3, Twistlock Labs has evaluated and scored every compliance setting and assigned a Low / Medium / High scoring, in common with our standard approach for vulnerabilities. This makes it even easier to identify what settings are most critical to enforce and this scoring is used across Compliance Explorer.
Enhanced logging and syslog data streams
We’ve always supported syslog as one of many open formats to access Twistlock data (including CSV downloads from the UI and JSON exports via the API). In previous versions, syslog was focused on identifying active threats in an environment, such as runtime anomalies, as well as summary data about vulnerability and compliance posture. Some of our customers prefer to use their SIEM to collect even more detailed information about their environment, so in 2.3 we’ve enhanced our syslog output to optionally provide verbose data about all discrete vulnerability and compliance findings and all process activity.
Similarly, customers have asked for additional auditing of events that occur within Twistlock, beyond logon activity to also include changes to policies and configuration. In 2.3, we’re logging those details not just to syslog, but also to the Console UI, including clear “before and after state” of every change throughout the environment.
Follow @Twistlockteam on Twitter to get updates on what’s next with Twistlock and cloud native cybersecurity.
- Container Security
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.