Without secure hosts, you cannot run secure containers. Twistlock 2.4 extends our host protection to catch unexpected behavior in both known and new host services.
Container Host Protection Capabilities
Twistlock defines each host service by the capabilities that service requires. For new services, these container host protection capabilities are learned by machine learning the first time the service runs on a host protected by Twistlock. For example, here are the capabilities for dockerd, the daemon underlying Docker:
Capabilities group the system and administrative actions a service is expected to take, so the model describes what the service does rather than listing every binary it might execute.
When a service uses a capability that isn't in its model, Twistlock generates an audit:
In this case, the http-server service executed the useradd command, which belongs to the USERS_ADMIN capability. A web server creating local user accounts is out of its model (obviously, I hope); it is also exactly the kind of step an attacker takes after compromising the server, which is why the audit is worth acting on.
We can also create a runtime rule that blocks this behavior instead of only auditing it:
With this rule in place, further attempts to exploit http-server this way are blocked. Note that the rule stops the out-of-model action, not the weakness in http-server that let the attacker run it; the audit is also your signal to go fix that:
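To make the learn-then-enforce flow above concrete, here is an added illustrative example in Python. It is not Twistlock code: the capability names and their binary membership, the service models, the sample exec events and the block rule are all assumptions constructed for this example. It learns a model for each service from its first-run events, then classifies later events as in-model, audited, or blocked when a rule covers that service and capability.

```python
import os
from dataclasses import dataclass, field

# Capability groups: each names an administrative action and the binaries that
# perform it. Names and memberships are assumptions made for this example.
CAPABILITIES = {
    "USERS_ADMIN": {"useradd", "userdel", "usermod", "passwd"},
    "PACKAGE_ADMIN": {"apt-get", "yum", "dnf"},
    "NETWORK_ADMIN": {"iptables", "ip", "ifconfig"},
    "CONTAINER_RUNTIME": {"containerd", "containerd-shim", "runc"},
}


def capability_for(binary):
    """Map an executed binary to its capability, or None if it is not administrative."""
    name = os.path.basename(binary)
    for cap, members in CAPABILITIES.items():
        if name in members:
            return cap
    return None


@dataclass
class ExecEvent:
    service: str  # host service that spawned the process, e.g. "dockerd"
    binary: str   # path of the executable it ran


@dataclass
class ServiceModel:
    service: str
    capabilities: set = field(default_factory=set)


def learn(events):
    """Learning phase: build one model per service from its first-run behaviour."""
    models = {}
    for ev in events:
        model = models.setdefault(ev.service, ServiceModel(ev.service))
        cap = capability_for(ev.binary)
        if cap is not None:
            model.capabilities.add(cap)
    return models


def evaluate(models, event, block_rules=frozenset()):
    """Enforcement phase: classify one exec event against its service's model.

    block_rules is a set of (service, capability) pairs; "*" matches any capability.
    A service with no model is treated as having an empty model.
    Returns one of "non-admin", "in-model", "audit", "blocked".
    """
    cap = capability_for(event.binary)
    if cap is None:
        return "non-admin"
    model = models.get(event.service)
    if model is not None and cap in model.capabilities:
        return "in-model"
    if (event.service, cap) in block_rules or (event.service, "*") in block_rules:
        return "blocked"
    return "audit"


def enforce(models, events, block_rules=frozenset()):
    """Replay events; return (service, binary, capability, verdict) for each out-of-model one."""
    findings = []
    for ev in events:
        verdict = evaluate(models, ev, block_rules)
        if verdict in ("audit", "blocked"):
            findings.append((ev.service, ev.binary, capability_for(ev.binary), verdict))
    return findings


# Constructed sample events for this example (not real audit data).
FIRST_RUN = [
    ExecEvent("dockerd", "/usr/bin/containerd-shim"),
    ExecEvent("dockerd", "/usr/bin/runc"),
    ExecEvent("dockerd", "/usr/sbin/iptables"),
    ExecEvent("http-server", "/bin/gzip"),          # log compression, not administrative
]

LATER = [
    ExecEvent("dockerd", "/usr/sbin/iptables"),     # expected: in model
    ExecEvent("http-server", "/usr/sbin/useradd"),  # a web server adding a user
    ExecEvent("dockerd", "/usr/bin/apt-get"),       # package install from dockerd: drift
]

# Hypothetical rule: block USERS_ADMIN from http-server rather than only auditing it.
BLOCK_RULES = {("http-server", "USERS_ADMIN")}

if __name__ == "__main__":
    models = learn(FIRST_RUN)
    for service, binary, cap, verdict in enforce(models, LATER, BLOCK_RULES):
        print(f"{verdict.upper():7} {service} executed {binary} ({cap} not in model)")
```

With only audits enabled the useradd event is reported; once the block rule is present the same event is reported as blocked, while the dockerd apt-get drift is still only audited because no rule covers it.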
These host protection improvements let Twistlock model the actual activity of background services more precisely, which gives broader preventive runtime defense with fewer false positives.