Without secure hosts, you cannot run secure containers. In Twistlock 2.4, Twistlock extends our host protection to protect hosts from unexpected behavior in both known and new services.

Container Host Protection Capabilities

Twistlock defines each service by the set of capabilities that the service requires. For a service it has not seen before, these container host protection capabilities are learned by machine learning the first time the service runs on a host protected by Twistlock. For example, here are the capabilities for dockerd, the underlying daemon for Docker:

Capabilities define the expected system and administrative actions that the service will take.

Violations

When a service requests a capability that isn’t in its model, Twistlock will generate an audit:

In this case, an HTTP server executed the useradd command, which is included in the USERS_ADMIN capability. This is out of the model for the http-server service (obviously, I hope).

We can also create rules that prevent this behavior:

With this rule in place, further attempts to exploit http-server are blocked:
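The learn, audit and block flow described above, as an added illustration that is not Twistlock's own code and does not reflect its internal data model: a service's model is the set of capabilities observed on its first run; afterwards any command whose capability is outside that set raises an audit, and a block rule for the service turns the audit into a denial. The command-to-capability table is constructed for the example (only `useradd` to `USERS_ADMIN` comes from the page), as are the sample command sequences for `dockerd` and `http-server`.

```python
"""Toy capability model for host services (constructed example, not Twistlock code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed mapping from executed program to a capability label. The label
# style follows the page (USERS_ADMIN); every other entry is an assumption.
COMMAND_CAPABILITIES: Dict[str, str] = {
    "useradd": "USERS_ADMIN",
    "usermod": "USERS_ADMIN",
    "iptables": "NETWORK_ADMIN",
    "mount": "FILESYSTEM_ADMIN",
    "runc": "CONTAINER_RUNTIME",
    "containerd": "CONTAINER_RUNTIME",
    "cat": "FILE_READ",
}


@dataclass
class ServiceModel:
    """Capabilities a named service was observed to need during learning."""
    name: str
    capabilities: Set[str] = field(default_factory=set)


@dataclass
class Audit:
    """Record of an out-of-model action and what was done about it."""
    service: str
    command: str
    capability: str
    action: str  # "alert" (audit only) or "block" (denied by rule)


def capability_for(command: str) -> str:
    """Map a command to its capability; unmapped commands get a distinct label
    so that they are never silently folded into a known capability."""
    return COMMAND_CAPABILITIES.get(command, "UNKNOWN")


def learn(service: str, commands: List[str]) -> ServiceModel:
    """Learning phase: the first run defines the model, nothing is judged."""
    model = ServiceModel(service)
    for cmd in commands:
        model.capabilities.add(capability_for(cmd))
    return model


def enforce(model: ServiceModel, commands: List[str],
            block_rules: Set[str]) -> Tuple[List[bool], List[Audit]]:
    """Enforcement phase: return, per command, whether it was permitted, plus
    the audits raised. Services listed in block_rules are denied out-of-model
    actions; all others only produce an alert."""
    permitted: List[bool] = []
    audits: List[Audit] = []
    for cmd in commands:
        cap = capability_for(cmd)
        if cap in model.capabilities:
            permitted.append(True)
            continue
        action = "block" if model.name in block_rules else "alert"
        audits.append(Audit(model.name, cmd, cap, action))
        permitted.append(action != "block")
    return permitted, audits


if __name__ == "__main__":
    # Constructed first-run traces for the two services named on the page.
    dockerd = learn("dockerd", ["containerd", "runc", "iptables", "mount"])
    http = learn("http-server", ["cat"])
    print("dockerd model:", sorted(dockerd.capabilities))

    # Audit only: useradd is outside the http-server model, so it is flagged.
    ok, audits = enforce(http, ["cat", "useradd"], block_rules=set())
    print("without rule:", ok, [(a.capability, a.action) for a in audits])

    # With a block rule for http-server the same action is denied.
    ok, audits = enforce(http, ["useradd"], block_rules={"http-server"})
    print("with rule:", ok, [(a.capability, a.action) for a in audits])
```

The two enforcement calls mirror the two screenshots the post refers to: the first raises an audit for `USERS_ADMIN` but lets the command through, the second denies it once a rule names `http-server`. Keeping unmapped commands as `UNKNOWN` rather than dropping them is the choice that keeps the learned model honest; a real product would also have to decide when learning ends and how model drift is handled, which this toy does not attempt.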

Summary

Improvements to host protection allow Twistlock to model the actual activity of background services more precisely, resulting in more comprehensive preventive runtime defense while also producing fewer false positives.

Read more about Twistlock 2.4 here, or get started with Twistlock today!

Related Twistlock 2.4 Posts:

  • Multi Tenancy & Infinite Scale with Projects in Twistlock 2.4
  • Twistlock 2.4 Release Notes
  • Multiple Container Registry Scanners in Twistlock 2.4