Without secure hosts, you cannot run secure containers. Twistlock 2.4 extends host protection to cover unexpected behavior in both known services and services that are new to a host.
Container Host Protection Capabilities
Twistlock defines each service by the capabilities that the service requires. For a service it has not seen before, those container host protection capabilities are learned automatically the first time the service runs on a host protected by Twistlock. For example, here are the learned capabilities for dockerd, the daemon underlying Docker:
Capabilities describe the expected system and administrative actions that the service takes; the learned set is the service's model.
When a service exercises a capability that isn't in its model, Twistlock generates an audit:
In this case, an HTTP server executed the useradd command, which falls under the USERS_ADMIN capability. That is outside the learned model for the http-server service (obviously, I hope).
We can also create rules that prevent this behavior:
With this rule in place, further attempts to exploit http-server are blocked:
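To make the learn-then-enforce flow concrete, here is an added example that is not Twistlock code: a toy capability model for background services. It maps executed binaries to capability categories, learns one capability set per service from a constructed learning-window log, then evaluates later events, returning an audit when a service steps outside its model and a block when a prevent rule covers that service. The only binary-to-capability pairing the post gives is useradd to USERS_ADMIN; every other capability name, the log line format, the service names and the rule effects ("prevent") are assumptions of this example, not Twistlock's real taxonomy or output.

```python
"""Toy service capability model: learn per-service capability sets, then
audit or block out-of-model activity. Added example, not Twistlock code."""
from collections import defaultdict

# Assumed mapping from executed binary to the capability it exercises.
# useradd -> USERS_ADMIN comes from the post; the rest are illustrative.
CAPABILITY_OF = {
    "useradd": "USERS_ADMIN", "usermod": "USERS_ADMIN", "passwd": "USERS_ADMIN",
    "iptables": "NETWORK_ADMIN", "ip": "NETWORK_ADMIN",
    "runc": "CONTAINER_RUNTIME", "containerd": "CONTAINER_RUNTIME",
    "mount": "FILESYSTEM_ADMIN",
    "sh": "SHELL", "bash": "SHELL",
}


def capability_for(binary):
    """Map a binary name to its capability; anything unmapped is UNKNOWN."""
    return CAPABILITY_OF.get(binary, "UNKNOWN")


def parse_event(line):
    """Parse one constructed exec-audit line of the (assumed) form
    '<timestamp> service=<unit> exec=<binary>' into (service, binary)."""
    fields = dict(f.split("=", 1) for f in line.split()[1:])
    return fields["service"], fields["exec"]


def learn_models(lines):
    """Learning phase: the set of capabilities each service was seen using."""
    models = defaultdict(set)
    for line in lines:
        service, binary = parse_event(line)
        models[service].add(capability_for(binary))
    return {svc: frozenset(caps) for svc, caps in models.items()}


def evaluate(line, models, rules):
    """Enforcement phase. Returns (verdict, service, capability):
    'allow' when the capability is in the service's learned model,
    'block' when it is not and a 'prevent' rule covers the service,
    'audit' when it is not and no prevent rule applies,
    'learn' when the service has no model yet (treated as still learning).
    The rule effects and the 'learn' state are assumptions of this example."""
    service, binary = parse_event(line)
    cap = capability_for(binary)
    known = models.get(service)
    if known is None:
        return ("learn", service, cap)
    if cap in known:
        return ("allow", service, cap)
    if rules.get(service) == "prevent":
        return ("block", service, cap)
    return ("audit", service, cap)


# Constructed learning-window events (not real Twistlock output).
LEARNING_LOG = [
    "2018-06-12T10:00:01Z service=dockerd exec=runc",
    "2018-06-12T10:00:02Z service=dockerd exec=containerd",
    "2018-06-12T10:00:03Z service=dockerd exec=iptables",
    "2018-06-12T10:00:04Z service=dockerd exec=mount",
    "2018-06-12T10:05:00Z service=http-server exec=sh",
]

# Constructed post-learning events, including the post's useradd case.
LIVE_LOG = [
    "2018-06-12T11:00:00Z service=dockerd exec=iptables",
    "2018-06-12T11:00:01Z service=http-server exec=useradd",
    "2018-06-12T11:00:02Z service=sshd exec=bash",
]


def run(learning_log, live_log, rules):
    """Learn models from one log, then evaluate every line of another."""
    models = learn_models(learning_log)
    return [evaluate(line, models, rules) for line in live_log]


if __name__ == "__main__":
    for rules in ({}, {"http-server": "prevent"}):
        print("rules:", rules or "none (audit only)")
        for verdict, svc, cap in run(LEARNING_LOG, LIVE_LOG, rules):
            print(f"  {verdict:5s} {svc:12s} {cap}")
```

Run as-is, the useradd event from http-server is reported as an audit with no rules and as a block once a prevent rule covers http-server, while dockerd's iptables call is allowed because NETWORK_ADMIN was in its learned set. The sshd events fall into the learn state because that service had no model, which is the toy's stand-in for a service being profiled on first run.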
These improvements let Twistlock model the actual activity of background services more precisely, giving more comprehensive preventive runtime defense with fewer false positives.