Smart Runtime Defense
Container Runtime Protection Against Active Threats And Policy Violations
Twistlock’s Runtime Defense protects your containers against exploits, compromises, program mistakes and configuration errors. We monitor container activities, detect policy violations, report anomalies, and execute corrective actions. We do all this without changing your host, your containers, the container daemon, or your applications.
Twistlock’s runtime protection for containers uses a set of automatic profiling policies to detect anomalies at runtime. These policies are derived from system call profiling, malicious behavior fingerprinting, user access analysis, and intelligence from image scanning during development. They require little or no intervention from sysadmins and are a powerful tool for detecting active threats and compromises.
Our runtime protection solution provides easy-to-use policy templates, including best practices from the CIS benchmark, and a policy interface to specify approved settings, certified images and sanctioned processes for production containers. Twistlock Defenders can enforce policies (e.g., no root, no SSH enabled), detect violations, and execute remediation for every container in your environment.
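The policy checks described above (certified images, sanctioned processes, no root, no SSH) can be expressed as a small evaluator over a snapshot of a running container. The following is an added example written for this page, not Twistlock's own code or policy format; the image names, process names and the two container snapshots are constructed, and the policy dictionary is an assumed shape chosen for illustration.

```python
"""Added example: evaluate runtime policies against container snapshots.

Not Twistlock's code. The policy keys, image names and snapshots below are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class ContainerSnapshot:
    """What a runtime agent might observe about one running container."""
    name: str
    image: str
    user: str              # effective user the entrypoint runs as
    processes: list        # process names observed inside the container
    listening_ports: list  # TCP ports the container listens on


# Constructed policy: which images and processes are approved in production,
# plus the two "best practice" settings the text mentions (no root, no SSH).
POLICY = {
    "certified_images": {
        "registry.example.com/base/alpine:3.18",
        "registry.example.com/app/web:1.4",
    },
    "sanctioned_processes": {"nginx", "python3", "node"},
    "forbid_root": True,
    "forbid_ssh": True,
}


def evaluate(snapshot, policy=POLICY):
    """Return a list of (violation_type, detail) tuples, empty if compliant."""
    violations = []
    if snapshot.image not in policy["certified_images"]:
        violations.append(("uncertified_image", snapshot.image))
    if policy["forbid_root"] and snapshot.user in ("root", "0"):
        violations.append(("runs_as_root", snapshot.user))
    for proc in snapshot.processes:
        if policy["forbid_ssh"] and proc == "sshd":
            violations.append(("ssh_enabled", proc))
        elif proc not in policy["sanctioned_processes"]:
            violations.append(("unsanctioned_process", proc))
    if policy["forbid_ssh"] and 22 in snapshot.listening_ports:
        violations.append(("ssh_port_open", 22))
    return violations


# Severity ordering used to pick one corrective action per container.
ACTION_FOR = {
    "uncertified_image": "block",
    "runs_as_root": "alert",
    "ssh_enabled": "block",
    "ssh_port_open": "block",
    "unsanctioned_process": "alert",
}


def recommended_action(violations):
    """Map the violation set to a single action: allow, alert or block."""
    if not violations:
        return "allow"
    if any(ACTION_FOR[v] == "block" for v, _ in violations):
        return "block"
    return "alert"


# Constructed snapshots: one compliant container and one with several problems.
GOOD = ContainerSnapshot(
    name="web-1", image="registry.example.com/app/web:1.4",
    user="app", processes=["nginx", "python3"], listening_ports=[8080],
)
BAD = ContainerSnapshot(
    name="debug-1", image="docker.io/library/ubuntu:22.04",
    user="root", processes=["nginx", "sshd", "nc"], listening_ports=[80, 22],
)

if __name__ == "__main__":
    for snap in (GOOD, BAD):
        found = evaluate(snap)
        print(snap.name, recommended_action(found), found)
```

Each snapshot yields an explicit violation list rather than a single pass/fail, so the same evaluation can feed a log line for forensics and the choice of corrective action (notify, alert or block) independently.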
Network activity profiling
We can automatically build network activity profiles for containers, detect deviating behavior dynamically, spot suspicious communications to compromised IPs, and report policy-violating network actions. We can also enforce container linkages and port restrictions. When policy violations occur, we can notify, log, block user access, or kill compromised containers.
Visibility & Analytics
The Twistlock Console provides a central dashboard displaying the number of active containers, vulnerability information, software libraries used, risk visualization and trending, policy violations, corrective actions, and user activities. A complete export of Defender logs (as syslog) is available for forensics and SIEM analysis.
Dev-to-production vantage point
For DevOps, policies governing static container images are often the same policies applied to running containers. Twistlock can enforce consistent policies from dev time to production with our container tagging framework and central intelligence. Our unique vantage point in both dev and production enables us to optimally gather intelligence and enforce policies for your production applications.
Real-time threat intelligence
The Twistlock Intelligence Stream includes real-time threat feeds from a variety of sources covering known malicious sites, command & control servers, high-risk IP ranges and attack signatures. Twistlock Defenders use this information to detect compromised containers and the existence of active threats.
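The two mechanisms described under "Network activity profiling" and "Real-time threat intelligence" combine naturally: a learned baseline of each container's destinations catches deviations, and a threat feed catches known-bad destinations even when they would otherwise look routine. The following is an added example written for this page, not Twistlock's code or the format of its Intelligence Stream; the learning-phase flows are constructed, and the feed entries use reserved documentation address ranges (TEST-NET-2 and TEST-NET-3) rather than real indicators.

```python
"""Added example: network profile deviation plus threat-feed matching.

Not Twistlock's code. Flows and feed entries below are constructed; the feed
uses RFC 5737 documentation ranges, not real indicators.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed learning-phase flows: (container, destination ip, destination port).
LEARNING_FLOWS = [
    ("web-1", "10.0.1.20", 5432),   # database
    ("web-1", "10.0.1.20", 5432),
    ("web-1", "10.0.2.5", 6379),    # cache
]

# Constructed threat feed standing in for an intelligence stream.
THREAT_FEED = {
    "ips": {"198.51.100.23"},                              # TEST-NET-2
    "cidrs": [ipaddress.ip_network("203.0.113.0/24")],     # TEST-NET-3
}


def build_profile(flows):
    """Learn the set of (ip, port) destinations seen per container."""
    profile = defaultdict(set)
    for container, ip, port in flows:
        profile[container].add((ip, port))
    return profile


def in_threat_feed(ip, feed=THREAT_FEED):
    """True if the address is listed directly or falls in a listed range."""
    if ip in feed["ips"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in feed["cidrs"])


def assess_flow(profile, container, ip, port, feed=THREAT_FEED):
    """Return (verdict, reason). Threat-feed hits outrank profile deviations."""
    if in_threat_feed(ip, feed):
        return ("block", f"destination {ip} is in the threat feed")
    if (ip, port) not in profile.get(container, set()):
        return ("alert", f"{container} never contacted {ip}:{port} during learning")
    return ("allow", "matches learned profile")


def summarize(profile, flows, feed=THREAT_FEED):
    """Count verdicts over a batch of enforcement-phase flows."""
    counts = Counter()
    for container, ip, port in flows:
        counts[assess_flow(profile, container, ip, port, feed)[0]] += 1
    return dict(counts)


# Constructed enforcement-phase flows: one routine, one new, one feed hit.
ENFORCEMENT_FLOWS = [
    ("web-1", "10.0.1.20", 5432),
    ("web-1", "10.0.9.9", 5432),
    ("web-1", "203.0.113.7", 443),
]

if __name__ == "__main__":
    prof = build_profile(LEARNING_FLOWS)
    for flow in ENFORCEMENT_FLOWS:
        print(flow, assess_flow(prof, *flow))
    print(summarize(prof, ENFORCEMENT_FLOWS))
```

A profile keyed by container is the simplest form; keying it by image instead lets every replica of the same service share one baseline, which reduces alerts when containers are scaled up or replaced.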
The Twistlock Architecture
“This is exactly what we have been looking for – the ability to enforce certified base images and sanctioned processes in runtime and still give developers the freedom to do their work.”
- The Twistlock Console: A central dashboard and a policy configuration portal. Runs in the cloud or on premises.
- Twistlock Defenders: A Defender runs as a privileged container on each host alongside the protected app containers. It monitors runtime behavior, reports violations, and executes corrective actions.
- The Twistlock Intelligence Service: This service runs in the Twistlock cloud. It aggregates real-time threat and vulnerability info from a variety of sources and updates the Twistlock Console.