Twistlock runtime protection for containers uses a set of automatic profiling policies to detect anomalies at runtime. These policies are derived from system call profiling, malicious behavior fingerprinting, user access analysis, and intelligence from image scanning during development. These policies require little to no intervention from sysadmins and are a powerful tool for detecting active threats and compromises.
Our runtime protection solution provides easy-to-use policy templates, including best practices from the CIS benchmark, and a policy interface to specify approved settings, certified images and sanctioned processes for production containers. Twistlock defenders can enforce policies (e.g., no root, no SSH enabled), detect violations, and execute remediation for every container in your environment.
We can automatically build network activity profiles for containers, detect deviating behavior dynamically, spot suspicious communications to compromised IPs, and report policy-violating network actions. We can also enforce container linkages and port restrictions. When policy violations occur, we can notify, log, block user access, or kill compromised containers.
Twistlock's console provides a central dashboard displaying the number of active containers, vulnerability information, software libraries used, risk visualization/trending, policy violations, corrective actions, and user activities. Twistlock logs everything in native syslog format for easy SIEM integration and analytics.
For DevOps, policies governing static container images are often the same policies applied to running containers. Twistlock can enforce consistent policies from dev time to production with our container tagging framework and central intelligence. Our unique vantage point in both dev and production enables us to optimally gather intelligence and enforce policies for your production applications.
The Twistlock Intelligence Stream includes real-time threat feeds from a variety of sources covering known malicious sites, command & control servers, high-risk IP ranges and attack signatures. Twistlock defenders use this information to detect compromised containers and the existence of active threats.