Tomer co-founded SentinelOne in 2013. He is responsible for the company’s direction, products, and services strategy.
At a bare minimum, CISOs are expected to have insight into everything that’s going on from a technology perspective and to protect every attack surface an adversary could reach. As if that weren’t already challenging enough, the rise of containers and cloud technologies has added a new layer of complexity.
Today’s critical business infrastructures are powered by and reside in the cloud, with many living as containerized workloads. Containers, Kubernetes and microservices have become a vital part of how businesses develop and deploy applications and services. For example, when you search for directions on a mobile mapping app, the request is served by a pool of containers that the platform scales up and down with demand rather than by a fixed set of servers. Now think of how many times people use Google Maps on any given day: that is a lot of containers being created and retired, and that’s just one application.
According to a report published by Gartner, Inc., “by 2022, more than 75% of global organizations will be running containerized applications in production.” The question on every CISO’s mind now becomes how they can protect their rapidly proliferating cloud attack surface to keep up with the uncertainties brought on by containers and Kubernetes.
The answer: runtime visibility.
Visibility Across Your Network
As organizations embrace the operational efficiencies and benefits of containers and Kubernetes, security teams need to ensure their containerized applications are protected from unknown malware, zero-days and in-memory attacks in real time, while automatically pinpointing which container was the target, which pod it ran in and which image it was built from, so the finding can be acted on.
The challenge lies in the fact that containers live only as long as they are needed, which adds considerable complexity to an organization’s overall security strategy. Containers are also replaced frequently, so the number of containers in your environment at any given moment is constantly in flux. Once a container is gone, its filesystem and process state go with it unless they were captured while it ran. This temporary nature makes investigating and getting to the root cause of incidents involving containers complex and sometimes impossible.
One common security practice is scanning container images for known vulnerabilities. While identifying vulnerabilities within the containers in your environment may seem like a daunting task, it doesn’t have to be. Each container is started from an image, and the image is built from a recipe (a Dockerfile, for example) that names a base image and the packages installed on top of it. If a scanner matches a package version in that image against a published Common Vulnerabilities and Exposures (CVE) entry, that’s your first indicator the recipe needs to change, and because every running container of that image shares the flaw, fixing the recipe fixes them all.
However, scanning catches only vulnerabilities that already have an identifier. It does not protect you from unknown vulnerabilities, which present the larger threat, and it says nothing about what a workload actually does once it is running.
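To make the image-scanning step concrete, here is an added example (not code from the original article or from SentinelOne) that matches a package inventory extracted from an image layer against an advisory feed. The inventory text, the advisory entries and their identifiers are all constructed for this example; the identifiers are placeholders, not real CVE ids, and the version ordering is a simplified dpkg-style comparison, not a full implementation of dpkg’s rules.

```python
import re

# Constructed inventory, in the shape of `dpkg-query -W -f '${Package} ${Version}\n'`
# run against an extracted image layer. Package versions are illustrative.
IMAGE_INVENTORY = """\
openssl 1.1.1k-1
libcurl4 7.74.0-1.3
zlib1g 1:1.2.11.dfsg-2
bash 5.1-2
"""

# Constructed advisory feed. The ids are placeholders, not real CVE identifiers;
# a real scanner loads a vulnerability database keyed by CVE.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed_in": "1.1.1n-0"},
    {"id": "EXAMPLE-0002", "package": "libcurl4", "fixed_in": "7.74.0-1.3"},
    {"id": "EXAMPLE-0003", "package": "zlib1g", "fixed_in": "1:1.2.12-1"},
    {"id": "EXAMPLE-0004", "package": "libxml2", "fixed_in": "2.9.13-1"},
]


def parse_inventory(text):
    """Return {package: version} from 'name version' lines; blank lines are skipped."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        inventory[name] = version.strip()
    return inventory


def version_key(version):
    """Simplified dpkg-style ordering: epoch first, then alternating numeric and
    non-numeric runs, with numeric runs compared as integers. This is an
    assumption adequate for the demo; dpkg's full rules (e.g. '~') are not modelled."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    key = [int(epoch)]
    for run in re.findall(r"\d+|\D+", rest):
        key.append((0, int(run)) if run.isdigit() else (1, run))
    return key


def is_vulnerable(installed, fixed_in):
    """Installed version is affected if it sorts before the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def scan(inventory_text, advisories):
    """Match installed packages against the advisory feed; return the findings in feed order."""
    inventory = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # package not present in this image, advisory does not apply
        if is_vulnerable(installed, adv["fixed_in"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": installed, "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in scan(IMAGE_INVENTORY, ADVISORIES):
        print(f"{f['id']}: {f['package']} {f['installed']} is below fixed version {f['fixed_in']}")
```

Two things the matcher shows that the paragraph does not: an advisory for a package the image does not contain produces no finding, and an advisory whose fixed version is already installed (libcurl4 here) is correctly silent, so the output is the list of recipe changes to make, not a list of everything that was ever reported against those packages.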
Protecting Against The Unknown
Runtime protection allows organizations to protect themselves against the unknown, using behavioral modeling, typically driven by machine learning, to catch zero-day threats by their effects rather than by a signature. Exploitation of unknown vulnerabilities can’t always be prevented on systems or cloud workloads, so security teams are left to detect and remediate these exploits quickly as they happen. To do that, security teams need runtime visibility and behavioral modeling in place: the visibility so they can see what the workload is doing (processes launched, files touched, connections made), and the modeling so they can tell when that behavior departs from the workload’s established norm because of an exploit.
Following the immediate remediation of the threat, the historical visibility these technologies provide plays a crucial role in helping security teams find the root cause, or weakness, that allowed the attack. Understanding the weakness or vulnerability is key to fixing it in the code, which eliminates the need to detect and respond to that particular issue at runtime. Moving security work earlier in the lifecycle, into design and build, is called “shift-left”; feeding runtime findings back into the pipeline as fixes and tests is one of the most effective ways to practice it.
Without proper visibility and logging, it becomes impossible to identify the issue, let alone eliminate it.
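The baseline-and-deviate approach described above, as an added example that is not part of the original article and not SentinelOne’s code: a behavioral model is learned per image from process-exec events, live events are checked against it, and every finding is tagged with the image, pod and container so it remains actionable after the pod has been replaced. The events and their field names (image, pod, container, parent, exe) are constructed for this example and are assumptions about what a runtime sensor might emit.

```python
from collections import defaultdict

# Constructed process-exec events in the shape a runtime sensor might emit.
# Learning window: two pods of the web image behaving normally.
LEARNING_WINDOW = [
    {"image": "shop/web:1.4", "pod": "web-7c9d", "container": "c1", "parent": "runc", "exe": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "pod": "web-7c9d", "container": "c1", "parent": "/usr/sbin/nginx", "exe": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "pod": "web-2a1f", "container": "c2", "parent": "runc", "exe": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "pod": "web-2a1f", "container": "c2", "parent": "/usr/sbin/nginx", "exe": "/usr/sbin/nginx"},
]

# Live window: the earlier pods are gone, and the replacement pod does something
# the baseline never saw (a web server spawning a shell, which then runs curl).
LIVE_WINDOW = [
    {"image": "shop/web:1.4", "pod": "web-9e0b", "container": "c3", "parent": "runc", "exe": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "pod": "web-9e0b", "container": "c3", "parent": "/usr/sbin/nginx", "exe": "/usr/sbin/nginx"},
    {"image": "shop/web:1.4", "pod": "web-9e0b", "container": "c3", "parent": "/usr/sbin/nginx", "exe": "/bin/sh"},
    {"image": "shop/web:1.4", "pod": "web-9e0b", "container": "c3", "parent": "/bin/sh", "exe": "/usr/bin/curl"},
    {"image": "shop/api:2.0", "pod": "api-11aa", "container": "c4", "parent": "runc", "exe": "/app/api"},
]


def build_baseline(events):
    """Behavioral model: for each image, the set of (parent, exe) pairs seen while learning."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["image"]].add((e["parent"], e["exe"]))
    return baseline


def _where(e):
    # Keep the identifiers needed for root cause after the container itself is gone.
    return {"image": e["image"], "pod": e["pod"], "container": e["container"]}


def detect(events, baseline):
    """Flag exec pairs the image's baseline never contained. An image with no
    baseline at all is reported once as 'unmodeled' rather than silently passed."""
    findings = []
    unmodeled = set()
    for seq, e in enumerate(events):
        model = baseline.get(e["image"])
        if model is None:
            if e["image"] not in unmodeled:
                unmodeled.add(e["image"])
                findings.append({"seq": seq, "kind": "unmodeled_image", **_where(e)})
            continue
        if (e["parent"], e["exe"]) not in model:
            findings.append({"seq": seq, "kind": "unexpected_exec",
                             "parent": e["parent"], "exe": e["exe"], **_where(e)})
    return findings


def root_cause_view(findings):
    """Group deviations by image, in event order: the image is the artifact that
    gets fixed, and it outlives any individual pod or container."""
    view = defaultdict(list)
    for f in findings:
        if f["kind"] == "unexpected_exec":
            view[f["image"]].append(f"{f['pod']}/{f['container']}: {f['parent']} -> {f['exe']}")
    return dict(view)


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_WINDOW)
    for image, chain in root_cause_view(detect(LIVE_WINDOW, baseline)).items():
        print(image)
        for step in chain:
            print("  " + step)
```

Two design choices worth noting. The baseline is keyed by image tag, so rolling out a new image version starts a fresh model instead of inheriting one that no longer describes the workload. And a learning window this small will produce false positives in practice (a legitimate cron job that never ran during learning, for instance); the remedy is a longer window and a review step, not a looser match.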
Shortening The Window
It’s important to identify each and every container running the vulnerable code, and fast. The longer a vulnerability remains undetected, the longer an attacker has to exploit it, and the window in which you can still stop the attack before damage is done keeps shrinking.
In order to shorten this window, it’s also important for security teams and developers to work in sync. The DevOps team typically builds Kubernetes clusters and containers, although they often feel they aren’t the ones in charge of protecting them. Security teams need to ensure there are processes in place to be able to implement the required security controls without disrupting developers’ innovation. This requires open communication and collaboration between the groups to empower developers to feel like part of the overall security strategy, ensuring they produce secure and compliant applications that are well within the security framework.
There’s no denying that containers are a lot more challenging to secure than traditional monolithic applications. However, when CISOs have the solutions and people in place to prevent vulnerabilities, easily identify them and clean them up with little disruption to the network, they can not only keep up with the uncertainties but stay one step ahead.