Container security emerges in IT products enterprises know and trust

Container security has arrived from established IT vendors that enterprises know and trust, but startups that were first to market still have a lead, with support for cloud-native tech.

Managed security SaaS provider Alert Logic this week became the latest major vendor to throw its hat into the container security ring, a month after cloud security and compliance vendor Qualys added container security support to its DevSecOps tool.

Container security monitoring is now a part of Alert Logic's Cloud Defender and Threat Manager intrusion detection systems (IDSes). Software agents deployed on each host inside a privileged container monitor network traffic between containers within that host, as well as between hosts for threats. A web application firewall blocks suspicious traffic Threat Manager finds between containers, and Threat Manager offers remediation recommendations to address any risks that remain in the infrastructure.

Accesso Technology Group bought into Alert Logic's IDS products in January 2018 because it supports VM-based and bare-metal infrastructure, and planned container support was a bonus.

"They gave us a central location to monitor our physical data centers, remote offices and multiple public clouds," said Will DeMar, director of information security at Accesso, a ticketing and e-commerce service provider in Lake Mary, Fla.

DeMar beta-tested the Threat Manager features and has already deployed them with production Kubernetes clusters in Google Kubernetes Engine and AWS Elastic Compute Cloud environments, though Alert Logic's official support for its initial release is limited to AWS.

Immediate visibility into intrusion and configuration issues … [is] critical to our DevOps process.

"We have [AWS] CloudFormation and [HashiCorp] Terraform scripts that put Alert Logic onto every new Kubernetes host, which gives us immediate visibility into intrusion and configuration issues," DeMar said. "It's critical to our DevOps process."

A centralized view of IT security in multiple environments and "one throat to choke" in a single vendor appeals to DeMar, but he hasn't ruled out tools from Alert Logic's startup competitors, such as Aqua Security, NeuVector and Twistlock, which he sees as complementary to Alert Logic's product.

"Aqua and Twistlock are more container security-focused than intrusion detection-focused," DeMar said. "They help you check the configuration on your container before you release it to the host; Alert Logic doesn't help you there."

Container security competition escalates

Alert Logic officials, however, do see Aqua Security, Twistlock and their ilk as competitors, and the container image scanning ability DeMar referred to is on the company's roadmap for Threat Manager in the next nine months. Multiple layers of infrastructure are involved to secure Docker containers, and Alert Logic positions its container security approach as network-based IDS, as opposed to host-based IDS. The company said network-based IDS more deeply inspects real-time network traffic at the packet level, whereas startups' products examine only where that network traffic goes between hosts.

Aqua Security co-founder and CTO Amir Jerbi, of course, sees things differently.

"Traditional security tools are trying to shift into containers and still talk in traditional terms about the host and network," Jerbi said. "Container security companies like ours don't distinguish between network, host and other levels of access -- we protect the container, through a mesh of multiple disciplines."

That's the major distinction for enterprise end users: whether they prefer container security baked into broader, traditional products or as the sole focus of their vendor's expertise. Aqua Security version 3.2, also released this week, added support for container host monitoring where thin OSes are used, but the tool isn't a good fit in VM or bare-metal environments where containers aren't present, Jerbi said.

Aqua Security's tighter focus means it has a head start on the latest and greatest container security features. For example, version 3.2 includes the ability to customize and build a whitelist of system calls containers make, which is still on the roadmap for Alert Logic. Version 3.2 also adds support for static AWS Lambda function monitoring, with real-time Lambda security monitoring already on the docket. Aqua Security was AWS' partner for container security with Fargate, while Alert Logic must still catch up there as well.

Industry watchers expect this dynamic to continue for the rest of 2018 and predict that incumbent vendors will snap up startups in an effort to get ahead of the curve.

"Everyone sees the same hill now, but they approach it from different viewpoints, more aligned with developers or more aligned with IT operations," said Fernando Montenegro, analyst with 451 Research. "As the battle lines become better defined, consolidation among vendors is still a possibility, to strengthen the operations approach where vendors are already focused on developers and vice versa."