Technical Report on Container Security (V)-3

Technical Report on Container Security (V)-3

março 27, 2019 | Adeline Zhang

Security Tools – StackRox

  • About StackRox

StackRox features a distributed architecture that collects and analyzes data throughout the application lifecycle to detect and block malicious actors, and finally meet the requirement for protecting containerized cloud-native applications. StackRox delivers continuous detection through its unique combination of distributed sensors and centralized analysis and machine learning to provide context and correlation at the speed and scale of containers.

The Adversarial Intent Model (AIM) is a product design idea proposed by StackRox. With the rapid development of modern information technology (IT), conventional scanning, patching, prevention, monitoring, and methods for securing independent operations seem to lag behind and be insufficient for effective protection. StackRox came up with an idea of developing defense strategies from the standpoint of adversaries. With the overall operating environment of containers taken into account and based on the five attack lifecycle phases, StackRox proposed a new multidimensional threat detection model, namely AIM.

Figure 5.16 Attack lifecycle model

Currently, the company’s products mainly include StackRox Prevent and StackRox Detect and Respond.

  • StackRox Prevent

StackRox Prevent is a product that automates security and compliance for container deployments based on monitoring and analysis of information across multiple dimensions. It provides a contextual profile of overall container security posture by checking whether containers have adopted appropriate controls and configurations, thereby minimizing the attack surface from the initial phase.

Core functions of StackRox Prevent are as follows:

  • Dashboard: provides a holistic view of the entire container cluster, events, images, security configurations, alerts, and the like.
  • Security policy management: creates and modifies security detection policies; reevaluates and updates security policies after disclosure of new vulnerabilities.
  • Compliance check: scans Docker, Swarm, and Kubernetes configurations against CIS Benchmarks to determine the gap between current environment configurations and security baselines.
  • Product integration: can easily integrate with container-related platforms or tools.

Figure 5.17 Logical view of StackRox Prevent

In the preceding logical view, StackRox Prevent consists of the sensor and API/UI parts, both of which are deployed on a container platform or orchestration platform as containers.

Sensor containers are deployed in various container clusters in a distributed manner to implement detection. The API/UI container is a logical centralized controller, which exchanges control and result information with the distributed sensors through APIs and presents such information on the user interface (UI).

StackRox Prevent has the following characteristics:

  • Risk evaluation and forecast based on rich environment data such as image vulnerabilities, container configurations, and host and network configurations
  • Fast generation of aggregate analysis reports based on detection results to quantify and benchmark risks
  • Providing configuration baselines and supporting security policy customization
  • Adaptation to and support for a variety of platforms (DevOps, Orchestration, and PaaS) and tools

Up to now, StackRox Prevent has adapted itself to various platforms and tools, as listed in the following table.

Container Platform Docker Enterprise Edition, Google Kubernetes Engine (GKE), RedHat OpenShift
IaaS Amazon Web Services (AWS), Google Cloud Platform (GCP), IBM Bluemix, Microsoft Azure, OpenStack, Oracle Cloud, virtual machines (KVM, Hyper-V, VMware, Xen), bare metal
Image Repository Docker Hub, Docker Trusted Registry (DTR), Tenable, Quay
Vulnerability Scanner Docker Security Scanning, Tenable, Quay, CoreOS Clair
Identity Management Auth0
Workflow Jira, Slack, e-mail


  • StackRox Detect and Respond

StackRox Detect and Respond, through integration with containers or cloud platforms, provides built-in security for local applications and visibility into the container attack surface, reveals malicious activities, and prevents attacks by employing a new detection and response method.

Core functions of StackRox Detect and Respond are as follows:

  • Attack visibility: Through deployed sensors, the product can continuously monitor millions of signals, detect anomalous activities in each container at runtime, and promptly nip the threat in the bud.
  • Kill chain analysis: Through machine learning, the product can learn how an attacker gains access, infiltrates the business environment, and finally launches attacks, and conduct an in-depth analysis of the root cause.
  • Threat prevention: By automatically blocking, isolating, and narrowing down threats, the product can effectively mitigate the impact of threats.

Figure 5.18 Logical view of StackRox Detect and Respond

StackRox Detect and Respond combines a brand-new security architecture with ongoing monitoring and machine learning capabilities to protect the container environment from new threats. The product can be deployed on any type of infrastructure through container-based microservices.

The logical view in Figure 5.18 shows that the product consists of two parts, the same as StackRox Prevent. In a container cluster, StackRox can be deployed for data collection and runtime monitoring. Director, as the controller for logically centralized management, analyzes the collected data by means of machine learning and makes decisions accordingly on how to handle the perceived threats. However, until now, there is no detailed explanation about how such machine learning is implemented and how accurate that will be.

StackRox Detect and Respond has the following characteristics:

  • Deep visibility into threats
  • Asset visibility: discovers all containers in a cluster and groups services within applications to provide a holistic view of assets for threat detection.
  • Threat visibility: provides low-noise data from ongoing monitoring of file systems, networking, processes, and container-related events to constitute a massive web of threat monitoring points.
  • Business visibility: provides valid data sources for anomaly monitoring and identification by monitoring communication between all containers.
  • Adaptive detection and response
  • Expanded monitoring scope: Currently, the monitoring can be conducted from five dimensions: foothold, privilege escalation, persistence, lateral movement, and objectives.
  • Autotuned machine learning: implements fully automated learning according to container activity changes.
  • Automated orchestration and response: automatically responds to discovered threats by blocking unauthorized instructions, terminating system calls, or isolating the related container.
  • Policy customization: While StackRox provides common preconfigured templates, users can also customize their protection policies according to their own business workflows.
  • Alert context: provides detailed context for security events to inform decision-making on threat responding.
  • Fast deployment and ease of management

StackRox Detect and Respond can be launched using the existing deployment toolchain or directly deployed on the current orchestration system to be subject to unified management and orchestration with other containers. StackRox allows operations through web interfaces, command lines, and APIs. Up to now, StackRox Detect and Respond has adapted itself to various platforms and tools, as listed in the following table.

Container Platform Amazon Elastic Container Service for Kubernetes (EKS), Azure Container Service (AKS), Docker Enterprise Edition, Google Kubernetes Engine (GKE), IBM Bluemix Container Service, Mesosphere DC/OS, Red Hat OpenShift
Operating System CentOS, Debian, Red Hat Enterprise Linux (RHEL), Ubuntu
IaaS Amazon Web Services (AWS), Google Cloud Platform (GCP), IBM Bluemix, Microsoft Azure, OpenStack, Oracle Cloud, virtual machines (KVM, Hyper-V, VMware, Xen), bare metal
Image Repository Amazon EC2 Container Registry (ECR), Artifactory, Azure Container Registry (ACR), Docker Hub, Docker Trusted Registry (DTR), Google Container Registry (GCR)
Identity Management SAML 2.0-compliant identity providers including Google, Okta, Ping Identity
Event Alert PagerDuty, Slack


  1. Summary

The container technology provides a lightweight mode of virtualization, greatly conveniencing DevOps and development of cloud-native applications. After several years’ evolution, it has been accepted as a technology with increasingly strong advantages. Containers were initially popular as a useful tool for developers to isolate the development and testing environment from the ongoing integration environment thanks to their lightweight as well as ease of configuration and use.

In the meantime, cloud-native applications have been gradually accepted by more and more people because of their agility, high scalability, and high availability. As a typical example, the Cloud Native Computing Foundation (CNCF) initiated by Google has drawn wide attention from numerous vendors and open-source communities.

From containerization of applications to development of cloud-native applications, the container technology has always been the most fundamental and essential support. While new technologies can convenience and benefit our work, they also bring in new security threats, which should never be neglected.

In the past few years, a succession of security risks and events incurred by containers and container application environments have been reported. Container networking, container images, exposed APIs, and container isolation have become top concerns for the use of containers.

Revolving around security risks of containers from aspects of software vulnerabilities and security threats along with application security threats, this article presents security issues facing containers and container application in a systematic manner. To deal with these security issues, the author proposes detection and protection recommendations on host security, image security, networking security, and application security. The last part of this article gives a brief account of some solutions to container security from the perspectives of open-source communities and vendors.