Sysdig Adds Ability to Make Container Runtimes Immutable

Sysdig today added a Drift Control capability to its container security platform that makes it possible to lock down runtime environments.

Daniella Pontes, senior manager for product marketing at Sysdig, says IT teams can now run immutable container instances in production, instances whose contents cannot be modified once they are started.

At the same time, Sysdig says it is partnering with Proofpoint to make threat intelligence feeds available to IT teams that have deployed its container security platform.

The Sysdig container platform is built on Falco, an open source container runtime security platform that is being advanced under the auspices of the Cloud Native Computing Foundation (CNCF).

However, Pontes notes it is also critical for organizations to employ multiple additional layers of security to prevent their IT environments from being compromised. That matters most in distributed container environments, where changes are made frequently, she adds.

As part of its layered approach, Sysdig is adding Drift Control to both identify and deny deviations from the trusted original container image defined by the developer, says Pontes. That makes it possible for IT to prevent common runtime attacks by blocking executables that were not present in the original container image, she notes.
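To make the check concrete, the following is an added Python sketch of the decision described above: only binaries that shipped in the trusted image may run, and anything written into the container's writable layer after start is treated as drift. It is example code written for this page, not Sysdig's or Falco's implementation, and the image reference, paths and event stream are constructed.

```python
"""Drift control for a running container, as an added illustration (not Sysdig's
or Falco's code): allow only executables that shipped in the trusted image and
alert on or deny anything dropped or modified after the container started."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass
class Event:
    """A runtime event inside one container (constructed for the example)."""
    kind: str    # "write": a file was created or modified; "exec": a binary ran
    path: str    # absolute path inside the container's root filesystem
    image: str   # image reference the container was started from


@dataclass
class Verdict:
    path: str
    action: str  # "allow", "alert" (audit mode) or "deny" (enforce mode)
    reason: str


@dataclass
class DriftMonitor:
    # Executable paths present in the image's read-only layers. In a real
    # deployment this comes from the image layers; here it is constructed.
    image_executables: Set[str]
    mode: str = "deny"                       # "deny" or "audit"
    exempt_images: Set[str] = field(default_factory=set)
    # Paths written since container start, i.e. files now living in the
    # container's writable (upper) overlay layer rather than in the image.
    upper_layer: Set[str] = field(default_factory=set)

    def handle(self, ev: Event) -> Optional[Verdict]:
        if ev.kind == "write":
            # A write to any path, including one that exists in the image,
            # copies the file up into the writable layer; from now on the
            # content at that path is not the image's content.
            self.upper_layer.add(ev.path)
            return None
        if ev.kind != "exec":
            raise ValueError(f"unknown event kind: {ev.kind}")
        if ev.image in self.exempt_images:
            return Verdict(ev.path, "allow", "image exempted from drift control")
        if ev.path in self.upper_layer:
            if ev.path in self.image_executables:
                reason = "image binary overwritten at runtime"
            else:
                reason = "binary dropped at runtime, not in image"
        elif ev.path not in self.image_executables:
            reason = "binary not in image (e.g. from a mounted volume)"
        else:
            return Verdict(ev.path, "allow", "binary shipped in trusted image")
        action = "deny" if self.mode == "deny" else "alert"
        return Verdict(ev.path, action, reason)


def run_drift_control(image_executables: Set[str], events: Iterable[Event],
                      mode: str = "deny",
                      exempt_images: Iterable[str] = ()) -> List[Verdict]:
    """Feed a container's event stream through the monitor; return exec verdicts."""
    mon = DriftMonitor(set(image_executables), mode, set(exempt_images))
    verdicts = []
    for ev in events:
        v = mon.handle(ev)
        if v is not None:
            verdicts.append(v)
    return verdicts


# Constructed sample: a hypothetical app image and an event stream in which an
# intruder drops a tool into /tmp and replaces /bin/sh, while a bind-mounted
# helper also runs.
IMAGE = "registry.example/app:1.4"           # hypothetical image reference
SAMPLE_EXECUTABLES = {"/usr/bin/python3", "/bin/sh", "/usr/bin/curl"}
SAMPLE_EVENTS = [
    Event("exec", "/usr/bin/python3", IMAGE),  # the app itself
    Event("write", "/tmp/.cache/x", IMAGE),    # payload written to disk
    Event("exec", "/tmp/.cache/x", IMAGE),     # ... and executed
    Event("write", "/bin/sh", IMAGE),          # image binary replaced
    Event("exec", "/bin/sh", IMAGE),
    Event("exec", "/mnt/data/helper", IMAGE),  # from a volume, not the image
    Event("exec", "/usr/bin/curl", IMAGE),
]

if __name__ == "__main__":
    for v in run_drift_control(SAMPLE_EXECUTABLES, SAMPLE_EVENTS):
        print(f"{v.action:5} {v.path:22} {v.reason}")
```

Two caveats a practitioner should keep in mind. First, the check keys on the executable's path and origin, so an interpreter that ships in the image (python3, sh) running a script dropped at runtime is not caught by this rule alone; that needs a separate rule on the script file or on the interpreter's arguments. Second, the "is this file in the writable layer" question is exactly what the open source Falco project exposes as the `proc.is_exe_upper_layer` field, which is the kernel-side view of the same condition this sketch tracks by hand.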

The existing Sysdig Secure platform can then be used to investigate a compromised or suspicious container. Teams can minimize exposure by removing the malicious file from the container via the command line. Finally, a detailed audit trail of all mitigation commands is kept, and IT teams can upload the session history to an external storage repository.

A recent analysis of container environments conducted by Sysdig found that 85% of the container images running in production environments had at least one vulnerability. Three-quarters (75%) of those vulnerabilities are rated "high" or "critical," according to the report.

As more container applications are deployed in production environments, it is clear there is still work to be done when it comes to security. Far too many developers, for example, still assume that because a container only runs for a few seconds a cybercriminal will not have the time to discover and exploit it. Cybercriminals, however, are now continuously scanning for container vulnerabilities across software supply chains. The challenge is that the attack surface that must be defended in container environments is now vast, says Pontes.

Worse yet, Pontes notes, it has already been shown that once a container is compromised it is relatively simple for cybercriminals to take over the entire host. In fact, it is not uncommon for cybercriminals to monitor activity for months before launching any type of attack, she adds.

Container security may improve as more responsibility for securing containers is shifted left toward developers, but there is still a clear need to secure container runtimes. In the age of containers, no DevOps or IT team can afford to let their guard down, says Pontes.

There is, of course, a lot more focus today on securing software supply chains in the wake of a series of high-profile breaches. However, it’s not clear whether cybersecurity teams are prepared to secure container applications, which are much more dynamic than the IT environments that came before.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
