Last month, Alert Logic announced the industry’s first network intrusion detection for containers. Since then, we have been going “under the hood” so to speak with a three-part blog series about our unique approach to container security. If you haven’t already checked out the first two blogs in the Container Q&A series, I encourage you to go back and take a look:
- Intrusion Detection for Containers Q&A: A Critical Part of the Container Security Landscape
- Intrusion Detection for Containers Q&A: NIDS vs. HIDS and the Importance of Metadata for Container Security
We are pleased to share the final section of our interview with Matthew Harkrider (one of Alert Logic’s founders & Senior Technical Product Manager) and John Norden (Distinguished Engineer & Release Director).
Q: Can you tell me about the deployment process for Alert Logic intrusion detection for containers? How fast and easy is it really?
JOHN: Deploying Alert Logic’s container security solution is extremely simple, fast, and hands off. Perhaps a “real-life story” best sums it up.
A little over a year-and-a-half ago, we launched a migration of our microservices architecture from a traditional AWS EC2-based architecture to one that could be deployed on a container ecosystem. We chose AWS ECS for a variety of reasons, but mostly it was due to the level of automation we had tied with CloudFormation. We focused heavily on being able to automate everything within the infrastructure and that meant ensuring we could deploy, manage, and manipulate our container environment with ease.
We auto scale 100% across the board with our AWS ECS hosts and containers. We see our ecosystem scale up and down between 100 to 200 AWS ECS hosts, and see our microservices scale up and down between 2000 and 5000 containers. So, as we began to work on our container security solution, we kept all our experiences working within our own container ecosystem at the front of our minds. We wanted to build a solution that could be deployed fast, could be delivered at the speed we scale, and could handle the workload it would be asked to handle at the network inspection level. When it was time for us to “eat our own dog food”, we deployed our container security solution using our own Continuous Deployment pipeline.
MATT: John’s right. It literally took us 15-20 minutes to have ALL our containerized ecosystem protected by Alert Logic’s container security solution. Getting up and running is not only fast, but it’s also easy! Just use the same self-service practices you have in place for the rest of your container environment.
Our customers get the Alert Logic container image from Docker, and the configuration parameters from GitHub. In fact, the download rate of our container security capabilities on DockerHub is off the charts – exceeding 10 million pulls already.
Q: You briefly mentioned our Continuous Development pipeline. It sounds like this easy, repeatable process is perfect for Continuous Integration / Continuous Deployment practices in general. Has this been a key consideration for Alert Logic’s container development strategy?
JOHN: I have spent a large part of my career at Alert Logic building, architecting and driving CI/CD adoption across the company with the primary focus of achieving a state where Continuous Deployment is a reality. Over the past two years, Alert Logic has achieved an extremely elevated level of automation regarding how we deploy our back-end microservices that make up our SaaS platform. When we were talking through the container security initiative, one of the features I was adamant about was that our solution had to be extremely simple to deploy and it had to be deployed just like any other container-based service we develop internally. Our Continuous Deployment pipeline had to be able to easily push the container security solution out into our infrastructure and the solution had to “magically” configure and begin working with minimal to zero effort and no manual intervention. That’s a pretty high bar to set and, frankly, we knocked it out of the park.
Our container security solution deploys just like any other container would in an infrastructure. If you deploy with AWS ECS, then it is a simple AWS ECS Task Definition that is deployable via AWS CloudFormation. If you deploy with AWS EKS or Kubernetes, then it is a simple defined DaemonSet. You do not have to build the container security solution since it is already built as an image referenced in the AWS ECS Task Definition or Kubernetes DaemonSet. Going even further, you don’t have to configure Alert Logic’s security container. And even better, if Alert Logic Threat Manager is deployed in your environment, the container solution automatically claims, aligns to Threat Manager, and begins protecting your environment. It is an incredibly simple solution.
Now, where you could apply this in the “software deployment pipeline” is straightforward. Even at Alert Logic we rely on our own security tools to reduce security risks in our Continuous Deployment lifecycle. At Alert Logic, we deploy our container security solution EVERYWHERE we have container infrastructure running. Whether this is in an integration environment or production environment, it doesn’t matter to us and we protect them all because a security problem anywhere is bad. We conduct Continuous Testing within all our environments and are always validating our own security. Our container security solution is a key part of that, along with the rest of our portfolio.
MATT: It had to be part of the strategy or it simply would’ve been a bad user experience. We needed the ability to build and deploy our container in the exact same ways and models that customers build all their other containers. We may have exceptions related to requirements but those are automatically accounted for in the deployment templates and configuration parameters that we specify when deploying on a given platform.
Q: Do you have any thoughts about the compliance implications of better container security?
JOHN: Building a stronger security posture will positively impact your ability to comply with most security compliance regulations. For instance, when you look at GDPR Compliance and the language they use to describe breaches and disclosure, if you are able to correctly state what happened during an incident, this could prevent you from being subject to a potentially massive fine. So, if you can lock that down and simplify the scope of the breach, it’s not only good for your customers, of course, but it’s also good for you from the GDPR perspective. And this has implications for other regulations as well—particularly the ones that have thresholding—where if a breach falls below a certain level, you don’t have to disclose at all. In that way, understanding precisely what was breached can be very helpful. Without having full visibility into container attacks, this is impossible.
MATT: I think being able to inspect network traffic at this level is extremely important for compliance initiatives. A massive representation of what is run in containers is services and applications that feed public-facing platforms, many of which are subjected to compliance requirements that state Intrusion Detection or Prevention is necessary. So, a significant piece of solving the compliance puzzle is wrapped up in being able to do packet-level inspection, which cannot be done without a solution like the one we’ve built. At least not to this level of granularity.
Q: What is next for Alert Logic’s container security initiatives?
MATT: We’ve got some really interesting things in the works – some of which I’m not at liberty to share just yet. However, I can say that we are working towards log support for containers, and plan to release it later this year.
Also, our strategy has always been to support container deployments across all cloud and hybrid environments. Today we are securing AWS-based container environments. Soon, we will be expanding our support to include Microsoft Azure security for containers. We also plan to support on-premises container deployments, so customers can protect their containers if they are managing their own Docker instances inside of their own data centers.
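The Kubernetes DaemonSet deployment John describes above, as an added example rather than Alert Logic’s own manifest: one sensor pod per node, a pre-built image referenced by name with no build step, and registration supplied from a secret instead of baked into the image. The image reference, secret name and environment variable name are placeholders, and the host-network and capability settings are assumptions about what a packet-inspecting sensor generally needs, kept to the minimum rather than a privileged pod.

```yaml
# Added example (not the vendor's manifest): per-node network IDS sensor.
# REGISTRY/IDS-IMAGE:TAG and the env/secret names are placeholders.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: container-ids
  namespace: security
spec:
  selector:
    matchLabels:
      app: container-ids
  template:
    metadata:
      labels:
        app: container-ids
    spec:
      # Assumption: the sensor must share the node's network namespace to see
      # traffic between containers on that host.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      tolerations:
        - operator: Exists          # schedule on every node, tainted ones included
      containers:
        - name: ids
          image: REGISTRY/IDS-IMAGE:TAG   # pre-built image; nothing to build locally
          env:
            - name: REGISTRATION_KEY      # placeholder name for the parameter the
              valueFrom:                  # sensor uses to claim itself to its backend
                secretKeyRef:
                  name: ids-registration
                  key: key
          securityContext:
            # Assumption: packet capture needs NET_RAW/NET_ADMIN; everything else
            # is dropped so a compromised sensor cannot escalate on the node.
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              add: ["NET_RAW", "NET_ADMIN"]
          resources:
            requests: { cpu: "250m", memory: "256Mi" }
            limits:   { cpu: "1",    memory: "1Gi" }   # bound the inspection workload
          volumeMounts:
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: tmp
          emptyDir: {}
```

Applied with `kubectl apply -f`, the controller places the sensor on every node that joins the cluster, which is what lets the deployment keep pace with autoscaling without any manual step.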
A final word about container security
A sincere thank you to both Matt & John for their time and insights. If you’re interested in learning more about what it takes to stay ahead of container-based attacks, download our Container Security Workbook: A Container Security Best Practices Guide. This guide walks through some of the best practices to leverage while building your container security strategy and provides a useful workbook to put some of these ideas into practice in your organization. You can also take a look at this 3-minute container security video to see our Network IDS Software for containers capabilities in action.
If you have any comments or suggestions, please leave them below. We’d like to hear from you!