New Runtime Defense Architecture For Containers

Twistlock, provider of cloud container security solutions, unveiled a new runtime defense architecture for its Twistlock 1.7 container security platform that enables both predictive and threat-based active protection for running containers. Introducing an intent-based security model, Twistlock 1.7 allows organizations to conduct intent analysis for container applications, spot anomalies, and enforce runtime policy -- all in an automated fashion across hundreds of images with no user interaction.

Real-time Threat Detection and Incident Response Capabilities

“In general, it is difficult to look at applications and deduce their intent, but containers help the effort being single-purpose and immutable,” said John Morello, chief technology officer, Twistlock. “Add to this the power of Twistlock’s real-time threat detection and incident response capabilities: the new Twistlock 1.7 feature set uniquely enables organizations to do application intent analysis, monitoring, and anomaly detection automatically. From image analysis to role-based access control, Twistlock offers everything you need to secure your containerized applications.”

Twistlock’s runtime defense architecture automatically processes applications and models their intent -- all without user interaction. Then, in runtime the engine uses this intent as a baseline to monitor the execution of the application. Using Twistlock 1.7, organizations can automatically determine if an application’s behavior has deviated from its model, for example, when a container runs a process not included in the origin image or creates an unexpected network socket. It can also automatically detect compromises with new threat-based protection capabilities that enable security teams to detect when malware is added to a container or when a container connects to a botnet. Twistlock users get ahead of the threat curve by spotting indicators of compromise and proactively isolating threats and attacks.

Key features and benefits of Twistlock 1.7 include:

• Enhanced Machine Learning Functionality: Using enhanced autonomous learning capabilities, Twistlock 1.7 captures data that includes inter-container network flows, post deployment process activity and system call behaviors to to detect anomalies in runtime.

• Greater Visibility: Twistlock 1.7 introduces the concept of models, which are autonomously created descriptions of everything learned about a given image, including process, file system, network, and system call behaviors.

• Simplified Sensor Rules: Twistlock 1.7 consolidates sensor rules into a single object. This not only saves developer teams time, but also speeds up time to market through automatic alerts created based on the models mentioned above.

• Trusted images - A list of repositories and images that are trusted and provide access to simple policies that alert or block deployment of images outside this list. Trusted Images works with repositories on any registry, anywhere including Artifactory, Docker Trusted Registry, and services like AWS ECR and Google Container Registry.

• Deployment templates - Support for deploying Defenders across Kubernetes clusters using Daemon Sets. Using a Daemon Set makes deployment simple and automatic, regardless of cluster size.

• Windows support - Added support for protecting Windows images and registries.