How to Protect Your Containers Against the Latest Threats and Vulnerabilities

Container technology allows developers to break applications into smaller more manageable pieces, enabling rapid production and deployment of massively scalable, highly reliable applications – hence their rapid adoption by the DevOps community. But DevOps rapid development cycles leave little room for security and vulnerability testing. In this blog I’ll highlight some recent container threats and vulnerabilities and introduce security steps you should consider when deploying containers.

Increasing Container Popularity Has a Downside

Because of their many benefits, containers are becoming increasingly popular. Forty-six percent of respondents to a recent survey by storage company DataCore said they were using containers either in production or in development and testing. Gartner estimates that by 2020, more than half of all global organizations will be running containerized applications in production. And the industry’s adoption of Docker, the leading container platform, exploded from 35 percent in 2017 to 49 percent in 2018, a 40 percent increase in one year.

As containers are deployed by more companies, they become a tempting target. Hackers are just beginning to exploit container vulnerabilities, but attacks will increase as more bad actors learn to launch container-focused exploits.

Containers are vulnerable in a variety of ways. For example, poorly configured images can allow an attacker to break into an enterprise network. Images sometimes contain authentication keys or certificates that attackers can use in further attacks. Opensource software used in images often include vulnerabilities. Applications running inside of containers may be outdated, unpatched or unsecure. They may even contain hidden malware. And if a hacker breaks into just one container or gains access to the host, they could potentially gain control of every container running in an enterprise.

These threats are more than theoretical. In fact a recently discovered vulnerability, initially dubbed Doomsday, affects runC, the open-source command-line tool developed by Docker for spawning and running Docker containers, as well Kubernetes and other container-dependent programs. Now known as CVE-2019-5736, this vulnerability could allow an attacker-controlled container to gain root-level code execution to the Docker host. Scott McCarty, technical product manager for containers at RedHat, warns, “Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it."

And that’s just the latest reported vulnerability. Earlier this year, the proof-of-concept Play-with-Docker hack allowed security researchers to manipulate Docker containers running on host systems. Last year, 17 malicious Docker images were pulled from the Docker Hub image repository. The images had been used for cryptojacking attacks and were collectively downloaded more than 5 million times. In one early 2019 survey, 60 percent of respondents say their organization had been subject to at least one container security incident in the last year. Seventy five percent of companies with more than 100 containers say they were hit.

How to Keep Your Containers Safe

There are ways, however, to keep your container deployments safe. Symantec Cloud Workload Protection (CWP) discovers and protects your compute instances and containers across Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and now Oracle Cloud Infrastructure (OCI). CWP goes even further to protect containers running in private clouds and on-premises data centers, all from a single cloud-delivered console. Cloud-native integration enables DevOps to bake security into continuous integration and deployment (CI/DC) workflows. For organizations preferring to use a localized management console, Symantec Data Center Security offers the same strong protection for containers and hosts deployed in traditional data centers.

It’s problematic to install an agent on container images, so the CWP agent is installed on the Docker host. This enables the agent to protect the Docker host from attacks while discovering and defending all containers running on the host against exploits. This centralized location also allows the CWP agent to control communications between containers through container-level and application-level firewall rules. Most importantly, CWP isolates processes running inside of each container from the docker host and other containers, effectively creating a ‘castle’ environment for each container. Any unauthorized processes on the Docker host or containers are effectively isolated in ‘jails’ with zero trust privileges. This ensures that deployed containerized applications and the Docker host remain immutable (or unchangeable). This isolation feature in CWP blocks Docker Doomsday exploits from using any potentially compromised containers to access and modify host file systems.

CWP constantly monitors all containers on the host, providing a central view that includes metadata and run status. It deploys Unix real-time File Integrity Monitoring (FIM) policy to the Docker host that monitors changes to an application’s executable and data files on the host as well as the containers. It also monitors all containers downloaded and deployed from Docker Hub, providing an audit trail. And it tracks users created on Docker hosts and inside containers.

For containers or workloads leveraging public cloud storage, Symantec Cloud Workload Protection for Storage (CWP for Storage) discovers, scans, and tags Amazon S3 buckets and stored objects for malware and threats. This ensures that shared storage cannot spread threats, such as ransomware and bots, to other containers, applications, services and end user devices. And, with the recently released CWP for Storage with DLP solution, objects in Amazon S3 buckets can also be scanned and tagged for DLP policy violations. Leveraging threat and DLP detection tags, security practitioners can create tag-based IAM Policy rules to prevent containerized applications from accessing infected S3 buckets and objects.

The upshot of all this? Your enterprise can enjoy the performance benefits of containers without sacrificing security. You’ll be able to run containers and rest easy, knowing that your critical applications and data are safe.