Startups have begun to make a name for themselves with IT organizations, as their products address container security concerns.
Network-based attacks and exploits on IT infrastructure aren't new, but container technology, popularized by Docker, demands a new way to address time-honored problems. For example, containers spin up and disappear far faster and more often than VMs, so container security policies must follow an ever-changing infrastructure. Containers also tend to rely on overlay networks, which can be difficult to visualize with traditional network monitoring tools.
Enter three companies with products designed to address such issues: NeuVector, Aqua Security and Twistlock, all founded in 2015.
It's not uncommon for startups to pop up around new technologies, according to analysts, but there are pros and cons to trusting a startup's product as part of an IT infrastructure.
A big pro for many large IT organizations is that they can play a part in shaping the roadmap of an early-stage vendor, and possibly an entire market space.
"With a mature company, you're just a customer," said Adrian Sanabria, analyst at 451 Research. "With a startup, you're more like a partner and an investor."
The downside is that the primary platform vendor may eventually offer the same features itself, and many startups begin with point products that overlap with tools the enterprise already deploys.
"Nobody is using 100% cloud or containers, so we're seeing duplication, which can make the people and process component of troubleshooting dicey," Sanabria said. DevOps teams tend to gravitate toward containers and cloud deployments, which enable rapid updates to deploy without affecting the underlying IT resources.
Since DevOps teams are sometimes a small enclave within an IT staff, enterprise IT ops pros should still be aware they may bring one of these products in, he added.
New players tackle container security concerns
NeuVector, an angel-funded startup in San Jose, Calif., focuses on container security. Deployed as a container within the virtual environment, the company's software combines Layer-7-based network packet inspection and machine learning to automatically generate a whitelist of normal behaviors on the container network at runtime. From there, the software enforces automatically generated security policies based on that whitelist, and updates them in real time as containers spin up and down. It requires no agents, and no changes to container images or to application code.
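The paragraph above describes the general pattern behind NeuVector's runtime protection: learn a whitelist of normal service-to-service behaviour, then enforce it while containers churn. The following toy enforcer, added here as an illustration and not NeuVector's own code or data format, shows why such a whitelist has to be keyed by service rather than by container address. All service names, IPs and flows are constructed.

```python
"""Toy behaviour-whitelist enforcer for a container network (added example).

Learning phase: observe Layer-7 flows between services and record them as a
whitelist of normal behaviour.  Enforcement phase: classify each runtime flow
as "allow" (matches learned behaviour) or "alert" (never seen).  Flows are
keyed by service label rather than container IP, so the policy keeps working
as containers spin up and down.  Every name, address and flow below is
constructed for illustration; nothing here is NeuVector's own code or format.
"""
from collections import namedtuple

# A flow is identified by who talks to whom, on which port, with which L7 protocol.
Flow = namedtuple("Flow", "src dst port proto")


class ServiceRegistry:
    """Maps live container IPs to service labels; updated as containers come and go."""

    def __init__(self):
        self._by_ip = {}

    def container_up(self, ip, service):
        self._by_ip[ip] = service

    def container_down(self, ip):
        self._by_ip.pop(ip, None)

    def service_of(self, ip):
        # An address that is not a known container is labelled "unknown", so it
        # can never match a learned service-to-service entry.
        return self._by_ip.get(ip, "unknown")


def learn_whitelist(registry, observed):
    """Build the set of normal (src_service, dst_service, port, proto) tuples."""
    whitelist = set()
    for src_ip, dst_ip, port, proto in observed:
        whitelist.add(Flow(registry.service_of(src_ip), registry.service_of(dst_ip), port, proto))
    return whitelist


def evaluate(registry, whitelist, src_ip, dst_ip, port, proto):
    """Return ("allow"|"alert", flow). Anything outside the whitelist is an alert."""
    flow = Flow(registry.service_of(src_ip), registry.service_of(dst_ip), port, proto)
    return ("allow" if flow in whitelist else "alert"), flow


def run_scenario():
    """Learn from a quiet period, then enforce while containers churn. Returns verdicts."""
    reg = ServiceRegistry()
    reg.container_up("10.0.1.10", "web")
    reg.container_up("10.0.2.20", "api")
    reg.container_up("10.0.3.30", "db")
    reg.container_up("10.0.0.2", "dns")

    # Constructed learning-period flows: (src_ip, dst_ip, dst_port, L7 protocol)
    learning = [
        ("10.0.1.10", "10.0.2.20", 8080, "HTTP"),
        ("10.0.2.20", "10.0.3.30", 5432, "PostgreSQL"),
        ("10.0.1.10", "10.0.0.2", 53, "DNS"),
    ]
    whitelist = learn_whitelist(reg, learning)

    # Runtime: the web tier scales out and the api container is replaced.
    reg.container_up("10.0.1.11", "web")
    reg.container_down("10.0.2.20")
    reg.container_up("10.0.2.21", "api")

    runtime = [
        ("10.0.1.11", "10.0.2.21", 8080, "HTTP"),        # new web -> new api: normal
        ("10.0.1.11", "10.0.3.30", 5432, "PostgreSQL"),  # web talking straight to db: never seen
        ("10.0.2.21", "10.0.9.9", 443, "HTTPS"),         # api reaching an address outside the cluster
        ("10.0.1.11", "10.0.2.21", 8080, "SSH"),         # right port, wrong L7 protocol
    ]
    verdicts = []
    for src, dst, port, proto in runtime:
        verdict, flow = evaluate(reg, whitelist, src, dst, port, proto)
        verdicts.append(verdict)
        print(f"{verdict:5s} {flow.src}->{flow.dst}:{flow.port}/{flow.proto}")
    return verdicts


if __name__ == "__main__":
    run_scenario()
```

Because the whitelist records services rather than addresses, the replacement api container and the scaled-out web container inherit the learned policy without any rule changes, while a web container contacting the database directly, a connection to an address outside the registry, and an unexpected protocol on a known port all surface as alerts. A real product would learn far more attributes than port and protocol name, but the keying decision is the one that makes the policy survive an ever-changing container estate.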
Twistlock, which came out of stealth in 2015, added runtime capabilities similar to NeuVector's on Jan. 18, 2017. Aqua Security, which launched its platform for general availability in May 2016, followed close behind Twistlock, disclosing its own runtime capabilities on Feb. 2, 2017.
Version 2.0 of Aqua's software performs network microsegmentation to block bad traffic and permit good connections. Twistlock 1.7 also improved runtime image scanning, adding more visibility and machine learning features.
Because NeuVector inspects packets at Layer 7, its software can block application-level attacks, such as distributed denial-of-service (DDoS) and DNS-level attacks. It also captures packets for forensic analysis during suspicious events.
Other new companies in this space include StackRox, Deepfence, and a company Tenable Network Security recently acquired called FlawCheck. Larger platforms, such as Trend Micro's Deep Security, have also recently added container-specific features. And there are some open-source projects, such as the Lynis auditing tool, that might warrant a look, Sanabria said.
Global security giant taps NeuVector
When G4S, a company known for armored cars and security guards, sought a new approach to shore up its Amazon Web Services (AWS)-based container environment last year, it chose NeuVector. G4S CIO Steve O'Donnell heard about the stealth company last November from an acquaintance who's an early investor in the firm.
"We didn't want to run something that depended on developers getting stuff right," O'Donnell said. "We wanted something that fit into our DevOps environment and got out of their way."
The software enforces best practices on developers, rather than relying on developers to enforce them, as they make an average of 45 code deliveries to production daily.
"We integrate this into our continuous integration environment, and part of our DevOps process is test-driven development," O'Donnell said. "So when our developers create a test harness, it'll automatically invoke the NeuVector components, and every time we do a successful build, it's testing the security."
Once the code is in production, NeuVector monitors the application for suspicious activity, and can microsegment the container network, as it blocks malicious traffic and lets through acceptable signals.
G4S uses containers in production in AWS both inside and outside of the Amazon EC2 Container Service alongside a Hadoop data processing environment that analyzes closed-circuit television video feeds. NeuVector supports both Amazon ECS and an Apache Mesos-managed cluster running on EC2 instances, as well as Google Kubernetes container orchestration.
O'Donnell said the application NeuVector protects, part of the U.S. Transportation Security Administration's airport security program worldwide, is still in its early stages, so NeuVector has yet to be put through its full paces in global production. G4S also plans to add persistent storage to its container environment later on.
"With the number of releases we do in a day, it's too hard to do security unless you build it straight into the DevOps process," O'Donnell said.