Review: How StackRox protects containers

With the rise of cloud computing and later DevOps, containerization has never been more popular. But cybersecurity has yet to fully catch up. Even security applications designed to work natively in the cloud have trouble protecting the most popular containerized environments, where the infrastructure is more like a series of tiny clouds that are all interconnected, yet independent from one another. To fully protect that kind of environment requires a defensive tool specifically created to navigate those intricacies.

StackRox was designed to do just that. It fully integrates into any containerized cloud environment through the Kubernetes open source container orchestration system, basically becoming part of the cloud container infrastructure itself. Those who have worked with Kubernetes know that the system groups cloud containers into logical units to help with discovery of the environment and management of the containers. Integrating StackRox with Kubernetes is pretty smart, because Kubernetes does a lot of the legwork in simplifying container deployments. StackRox then adds a visual layer to the code, and an easy way to automatically deploy rules to protect containers and monitor to ensure that nothing is being exploited.

The StackRox software deploys as a set of microservices in the company’s infrastructure, on-premises or in the cloud. It fully integrates with Kubernetes so that it touches all three phases of containerization deployment: the building of the containers, the deployment of them into the cloud infrastructure, and finally the running of those containers as they perform their intended functions.

Because StackRox could be used to protect a potentially unlimited number of containers, pricing is instead based on a yearly subscription model where users pay based on a more static setting, namely how many nodes they are running.

Testing StackRox

We looked at StackRox running in a typical containerized cloud environment. Starting with the creation of a new container, StackRox saw what we were doing and suggested several best practice security policies from a list of 66 that it comes with out of the box. Creating a new policy or modifying an existing one is extremely easy. You can then run benchmarks against the new container to see if deploying it will violate any existing network policies or compliance standards.

And, because StackRox is deeply integrated with Kubernetes, all of the information collected by it is available to StackRox. Later on, it’s easy to know who deployed a cloud, what sensitive information is contained within it, the intended runtime activity, operational and workload context and many other factors. StackRox uses this information to help craft good security around the container as it is being created, but also maintains it so that any strange behavior or security alerts later on can be quickly analyzed and remediated.

Once deployed, StackRox provides a full visual assessment of the cloud environment as it relates to the containers, even showing how each of the containers interact with one another and the outside world. It basically treats the entire infrastructure as one big system of interoperable code, and then breaks it down visually so that security analysts can actually see their entire cloud in a way that makes it almost seem like a collection of physical assets. Should a problem arise, security teams don’t have to struggle to visualize how their various containers are affected, because they are given a map with full context of how everything interacts.

John Breeden II

We introduced risk into a container by connecting it to the internet to test the deployment and runtime phases of the StackRox security. The vulnerability popped up on the dashboard, though we could also see it by looking at the container itself on the visual map. In this case, the vulnerability involved an exfiltration ability that was not fully protected. We were able to edit and fix the vulnerability. Once we had our proposed fix in place, StackRox deployed the container into a simulated environment. This allowed us to see how our fix changed the way the other containers interacted with one another and the one with the original vulnerability.

John Breeden II

In our case, the original fix required editing a second container to avoid breaking a critical application. We were able to do all that in the simulated cloud environment and avoid any surprises in the production environment.

Again, the amount of data that StackRox collects and maintains about containers in the environment can’t be overstated in terms of importance. In another instance, it was able to find a vulnerability that was actively being exploited within a container, even showing the exact processes and services that an attacker was using, and why they were able to do so. And, it could show where other instances of that same vulnerability existed in other containers, and if any of them were being actively exploited as well.

John Breeden

That ability to instantly pivot from an alert to an alert in the context of being actively exploited, to drawing a picture of other nodes with the same vulnerability is invaluable in container security. That same process can take days if the information is collected by hand, with no guarantee that every instance will be detected.

Also, because of the data that StackRox has on each container, the entire cloud is easily searchable. Administrators can search for containers that involve, for example, payroll information, or that perform certain functions. And you can configure StackRox to parse administrators by their function or security level, as it easily integrates into almost any authentication service. Perhaps you only want those payroll administrators to work on containers with that function, but not give them access to personnel containers. Or you might want to give certain admins read-only rights. All of that is configurable within StackRox so that it does not become a vulnerability itself.

The bottom line

Cloud security, especially in containerized environments, often fails because analysts don’t have quick access to the information they need to diagnose and fix problems. By integrating with Kubernetes, which collects most critical information natively, and then adding an even more human-friendly and visual interface, it can cut down the event analysis phase when defending against an attack from several days to just minutes. Even better, by integrating into the entire container build, deploy and runtime processes, StackRox can eliminate the majority of vulnerabilities before containers are even deployed.

The fast pace of the DevOps environment and the nebulous nature of containerized clouds requires specialized security. StackRox can perform those functions, and do it in a simple, almost elegant way that makes it easy for mere humans to understand and manage.