Container and cloud security company Sysdig has announced a new capability, Drift Control, designed to detect and prevent container attacks at runtime.

Drift Control will function as part of Sysdig Secure, built to detect vulnerabilities in containers. Sysdig Secure is a component in Sysdig’s container intelligence platform, which includes several container-oriented security applications.

Aiming to detect, prevent and speed incident response for containers that were modified in production, also known as container drift, Drift Control offers the ability to close “dangerous security gaps” created by deviations from the trusted original container.

“Drift Control detects and prevents execution of packages or binaries added or modified after a container is deployed into production,” says Daniella Pontes, security product marketing manager at Sysdig. “By preventing the execution of added or modified executables in production, Drift Control ensures that container software is not modified during its lifetime enforcing its immutability, preserving consistency from source to run, and preventing actions that could be part of an attack.”

Additionally, Sysdig announced improved malware and cryptomining detection, featuring threat intelligence feeds from Proofpoint Emerging Threats (ET) Intelligence and Sysdig’s own threat research team.

Sysdig has partnered with Proofpoint because the company provides malware detection with context and categorization, consistently updating intelligence on malicious software and domains, and follows a robust scoring system for threats, according to a Sysdig blog post.

Both existing and new Sysdig Secure customers have access to Drift Control and the new threat feeds at no additional cost.

How container drift happens

According to Pontes, a typical container deployment experiences drift during production in situations including:

  • Attempting to run a package that was downloaded or updated with the package manager;
  • Attempting to run an embedded executable from a downloaded malicious file, e.g., malware;
  • Attempting to run a file whose permission/attribute has been changed to executable.

Drift Control detects and blocks those new or modified executables, adds Pontes. Sysdig tracks these executables throughout the container’s lifecycle and, when they attempt to run, denies or stops them.
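As an added illustration of the three drift cases listed above (this is not Sysdig’s or Falco’s code), the following Python takes a baseline of the executables in a directory that stands in for the image filesystem, then flags executables that were added, modified, or newly made executable; all paths and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (is_executable, sha256) for regular files under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            is_exec = bool(os.stat(full).st_mode & 0o111)  # any execute bit set
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            result[os.path.relpath(full, root)] = (is_exec, digest)
    return result

def detect_drift(baseline, current):
    """Executables that deviate from the trusted image: 'added' (installed or dropped),
    'modified' (content changed) or 'chmod' (file made executable after deploy)."""
    findings = []
    for rel, (is_exec, digest) in current.items():
        if not is_exec:
            continue  # non-executable files are outside an immutability policy
        if rel not in baseline:
            findings.append(("added", rel))
        elif not baseline[rel][0]:
            findings.append(("chmod", rel))
        elif baseline[rel][1] != digest:
            findings.append(("modified", rel))
    return sorted(findings)

def _write(root, rel, data, exe):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, 0o755 if exe else 0o644)

def demo():
    # Constructed scenario: a temp dir stands in for the container root filesystem.
    with tempfile.TemporaryDirectory() as root:
        _write(root, "usr/bin/app", b"#!/bin/sh\necho app\n", True)
        _write(root, "etc/app.conf", b"key=value\n", False)
        baseline = snapshot(root)                                   # trusted image state
        _write(root, "usr/bin/tool", b"#!/bin/sh\n", True)          # new binary installed
        _write(root, "usr/bin/app", b"#!/bin/sh\necho v2\n", True)  # existing binary replaced
        os.chmod(os.path.join(root, "etc/app.conf"), 0o755)         # non-executable made executable
        return detect_drift(baseline, snapshot(root))
```

A runtime enforcer such as Drift Control applies the same comparison at exec time rather than by periodic scanning, so a drifted binary is denied before it runs.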

Additionally, Drift Control has been built to let organizations prevent the “risky legacy practice” of making ad hoc modifications that are hard to track and secure, Pontes says. “Given the dynamic nature of cloud-native environments and legacy practices carrying over to cloud environments, teams often neglect or are unable to enforce immutability best practices, leaving security gaps caused by drift. Drift Control provides the capability to automatically enforce Kubernetes’ cloud-native immutability principle.”

Container drift is not necessarily an issue that constantly makes headlines, but it is a risk that needs to be considered and appropriately addressed, says Gary McAlum, an analyst at Tag Cyber. “While it’s likely not on the ‘most common’ list of attacks, it is a real target for a sophisticated attacker who has gained unfettered access to a company’s production environment.”

“Unless your container is configured properly, they can be modified, e.g., with privilege escalation, which can do damage in a run-time environment,” McAlum says.

Furthermore, as containers communicate with each other in a Kubernetes environment, there is added danger for a threat’s lateral movement in the cluster.

Sysdig platform is based on Falco

Drift Control is a “very strong enhancement” to Sysdig’s container security platform, McAlum says, adding that the fact Sysdig has based its platform and security functionality on the Falco standard is a huge plus.

Falco is an open-source standard tool created by Sysdig in 2016 for continuous risk and threat detection across Kubernetes, containers, and the cloud. In October 2018, Falco was accepted as a Cloud Native Computing Foundation (CNCF) incubation-level project. CNCF is an open-source software foundation that promotes the adoption of cloud-native computing.

Sysdig Secure, apart from the newly added Drift Control capabilities and threat feeds, features the ability for security teams to dig into compromised or suspicious containers via on-demand secure shell access, in order to investigate blocked executables and related system communications.

Recently, Sysdig launched Risk Spotlight, a vulnerability prioritization tool based on runtime intelligence, designed to enable security teams to prioritize remediation.