News

Container Security

Aqua Introduces Runtime Protection Against “Zero Day” Vulnerabilities for Containerized Applications

Expands security controls across the cloud-native stack for “thin OS” Linux hosts and serverless

Boston, MA — 18 July, 2018 — Aqua Security, the market-leading platform provider for securing container-based and cloud-native applications, today announced version 3.2 of its cloud-native security platform, featuring deep runtime protection capabilities and extended security and compliance controls across the cloud-native stack.

Runtime Protection Against “Zero Days”
Sophisticated attacks often exploit unknown vulnerabilities in the application or operating system, also known as “zero days”, to either escalate privileges, run arbitrary code, or exfiltrate data. Doing this at the OS level requires the use of system calls (syscalls), core functions that applications use to request the OS perform anything from opening files, creating network connections, to rebooting the system.

The large number (more than 330) of available syscalls presents a significant attack surface that can lead to OS-level kernel exploits, even though for any given application, only a small subset of syscalls is actually being used. To reduce this risk, the Linux community has created seccomp profiles, a utility that allows developers to disable unneeded syscalls and apply those profiles per application. Docker, for example, has disabled 50 syscalls in its default seccomp profile for running Docker containers. However, this still leaves more than 250 syscalls enabled, most of which would not be necessary for a specific application, and best practices are for developers to disable them. The challenge is that creating custom profiles for an application is difficult because it requires a deep low-level understanding of how the application uses syscalls – which is why most organizations often rely on the weak default.

The newest release of Aqua Container Security Platform makes custom syscall filtering possible by dynamically analyzing a running container’s syscall use, white-listing those being used, and creating a custom seccomp profile to prevent the use of all other syscalls. Since a typical container only uses between 40-70 syscalls, this results in a dramatic reduction in the number of available syscalls for a given service, reducing the attack surface by as much as 90%. Any attempt by an attacker to use a non-whitelisted syscall will be blocked by Aqua and generate an alert.

“Aqua is committed to making cloud-native applications more secure while minimizing any disruption to business continuity,” says Amir Jerbi, CTO and co-founder of Aqua Security. “Dynamically profiling system calls is the kind of modern application security we can enable with containers that was difficult to do well with monolithic applications, providing a fully automated and accurate method of blocking malicious activity and preventing exploits.”

Securing the Spectrum of Cloud-Native Deployments
Modes of cloud-native app deployment are constantly expanding to cater for varying needs. Today, in addition to running containers on VMs, organizations can deploy “serverless” code, whether as on-demand containers using services such as AWS Fargate or Azure Container Instances, or as serverless functions.

Aqua 3.2 adds new capabilities for full-stack security across this spectrum, extending Aqua’s MicroEnforcer technology released earlier this year:

  • AWS Lambda function scanning: Aqua’s extensive vulnerability, hard-coded secrets and malware scanning is now available for scanning AWS Lambda functions.
  • CRI-O and containerd support: Aqua’s runtime protection controls are now available in environments using the CRI-O and containerd container engines.
  • “Thin OS” protections: Aqua Monitors hosts that run containers for successful and failed login attempts and provides discovery and scanning for container images stored on the host.

Additional Compliance and Platform Features
Aqua 3.2 also introduces numerous new features based on customer requirements:

  • Aqua’s Container Firewall now allows the use of rules based on domain names, in addition to container/cluster IP addresses, making it easier to create application network rules.
  • New out of the box compliance templates for runtime protection, applying best practices for meeting NIST, PCI, HIPAA, and GDPR requirements.
  • Integration with the Azure Container Registry quarantine feature, preventing vulnerable images from being pulled from the registry.
  • Enhanced SAML support, allowing Federated Single Sign-On from Microsoft ADFS, Okta, and Google Apps, among others.

About Aqua Security

Aqua Security enables enterprises to secure their container and cloud-native applications from development to production, accelerating application deployment and bridging the gap between DevOps and IT security. Aqua’s Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time. Integrated with container lifecycle and orchestration tools, the Aqua platform provides transparent, automated security while helping to enforce policy and simplify regulatory compliance. Aqua was founded in 2015 and is backed by Lightspeed Venture Partners, Microsoft Ventures, TLV Partners, and IT security leaders, and is based in Israel and Boston, MA.  For more information, visit www.aquasec.com or follow us on twitter.com/AquaSecTeam.