Announcing StackRox 1.3 with enhanced threat detection

Today we are excited to announce that version 1.3 of the StackRox platform is now generally available. Every new release adds a number of significant features, but 1.3 in particular enables greater flexibility, configurability, and scalability when securing some of the world’s largest enterprises running containers in production.

We previously wrote that threat protection in container environments has to start with visibility and detection. This release delivers several advancements to detection rules, policies, and deployment automation that enable StackRox to discover a broader set of threats, faster. Here are some of the feature highlights of StackRox 1.3.

New Detection Rules

StackRox 1.3 adds new detection rules with a new interface for simpler configuration and customization. Previous releases shipped with pre-configured rules to extract various threat indicators at the level of individual system calls, but customizing these required a detailed understanding of how certain system calls map to application activity.

Our new detection rules remove this complexity by automatically identifying application activities from their related system calls, so customers can customize detection using more than a dozen rule templates and more than 60 pre-configured rules to get started with. Users can create as many additional rules as needed from these templates. The rules cover activity across the network, file system, and container hosts for comprehensive coverage.

StackRox 1.3 delivers new detection rules that can be configured using an intuitive interface in the Portal.

Our new detection rules also allow customers to programmatically incorporate lists of known malicious IP addresses, which are then applied when analyzing incoming and outgoing network flows from containers to discern anomalous or malicious activity.

Flexible Policy Management

StackRox has always provided a rich policy management framework for expressing relationships between distributed threat indicators and automatically correlating them to uncover the progression of attacks on containers. For example, a policy can be configured to detect code execution, followed by persistence, then lateral movement, and finally data exfiltration. In previous versions, however, doing so required enforcing time windows within which these events had to have occurred.

With StackRox 1.3, long-lived threat patterns are now more easily discoverable using a rich policy management framework.

But threat actors often bide their time after they gain entry, waiting days or weeks before taking subsequent action. StackRox 1.3 removes the time-window requirement from correlation in order to detect long-lived attack patterns throughout the container environment. Policies evaluate events in the combinations and sequences that reflect attacker techniques, even when those sequences unfold over days, weeks, or longer. Recurring events are also tracked and collated into existing alerts to reduce noise.

Alert summaries now capture both the detected events and their context, along with any automated enforcement actions, so that detection, prevention, and response can all be tracked in a single place.
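To make the correlation idea concrete, here is a small added illustration (not StackRox code, and not a description of its internals) of a sequence policy that advances a per-container chain through the four stages named above with no time window, raises one alert when the chain completes, and folds later recurring events into that alert. The stage names, the constructed events, and the day-number timestamps are assumptions made for the example.

```python
from collections import defaultdict

# Ordered attacker stages the policy expects (stage names are assumed for this example).
STAGES = ("code_execution", "persistence", "lateral_movement", "data_exfiltration")


class SequencePolicy:
    """Correlates events per container into the ordered STAGES sequence.

    No time window is enforced: a stage seen on day 1 still counts when the
    next stage arrives weeks later. Once a container's chain completes, one
    alert is raised and later matching events are collated into it."""

    def __init__(self):
        self.timeline = defaultdict(list)  # container -> matched (stage, ts) events
        self.alerts = {}                   # container -> alert once the chain completes

    def observe(self, event):
        """Feed one event; returns a new alert dict, or None."""
        container, stage, ts = event["container"], event["stage"], event["ts"]
        alert = self.alerts.get(container)
        if alert is not None:
            # Recurring activity on an already-alerted container: attach it to
            # the existing alert instead of raising a fresh one (noise reduction).
            alert["recurrences"].append((stage, ts))
            return None
        matched = self.timeline[container]
        if stage == STAGES[len(matched)]:  # the next expected stage, in order
            matched.append((stage, ts))
            if len(matched) == len(STAGES):
                alert = {"container": container, "events": list(matched),
                         "span_days": matched[-1][1] - matched[0][1], "recurrences": []}
                self.alerts[container] = alert
                return alert
        return None  # out-of-order or unrelated stage: the chain does not advance


# Constructed sample events; ts is a day number, so the chain spans 23 days.
SAMPLE_EVENTS = [
    {"container": "web-1", "stage": "code_execution", "ts": 1},
    {"container": "web-1", "stage": "persistence", "ts": 2},
    {"container": "db-1", "stage": "lateral_movement", "ts": 3},     # no prior stages: ignored
    {"container": "web-1", "stage": "lateral_movement", "ts": 17},
    {"container": "web-1", "stage": "data_exfiltration", "ts": 24},  # chain completes: alert
    {"container": "web-1", "stage": "data_exfiltration", "ts": 25},  # recurrence: collated
]


def run_sample():
    """Replay the constructed events; returns (alerts raised, policy state)."""
    policy = SequencePolicy()
    raised = [a for a in map(policy.observe, SAMPLE_EVENTS) if a is not None]
    return raised, policy
```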

Scalable Data Services

StackRox sees more data, in greater detail, than any other container security solution today. The unique ability to perform distributed threat analysis in real time requires a highly scalable, efficient data pipeline. StackRox 1.3 adds new data pipeline services to achieve greater scalability, which in turn lets the platform process more data and generate more effective machine learning models. These new data services allow StackRox to catch certain threats within seconds, compared to minutes or hours with traditional solutions. Additionally, 1.3 adds support for running these data services on dedicated compute nodes within the customer’s environment to improve overall performance.

Deployment Automation

StackRox has always been designed to fit in with enterprise container environments. Early on, we built deployment integrations to ensure a native experience when using the leading container orchestrators and platforms including Kubernetes, Red Hat OpenShift, Docker Swarm, and Docker Enterprise Edition. This means that customers can deploy StackRox using the same orchestrator toolchains that are already familiar to them. Using new automation scripts available with 1.3, it only takes on the order of minutes to get StackRox up and running.

There is a lot more to come, so stay tuned to this blog and our Twitter for more information. We will also be at DockerCon EU this week, so please drop us a note if you would like to meet and learn more about how StackRox can secure your container environment.