Introducing StackRox Prevent: Reimagining Container Deployment Security to Minimize Your Attack Surface

Security leaders today are charged with the increasingly complex task of defending the technology that powers modern enterprises, at a time when the software stack has never been more diverse or unmanageable. Implementing a coherent security program can seem daunting in light of the patchwork of duties that may fall under a security organization’s purview: static code analysis, identity and access management, compliance, data privacy and integrity, vulnerability management, monitoring, incident response, threat hunting, forensics…and the list continues. Leveraging disparate tools and data sources to drive a strategy that tangibly improves an organization’s security posture is patently nontrivial. Accomplishing this across multiple lines of business and at every layer of the stack can seem impossible.

The era of containers and microservices brought with it substantial gains in terms of developer convenience, modularity, and portability. However, it also delivered an expanded scope of responsibility to security’s already-crowded doorstep. The flexibility and abstractions enabled by containers often result in highly complex and opaque environments. As a result, security teams have a hard time determining whether container deployments have implemented appropriate controls and configurations to reduce their attack surface.

As containerization becomes the de facto standard for modern software development, enterprises increasingly find themselves in dire need of a way to focus their personnel and resources toward the most impactful activities to drive down risk exposure.

Bringing Strategic Context to Security Governance

Security leaders need a way to centralize governance of enterprise container environments in a way that allows them to:

  1. easily contextualize the risk that stems from vulnerabilities and misconfigurations across the diverse set of platforms, layers, and tools in their container environments;
  2. prioritize remediation activities to mitigate that risk; and
  3. understand the implications of accepting risk when pragmatism demands imperfect security.

Today, the StackRox team is pleased to announce the beta release of StackRox Prevent, a new product offering designed to satisfy these needs. StackRox Prevent is a governance tool for container-based software environments that enables security teams to minimize the container attack surface from build to deployment. It synthesizes information across diverse security and DevOps datasets into actionable insights, giving security leaders the holistic perspective they need to make strategic, risk-driven decisions.

Figure 1: StackRox Prevent dashboard

Do the Things That Matter Most

The purpose of collecting and analyzing data is to enable decision-making. However, distilling meaningful insights from a sea of data points spread across disparate security and container toolsets is a massive challenge. By bringing together the right subset of that data, StackRox Prevent gives security leaders a full understanding of the exploitation risk associated with flaws across their attack surface. This understanding enables them to prioritize the most impactful remediation and risk mitigation activities for their specific environments and business concerns. StackRox Prevent empowers security leaders by enabling them to:

  • know what to do first;
  • focus on lobbying to fix problems with clear, explicable consequences rather than fighting to fix every vulnerability or misconfiguration; and
  • feel confident that their personnel and resources are correctly aligned to make an impact.

Close the Gap Between DevOps and Security

As containers and microservices increasingly dominate modern software development, the speed and efficiency of the feedback loop between DevOps and security is critical to preventing unnecessary exposure to exploitation risk. StackRox Prevent removes the lag in this loop by helping DevOps and security teams to:

  • quickly assess the attack surface footprint and risk implications of new CVEs;
  • immediately understand whether container configurations at deployment time actually reflect what was intended; and
  • automate feedback to development teams with workflow integrations like JIRA and Slack.

Furthermore, StackRox Prevent helps security leaders maintain governance over application components and configurations produced by DevOps teams. It provides the capability to codify organizational security standards in the form of deployment policies—and to enforce those standards by automatically blocking new deployments, if desired.

Create Capacity to Move Beyond Hygiene

Minimizing vulnerabilities and ensuring that secure configurations are implemented across the container attack surface are critical components of good security hygiene. It is not difficult to find examples of high-profile breaches that resulted from the exploitation of these primitive problems. Nailing down the basics is a simple concept, but doing it well is not easy. StackRox Prevent simplifies and streamlines the process of minimizing the container attack surface so that security teams can turn their attention to the more nuanced challenges around runtime detection and response.

To learn more about how StackRox secures the entire container lifecycle, see our product overview page.