In my previous blog, I discussed the challenges and solutions of understanding what running containers are doing. Now it's time to protect these containers. As we previously discussed, container images are a union of layered filesystems, libraries, and other dependencies. New vulnerabilities may be discovered after static analysis has been completed and the container is already running in production. These running containers are now exposed to the new vulnerabilities and to previously unknown threats and attacks. You now need to understand the best way to protect the running container, commonly known as runtime protection.

Since the container image has already passed static analysis, it is unlikely that DevOps will stop all running instances of the container. No one wants to impact the availability of the application. Meanwhile, a new build may take time to resolve all the newly discovered vulnerabilities. To mitigate the exposure in the interim, you need to enforce container behavior. This creates a new set of challenges not addressed by current security solutions. Let's look at each of these challenges separately.

Identifying Normal Behavior of Running Containers

The first challenge is identifying the normal behavior of running containers. This covers both application and system behavior, including process, network, and storage activity. Defining normal behavior is critical for both developers and security teams, as they run and secure applications.

In the previous blog, I described how the embedded security probes monitor all activity. This allows the creation of activity and behavior profiles, thus establishing normal behavior. These profiles set the foundation for creating security policies that enforce normal runtime behavior.

Building Activity and Behavior Policies

Once the normal behavior of a container has been defined, security policies need to be created to enforce this behavior. In a traditional security approach, separate policies would be created for each product participating in the protection of containers. These include endpoint protection, network micro-segmentation, web application firewalls, and other container security solutions.

Leveraging the injected security probes, a single security policy per container is created. This policy is generated automatically from the activity and behavior profiles used to identify normal behavior. The same policy is also the single point of enforcement, applied from within the container itself. No other security solutions are required, though adjacent solutions may be complementary as part of a broader security ecosystem.

Automating Protection of Running Containers

Now it's time to dynamically protect the running container itself. This requires automated enforcement of the container's activity and behavior policies.

The injected security probes, and their corresponding policies, provide automated enforcement of the following activity and behavior:

  • Only the normal (pre-observed) network communications among containers within an application and with other applications
  • Only the allowed processes within a container may receive or initiate communications, and those processes may run only whitelisted binaries
  • Only normal storage calls, including read-only and read-write paths and allowed mount points
  • Only the normal application execution paths, from higher-level languages all the way down to system calls
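As an added illustration of the profile-to-policy flow described above (this is example code, not Layered Insight's product code), the following builds a whitelist profile from a constructed sample of observed events and then evaluates new runtime events against it. The event kinds (exec, net, file), the paths, the process names and the destinations are all assumptions chosen for the example.

```python
# Added example: learn a behaviour profile from observed container events,
# then enforce it as a single per-container policy over new events.
# All event kinds and sample values below are constructed for illustration.
from collections import defaultdict

# Constructed sample of events captured during the learning window.
OBSERVED = [
    ("exec", "/usr/sbin/nginx"),                     # whitelisted binary
    ("exec", "/bin/sh"),
    ("net", "nginx", "app-db:5432"),                 # (process, destination)
    ("net", "nginx", "payments:8443"),
    ("file", "/var/log/nginx/access.log", "rw"),     # (path, mode)
    ("file", "/etc/nginx/nginx.conf", "r"),
]

def build_profile(events):
    """Turn observed events into a whitelist profile keyed by event kind."""
    profile = {"exec": set(), "net": set(), "file": defaultdict(set)}
    for ev in events:
        kind = ev[0]
        if kind == "exec":
            profile["exec"].add(ev[1])               # allowed binaries
        elif kind == "net":
            profile["net"].add((ev[1], ev[2]))       # allowed (process, dest)
        elif kind == "file":
            profile["file"][ev[1]].add(ev[2])        # path -> allowed modes
    return profile

def evaluate(profile, event):
    """Return 'allow', or a human-readable violation reason, for one event."""
    kind = event[0]
    if kind == "exec":
        if event[1] in profile["exec"]:
            return "allow"
        return f"unexpected binary {event[1]}"
    if kind == "net":
        if (event[1], event[2]) in profile["net"]:
            return "allow"
        return f"unexpected connection {event[1]} -> {event[2]}"
    if kind == "file":
        modes = profile["file"].get(event[1], set())
        # A read-write path implicitly permits plain reads.
        if event[2] in modes or (event[2] == "r" and "rw" in modes):
            return "allow"
        return f"unexpected {event[2]} access to {event[1]}"
    return f"unknown event kind {kind}"

def enforce(profile, events):
    """Evaluate a stream of runtime events; return the (event, reason) violations."""
    verdicts = [(ev, evaluate(profile, ev)) for ev in events]
    return [(ev, reason) for ev, reason in verdicts if reason != "allow"]
```

In a real deployment the learning window would come from the probes' recorded activity, and a violation would trigger a block or an alert rather than just being returned.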

Conclusion

If your organization is adopting containers, then you need to unify DevOps and SecOps. By embedding security within the container, you gain complete visibility and control of containerized applications through the entire lifecycle. This benefits both DevOps and SecOps. Adopt a Container Native Approach and solve the three key challenges facing container security:

  • Accurate insight into container images, including software composition, vulnerability assessment, and compliance validation;
  • Adaptive analysis of running containers, including runtime activity, container communication, and behavior profiles; and
  • Automated enforcement of container behavior, including behavior policies, anomaly detection, and runtime protection

Learn more by visiting layeredinsight.com/solutions/#automated-enforcement, requesting a demo here, or contacting us at [email protected].