With every new security market, someone needs to define the critical capabilities to address the challenges that new market is trying to solve. The same holds true for container security, and more importantly, Container Native Application Protection.  Typically, this is one of the analyst firms.  However, in the container security market, trends and requirements are evolving quickly.  In the absence of an analyst definition, let me try to define these critical capabilities.

Defining Critical Capabilities

First, let’s define a framework.  The NIST Cybersecurity Framework provides a great starting point with five security domains: Identify, Protect, Detect, Respond, and Recover.  I’m going to swap the order of Protect and Detect and drop Recover.  Also, we need to add a domain for Deploy, as most critical capabilities definitions include this domain.

Now, let’s summarize the critical capabilities for each of these domains…

Deploy

This domain focuses on initial deployment and supported technology requirements of the solution. The critical capabilities for this domain are organized by the following sub-domains:

  • Setup – Including automated deployment into the existing container environment that requires no changes to, or impact on, operations
  • Supported Technology – Including both Linux and Windows containers, Container-as-a-Service, Function-as-a-Service, and Serverless Computing offerings
  • Operations – Including no root privileges and support for read-only containers
  • Authentication – Including support for OAuth and SAML

Identify

This domain focuses on the asset management requirements to address cybersecurity risks to applications, containers, and data. The critical capabilities for this domain are organized by the following sub-domains:

  • Container Images – Including auto-discovery of images, software libraries, system binaries, and other dependencies
  • Container Instances – Including auto-discovery of instances and identification of pre-configured policies

Detect

This domain focuses on identifying cybersecurity events and detection processes for containers, both static and dynamic. The critical capabilities for this domain are organized by the following sub-domains:

  • Static Analysis – Including vulnerability assessment and malware detection with detailed findings
  • Policy Compliance – Including policy templates for mis-configurations and software version and license violations
  • Dynamic Analysis – Including system, storage, network, and application monitoring, log and forensics evidence collection, and privilege escalation detection

Protect

This domain focuses on implementing appropriate protective safeguards for containers, specifically at runtime. The critical capabilities for this domain are organized by the following sub-domains:

  • General – Including real-time, dynamic policy enforcement
  • System – Including system call enforcement to prevent shell execution, malicious code/exploit execution, and process escalation
  • Storage – Including storage activity, binary whitelist, and file/binary integrity enforcement
  • Network – Including network communication enforcement and micro-segmentation
  • Application – Including application activity and call path enforcement
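As an added example (not Layered Insight's code or its evaluation worksheet), here is a small Python policy-compliance check of the kind the Operations sub-domain (no root privileges, read-only containers) and the Protect/System sub-domain (blocking process escalation and unrestricted system calls) call for. It assumes the input is a Kubernetes-style Pod manifest already parsed into a dict; the securityContext field names are standard Kubernetes fields, and the two sample manifests are constructed.

```python
def _get(d, *path, default=None):
    """Walk nested dict keys, returning default when any key is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def check_container(pod, container):
    """Return mis-configuration findings for one container in a pod.

    Checks: runs as non-root and read-only filesystem (Operations),
    no process escalation and a seccomp syscall profile (Protect/System).
    Pod-level securityContext is used as the fallback where Kubernetes allows it."""
    findings = []
    sc = container.get("securityContext") or {}
    pod_sc = _get(pod, "spec", "securityContext", default={}) or {}
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runs as root: runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("writable root filesystem: readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("process escalation possible: allowPrivilegeEscalation is not false")
    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        findings.append("no system call enforcement: seccompProfile not set")
    return findings


def check_pod(pod):
    """Evaluate every container in a pod; returns {container name: findings}."""
    containers = _get(pod, "spec", "containers", default=[]) or []
    return {c.get("name", "?"): check_container(pod, c) for c in containers}


# Constructed sample manifests (not real workloads): one weak, one hardened.
WEAK_POD = {"spec": {"containers": [{"name": "web", "image": "example/web:1"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "example/web:1",
                    "securityContext": {"readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod))
```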

Respond

This domain focuses on actions to address cybersecurity events, commonly known as incident response. The critical capabilities for this domain are organized by the following sub-domains:

  • Alerts and Notifications – Including allow, capture, and block alerts
  • Integrations – Including Security Incident & Event Management (SIEM) and Threat Intelligence

There’s More…

This is just the high-level summary.  All of these critical capabilities are available in our free evaluation worksheet with weightings to evaluate multiple solutions. Register at layeredinsight.com/criticalcapabilities to get your free copy.

You can also learn more by visiting layeredinsight.com/solutions/, requesting a demo here, or contacting us at [email protected].