How CrowdStrike Increases Container Visibility
Introduction
Through an easy to deploy, lightweight agent, CrowdStrike’s cloud native platform provides unparalleled visibility and proven protection capabilities to all workloads across datacenters and platforms. In this article and demonstration, we will look specifically at how Falcon provides visibility and the ability to investigate potential threats on container workloads.
Video
How does CrowdStrike protect container workloads?
The use of containers is an important aspect of many cloud strategies. With Crowdstrike, the same agent protects the host as well as any running containers. The CrowdStrike Falcon® Platform provides run-time protection, unparalleled EDR visibility and container awareness to help organizations secure their cloud workloads without compromising performance.
How are container events presented in the UI?
In this example event, CrowdStrike detected a high severity command and control event. With detailed event data, the solution is able to provide visibility into everything from the runC executions to hands on keyboard commands. In addition to the process tree and detailed event data, CrowdStrike also reports the associated container ID. This container awareness is available for Docker and any other platform compliant with the Linux Open Container Initiative standards.
What container reporting is available?
The event and container visibility helps identify and investigate threats. However, it also enables a great deal of container specific reporting.
The usage dashboard gives an overview of the containers and hosts in the environment with useful information around runtime. Seeing a spike in how many containers are running or containers running for an abnormal period of time would indicate cause for investigation.
Important information like privilege and interactive mode are highlighted on the container configurations dashboard. It also highlights user accounts and detections per container.
The next dashboard provides an overview of the number of containers running per host with the option to search by AID to find a specific system.
And finally, the container image page provides information on the image used to create these containers. This is especially helpful in the case that you have a container with a known vulnerability. Using the image ID that is available in the detailed event data, we can search to identify all of the containers that were created from a single, vulnerable image. In this case, 46 containers will need to be addressed for the same vulnerability.
Closing
CrowdStrike understands the importance of containers in today’s landscape and delivers a unique, cloud native solution. Along with that, the CrowdStrike solution offers a number of dashboards to help organizations understand and monitor these rapidly evolving and dynamic workloads. The CrowdStrike Falcon® Platform offers deployment flexibility, unparalleled visibility, container awareness and reporting to help organizations secure their container workloads without compromising performance.
