Do You Know What’s Hiding in Your Containers?


Between the growth of cloud-native applications and the demands of faster application delivery, the use of containers is widely predicted to continue to increase.

In fact, a recent study conducted by Enterprise Strategy Group (ESG) for CrowdStrike, “The Maturation of Cloud-native Security: Securing Modern Apps and Infrastructure,” found that container adoption has grown 70% over the last two years, and there is projected to be a 50% increase in cloud-resident workloads over the next 24 months. This increase is also driving the need for container security and orchestration solutions. Like any other technology deployed in production environments, containers have to be properly configured, provisioned, secured and monitored.

That last piece — monitoring — is vital. Many containers are short-lived, and the sheer number of them creates challenges around visibility. Obtaining visibility is also complicated due to the scope of the DevOps environment and a lack of integration between disparate tools. To properly enable the use of containers, organizations need to be able to extend security from the base images being used all the way to production.

A False Sense of Safety

Containers do not magically make everything secure — yet organizations often act as though they do. It is not uncommon, for example, for images to run with root privileges — which in many cases is likely a violation of the principle of least privilege. Then there is the fact that developers often utilize code from third-party libraries. Not all of this code, unfortunately, is secure. For example, in April 2020, Microsoft reported that Azure Security Center had uncovered a widespread cryptocurrency mining attack against Kubernetes clusters caused by containers running an image laced with XMRig, a very popular open-source Monero miner.

Older images may contain vulnerabilities that can be exploited by attackers. If one container is compromised, it can serve as a gateway to a deeper compromise of the environment. While immutability provides benefits for automation and deployment, it also makes it vital to catch vulnerabilities early in the CI/CD process. Attempting to bolt on security later will only cause organizations to miss vulnerabilities that could have been caught prior to the containers being deployed.

Misconfigurations — from images with excessive permissions to improperly configured Docker servers — can pose a critical risk as well. However, even containers that are configured properly and verified can be compromised by zero-day bugs and runtime threats. Security teams are dealing with a much broader threat landscape than a decade ago, and they need new tools and skills to adjust.
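As an added example (not from the original post and not CrowdStrike code), the small Python audit below reads `docker inspect`-style JSON and flags the least-privilege misconfigurations discussed above: images running as root, privileged mode, added capabilities, and a mounted Docker socket. The container names, images and records are constructed sample data, not findings from any real environment.

```python
import json

# Constructed sample: trimmed `docker inspect`-style records for three
# hypothetical containers (names and images are made up for this example).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/payments-api",
     "Config": {"User": "", "Image": "payments-api:1.4"},
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/frontend",
     "Config": {"User": "10001:10001", "Image": "frontend:2.0"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "Binds": None}},
    {"Name": "/debug-shell",
     "Config": {"User": "root", "Image": "ubuntu:20.04"},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "Binds": None}},
])

def runs_as_root(user):
    """An empty USER, 'root', or uid 0 all mean the entrypoint starts as root."""
    uid = (user or "").split(":")[0].strip()
    return uid in ("", "root", "0")

def audit_container(record):
    """Return a list of least-privilege findings for one inspect record."""
    findings = []
    cfg, host = record.get("Config", {}), record.get("HostConfig", {})
    if runs_as_root(cfg.get("User")):
        findings.append("runs as root (no non-root USER in image or run config)")
    if host.get("Privileged"):
        findings.append("privileged mode grants near-host-level access")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability added: {cap}")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker socket mounted: container can control the daemon")
    return findings

def audit(inspect_json):
    """Map container name -> findings; containers with no findings are omitted."""
    report = {}
    for record in json.loads(inspect_json):
        found = audit_container(record)
        if found:
            report[record["Name"].lstrip("/")] = found
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Against a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample; the same checks apply to the image config before deployment, which is where the post argues they belong.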

A New Way Is Needed

To avoid becoming a roadblock, security must keep pace with innovation. In the DevOps world, that means applying the security controls and processes needed without slowing down the speed of application delivery. This reality has resulted in a shift-left approach to security and also forced security teams to get up-to-speed. 

Part of the challenge is that traditional security solutions and processes don’t typically work well in DevOps environments where automation and speed are critical. Manual security processes cannot keep up with the rapid change needed to protect containers, and traditional tools lack the visibility into those containers that organizations need. Using disparate, siloed tools will not be effective either, as the poor integration just serves to add more complexity. 

What organizations need instead is a security solution that integrates seamlessly with developer toolchains to allow for faster remediation and response. It’s critical to have the ability to scan images for vulnerabilities, integrate into the CI/CD process and continuously monitor an organization’s ecosystem of containers. Using the CrowdStrike Falcon® platform, we provide cloud threat detection and response and runtime protection for containers to secure both the host and all of the containers running on it. In addition, CrowdStrike utilizes threat intelligence and machine learning to detect attacks against containers in real time. Proactive threat hunting capabilities provide further protection that allows organizations to uncover new tactics, techniques and procedures used by attackers. Whichever solution is used, it must eliminate the manual processes around security and reduce alert fatigue so organizations can quickly prioritize and remediate threats to their environment.

Embrace Containerization — But Do It Securely

Even with the challenges, businesses should not shy away from containers. With the right solution, organizations can weave security into their DevOps environment and CI/CD pipeline to secure containers from the development phase to the end of their lifecycle. To learn more about how CrowdStrike can help you protect containerized environments, and enable DevOps teams to deploy applications with greater speed and efficiency, visit crowdstrike.com.
