The use of Docker containers is rapidly becoming the standard approach for most companies to deploy services in their environment; however, it also introduces risks and vulnerabilities. Explore the pros and cons of containers and how to mitigate Docker container security risks.
Docker Containers at a Glance
Docker container technology entered the market in 2013 introducing an opensource platform that helped drive a revolution towards containerization in software development. Solomon Hypes, co-founder of Docker, explains the problem that containers solve and why they are useful — containers help fix the issue of shipping software from machine A to machine B in a reliable and automated way.
Especially as applications became more intricate over the years and the software stack and infrastructure grew more complex, developers often ran into issues of getting code to run reliably on various machines.
Inspired by shipping containers which can move anything across the world in a standardized and automated fashion — Docker container technology is essentially a “shipping container” for software. A container is a standard unit of software that packages up code and all its dependencies allowing an application to run reliably from any computing environment.
Containers are useful because they allow for a separation of concerns and streamline the development lifecycle so that developers can work in standardized environments. Here are examples of challenges and issues that arise in the software development cycle that containers can fix, according to Hypes:
- Sharing your development environment with another contributor
- Deploying from a development machine to a staging server
- Scaling from one server to multiple servers
- Migrating from one hosting provider to the next
- Migrating from a private cloud to public cloud
- Moving into a new data center
By providing a standardized packaging format for applications, Docker technology can solve many of these challenges, allowing developers and system operators to separate application dependencies from infrastructure.
Containers: Pros and Con
Containers have been a boon to both software and infrastructure engineers. They trivialize the deployment process and enable easy and repeatable methods for testing applications and services. Other benefits of containers, include:
- Extremely small and lightweight
- Portable
- Fast to launch
- Can easily scale
- Great for continuous integration (CI) and continuous deployment (CD)
While security engineers recognize the benefits of the technology, they are considerably more skeptical of the implementation. Containers and their orchestration platforms can be unwieldy to manage and monitor posing security challenges that you must address. Visibility into container actions such as an image being pulled from a repository or a container failing becomes increasingly more important to be able to track and react to.
Containers vs. Virtual Machines
People often mistake equating Docker containers with Virtual Machines (VMs). Although they may work in similar ways with concepts like resource isolation, they are actually fundamentally different. Containers differ from virtual machines in one key area: they’re service-focused, whereas VMs are system-focused. In a nutshell, containers are dedicated to serving a function instead of providing a foundation. Containers virtualize an operating system (OS) and it is capable of running multiple workloads on a single OS instance while VMs virtualize the hardware to run multiple OS instances. For a more in-depth comparison, Nick Janetakis, creator of diveintodocker.com, provides a great video breakdown that explains the key differences between containers and virtual machines:
Both containers and VMs have various advantages and disadvantages depending on your needs; however, as long as you are developing on the same foundation that you plan to support after deployment, why waste extra compute resources on development or in deployment replicating that foundation over and over again?
Mitigating Docker Container Security Risks
While Docker is a popular software choice for developers who are building and sharing containerized applications, there are common container security risks and vulnerabilities during a development cycle that can be exploited be attackers. System architects, DevOps, and chief information security officers (CISOs) must proactively address these risks to prevent detrimental damage and find a way to automate security for a more reliable defense.
Tripwire explains five common Docker container security risks for your team to be aware of:
- Using insecure images
- Containers running with the privileged flag
- Unrestricted communication between containers
- Containers running rogue or malicious processes
- Containers that are not properly isolated from the host
Learn how to address these types of risks and vulnerabilities here.
SOAR with Docker in LogRhythm
With automation comes reliability and longer-term low costs. LogRhythm’s security orchestration, automation, and response (SOAR) solution can help provide an insight into Docker vulnerabilities and the events that are used to spawn containers in real time.
Let’s say, for example, Beth Nickels, a Financial Analyst at Mobius Inc, is looking for a way to pad her less-than-ideal salary. She has heard about a new cryptocurrency called Monero. After some digging, she manages to learn some rudimentary Docker management. What’s more, the Mobius Inc. Infrastructure team has poor RBAC and she finds a sudo login to their Docker host. With that newfound information, she can easily spin up a Monero mining Docker container and start siphoning off compute cycles to make money. LogRhythm can detect and remediate this event automatically, saving Mobius Inc. money and increasing the virtualization environment’s visibility.
Watch a SIEM Detect Cryptomining in a Docker Container
It can be challenging for security analyst to detect exploits targeting Docker containers. Threat actors can easily hide within the high volumes of container activity. LogRhythm NextGen SIEM Platform can help you monitor and detect cryptomining in a docker container by:
- Identifying cryptomining malware hiding among containers in your DevOps environment
- Alerting you of malicious keywords within your environment to help you quickly locate unapproved containers
- Using playbooks and SmartResponse™ automation to stop the malicious container and prevent cryptojacking
- Locating where the attack initiated so your team can prepare for future attacks
Watch this demo to learn how LogRhythm can assist security teams with visibility into the DevOps environment. With automated response capability and intuitive workflows to detect threats, LogRhythm can help you stop a Docker container attack reliably and efficiently.
