Twistlock 2.2 Improves Container Security with Cloud Native Firewall

Container security startup delivers new release adding an incident explorer feature to help detect threats.

Twistlock 2.2

Container security startup Twistlock is set to formally announce its latest platform update on Sept. 21, providing new security features to manage and control micro-services deployments. The Twistlock 2.2 update builds on elements the company first introduced in its 2.0 update in April, including the shift to the Go programming language. When Twistlock first debuted in November 2016, the technology was built on the node.js framework.

"In the Twistlock 2.2 release, we've expanded the automation capabilities to learn how the network works, to help secure workloads," John Morello, CTO of Twistlock, told eWEEK.

Among the new features in the Twistlock 2.2 update is a Cloud Native Network Firewall (CNNF). Morello explained that CNNF is basically a real-time model of all the inter-container communications in a deployment. The model includes insight into what network ports and cache services are in use and what external services are connected.

The CNNF learns what is normal behavior for a container application, sets policy based on the usage and can then enforces the policy to make sure abnormal connections that could be potentially malicious, do not occur.

"So unlike a traditional firewall where all the different routes need to be manually configured, we have learned the connectivity pattern automatically," Morello said. "The policy works irrespective of what cloud platform Twistlock is running on. It's a container-centric way of building automation for secure network connectivity."

With the Twistlock 2.2 release, Morello said that his company also changed how it plugs into container and orchestration engines to get the network level control and visibility. Prior to Twistlock 2.2, Twistlock plugged into the Container Networking Interface (CNI) which is widely used in Kubernetes container orchestration deployments. While Kubernetes is widely used, there are other container orchestration tools, including Docker Swarm.

"With 2.2, we're not CNI-specific so our firewall will work regardless of the container orchestrator that is being used," Morello said.  

From a deployment perspective, Twistlock 2.2 is now installed as a container itself. Morello said that Twistlock is just another container on the host that is being protected.

"We actually run as a Docker container," Morello said. "We're not running as kernel-mode component and we don't modify the host operating system. Twistlock can be deployed literally anywhere you can run Docker."

Going a step further, Twistlock 2.2 now also provides what Morello referred to as a native deployment experience for Docker Swarm. He noted that in the past, most Twistlock customers were running Kubernetes and the method for deploying Twistlock in a Docker Swarm cluster required additional steps.

"Kubernetes has long had a capability called the daemon set, whereby anytime a new node comes online, a specific container can be run on it," Morello said. "Docker just recently came out with the same concept, that they call a Global Service."

Incident Explorer

While automated policies can block and prevent many types of threats, there are also other threats that require additional effort to uncover. Twistlock 2.2 introduces the new Incident Explorer that provides a threat hunting capability to discover container security risks.

"All the sensors we have are oriented around monitoring that an application behaves the way we expect it to behave, based on the observed behavior of the container," Morello said. 

Whenever there is an anomaly the new incident explorer now provides Twistlock users with meaningful information about the anomalous activity that can be acted upon.

"We have an intelligence engine that is running inside of Twistlock 2.2 that identifies and correlates events into incidents," Morello said.

Looking forward, Morello said that Twistlock is currently working on other container security innovations that will likely debut before the end of 2017. Among the new features that Twistlock is working on is enhanced intelligence capabilities to detect a broader set of attack patterns.

"What we'll be doing in the next release is taking the capabilities we already have, going deeper and making them smarter," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.