Twistlock 2.3 Advances Container Security With Serverless Support

Twistlock adds new capabilities to its namesake container security platform, including per-layer vulnerability analysis and an improved Cloud Native App Firewall.

Twistlock 2017

Twistlock released version 2.3 of its container security platform on Jan. 3, adding new features to help protect container workloads.

Among the new features in Twistlock 2.3 in an improved Cloud Native App Firewall (CNAF), per-layer vulnerability analysis functionality, application aware system call defense and new serverless security capabilities.

"Lots of people have vulnerability analysis for containers, so we try to differentiate ourselves in three main ways: precision, actionability and prevention," John Morello, CTO of Twistlock, told eWEEK. "The per-layer analysis is part of how we're more precise and actionable."

Twistlock debuted its container security platform in November 2015 in an effort to provide advanced protection for application containers. The company last updated the platform in September 2017—to the 2.2 release, which included the first release of the Incident Explorer threat hunting technology.

In previous versions of Twistlock's platform, vulnerability data was aggregated at the image level, according to Morello. With a Docker container image, there can however be multiple layers with different components. As such, if an organization had a complex image with many layers, it required some effort to find the layer where a given vulnerability might exist in a container image. Morello said that in Twistlock 2.3, the per-layer analysis decomposes the image into all its layers and overlays vulnerabilities per layer.

"You can literally scroll through the Dockerfile in one pane and, as your mouse hovers over commands within it, see in the other pane what vulnerabilities impact it," he said. "This makes it much easier and faster to identify problems, assign bugs to the right people to correct them and ultimately close them faster with less work."

Twistlock 2.3 also includes a set of new protections for specific types of attack patterns. The new protections are in the Incident Explorer technology, which provides a threat hunting capability.

"In addition to detecting unexpected process, file system and network behavior as we've always done, we've added deeper understanding of what that unexpected behavior looks like in specific scenarios so that we can identify and prevent attacks more accurately," Morello said.

There are also improvements in CNAF as part of the Twistlock 2.3 update. Morello noted that among the improvements are a broader set of protections for detecting brute force attack patterns, suspicious authentication scenarios, and traffic coming from botnets and other nodes typically used for attacks and reconnaissance.

Twistlock is also makes use of Linux seccomp policy libraries in the new update. Seccomp is a Linux technology to help protect against unauthorized system calls. Prior to Twistlock 2.3, system call models were language-specific, Morello said. 

"In 2.3, we've changed this significantly to be completely generally applicable and to have the enforcement performed via seccomp profiles directly without direct interaction by our Defender," he said.  "As part of our normal runtime modeling, Defender automatically identifies what apps run are within what images and maps the right seccomp policy to them. "


Since the company's inception, Twistlock has focused on container security, which includes Docker and now Kubernetes deployments. With the Twistlock 2.3 update, there is also protection for serverless environments. Serverless technologies include Amazon Web Services (AWS) Lambda, which provides a function-as-a-service platform that does not require stateful containers. Serverless technologies increasingly make use of containers to enable services.

"Personally, I believe that in 2018, we’re going to see some consolidation of what we currently think of separately as serverless and containers," Morello said.

Morello expects Kubernetes will end up underpinning most container and serverless deployments, with serverless just being an abstraction layer for developers. From a security perspective, Morello said the new serverless security capabilities in Twistlock are similar to what are available for regular container deployments.

"You simply tell us where the functions are—Azure, AWS and/or Google—give your Twistlock Console access to them, and we automatically discover all the functions you have in those accounts, analyze them and show you the results in the Console," he said.

Looking forward, Twistlock has plans to continue to add new features to its platform to help secure cloud-native environments.

"That means you can expect broader capabilities beyond just containers to protecting orchestrators like Kubernetes and other parts of a cloud-native environment like serverless and modern VMs [virtual machines]," Morello said. "Automation and machine learning will continue to be core strategic advantages for us and are the foundation of everything we do across the stack."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.