Correlate and automate container runtime policies to reduce alert noise using Anvilogic's Detection Automation.
Correlate Container Runtime Policies To Reduce Noise
Anvilogic makes it easy to quickly determine what policies and alerts are actionable
Even if you are collecting runtime policy alerts from security tools such as AquaSec, Stackrox, or Sysdig, determining which policies (or alerts) are actionable can be challenging.
The policies deployed in your containerized environments can generate a high volume of alerts that all land in the SOC, and most of them are noise. SOC teams need a way to determine which of those alerts actually matter and when to act on them quickly.
Variables to consider for noisy runtime policies:
1) Are your runtime policies being enforced?
In many environments it is hard to enforce runtime policies (that is, to block the violating action) because enforcement would break critical business applications whose underlying containers are not compliant with the policy. The result is a trade-off between keeping the business running and enforcing security, and the policies are left in audit mode, where every violation is logged rather than blocked and the SOC receives a steady stream of noisy alerts.
2) How restricted (or unrestricted) is your CI/CD pipeline?
It is best practice to implement preventive controls in the build phase of your CI/CD pipeline. A common control companies try to enforce is keeping secrets (API tokens, SSH keys, passwords) out of committed code; however, it is very common for secrets to slip past these controls, and they then surface as findings when the container image is scanned.
3) How restricted (or unrestricted) are your container image scans?
Although container images are normally scanned before they are deployed to production, what is allowed to pass an image scan is decided by the business (not the SOC!). A permissive scan lets through more images that will trip runtime policies once they run, which drives noise.
Automate Runtime Policies with Anvilogic Detection Automation Platform
Through an understanding of the factors that drive alert volume from containerized environments, Anvilogic has built automation that takes your runtime policies and turns them into threat identifiers mapped to the MITRE ATT&CK framework. This allows your runtime policies to be correlated across MITRE tactics and techniques and delivers high-fidelity alerting across multiple events happening on a container, pod, or namespace.
By mapping each of your runtime policies to tactics and techniques, Anvilogic lets you correlate runtime policies firing on the same container, pod, or namespace and produce fewer, more actionable alerts for your team to triage.
In the example below, we are looking at container execution activity followed by action on objectives in the Persistence, Privilege Escalation, Credential Access, Lateral Movement, and Command & Control tactics.
In addition, you can create risk-based correlations that tell you when multiple runtime policies are triggering for the same pod, container, or namespace. In the example below, the Scenario looks for 3 or more runtime policies triggering on the same container, pod, or namespace, regardless of their MITRE mapping.
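To make the two correlation patterns above concrete, here is an added example (not Anvilogic's code and not any vendor's policy catalogue) that runs both over a handful of constructed runtime-policy alerts. It assumes a small policy-to-ATT&CK mapping table, treats "3 or more policies" as 3 or more distinct policy names, and uses a 10-minute window for the execution-then-action sequence; the alert fields, policy names, and tool names are all made up for the example.

```python
"""Correlate container runtime-policy alerts into higher-fidelity signals.

Added example (not Anvilogic's or any vendor's code). Two patterns:
  1. ATT&CK sequence: an Execution-tactic policy on a pod followed, within a
     time window, by a policy mapped to an "action on objectives" tactic.
  2. Entity risk: three or more distinct runtime policies firing on the same
     container, pod, or namespace, regardless of ATT&CK mapping.
Policy names and their ATT&CK mappings below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping: runtime policy name -> (ATT&CK tactic, technique).
# Policies absent from this table are "unmapped" but still count for pattern 2.
POLICY_TO_ATTACK = {
    "Shell spawned in container": ("Execution", "T1059"),
    "Write below /etc": ("Persistence", "T1543"),
    "Cron job modified": ("Persistence", "T1053"),
    "Privileged container launched": ("Privilege Escalation", "T1611"),
    "Read of service account token": ("Credential Access", "T1552"),
    "SSH to another pod": ("Lateral Movement", "T1021"),
    "Outbound connection to rare port": ("Command and Control", "T1571"),
}
ACTION_TACTICS = {"Persistence", "Privilege Escalation", "Credential Access",
                  "Lateral Movement", "Command and Control"}


def map_to_attack(alert):
    """Return a copy of the alert enriched with tactic/technique (None if unmapped)."""
    tactic, technique = POLICY_TO_ATTACK.get(alert["policy"], (None, None))
    return {**alert, "tactic": tactic, "technique": technique}


def entity_keys(alert):
    """Entities an alert belongs to, most specific first."""
    ns, pod, ctr = alert["namespace"], alert["pod"], alert["container"]
    return [("container", f"{ns}/{pod}/{ctr}"), ("pod", f"{ns}/{pod}"), ("namespace", ns)]


def correlate_execution_then_action(alerts, window=timedelta(minutes=10)):
    """Pattern 1: Execution alert followed within `window` by an action-on-objectives
    alert on the same pod. Returns one finding per qualifying Execution alert."""
    by_pod = defaultdict(list)
    for a in map(map_to_attack, alerts):
        by_pod[(a["namespace"], a["pod"])].append(a)
    findings = []
    for (ns, pod), group in by_pod.items():
        group.sort(key=lambda a: a["ts"])
        for i, first in enumerate(group):
            if first["tactic"] != "Execution":
                continue
            followers = [b for b in group[i + 1:]
                         if b["tactic"] in ACTION_TACTICS and b["ts"] - first["ts"] <= window]
            if followers:
                findings.append({
                    "pod": f"{ns}/{pod}",
                    "execution": first["policy"],
                    "actions": sorted({(b["tactic"], b["policy"]) for b in followers}),
                })
    return findings


def correlate_policy_count(alerts, threshold=3):
    """Pattern 2: entities with >= threshold distinct policies, ignoring ATT&CK mapping.
    Reported at every level (container, pod, namespace) that crosses the threshold."""
    seen = defaultdict(set)
    for a in alerts:
        for level, key in entity_keys(a):
            seen[(level, key)].add(a["policy"])
    findings = [{"level": level, "entity": key, "policies": sorted(p)}
                for (level, key), p in seen.items() if len(p) >= threshold]
    return sorted(findings, key=lambda f: (f["level"], f["entity"]))


def _t(hhmmss):
    return datetime.fromisoformat(f"2024-05-01T{hhmmss}")


# Constructed sample alerts (not real tool output).
SAMPLE_ALERTS = [
    # A: shell, then credential read and odd egress on the same pod -> real sequence
    dict(ts=_t("10:00:00"), tool="Sysdig", policy="Shell spawned in container",
         namespace="payments", pod="web-1", container="app"),
    dict(ts=_t("10:00:40"), tool="Sysdig", policy="Read of service account token",
         namespace="payments", pod="web-1", container="app"),
    dict(ts=_t("10:01:10"), tool="AquaSec", policy="Outbound connection to rare port",
         namespace="payments", pod="web-1", container="app"),
    # B: audit-mode policy repeating on a batch job plus one unmapped policy -> noise
    dict(ts=_t("10:05:00"), tool="Stackrox", policy="Write below /etc",
         namespace="ci", pod="batch-7", container="job"),
    dict(ts=_t("10:05:30"), tool="Stackrox", policy="Write below /etc",
         namespace="ci", pod="batch-7", container="job"),
    dict(ts=_t("10:06:00"), tool="Stackrox", policy="Image missing required label",
         namespace="ci", pod="batch-7", container="job"),
    # C: one distinct policy on each of three pods -> only the namespace crosses 3
    dict(ts=_t("10:20:00"), tool="Sysdig", policy="Privileged container launched",
         namespace="staging", pod="api-a", container="api"),
    dict(ts=_t("10:21:00"), tool="Sysdig", policy="Cron job modified",
         namespace="staging", pod="api-b", container="api"),
    dict(ts=_t("10:22:00"), tool="AquaSec", policy="Image missing required label",
         namespace="staging", pod="api-c", container="api"),
]

if __name__ == "__main__":
    for f in correlate_execution_then_action(SAMPLE_ALERTS):
        print("SEQUENCE", f)
    for f in correlate_policy_count(SAMPLE_ALERTS):
        print("COUNT", f)
```

Run stand-alone, scenario A produces one sequence finding (Shell spawned followed by Credential Access and Command and Control) and crosses the count threshold at container, pod, and namespace level; scenario B never fires because a single policy repeating is still one policy; scenario C fires only at the namespace level, which is the case the pod-level view would miss. In production you would also suppress the parent levels already explained by a child finding so the SOC sees one ticket, not three.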
Easily Enforce Policies, Controls, and Scanning: Automate runtime policies
If your SOC team suffers from alert fatigue, one contributing factor may be runtime policies that are too noisy because of a lack of runtime policy enforcement, weak CI/CD controls, and/or permissive image scanning. By enabling your SOC team to build correlations across runtime policies mapped to the MITRE ATT&CK framework, you can reduce the noise coming from your containerized environments while delivering higher-fidelity alerts to investigate.
Learn more about how the Anvilogic Detection Automation Platform can help enable you and your team to focus on your most important work, not noisy alerts.
Visit Anvilogic.com for more information on how we can help, or reach out for a low-effort free trial, led by us, that shows you in 1-2 weeks how to streamline your security operations and force-multiply your team.