![]() ![]() ![]() To take our example further, imagine we wanted to not just look for a specific process violation, but instead to visualize trends over time. Even more powerfully, you can correlate and visualize trends across multiple hosts. Of course, with Sumo Logic, you could also build much more sophisticated queries, for example, looking for any process violation that occurs on hosts called prod-* and is not caused by a common shell launching. (_sourceCategory=twistlock_logs (Process violation)) AND _sourcehost = “cto-stable-ubuntu.c.cto-sandbox.internal” AND nc Once this data is in Sumo Logic, it’s easy to drill down even further and look for it: Because Twistlock understands the entrypoint on the image, how the container was launched via Docker APIs, and builds a predictive runtime model via machine learning, it can immediately identify the unexpected process activity. Again, because of Twistlock’s runtime defense, this anomaly is automatically detected as soon as it occurs without any human having to create a rule to do so. Perhaps you’re looking for a specific action that an attacker took, like running netcat, something that should likely never happen in your production containers. (_sourceCategory=twistlock_logs (Process violation)) AND _sourcehost = “cto-stable-ubuntu.c.cto-sandbox.internal” To do this, we simply add a little more logic to the query: This is a common incident response scenario and this illustrates the power of Twistlock and Sumo Logic working together to identify the anomaly and to understand it more completely. So, let’s assume you want to drill down a little further and look for process violations that Twistlock detected on a specific host. Here’s a simple example of just looking across all Twistlock logs using the source=”twistlock_logs” query: Of course, the real power of a tool like Sumo Logic is being able to easily sort, filter, and drill down into log data. Once log files are collected, searching, slicing, and visualizing data is done using the standard Sumo Logic query language and tools. These logs track activities such as authentication to the local node and runtime events that occur on the node. Defender logs are produced on each node that Twistlock protects and are local in scope.Console logs track centralized activities such as rule management, configuration changes, and overall system health.Note that Twistlock produces 2 main types of logs, aligned with our distributed architecture as illustrated below. In this case, the log collection is named “twistlock_logs” to make it easy to differentiate between standard Linux logs. After a collector is installed on a host Twistlock is protecting, configure Sumo Logic to harvest the log files from /var/lib/twistlock/log/*.log: ![]() Setting up integration is easy, simply follow the standard steps for collecting logs from a Linux host that Sumo Logic has already automated. In addition to storing all event data in its own database, Twistlock also writes events out via standard syslog messages so it’s easy to harvest and analyze using tools like Sumo Logic. ![]() Runtime defense, which combines static analysis, machine learning, Twistlock Labs research, and active threat feeds to protect container environments at scale, without human intervention.īecause Twistlock has a rich set of data about the operations of a containerized environment, integrating with powerful operational analytics tools like Sumo Logic is a natural fit.This capability builds on Twistlock’s authorization plugin framework that’s been shipping as a part of Docker itself since 1.10. Access control that applies granular policies to managing user access to Docker, Swarm, and Kubernetes APIs.Compliance which enforces compliance with industry best practices and configuration policies, with 90+ built-in settings covering the entire CIS Docker benchmark.Vulnerability management that inspects the full stack of components in a container image and allows you to eradicate vulnerabilities before deployment.More specifically, The Twistlock container security suite offers 4 major areas of functionality: Twistlock provides dev-to-production security for the container environment. ![]()
0 Comments
Leave a Reply. |