Secure cloud-native services with Prisma Cloud Compute
Safe Clouds
The recent notable milestones in the evolution of software development and how applications are served over the Internet, not least of which are the popularity of portable containers and Docker's remarkable rate of adoption, had security professionals scratching their heads until the security challenges that they presented were fully understood. Few niche vendors fully embraced container security headaches as Docker's toolbox took the developer world by storm. The sophisticated security suite Twistlock, now Prisma Cloud Compute Edition [1] after their acquisition by Palo Alto Networks (see the "What's in a Name?" box), stood out from the crowd and, through natural selection, took center stage in the container security space.
What's in a Name?
The rebranding from Twistlock to Prisma Cloud Compute is still in transition, so you'll see both product names mentioned throughout this article. Adding to the confusion, Palo Alto Networks offers two similarly named products [2]: the software-as-a-service (SaaS) version Prisma Cloud Compute, for which Palo Alto Networks hosts the console and you deploy the agents, and the Prisma Cloud Compute Edition on-premises product, which you deploy and operate in your own environment. In this article, "Prisma Cloud Compute" refers to the self-hosted version.
Now, having increased its feature set significantly, the cloud-native security suite is exceptionally sophisticated. After the introduction of multiple new features (e.g., the ability to protect host machines that aren't running containers, serverless function protection, and improvements in continuous integration/continuous delivery (CI/CD) support), it's safe to say that the product has raised its game significantly. Moreover, Prisma Cloud Compute no longer focuses only on protecting Amazon Web Services (AWS); the security suite now supports the Google Cloud and Microsoft Azure platforms, as well.
Admittedly, it's difficult to do the product justice in a single article, so I will have to skip some details to fit as much content as possible. Although Prisma Cloud Compute is not an open source product, I will point you at some open source code that might be useful in the container security niche. Once you've had a look at what's included in the box, I hope you will be suitably motivated to request a demo to try it out yourself.
To get started, I'll begin with some basic terminology, and then briefly look at the three areas most important to supporting the DevSecOps life cycle: runtime defense, vulnerability management, and the all-important area of compliance, which is especially key in enterprises. In this article, I'll run through a basic installation, get your hands dirty with a look at Prisma Cloud Compute in action, and take a look at how Prisma Cloud Compute can be configured to prevent serverless functions from being compromised.
The Automation
To my mind, one of the most powerful aspects of Prisma Cloud Compute is its inclusion of machine learning, which creates behavior models for discovered resources automatically. After an initial period of monitoring a resource, any deviation from its model triggers an alert of varying severity. Once the (sometimes thousands of) intricate profiles for all of your resources have been created, you can fine-tune the associated rules at a surprisingly granular level. This process not only saves vast amounts of time (not forgetting the typing errors and misconfigurations commonly made by humans), but after discovering the "normal" behavior of your resources, you can tweak the rulesets to account for anomalies with great ease.
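To make the learn-then-enforce idea concrete, here is a deliberately simplified model of how a runtime profile works; it is an added illustration, not Prisma Cloud Compute's own code, and the images, processes, ports and severities are constructed for the example. A learning window records which processes and outbound ports each image uses; afterwards, deviations raise alerts, and a per-image allowlist shows the kind of rule tweak you would apply once you know an anomaly is legitimate.

```python
"""Toy runtime profile: learn per-image behavior, then alert on deviations."""
from collections import defaultdict

# Constructed sample audit events: (image, process, outbound port or None)
LEARNING_EVENTS = [
    ("shop/web:1.4", "nginx", 443),
    ("shop/web:1.4", "nginx", 5432),
    ("shop/web:1.4", "php-fpm", 5432),
    ("shop/db:12", "postgres", None),
]

RUNTIME_EVENTS = [
    ("shop/web:1.4", "nginx", 443),    # matches the learned profile
    ("shop/web:1.4", "sh", None),      # shell spawned: new process -> high
    ("shop/web:1.4", "nginx", 6379),   # known process, new port -> medium
    ("shop/db:12", "pg_dump", None),   # new process, but legitimate backups
]


def learn_profiles(events):
    """Build a baseline of observed processes and ports per image."""
    profiles = defaultdict(lambda: {"processes": set(), "ports": set()})
    for image, proc, port in events:
        profiles[image]["processes"].add(proc)
        if port is not None:
            profiles[image]["ports"].add(port)
    return dict(profiles)


def evaluate(profiles, events, allowed_processes=None):
    """Return (image, severity, reason) for each event outside its profile.

    allowed_processes maps image -> set of extra processes permitted by a
    hand-tuned rule, which is how an operator quiets a known-good anomaly.
    """
    allowed = allowed_processes or {}
    alerts = []
    for image, proc, port in events:
        profile = profiles.get(image)
        if profile is None:
            alerts.append((image, "high", "no learned profile for image"))
        elif proc not in profile["processes"]:
            if proc not in allowed.get(image, set()):
                alerts.append((image, "high", f"unexpected process {proc}"))
        elif port is not None and port not in profile["ports"]:
            alerts.append((image, "medium", f"unexpected outbound port {port}"))
    return alerts


if __name__ == "__main__":
    baseline = learn_profiles(LEARNING_EVENTS)
    for alert in evaluate(baseline, RUNTIME_EVENTS, {"shop/db:12": {"pg_dump"}}):
        print(alert)
```

Run without the allowlist argument to see the backup job flagged as well; the tuned rule is what turns that third alert into silence.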
The Mothership
The architecture includes a centralized server known as the Console, to which other components phone home with their audit logs and from which they receive new rules in return. The Console currently needs Docker running in the background and is provided as a container that listens on TCP port 8084 for what are known as Defenders. In addition to chatting away merrily to Defenders, the Console presents a well-designed and easy-to-use dashboard over a web interface. Normally this would be over TCP port 8083, but it's not uncommon to add your own TLS/SSL certificate and move it to HTTPS to avoid "this site is not trusted" errors from your browser and to simplify internal firewall rules. Take note that if you write scripts around the API, some settings will default to TCP port 8083 and will need to be tweaked.
The Enforcers
Currently three types of Defenders are offered: Container, Host, and Serverless. Each is responsible for monitoring a specific type of resource. Once your Console is up and running, most of your time will likely be spent tweaking the rules to which your Defenders adhere and ensuring that all your resources have a Defender monitoring their behavior.
Prisma Cloud Compute not only offers the Defenders to protect your resources, but it also offers two types of firewalls (which make some use of the machine learning models too). One, as you might expect, deals with simple network access and allows whitelisting and blacklisting of IP address ranges. The other is a relatively simple but effective web application firewall named the Cloud Native Application Firewall (CNAF). Note that rolling CNAF rules across all resources might affect performance.
Also employed to keep common threat information current is a custom threat intelligence system that works by aggregating a number of commercial online feeds. The intel is updated frequently to catch the latest security issues and can be tweaked manually so that you can add, for example, your own malware signatures, whitelisted vulnerabilities, and banned IP address ranges.