Recently I had the opportunity to engage in a Q&A session with Peter Baumbach from AlertLogic.
Peter has been with Alert Logic for over 10 years, so I figured he'd be the expert to ask!
The following is a list of questions I asked Peter and his responses. Hopefully you all find this as helpful as I did!
How does Alert Logic protect container environments?
Alert Logic provides a containerized version of our agent (al-agent-container) that resides on each node you are monitoring. We are collecting all network traffic by binding the to the Docker0 bridge interface and then forwarding a copy of that network traffic to an Alert Logic appliance on the local network. To capture logs, the agent leverages the default Docker log driver that allows it to capture the logs and transport directly back to Alert Logic.
How do I get started using Alert Logic in my Kubernetes cluster?
Container support is included with all tiers of Alert Logic Service that include network-based IDS and log collection. So, once you have your account set up, it’s a matter of deploying the al-agent-container in privileged mode and also a monitoring appliance. You can easily leverage your preferred deployment tools to deploy Alert Logic. Documentation for Kubernetes and all other supported platforms can be found at https://github.com/Alert Logic/al-agent-container.
Where can I see the results of the al-agent-container?
Container threat and log data show up the same way in the Alert Logic UI as threat and log data from standard datacenter / public cloud instances. We provide an additional benefit by enriching container incidents with the container metadata. In this way, Alert Logic provides a unified hybrid view of security encompassing the complete infrastructure. Furthermore, incidents discovered in the containerized parts of the environment roll up through the same 24x7 workflow as for the more traditional infrastructure.
Does Alert Logic consume resources in my app containers?
Alert Logic does not consume any resources on the containers themselves, nor does it require any modification to the monitored containers. Once our al-agent-container is deployed parallel to your other containers, we automatically collect network traffic and log data from all containers on that node without any impact to the containers themselves.
How does Alert Logic behave under heavy CPU load?
...and Network? Memory? Disk?
The al-agent-container uses minimal CPU, memory and disk resources, as it’s not doing any analytics locally. All analytics take place remotely at the Alert Logic appliance and then by Alert Logic in the cloud. Log transport uses minimal network resources because of efficient compression, but the NIDS monitoring can increase local network traffic, in some cases significantly, as it is duplicating all monitored network traffic and sending it to a monitoring appliance. In real-world experience with over 370,000 containers monitored in the field, we have not observed nor received reports of noticeable network degradation.
Does Alert Logic provide image scanning services?
Alert Logic does not currently offer image scanning. However, we have been looking at leveraging and adapting our VA scanning technology to provide image scanning services. We are hoping to add that functionality by the end of 2019.
Are there any SDK integrations that are necessary?
If so, which runtimes are supported?
SDK integrations are not necessary to deploy Alert Logic into container environments. The al-agent-container is easily deployed leveraging your existing container deployment methodology.
What kinds of anti-patterns and use cases should I be aware of as I use Alert Logic?
Alert Logic for containers has broad applications for a wide variety of container deployments. As with any security tool, Alert Logic for containers might not be the perfect fit in some cases. For instance, the al-agent-container needs to run in privileged mode. This currently prevents us from working with serverless platforms like Fargate (although we are working with AWS to find a solution). Occasionally we encounter a preference for using appliance-less security tools in an environment. It’s an Alert Logic advantage not to have to conduct any analytics in the containers or on the nodes, but that does mean we offload network monitoring to an appliance. However, to mitigate those concerns when they arise, we’ve expanded our automation capabilities so that it’s easy to either incorporate appliance deployment into automation scripts, or Alert Logic can fully automate deployment of appliances into the environment as well.
What are the best practices for using Alert Logic in containers and Kubernetes clusters?
Deployment of al-agent-containers on all container / Kubernetes workloads ensures Alert Logic can monitor all network traffic within the container environment. The al-agent-container also gives you the option of collecting log data.
Is Alert Logic supported on any of the managed service platforms?
For managed service platforms, the al-agent-container is able to be deployed in:
It may also be utilized on standard deployments using:
- Amazon Beanstalk Multi-container Docker environments
Data platform support can be found on our GitHub site.
- Docker Swarm (as a standalone container and not as a Swarm service)
What kinds of things has Alert Logic helped to detect that might have otherwise gone unnoticed in containers?
Alert Logic’s biggest differentiator is that on top of enterprise grade security technologies, we’re also monitoring that data 24x7 to create hi-fidelity incidents and walk our customers through a full understanding of what’s happening in their environment. We’re extending that same experience our customers have had in the datacenter, private cloud, and public cloud into the container world. We’ve observed that successful attacks against containers are not fundamentally different attacks than in traditional infrastructure. Rather, the peculiarities and dynamic nature of container deployments are great enough to render most legacy security tools unable to monitor containers. Coupled with the newness of container deployments, it’s also easy to make configuration errors that open up the attack surface. In one example, one of our customers leveraging containers had accidentally allowed inbound access on the Kubernetes pod configuration. As it ultimately turned out, their infrastructure was breached within 28 minutes and had Monero miners installed. They were completely unaware of the activity until Alert Logic was deployed. Shortly after Alert Logic was active, the malware spread was observed, and an incident was created in 6 seconds. This incident was analyzed by our SOC and escalated back to the customer. Importantly, not only are incidents generated, but key metadata is available such as the container id and pod id available in the UI / via API. Our customer experienced seamless security integration. We were not only able to alert them extremely quickly through our escalation processes, we were able to provide them with the key metadata needed to mitigate the breach.
Alert Logic is one of the top security tools we recommend to our clients and they've all been very pleased with the product.
If you have further questions, let me know in the comments!