
Security teams struggle to see what is happening inside their running containers. Qualys is today announcing general availability of Container Runtime Security (CRS), which provides visibility into running containers using an approach that is container-engine agnostic and layered into the container image itself. CRS delivers runtime visibility and enforcement in containers through policy-based control of system calls covering file, network and process behavior. These capabilities can be applied to container runtime security use cases such as file access monitoring, network micro-segmentation, vulnerability mitigation and virtual patching. CRS is an add-on to Qualys Container Security and is available immediately.

The Challenge of Securing Running Containers

The rise and adoption of containers has been rooted in the promise of workload isolation, application abstraction and immutability. While these properties of containers do help reduce the attack surface, a single insecure image can be instantiated many times over as separate running containers, turning one flaw into a widespread attack surface. The following diagram provides a high-level overview of the attack surface for containers.

The attack surface at the host level can be secured with traditional host-based solutions (e.g. host-level agents). The in-container attack surface needs a defense-in-depth approach that consists of scanning across the build-ship-run pipeline, fixing…