Thursday, December 9, 2021

Introducing Microsoft Defender for Containers

Container adoption is booming - production deployments of Kubernetes clusters and containers continue to soar as organizations increasingly containerize applications to meet their needs for scalability, portability, and more. Since 2016, the use of containers in production has increased by 300%.


In line with these widespread adoption trends, the security & threat landscape has shown a rapid increase in the number and sophistication of attacks targeting containers and Kubernetes as shown in image 1.


Image 1: Growth overview of attack trends between June 2019 and December 2020 as seen in the 2020 Cloud Native Threat Report.Image 1: Growth overview of attack trends between June 2019 and December 2020 as seen in the 2020 Cloud Native Threat Report.


Traditional security tools aren’t setup to provide visibility into container usage and monitor traffic flows, making it challenging to stay on top of secure configurations drifts. Unlike traditional compute, containerized applications are elastic, spawn, and are often short lived – creating the need to fix vulnerabilities early and often and making a dedicated container security strategy essential.


Advanced threat protection for container solutions

To address the evolving security challenges surrounding container solutions, we are excited to announce Microsoft Defender for Containers – a new cloud workload protection plan designed around the unique needs of container-based solutions including Azure Kubernetes Service, Amazon EKS, and on-prem environments. It is part of Microsoft Defender for Cloud. 


Critical capabilities include native at-scale onboarding for Kubernetes, hardening controls, vulnerability assessment, and run-time protection. The new plan merges the capabilities of the two existing Microsoft Defender for Cloud plans, Microsoft Defender for Kubernetes and Microsoft Defender for container registries, and adds a new set of critical features shown in image 2.


Image 2: Overview of the added capabilities in Defender for ContainersImage 2: Overview of the added capabilities in Defender for Containers



For a live demo of the new capabilities, watch the latest episode of Defender for Cloud in the field.



Getting started

Starting today, Microsoft Defender for Containers is available as a new plan in Microsoft Defender for Cloud. You can onboard any of your Azure subscriptions or AWS accounts and start protecting your container solutions with a broad set of capabilities.



Kubernetes-native deployment

We understand how critical it is to protect containers as soon as they are deployed into your environment. That’s why we developed an automatic deployment capability, so you can easily enable Microsoft Defender for Containers across all Kubernetes resources in your organization, in the Microsoft Defender for Cloud portal.

The solution is designed to support any Kubernetes, Azure & non-Azure workloads with a DaemonSet, that is deployed and maintained on the Kubernetes control plane. This gives customers visibility and management capabilities directly via Kubernetes-native tooling. It is also integrated into the Azure Kubernetes Service (AKS) as a Security profile and into Azure Arc connected clusters as a cluster extension for both multi-cloud and on-prem scenarios.


Image 3: Onboarding to the Microsoft Defender for Containers with automatic at scale deploymentImage 3: Onboarding to the Microsoft Defender for Containers with automatic at scale deployment


Advanced Threat Detection

To expand threat detection beyond the Kubernetes management layer, Microsoft Defender for Containers now offers host level threat detection with over 60 (!) new Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. The solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the MITRE ATT&CK® matrix for Containers, a framework that was developed by the Center for Threat-Informed Defense in close partnership with Microsoft and others.

The full list of available threat detection alerts can be found here.



Image 4: Examples of container specific threat detection alerts in Microsoft Defender for CloudImage 4: Examples of container specific threat detection alerts in Microsoft Defender for Cloud


To make investigations easier by providing runtime context, we have added new entities to Kubernetes security alerts including image, registry, pod, service, namespace, and more. In addition, the new entities can be used to provide more granularity for customers' suppression logic to fine tune alerts and reduce alert fatigue.



Image 5: Examples of new entities to Kubernetes security alertsImage 5: Examples of new entities to Kubernetes security alerts


Coming soon: Fileless attack detection. Fileless attacks are typically used by attackers to execute code without presence on the filesystem; thereby preventing detection by traditional anti-virus software. With the new Fileless Attack Detection capability, automated memory forensic techniques will identify fileless attack toolkits, techniques, and behaviors. The detection mechanism periodically scans your nodes at runtime and extracts insights directly from the memory of the running processes. It can find evidence of exploitation, code injection and execution of malicious payloads. Fileless attack detection generates detailed security alerts to accelerate alert triage, correlation, and downstream response time.



Vulnerability Assessment

A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Microsoft Defender for Cloud provides out of the box vulnerability assessment capabilities and integrates with the tools of your choice to regularly check your resources for vulnerabilities.


As part of the Microsoft Defender for Containers plan, we added a new detection for Runtime visibility of vulnerabilities. This new recommendation shows only running images with vulnerabilities, enabling customers to better prioritize and focus on the vulnerabilities that pose the highest risk to their organization.


Image 6: Vulnerability security alert specific to containersImage 6: Vulnerability security alert specific to containers


We also enhanced the periodic scanning of images that have been pulled from Azure Container registry (ACR) during the last 30 days, with a continuous image scan for all ACR images running on a Kubernetes cluster.



Planning your container security spend

We know that understanding cost across your workloads and protections is critical. That’s why we created a cost estimation workbook that allows you to estimate the anticipated costs for Microsoft Defender for Containers across all your subscriptions. The workbook estimates costs for your Kubernetes clusters based on your average usage over the last 30 days. In addition, it shows the number of container images that are included for vulnerability assessment scanning based on your configuration. You can deploy the workbook to your Defender for Cloud environment using the ARM template and learn more in the Defender for Cloud GitHub repository.


Image 7: Overview of the cost estimation workbook for Microsoft Defender for Containers.Image 7: Overview of the cost estimation workbook for Microsoft Defender for Containers.


The new Microsoft Defender for Containers plan provides organizations with a streamlined way to enable advanced threat protection for all their container workloads across Azure, AWS, and in hybrid cloud environments and keep their critical resources secure.


More information

  • Sign up for our live webinar on January 12 where we will walk through the new plan, demo the capabilities and open up for Q&A.
  • Check out our documentation and learn how to protect your container solutions with the new Defender for Containers offering
  • Subscribe to our blog and stay up to date with the latest Defender for Cloud news


  • How much does Microsoft Defender for Containers cost? - The price for Microsoft Defender for Containers is $7/ Kubernetes vCore/month. It includes 20 free scans per vCore. Every subsequent scan will be charged at $0.29 per image digest. We expect that >90 of customers will not require additional scans. Furthermore, we removed the cost-incurring dependency on Microsoft Defender for Servers to enable host-level protection of Kubernetes clusters through the addition of native, node-level protection capabilities in Microsoft Defender for Containers.
Posted at