Prevent Container Risks With Advanced Container Image Sandboxing

Developers and DevOps Teams Can Now Use Prisma Cloud’s Advanced Machine Learning to Prevent Dynamic Threats Before They are Deployed Into Operational Environments

Today’s high speed deployments in a DevOps world rely on the efficient reuse of image libraries and the increasing usage of container images. Developers and DevOps teams regularly pull images from third-party registries to run in their corporate environments. Simultaneously, today’s cybercriminals continue to adapt as our threat researchers show in the Unit 42 Cloud Threat Report, 1H 2021 — cloud security incidents are on the rise. For every organization, third-party images provide an avenue for bad actors to enter production environments.

Prisma Cloud continues to push the boundaries of cloud security, showing that it’s possible to have better protection. We’re recognized as a leader in Vulnerability Management by GigaOm, while Forrester’s TEI study highlights our impressive 276% ROI.

Today’s announcement delivers a leap in what’s possible for container security, taking our incredible machine learning and applying it to third-party images regardless of its provenance, enabling customers to run these in a pre-deployment sandbox. Automatically, Prisma Cloud analyzes the actual runtime for dynamic threats, learning all the processes that will be run, the network activity for the image and all filesystem access to build an in-depth model of what the image will do.

Automation is essential to keep pace, and this release of Cloud Workload Protection in Prisma Cloud is no different. The latest release for Cloud Workload Protection includes:

  • Container Security: Pre-Deployment image analysis Sandbox.
  • Host Security: Auto-protection for virtual machines on Azure and Google Cloud.
  • Web Application and API Security: Windows support, service mesh support and improved API telemetry.
  • Partner Update: Prisma Cloud is a Red Hat® Certified Technology Vulnerability Scanner

Let’s dive into these new features.

Container Security: Pre-Deployment Image Analysis Sandbox

Organizations download and run images from many different sources, including container registries maintained by different business units internally, external sources like Docker Hub or other registries from third-party vendors.

Prisma Cloud Sandbox screenshot of interface.

The Prisma Cloud Command Line Interface (CLI) — twistcli— allows users to scan images for vulnerabilities, compliance issues, malware and secrets with the ability to operate on a developer’s laptop, as well as their CI/CD tooling. We’re excited to announce this much sought after feature — image analysis sandbox.

With image analysis sandboxing, Prisma Cloud will run your third-party container image in an isolated environment you host, leveraging our machine learning to perform deep inspection of all the processes, file system and networking activity pre-deployment. This means you have complete visibility and control over all aspects of any image before you bring it into a live environment with detailed analysis results to both the CLI and the Console UI.

Host Security: Auto-Protection for VMs on Azure and Google Cloud

With our last Cloud Workload Protection release, we proudly announced our auto-detection and auto-protection capabilities for standalone VMs (hosts) running in AWS. Now, our Host Security expands and enhances its capabilities to provide auto-protection functionality for hosts on Azure and Google Cloud.

These capabilities are vital because certain host security requirements, such as continuous monitoring and active prevention, can only be achieved with an agent protecting the workload. With auto-protection, Prisma Cloud greatly reduces the efforts required by DevOps and security teams to manually configure, deploy and update host security agents.

Screenshot of map showing deployed defenders used with Prisma Cloud.

Now organizations can be confident that their workloads running across these cloud service providers will have advanced protection capabilities automatically deployed.

Web Application and API Security: Expanded Support Across Windows, Service Mesh, and More

Web Application and API Security (WAAS) delivers unmatched protection for cloud native applications, extending capabilities from Web Application Firewalls (WAFs) to cover the OWASP Top 10, API security capabilities, advanced DoS protection and bot risk management.

These capabilities have been further expanded to protect Windows hosts, including Windows Server 2019 LTSC. Additionally, WAAS now automatically supports installing on service meshes, such as Istio or Linkerd. These enhancements speak to the rapid customer adoption of integrated WAAS capabilities over the past year and providing more technologies that Prisma Cloud can support.

Screenshot of unprotected web applications scan results on the Prisma Cloud survey.

WAAS now also provides detailed information on the health and throughput of your APIs, including application response codes, traffic and performance details, TLS certificate status and customizable log sanitization.

Partnership: Red Hat Container Security Certification

Prisma Cloud continues enhancing our product through our partnership programs. Red Hat expands their container presence through their OpenShift environment and their Red Hat Container Images, which Prisma Cloud uses as a base image. We are proud to be a Red Hat Advanced Partner.

Now, we’re pleased to announce that our Red Hat-certified vulnerability scanner is now available in the Red Hat Ecosystem Catalog.

“At Red Hat, we believe that container security is Linux security, and we are continuously evolving to set new standards for security to better support our partners and customers,” said Lars Herrmann, vice president of Partner Ecosystems, Product & Technologies at Red Hat. “With the Red Hat Vulnerability Scanner Certification, we are helping partners like Palo Alto Networks harness Red Hat security-related data to deliver more reliable and consistent container vulnerability reporting to customers.”

Additional Capabilities

In addition to the powerful capabilities shared above, Prisma Cloud also delivers:

  • App-Embedded Defender Forensics: Prisma Cloud expands protection as organizations consume new workload types, like AWS Fargate, Azure Container Instances, Google Cloud Run and Google Kubernetes Engine Auto-Pilot, Defender forensics brings customer runtime rules and our extensive forensic data collection to all of these compute stacks.
  • Amazon Machine Image (AMI) Scanning Improvements: Host Security capabilities are expanded to cover custom VPCs and even encrypted AMIs.
  • Serverless Security: The latest release includes Serverless Auto-Protect v2 and support for Ruby 2.5 and 2.7 in Serverless Defender.
  • N-2 Backwards Compatibility: Prisma Cloud console is backward compatible up to two major releases back, helping operationalizing teams to have nearly a year of support timeline between Defender and twistcli /Jenkins plugin upgrades.
  • SaaS Platform Expansion: Our deep product integration continues to shine with unified notification provider setup between CSPM and CWP, helping teams direct cloud service posture management alerts to the same channels as workload related alerts. In addition, with this release the speed of undefended workload discovery (via Cloud Discovery for SaaS accounts) has been improved with changes to scanning mechanism.

Note: The capabilities highlighted in this announcement are available as of August 31, 2021 in Prisma Cloud Compute Edition. Availability in Prisma Cloud Enterprise Edition will become available in October.