PT Container Security

Main article: Security Information and Event Management (SIEM)

2024: Opportunities to search for runtime events and conduct incident investigations

Positive Technologies has released an updated version of PT Container Security, a product to protect container environments. The main thing in the release is the ability to search for runtime events and investigate incidents, improve performance by updating the WebAssembly (Wazero) runtime, runtime detectors developed based on tests on the Standoff cyber polygone, as well as an updated version of Tetragon, containing a number of improvements to the runtime monitoring engine. The company announced this on September 30, 2024.

According to field tests, PT Container Security is capable of processing a stream of tens of thousands of events per second or higher. The product supports large high-load production clusters without losing speed, that is, it can ensure the security of infrastructure of any size. As the load increases, PT Container Security can scale horizontally, increasing the number of replicas, or vertically, adding computing resources. Additional performance improvements have been achieved with the latest versions of WebAssembly and Tetragon.

WebAssembly technology allows you to develop detection modules in general-purpose programming languages ​ ​ and implement any arbitrarily complex detection logic in the form of a portable and cross-platform byte code. Using the latest versions of the Wazero runtime, which since release 1.7 has implemented an optimizing compiler, has accelerated each individual detector by 30-35% without changing the source code. Tetragon is used in PT CS to detect threats in runtime starting with the first commercial version of the product.

PT Container Security is based on the most current technologies. With the help of scaling, our development team is guaranteed to ensure stable operation of the solution under high loads and with the maximum possible speed, - said Nikita Ladoshkin, Development Manager of PT Container Security at Positive Technologies.

As part of the update, PT Container Security received new capabilities that make it easier for analysts to investigate incidents in runtime:

• Context filters. Allow you to quickly find events related to the operation of child and parent processes, for example, an attacker runs malicious utilities in a compromised container. Built on observations and analysis of real investigations, help to build a chain of actions of attackers.
• Conventional filters. Help focus on important events, such as events related to a particular pod Kubernetes in or related to specific executables. files
• Presets for frequent checks, raw event formatting and fast filters help information security specialists investigate cyber incidents in containers faster. Allow you not to lose information and quickly return to any point of investigation.
• Detectors developed with the PT Expert Security Center. Due to maximum flexibility, detectors do not require additional tuning, combine signature and behavioral approaches to detecting threats in runtime, offering a hybrid option that combines the strengths of detection methods. The set of detectors is constantly replenished.