Comprehensive Guide to Microsoft Defender for Containers
Introduction to Microsoft Defender for Containers
Microsoft Defender for Containers is a powerful cloud-native solution designed to improve, monitor, and maintain the security of your containerized assets across multi-cloud and on-premises environments. This comprehensive platform addresses the unique security challenges associated with the rapid growth and adoption of containers and Kubernetes.
Defender for Containers provides a holistic approach to container security, focusing on four core domains:
- Security Posture Management: Continuously monitors cloud APIs, Kubernetes APIs, and Kubernetes workloads to discover resources, detect misconfigurations, provide risk assessment, and enable enhanced risk hunting capabilities.
- Vulnerability Assessment: Offers agentless vulnerability assessment for container images across Azure, AWS, and GCP, providing remediation guidance, quick scans, and exploitability insights.
- Run-time Threat Protection: Delivers a rich threat detection suite for Kubernetes clusters, nodes, and workloads, powered by Microsoft's threat intelligence and mapped to the MITRE ATT&CK framework.
- Deployment and Monitoring: Provides frictionless at-scale deployment of sensor-based capabilities, supports standard Kubernetes monitoring tools, and manages unmonitored resources.
Security Posture Management
Agentless Capabilities
- Agentless Discovery for Kubernetes: Provides zero-footprint, API-based discovery of your Kubernetes clusters, their configurations, and deployments.
- Agentless Vulnerability Assessment: Delivers vulnerability assessment for container images, including registry and runtime recommendations, remediation guidance, and exploitability insights.
- Comprehensive Inventory: Enables you to explore resources, pods, services, repositories, images, and configurations through the Defender for Cloud security explorer.
- Enhanced Risk-Hunting: Empowers security admins to actively hunt for posture issues in containerized assets using queries and security insights.
- Control Plane Hardening: Continuously assesses the configurations of your clusters and compares them to applied initiatives, generating security recommendations for investigation and remediation.
Sensor-based Capabilities
- Binary Drift Detection: Alerts you when a container executes a binary that was not part of its original image, so you can distinguish legitimate activity from a potential compromise.
- Kubernetes Data Plane Hardening: Protects Kubernetes workloads by evaluating every request to the API server against a predefined set of best practices (for example, no privileged containers or sensitive host mounts), with the ability to enforce these practices so that non-compliant workloads are rejected in future.
Vulnerability Assessment
Defender for Containers scans container images in Azure Container Registry (ACR), Amazon Elastic Container Registry (ECR), Google Artifact Registry (GAR), and Google Container Registry (GCR) to provide agentless vulnerability assessment. This includes registry and runtime recommendations, remediation guidance, quick scans of new images, and real-world exploit insights.
The vulnerability information is added to the cloud security graph, enabling contextual risk assessment, attack path calculation, and enhanced hunting capabilities.
Run-time Protection for Kubernetes Nodes and Clusters
Defender for Containers provides real-time threat protection for supported containerized environments, generating alerts for suspicious activities to help you quickly remediate security issues and improve the security of your containers.
The threat protection covers Kubernetes at the cluster, node, and workload levels, utilizing both sensor-based coverage and agentless analysis of Kubernetes audit logs. Examples of monitored security events include exposed Kubernetes dashboards, creation of high-privileged roles, and sensitive mounts.
Defender for Containers also includes host-level threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. The protection is aligned with the MITRE ATT&CK® matrix for Containers, a framework developed in partnership with Microsoft.
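To make the audit-log events above concrete, here is an added example (not Microsoft's detection logic and not code from the page) that runs three toy checks over Kubernetes audit records: creation of a high-privileged role or binding, sensitive host mounts or privileged containers in a pod spec, and a kubernetes-dashboard Service exposed outside the cluster. The same checks illustrate the kind of best practice the data plane hardening bullet describes. The events are constructed inline in the shape of audit.k8s.io/v1 Event records; only the fields the checks read are filled in, and the list of sensitive host paths is this example's own choice.

```python
"""Toy detector for three of the Kubernetes audit-log events named above.

Added example, not Microsoft's detection logic. SAMPLE_EVENTS are constructed
in the shape of audit.k8s.io/v1 Event records (verb, objectRef, requestObject).
"""

# Host paths whose mount into a container hands over control of the node
# (example's own list, not the product's).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/lib/kubelet", "/var/run/docker.sock")
HIGH_PRIV_ROLES = ("cluster-admin",)


def _is_sensitive_path(host: str) -> bool:
    path = host.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def _pod_spec(obj: dict) -> dict:
    """PodSpec of a Pod, or of the template inside a Deployment/DaemonSet/etc."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def check_sensitive_mounts(event: dict) -> list:
    spec = _pod_spec(event.get("requestObject") or {})
    findings = []
    for vol in spec.get("volumes", []):
        host = vol.get("hostPath", {}).get("path")
        if host and _is_sensitive_path(host):
            findings.append(f"sensitive hostPath {host} in volume {vol.get('name')}")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged container {c.get('name')}")
    return findings


def check_high_privileged_role(event: dict) -> list:
    obj = event.get("requestObject") or {}
    kind, name = obj.get("kind"), obj.get("metadata", {}).get("name")
    if kind in ("ClusterRoleBinding", "RoleBinding"):
        role = obj.get("roleRef", {}).get("name")
        if role in HIGH_PRIV_ROLES:
            subjects = ", ".join(f"{s.get('kind')}/{s.get('name')}"
                                 for s in obj.get("subjects", []))
            return [f"{kind} {name} grants {role} to {subjects}"]
    if kind in ("ClusterRole", "Role"):
        for rule in obj.get("rules", []):
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                return [f"{kind} {name} allows every verb on every resource"]
    return []


def check_exposed_dashboard(event: dict) -> list:
    obj = event.get("requestObject") or {}
    if obj.get("kind") != "Service":
        return []
    ns = event.get("objectRef", {}).get("namespace", "")
    name = obj.get("metadata", {}).get("name", "")
    svc_type = obj.get("spec", {}).get("type", "ClusterIP")
    if "kubernetes-dashboard" in (ns, name) and svc_type in ("LoadBalancer", "NodePort"):
        return [f"Service {ns}/{name} exposes the dashboard via {svc_type}"]
    return []


CHECKS = (check_high_privileged_role, check_sensitive_mounts, check_exposed_dashboard)


def analyze(events) -> list:
    """Run every check over create/update events; returns (auditID, finding) pairs."""
    results = []
    for ev in events:
        if ev.get("verb") not in ("create", "update"):
            continue  # reads carry no requestObject and patch bodies are partial
        for check in CHECKS:
            results.extend((ev.get("auditID"), f) for f in check(ev))
    return results


SAMPLE_EVENTS = [  # constructed for this example, not real audit data
    {"auditID": "e1", "verb": "create", "objectRef": {"resource": "clusterrolebindings"},
     "requestObject": {"kind": "ClusterRoleBinding", "metadata": {"name": "sa-admin"},
                       "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                       "subjects": [{"kind": "ServiceAccount", "name": "default"}]}},
    {"auditID": "e2", "verb": "create", "objectRef": {"resource": "pods", "namespace": "default"},
     "requestObject": {"kind": "Pod", "metadata": {"name": "debug"},
                       "spec": {"containers": [{"name": "shell", "image": "busybox",
                                                "securityContext": {"privileged": True}}],
                                "volumes": [{"name": "dock",
                                             "hostPath": {"path": "/var/run/docker.sock"}}]}}},
    {"auditID": "e3", "verb": "create",
     "objectRef": {"resource": "services", "namespace": "kubernetes-dashboard"},
     "requestObject": {"kind": "Service", "metadata": {"name": "kubernetes-dashboard"},
                       "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}}},
    {"auditID": "e4", "verb": "create", "objectRef": {"resource": "deployments", "namespace": "web"},
     "requestObject": {"kind": "Deployment", "metadata": {"name": "api"},
                       "spec": {"template": {"spec": {"containers": [{"name": "api", "image": "api:1.0"}],
                                                      "volumes": [{"name": "tmp", "emptyDir": {}}]}}}}},
    {"auditID": "e5", "verb": "get", "objectRef": {"resource": "pods", "namespace": "default"}},
]

if __name__ == "__main__":
    for audit_id, finding in analyze(SAMPLE_EVENTS):
        print(audit_id, finding)
```

Running it reports four findings: the cluster-admin binding (e1), the docker socket mount and the privileged container (both e2), and the LoadBalancer dashboard Service (e3); the benign Deployment and the read-only `get` event produce nothing. A production detector would additionally resolve `patch` bodies against the stored object, which this example skips.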
Getting Started with Defender for Containers
To get started:
- Enable the Defender for Containers plan on each subscription you want covered (in the Azure portal: Microsoft Defender for Cloud > Environment settings > the subscription > Defender plans), then confirm the plan components you need, such as the sensor, agentless discovery, and registry scanning, are switched on.
- Review the Containers support matrix for information on feature availability and release state in each cloud.
- Explore the common questions about Defender for Containers.
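For teams that enable plans from automation rather than the portal, here is an added example (not from the page and not Microsoft's tooling) that turns the Containers plan on through the Azure Resource Manager REST API. The plan is the `Microsoft.Security/pricings/Containers` resource of a subscription; `pricingTier` is `Standard` when the plan is on and `Free` when it is off, and the response lists plan components as `extensions`. The bearer token is assumed to come from elsewhere (for instance `az account get-access-token`); the extension names in the sample response are illustrative, not a complete or authoritative list.

```python
"""Enable Defender for Containers on a subscription via the ARM REST API.

Added example, not part of the page or of Microsoft's tooling. Only
enable_defender_for_containers() talks to the network; the builder and
response checks can be exercised offline against SAMPLE_RESPONSE.
"""
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2023-01-01"  # Microsoft.Security/pricings API version used here


def build_enable_request(subscription_id: str, tier: str = "Standard"):
    """Return (method, url, body) that sets the Containers plan tier.

    "Standard" enables the plan, "Free" disables it; any other value is rejected
    before a request is built.
    """
    if tier not in ("Standard", "Free"):
        raise ValueError("pricingTier must be Standard or Free")
    url = (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
           f"/pricings/Containers?api-version={API_VERSION}")
    body = {"properties": {"pricingTier": tier}}
    return "PUT", url, body


def plan_enabled(pricing: dict) -> bool:
    """True when a pricings GET/PUT response shows the Standard tier."""
    return pricing.get("properties", {}).get("pricingTier") == "Standard"


def disabled_extensions(pricing: dict) -> list:
    """Plan components the response reports as not enabled.

    The API returns isEnabled as the strings "True"/"False"; booleans are also
    accepted here so a hand-built dict behaves the same way.
    """
    return [e["name"] for e in pricing.get("properties", {}).get("extensions", [])
            if str(e.get("isEnabled", "")).lower() != "true"]


def enable_defender_for_containers(subscription_id: str, token: str) -> dict:
    """Send the PUT and return the parsed response body (network call)."""
    method, url, body = build_enable_request(subscription_id)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed to match the shape of a pricings response; extension names are
# illustrative, not an authoritative list of plan components.
SAMPLE_RESPONSE = {
    "name": "Containers",
    "properties": {
        "pricingTier": "Standard",
        "extensions": [
            {"name": "AgentlessDiscoveryForKubernetes", "isEnabled": "True"},
            {"name": "ContainerRegistriesVulnerabilityAssessments", "isEnabled": "False"},
        ],
    },
}

if __name__ == "__main__":
    method, url, body = build_enable_request("00000000-0000-0000-0000-000000000000")
    print(method, url, json.dumps(body))
    print("enabled:", plan_enabled(SAMPLE_RESPONSE),
          "components still off:", disabled_extensions(SAMPLE_RESPONSE))
```

Checking `disabled_extensions` after the PUT matters because enabling the tier alone does not guarantee every component you rely on is switched on; compare the list against what you expect and turn the rest on in the plan settings. The Azure CLI equivalent of the PUT is `az security pricing create --name Containers --tier standard`.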
By leveraging the comprehensive capabilities of Microsoft Defender for Containers, you can enhance the security of your containerized environments and stay ahead of the evolving threat landscape.
Source: Overview of Container security in Microsoft Defender for Containers