Microsoft Defender for Containers is a comprehensive cloud-native solution designed to improve, monitor, and maintain the security of your containerized assets across multi-cloud and on-premises environments. This article delves into the key capabilities of Defender for Containers and how it can help organizations address the evolving security challenges surrounding container-based solutions.

Core Elements of Defender for Containers

Defender for Containers assists you with four core domains of container security:

1. Security Posture Management

Defender for Containers provides a range of agentless capabilities to help you manage the security posture of your container environments:

  • Agentless discovery for Kubernetes: Discover your Kubernetes clusters, configurations, and deployments without any additional footprint.
  • Agentless vulnerability assessment: Assess vulnerabilities in container images, including registry and runtime recommendations, quick scans, and exploitability insights.
  • Comprehensive inventory capabilities: Explore and monitor your container resources, pods, services, repositories, and configurations through the Defender for Cloud security explorer.
  • Enhanced risk-hunting: Empower security teams to actively hunt for posture issues in containerized assets using queries, built-in insights, and the security explorer.
  • Control plane hardening: Continuously assess your Kubernetes cluster configurations and generate security recommendations to investigate and remediate any misconfigurations.

Defender for Containers also offers sensor-based capabilities, such as binary drift detection and Kubernetes data plane hardening, to further strengthen your container security posture.

2. Vulnerability Assessment

Defender for Containers provides agentless vulnerability assessment for container images hosted in Azure Container Registry (ACR), Amazon ECR, Google Artifact Registry, and Google Container Registry. This includes registry and runtime recommendations, remediation guidance, quick scans of new images, and exploitability insights.

The vulnerability information is integrated into the Defender for Cloud security graph, enabling contextual risk assessment, attack path calculation, and enhanced security hunting capabilities.

3. Run-time Threat Protection

Defender for Containers offers real-time threat protection for Kubernetes clusters, nodes, and workloads. This includes sensor-based coverage as well as agentless analysis of Kubernetes audit logs to detect suspicious activities such as exposed dashboards, high-privilege role creations, and sensitive mount configurations.

The threat detection capabilities are powered by Microsoft’s leading threat intelligence and mapped to the MITRE ATT&CK® matrix for Containers, providing valuable context for understanding and responding to threats.
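The audit-log analysis described above, as an added illustration that is not Defender for Containers' own detection logic: it assumes Kubernetes audit events in the standard audit.k8s.io Event shape, recorded at a level that includes requestObject, and runs over constructed sample events to flag high-privilege role bindings, sensitive hostPath mounts, and an externally exposed dashboard service.

```python
import json

# Constructed sample audit events in the standard audit.k8s.io Event shape
# (one JSON object per line); these are not real Defender data.
SAMPLE_AUDIT_LOG = """
{"verb":"create","user":{"username":"dev-bob"},"objectRef":{"resource":"clusterrolebindings","name":"bob-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}}}
{"verb":"create","user":{"username":"ci-bot"},"objectRef":{"resource":"pods","namespace":"build","name":"runner"},"requestObject":{"spec":{"volumes":[{"name":"sock","hostPath":{"path":"/var/run/docker.sock"}}]}}}
{"verb":"create","user":{"username":"ops"},"objectRef":{"resource":"services","namespace":"kubernetes-dashboard","name":"kubernetes-dashboard"},"requestObject":{"spec":{"type":"LoadBalancer"}}}
{"verb":"get","user":{"username":"dev-bob"},"objectRef":{"resource":"pods","namespace":"default","name":"web"}}
{"verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"rolebindings","namespace":"team-a","name":"viewers"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"view"}}}
"""

HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin"}  # assumed watch-list
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet")


def is_sensitive_path(path):
    """True for the host root or any path at or under a sensitive prefix."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def find_suspicious(audit_text):
    """Return (reason, username, detail) tuples for creations worth triage."""
    findings = []
    for line in audit_text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("verb") != "create":
            continue  # the three checks below only concern newly created objects
        ref = ev.get("objectRef", {})
        obj = ev.get("requestObject", {})
        user = ev.get("user", {}).get("username", "?")
        ns = ref.get("namespace", "")
        name = ref.get("name", "")
        resource = ref.get("resource")
        if resource in ("clusterrolebindings", "rolebindings"):
            role = obj.get("roleRef", {}).get("name", "")
            if role in HIGH_PRIVILEGE_ROLES:
                findings.append(("high-privilege role binding", user, f"{name} -> {role}"))
        elif resource == "pods":
            for vol in obj.get("spec", {}).get("volumes", []):
                path = vol.get("hostPath", {}).get("path")
                if path and is_sensitive_path(path):
                    findings.append(("sensitive hostPath mount", user, f"{ns}/{name}:{path}"))
        elif resource == "services" and ns == "kubernetes-dashboard":
            if obj.get("spec", {}).get("type") in ("LoadBalancer", "NodePort"):
                findings.append(("dashboard exposed outside cluster", user, f"{ns}/{name}"))
    return findings
```

The "get" event and the namespaced "view" binding produce no finding, so only the three risky creations surface for triage.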

4. Deployment and Monitoring

Defender for Containers simplifies the deployment and management of container security capabilities. It monitors your Kubernetes clusters for missing sensors and provides frictionless at-scale deployment of sensor-based protections. It also supports integration with standard Kubernetes monitoring tools and helps manage unmonitored resources.

Getting Started with Defender for Containers

Microsoft Defender for Containers is generally available, with certain features in preview. To get started, you can:

By leveraging the comprehensive capabilities of Defender for Containers, organizations can strengthen the security of their container-based solutions and stay ahead of the evolving threat landscape.

Source: Overview of Container security in Microsoft Defender for Containers