Prisma Cloud's anti-malware function has evolved (WildFire integration is now possible)

One factor to consider in container security is how to prevent malicious images from being used. Because of the nature of containers, images hosted in public registries such as Docker Hub can be pulled and run with very little friction, so screening them becomes an important consideration. This time, we would like to introduce a noteworthy update from June 2021 regarding the anti-malware function provided by Prisma Cloud.

Necessity of anti-malware function in container security

As mentioned above, container images obtained from public registries such as Docker Hub may contain threats such as cryptominers and malware. Palo Alto Networks' Unit 42 announced that it had found 30 malicious cryptojacking images that had been downloaded more than 20 million times. (Article: https://unit42.paloaltonetworks.jp/malicious-cryptojacking-images/)

Image: Quoted from https://unit42.paloaltonetworks.jp/malicious-cryptojacking-images/

Prisma Cloud has long been able to detect and protect against malware in container images by matching file hashes against threat intelligence feeds. This capability has now been strengthened further through WildFire integration.

Advantages of enabling WildFire integration

WildFire is a technology that Palo Alto Networks has long offered in conjunction with its next-generation firewall and other products; it can detect and defend against unknown malware that uses zero-day exploits and advanced evasion techniques.

Now that Prisma Cloud's anti-malware functionality is natively integrated with WildFire, even more sophisticated malicious images, including those containing unknown malware, can be detected. A further advantage is that zero-day malware first detected by other Palo Alto Networks products around the world, such as next-generation firewalls (NGFW) and Cortex XDR, can also be detected in Prisma Cloud through WildFire.

Two points where WildFire works

Analysis by WildFire is performed at two points: execution in the local/CI pipeline and execution at runtime.

  • Execution in the local/CI pipeline
    For local/CI pipeline execution, the twistcli command line tool, which has been available for some time, is used. Files whose hashes are already known to Palo Alto Networks are checked locally in near real time, while files with unknown hashes are submitted for advanced malware analysis, including sandbox techniques, to identify unknown malware. As a result, even unknown malware can be detected in the CI pipeline and prevented from being deployed as-is.
  • Execution at runtime
    WildFire also detects unknown malware in running containers through runtime protection. If malware is downloaded to the filesystem of a running container, its execution is blocked and forensic data is captured automatically. Likewise, even if a container that already contains malware is started, the threat can be detected automatically and an investigation initiated.
Image: Two points where WildFire works. Taken from https://www.paloaltonetworks.com/blog/prisma-cloud/prisma-cloud-and-wildfire-integration/
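To make the two-tier logic described above concrete (hash-based matching against a feed of known-bad hashes for the local check, with anything executable but unknown handed off for deeper analysis), here is an added example written for this article. It is not Prisma Cloud, twistcli or WildFire code, and it does not talk to any Palo Alto Networks service; it walks a single in-memory image layer tar, hashes every regular file, blocks files whose SHA-256 appears in a constructed local feed, and queues unknown executables for a sandbox-style analysis step that a real pipeline would implement with its scanner. The layer contents, the known-bad hash list and all paths are constructed for the example.

```python
"""Hash-gated image layer check (constructed example, not vendor code).

Tier 1: block files whose SHA-256 is in a local known-bad feed.
Tier 2: queue executables with unknown hashes for deeper (sandbox) analysis.
"""
import hashlib
import io
import tarfile
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"

# Constructed sample: a launcher script for a cryptominer. Its hash plays the
# role of an entry already present in a threat-intelligence feed.
MINER_SCRIPT = b"#!/bin/sh\nexec /usr/local/bin/xmrig -o pool.example --donate-level 0\n"
KNOWN_BAD_HASHES = {
    hashlib.sha256(MINER_SCRIPT).hexdigest(): "constructed-cryptominer-launcher",
}


@dataclass
class Verdict:
    blocked: dict = field(default_factory=dict)        # path -> feed label
    sandbox_queue: list = field(default_factory=list)  # (path, sha256) of unknown executables
    clean: list = field(default_factory=list)          # paths with no finding

    @property
    def should_fail_build(self) -> bool:
        # A known-bad hit is enough to stop the deployment in CI.
        return bool(self.blocked)


def sha256_of(fileobj) -> str:
    """Stream-hash a file object so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def is_executable(member: tarfile.TarInfo, head: bytes) -> bool:
    """Executable bit, ELF header or shebang: anything a container could run."""
    return bool(member.mode & 0o111) or head.startswith(ELF_MAGIC) or head.startswith(b"#!")


def scan_layer(layer_tar: bytes, known_bad=KNOWN_BAD_HASHES) -> Verdict:
    """Classify every regular file in one image layer tar."""
    verdict = Verdict()
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            f = tar.extractfile(member)
            head = f.read(4)
            f.seek(0)
            digest = sha256_of(f)
            if digest in known_bad:
                verdict.blocked[member.name] = known_bad[digest]
            elif is_executable(member, head):
                verdict.sandbox_queue.append((member.name, digest))
            else:
                verdict.clean.append(member.name)
    return verdict


def build_layer(files) -> bytes:
    """Build an in-memory tar layer from (path, bytes, mode) tuples (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data, mode in files:
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed layer: a config file, the known-bad launcher, and an unknown
# executable whose first bytes look like an ELF header (not a real binary).
SAMPLE_LAYER = build_layer([
    ("etc/app.conf", b"listen=8080\n", 0o644),
    ("usr/local/bin/start.sh", MINER_SCRIPT, 0o755),
    ("usr/local/bin/helper", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13 + b"constructed-not-a-real-binary", 0o755),
])

if __name__ == "__main__":
    v = scan_layer(SAMPLE_LAYER)
    print("blocked:", v.blocked)
    print("queued for sandbox analysis:", v.sandbox_queue)
    print("clean:", v.clean)
    print("fail build:", v.should_fail_build)
```

The point of the split is the one the article makes: the local hash check is cheap and answers immediately for anything the feed already knows, while the expensive analysis is reserved for executables the feed has never seen. Passing an empty feed to `scan_layer` shows the failure mode of hash-only detection: the miner launcher is no longer blocked and merely ends up in the sandbox queue, which is exactly the gap the deeper analysis tier is there to close.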

Summary

With this WildFire integration, the anti-malware function can now detect not only known but also unknown malware with high accuracy. I believe this is one of the strengths and innovations of Prisma Cloud, provided by Palo Alto Networks, a comprehensive security vendor with a proven track record. If you are considering container security and are also interested in malware detection for container images and running containers, please feel free to contact us.

Inquiry/Document request

Macnica DevOps team

Mon-Fri 8:45-17:30