Introduction to Microsoft Defender for Containers - Microsoft Defender for Cloud (original) (raw)
Microsoft Defender for Containers is a cloud-native solution that enhances, monitors, and maintains the security of your containerized assets. These assets include Kubernetes clusters, nodes, workloads, registries, images, and more. It protects applications across multicloud and on-premises environments.
Defender for Containers helps you with five core domains of container security:
- Security posture management runs continuous monitoring of cloud APIs, Kubernetes APIs, and Kubernetes workloads. It discovers cloud resources, provides comprehensive inventory capabilities, detects misconfigurations with mitigation guidelines, provides contextual risk assessment, and empowers users to perform enhanced risk hunting capabilities through the Defender for Cloud security explorer.
- Vulnerability assessment - performs agentless vulnerability assessment of container registry images, running containers, and supported Kubernetes nodes with remediation guidelines, zero configuration, daily re-scans, coverage for OS and language packages, and exploitability insights. The vulnerability findings artifact is signed with a Microsoft certificate for integrity and authenticity and is associated with the container image in the registry for validation needs.
- Run-time threat protection - a rich threat detection suite for Kubernetes clusters, nodes, and workloads, powered by Microsoft leading threat intelligence, provides mapping to MITRE ATT&CK framework for easy understanding of risk and relevant context, and automated response. Security operators can also investigate and respond to threats to Kubernetes services through the Microsoft Defender XDR portal.
- Containers software supply chain protection - strengthens your software supply chain by embedding security checks from build to deployment. This includes the Microsoft Defender for Cloud CLI, which empowers developers to scan container images for vulnerabilities and misconfigurations directly within CI/CD pipelines (such as GitHub Actions or Azure Pipelines) or local development environments. By shifting security to the left, findings are surfaced early, allowing for remediation before images are pushed to a registry. The solution also signs vulnerability artifacts with Microsoft certificates to ensure integrity and authenticity, associating them with images for validation. You can enforce organizational security policies by creating rules that block risky images and assess deployments against these rules, preventing the introduction of vulnerabilities into your environments. For more information, see Gated deployment for Kubernetes container images.
- Deployment & monitoring - Monitors your Kubernetes clusters for missing sensors and provides frictionless at-scale deployment for sensor-based capabilities, support for standard Kubernetes monitoring tools, and management of unmonitored resources.
You can learn more by watching this video from the Defender for Cloud in the Field video series: Microsoft Defender for Containers.
Defender for Containers provides the following core capabilities:
- Security posture management: Continuously monitors cloud APIs, Kubernetes APIs, and Kubernetes workloads to discover resources, detect misconfigurations, and surface security recommendations with mitigation guidance. Posture data is available through inventory views, recommendations, and Security Explorer for risk investigation and hunting.
- Vulnerability assessment: Performs agentless vulnerability assessment of container registry images, running containers, and supported Kubernetes nodes. Findings include remediation guidance, exploitability insights, and integration with the cloud security graph for contextual risk analysis.
- Run-time threat protection: Detects suspicious activity in Kubernetes clusters, nodes, and workloads using Kubernetes-aware analytics and threat intelligence. Alerts are mapped to the MITRE ATT&CK® framework for Containers and can be investigated through Microsoft Defender XDR.
- Software supply chain protection: Helps reduce the risk of deploying vulnerable images by scanning container images and associating vulnerability assessment findings with images in the registry. These findings can be used by other Defender for Containers capabilities, such as gated deployments for Kubernetes.
- Deployment & monitoring: Supports at-scale deployment and monitoring of Defender components, including visibility into Kubernetes clusters that are missing sensors or not fully protected.
Security posture management
Agentless capabilities
- Agentless discovery for Kubernetes - provides zero footprint, API-based discovery of your Kubernetes clusters, configurations, and deployments.
- Agentless vulnerability assessment - provides vulnerability assessment for cluster nodes and for all container images, including recommendations for registry and runtime, quick scans of new images, daily refresh of results, exploitability insights, and more. Vulnerability information is added to the security graph for contextual risk assessment and calculation of attack paths, and hunting capabilities.
- Comprehensive inventory capabilities - enables you to explore resources, pods, services, repositories, images, and configurations through security explorer to easily monitor and manage your assets.
- Enhanced risk-hunting - enables security admins to actively hunt for posture issues in their containerized assets through queries (built-in and custom) and security insights in the security explorer
- Control plane hardening - continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. The recommendations let you investigate and remediate issues.
You can use the resource filter to review the outstanding recommendations for your container-related resources, whether in asset inventory or the recommendations page:
For details included with this capability, review container recommendations, and look for recommendations with type "Control plane"
Sensor-based capabilities
Antimalware - Defender for Containers provides a sensor-based capability that detects and alerts you to malicious activities within containers. This helps in identifying and mitigating potential security threats proactively. For more information, see Antimalware protection.
DNS detection - Defender for Containers provides a sensor-based capability that detects suspicious DNS activity from container workloads to help identify network-based threats. For runtime protection availability by cloud, see Runtime protection features.
Binary drift detection - Defender for Containers provides a sensor-based capability that alerts you about potential security threats by detecting unauthorized external processes within containers. You can define drift policies to specify conditions under which alerts should be generated, helping you distinguish between legitimate activities and potential threats. For more information, see Binary drift protection.
Binary drift blocking - Defender for Containers provides a sensor-based capability that blocks unauthorized external processes within containers. You can define drift policies to specify conditions under which processes should be blocked, helping you prevent potential security threats. For more information, see Binary drift protection.
Kubernetes data plane hardening - To protect the workloads of your Kubernetes containers with best practice recommendations, you can install the Azure Policy for Kubernetes. Learn more about monitoring components for Defender for Cloud.
With the policies defined for your Kubernetes cluster, every request to the Kubernetes API server is monitored against the predefined set of best practices before being persisted to the cluster. You can then configure it to enforce the best practices and mandate them for future workloads.
For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so are blocked.
You can learn more about Kubernetes data plane hardening.
Vulnerability assessment
Defender for Containers scans the cluster node OS and application software, container images in Azure Container Registry (ACR), Amazon AWS Elastic Container Registry (ECR), Google Artifact Registry (GAR), Google Container Registry (GCR), and supported external image registries to provide agentless vulnerability assessment.
Now for public preview in multicloud environments, Defender for Containers also performs a daily scan of all running containers to provide an updated vulnerability assessment, agnostic to the container's image registry.
Vulnerability information powered by Microsoft Defender Vulnerability Management is added to the cloud security graph for contextual risk, calculation of attack paths, and hunting capabilities.
Learn more about vulnerability assessments for Defender for Containers supported environments, including vulnerability assessment for cluster nodes.
Run-time protection for Kubernetes nodes and clusters
Defender for Containers provides real-time threat protection for supported containerized environments and generates alerts for suspicious activities. You can use this information to quickly remediate security issues and improve the security of your containers.
Threat protection is provided for Kubernetes at the cluster, node, and workload levels. Both sensor-based coverage that requires the Defender sensor and agentless coverage based on analysis of the Kubernetes audit logs are used to detect threats. Security alerts are only triggered for actions and deployments that occur after you enable Defender for Containers on your subscription.
Runtime detection examples
Examples of security events that Microsoft Defender for Containers monitors include:
- Exposed Kubernetes dashboards
- Exposed Kubernetes service detected (when a Kubernetes Service of type
LoadBalanceris created or updated and publicly exposes workloads) - Creation of high privileged roles
- Creation of sensitive mounts
Prioritize exposure alerts when internet-facing access is unintended or when the exposed service has weak or missing authentication.
For more information about alerts detected by Defender for Containers, including an alert simulation tool, see alerts for Kubernetes clusters.
Defender for Containers includes threat detection with over 60 Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload.
Defender for Cloud monitors the attack surface of multicloud Kubernetes deployments based on the MITRE ATT&CK® matrix for Containers, a framework developed by the Center for Threat-Informed Defense in close partnership with Microsoft.
Defender for Cloud is integrated with Microsoft Defender XDR. When Defender for Containers is enabled, security operators can use Defender XDR to investigate and respond to security issues in supported Kubernetes services.
Microsoft-maintained container images
Defender for Containers deploys container images that are maintained and updated by Microsoft as part of the runtime protection components. These images are published to Microsoft Container Registry (MCR).
Customers don't modify or patch these images directly. Microsoft maintains and updates them as part of the Defender for Containers release process.
The following images are used by Defender for Containers runtime protection components:
| Image | Purpose | MCR path |
|---|---|---|
| security-publisher | Publishes security findings collected from Kubernetes environments | mcr.microsoft.com/azuredefender/stable/security-publisher |
| low-level-collector | Collects low-level runtime telemetry from Kubernetes nodes | mcr.microsoft.com/azuredefender/stable/low-level-collector |
| pod-collector | Collects Kubernetes pod runtime data used for threat detection | mcr.microsoft.com/azuredefender/stable/pod-collector |
| anti-malware-collector | Collects malware detection signals for container workloads | mcr.microsoft.com/azuredefender/stable/anti-malware-collector |
| old-file-cleaner | Cleans up temporary and stale files as part of initialization workflows | mcr.microsoft.com/azuredefender/stable/old-file-cleaner |
| audit-logs-enabler | Enables audit log collection for supported environments (for example, on-premises clusters) | mcr.microsoft.com/azuredefender/stable/audit-logs-enabler |
| defender-admission-controller | Enforces runtime gating policies for Kubernetes workloads | mcr.microsoft.com/mdc/prd/defender-admission-controller |
Updates are delivered through the deployment mechanism used by your environment. For example:
- When deployed using the AKS add-on, updates are delivered through the AKS release lifecycle.
- When deployed using Helm, updates are released within 30 days through updated chart versions.
If you detect a vulnerability in a Microsoft-maintained Defender image, open an Azure support request and include the image name, tag, and CVE identifier.
Learn more
Learn more about Defender for Containers in the following blogs:
Next steps
In this overview, you learned about the core elements of container security in Microsoft Defender for Cloud. To enable the plan, see: