Runtime Defense

The underlying engines, or runtimes, that power applications are subject to detailed investigation by Prisma Cloud Compute.

Container Defender. From the container perspective, the runtime might have more facets than initially thought. For example, sometimes very unwelcome (privileged) interactions occur between a host machine's kernel and any running containers that need to be closely monitored. This type of Defender is also responsible for scanning the images in your container image registry. Note that a Container Defender via the host machine's kernel monitors the host for you so that no Host Defender is required. As a result, if you're using a managed Kubernetes service like the Elastic Kubernetes Service (EKS) on AWS, for example, a Container Defender will additionally scan the host operating system (OS) on the nodes that are running the Console.

Host Defender. As you'd expect in the main filesystem access, RAM and all OS and hardware interactions are picked up at high levels of detail. This relatively new addition to the feature list means that you can dutifully check for any issues on each machine on your estate that isn't running Docker directly.

Serverless Defender. I'll look at this Defender in action a little later when using AWS Lambda functions. Take note that this type of Defender interacts with the Console noticeably differently from the other Defender types. Unlike Container Defenders and Host Defenders, the runtime protection for serverless functions is separate from the vulnerabilities and compliance configuration. You might even say that the runtime protection is deployed at arms length so it is distinctly different from the other types of protection. In this article, I look at how to set up all three serverless protection modes.

Vulnerability Management

Across all three Defender types, the ability to monitor which vulnerabilities are present is a key part of securing an estate. Common Vulnerabilities and Exploits (CVEs) [3] are the most popular way of listing, publishing, and categorizing security bugs. Within Prisma Cloud Compute, you can configure alert thresholds to filter out unwanted noise from logging data. For example, you might want to receive alerts only for High and Critical grades of vulnerability and ignore those listed as Low and Medium grades.

Compliance

The venerable Prisma Cloud Compute comes with a number of built-in compliance frameworks, including the National Institute of Standards and Technology (NIST), Payment Card Industry (PCI), and Center for Internet Security (CIS) benchmarks. As well as saving lots of time going through relatively tedious rule configuration, you can fine tune a template of compliance rules to suit your bespoke needs once it has been applied. The security suite's Compliance feature has been officially certified by my favorite benchmark, CIS [4], which are consensus-based, industry-respected guides detailing what you would be wise to attend to when it comes to security.