|
1 | 1 | == Runtime defense for containers |
2 | 2 |
|
3 | | -Runtime defense is the set of features that provide both predictive and threat based active protection for running containers. |
| 3 | +Runtime defense is the set of features that provide both predictive and threat-based active protection for running containers. |
4 | 4 | For example, predictive protection includes capabilities like determining when a container runs a process not included in the origin image or creates an unexpected network socket. |
5 | | -Threat based protection includes capabilities like detecting when malware is added to a container or when a container connects to a botnet. |
| 5 | +Threat-based protection includes capabilities like detecting when malware is added to a container or when a container connects to a botnet. |
6 | 6 |
|
7 | | -Prisma Cloud introduced runtime defense all the way back in our 1.1 release. |
8 | | -In releases since then, we’ve continuously added to the feature set. |
9 | | -This article describes the current architecture. |
10 | 7 |
|
11 | | -Prisma Cloud has distinct sensors for file system, network, and process activity. |
| 8 | +Prisma Cloud Compute has distinct sensors for file system, network, and process activity. |
12 | 9 | Each sensor is implemented individually, with its own set of rules and alerting. |
13 | | -The runtime defense architecture is unified to both simplify the admin experience and to show more detail about what Prisma Cloud automatically learns from each image. |
| 10 | +The runtime defense architecture is unified to both simplify the administrator experience and to show more detail about what Prisma Cloud automatically learns from each image. |
14 | 11 | Runtime defense has two principle object types: models and rules. |
15 | 12 |
|
16 | 13 |
|
17 | 14 | === Container Models |
18 | 15 |
|
19 | 16 | Models are the results of the autonomous learning that Prisma Cloud performs every time we see a new image in an environment. |
20 | | -A model is the ‘allow list’ for what a given image should be doing, across all runtime sensors. |
| 17 | +A model is the ‘allow list’ for what a given container image should be doing, across all runtime sensors. |
21 | 18 | Models are automatically created and maintained by Prisma Cloud and provide an easy way for administrators to view and understand what Prisma Cloud has learned about their images. |
22 | 19 | For example, a model for an Apache image would detail the specific processes that should run within containers derived from the image and what network sockets should be exposed. |
23 | 20 |
|
24 | 21 | Navigate to *Monitor > Runtime > Container Models*. |
25 | | -Click on the image to view it’s model. |
| 22 | +Click on the image to view the model. |
26 | 23 |
|
27 | 24 | There is a 1:1 relationship between models and images; every image has a model and every model applies to a single unique image. |
28 | 25 | For each image, a unique model is created and mapped to the image digest. |
@@ -96,9 +93,9 @@ This automatic switching only happens during the first 24 hours of model initiat |
96 | 93 |
|
97 | 94 | === Archived mode |
98 | 95 |
|
99 | | -Archived mode is a phase that models are transitioned into after no containers are actively running them. |
100 | | -Models persist in archived mode for 24 hours after being archived, after which point they’re automatically removed by an internally managed garbage collection process. |
101 | | -Archived mode essentially acts a 'recycle bin' for models, ensuring that a given image does not need go through learning mode again if it frequently starts and stops while also ensuring that the list of models does not continuously grow over time. |
| 96 | +Archived mode is a phase that models are transitioned into when a container is no longer actively running them. |
| 97 | +Models persist in archived mode for 24 hours after being archived, after which point they’re automatically removed. |
| 98 | +Archived mode serves as a 'recycle bin' for models, ensuring that a given image does not need go through learning mode again if it frequently starts and stops while also ensuring that the list of models does not continuously grow over time. |
102 | 99 |
|
103 | 100 | Models display all the learned data across each of the runtime sensors to make it easy to understand exactly what Prisma Cloud has learned about an image and how it will protect it. |
104 | 101 | However, what if you need to customize the protection for a given image, set of images, or containers? |
@@ -131,8 +128,8 @@ By default, Prisma Cloud has a single rule that says 'use the models'. |
131 | 128 | As with every other subsystem in Prisma Cloud, you can customize how it works by creating rules, scoping the rules to the desired objects with filtering and pattern matching, and then xref:../configure/rule_ordering_pattern_matching.adoc[properly ordering the rules] in the policy. |
132 | 129 | Rules are evaluated sequentially from top to bottom. |
133 | 130 | Once a match is found for the scope, the actions in the rule are executed and enforced. |
134 | | -Only a single rule is ever enforced for a given event |
135 | | -While rules are combined with models as described above, rules themselves are never combined. |
| 131 | +Only a single rule is ever enforced for a given event. |
| 132 | +While rules work in conjunction with models as described above, rules themselves are never combined. |
136 | 133 |
|
137 | 134 | Prisma Cloud ships with a rule named *Default - alert on suspicious runtime behavior* that enables runtime protection for containers by default. |
138 | 135 | You can further refine your policy by creating additional custom rules that target specific resources, enable or disable protection features, and define exceptions to the automatically generated allow-list models. |
|
0 commit comments