
Microsoft Defender for Cloud Blog

Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization

tspivak, Microsoft
Dec 04, 2024

As Kubernetes (K8s) continues to power modern containerized applications, the complexity of managing and securing these environments grows exponentially. The challenges in monitoring K8s environments stem not only from their dynamic nature but also from their unique structure: each K8s cluster operates as its own ecosystem, complete with its own control plane for authorization, networking, and resource management. This makes it fundamentally different from traditional cloud environments, where security practitioners often have established expertise and tools for managing the cloud control plane. The specialized nature of K8s environments limits the visibility and control available to many security teams, resulting in blind spots that increase the risk of misconfigurations, compliance gaps, and potential attack paths. Gaining comprehensive visibility into the posture state of K8s workloads is essential for addressing these gaps and ensuring a secure, resilient infrastructure.

Key benefits

By further expanding its agentless container posture approach, Defender for Cloud delivers the following key benefits:

  1. Enhanced risk management: improved prioritization through additional security insights, networking information, K8s RBAC, and image evaluation status, ensuring the most critical issues can be addressed first.
  2. Proactive security posture: gain comprehensive insights and prevent lateral movement within Kubernetes clusters, helping to identify and mitigate threats before they cause harm.
  3. Comprehensive compliance and governance: achieve full transparency into software usage and Kubernetes RBAC configurations to meet compliance requirements and adhere to industry standards.

Release features overview:

Enhanced K8s workload modeling

To ensure customers can better focus on security findings, and avoid reviewing stale information, Defender for Cloud now models K8s workloads in the security graph based on their configuration (K8s specification) rather than runtime assets. This improvement avoids refresh-rate discrepancies, providing a more accurate and streamlined view of your K8s workloads, with single security findings for all identical containers within the same workload.

New Security Insights for Containers and Pods

Security teams that use the security explorer to proactively identify security risks in their multicloud environments now get even better visibility with additional security insights for containers and pods, including privileged containers, sensitive mounts, and more.

For example, security practitioners can use the security explorer to find all containers that are vulnerable to remote code execution, are exposed to the internet, and use sensitive host mounts. They can then eliminate the misconfigurations and vulnerabilities before a potential attacker abuses them to attack the container remotely and break out into the host through the sensitive host mount.

Figure 1: exposed container with remote code execution vulnerabilities and sensitive mounts
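The privileged-container and sensitive-mount insights, evaluated against the workload specification rather than running pods, can be illustrated with the following added example. It is not Defender for Cloud's code; the manifest is constructed and the list of sensitive host paths is an assumption chosen for illustration.

```python
# Added example. The manifest is constructed, and SENSITIVE_HOST_PATHS is an
# illustrative assumption, not Defender for Cloud's rule set.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/var/run/docker.sock", "/var/lib/kubelet")

def is_sensitive(path):
    """True for the host root, a listed path, or anything beneath a listed path."""
    path = path.rstrip("/") or "/"
    return path == "/" or any(
        path == s or path.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)

def container_insights(workload):
    """Evaluate the pod template once, so N replicas yield one finding per container."""
    spec = workload["spec"]["template"]["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        insights = []
        if c.get("securityContext", {}).get("privileged") is True:
            insights.append("privileged")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            if path is not None and is_sensitive(path):
                insights.append("sensitive-mount:" + path)
        if insights:
            findings.append({
                "workload": workload["kind"] + "/" + workload["metadata"]["name"],
                "container": c["name"], "insights": insights})
    return findings

# Constructed sample: 3 replicas, one risky container, one benign sidecar.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "web"},
    "spec": {"replicas": 3, "template": {"spec": {
        "volumes": [
            {"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}},
            {"name": "cache", "hostPath": {"path": "/data/cache"}},
            {"name": "tmp", "emptyDir": {}}],
        "containers": [
            {"name": "app", "securityContext": {"privileged": True},
             "volumeMounts": [{"name": "sock", "mountPath": "/var/run/docker.sock"},
                              {"name": "tmp", "mountPath": "/tmp"}]},
            {"name": "sidecar",
             "volumeMounts": [{"name": "cache", "mountPath": "/cache"}]}]}}},
}

if __name__ == "__main__":
    for finding in container_insights(SAMPLE_DEPLOYMENT):
        print(finding)
```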

Extended K8s Networking Information

To enable customers to query the security graph based on additional characteristics of K8s networking and better understand exposure details for K8s workloads, Defender for Cloud now offers extended data collection for both K8s ingresses and services. This feature also includes new properties such as service port and service selectors.

 

The following figure shows all new networking criteria that customers can now use to query for K8s networking configuration:

Figure 2: new query criteria for K8s networking

The following figure shows detailed exposure information on a K8s workload exposed to the internet:

Figure 3: detailed exposure information for exposed workloads

Enhanced image discovery

Customers can now gain complete visibility into all images used in their environments using the security explorer, including images from all supported registries and any image running in K8s, regardless of whether the image is scanned for vulnerabilities, with extended information per image.

Here are a few examples of important use cases that customers can detect and act on through a single query in the security explorer:

 

  1. Detect usage of images from unmonitored registries:

Figure 4: images deployed directly from an unscanned Docker registry

  2. Check the presence of a specific image in the environment:

Figure 5: search for an image with a specific digest

  3. Trace all images not evaluated for vulnerabilities:

Figure 6: all images not assessed for vulnerabilities

K8s RBAC in the security graph

The addition of K8s RBAC into the security graph serves two main purposes:

  1. Security practitioners gain easy visibility into K8s service accounts, their permissions, and their bindings with K8s workloads, without prior expertise, and can hunt for service accounts that do not meet security best practices.

The following example shows a service account that has full cluster permissions:

Figure 7: example of service account cluster admin permissions on cluster level

  2. The security graph contextual analysis uses the K8s RBAC to identify lateral movement internally within K8s, from K8s to other cloud resources, and from the cloud to K8s.

The following example shows an attack path starting from a container exposed to the internet with a vulnerability that can be remotely exploited. It also has access to a managed identity allowing the attacker to move all the way to a critical storage account:

Figure 8: attack path from a vulnerable exposed container to a critical storage account
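The relationship the graph models here (role, binding, service account, workload) can be traced by hand over exported RBAC objects, as in this added example. It is not Defender for Cloud's code, and all objects and names in it are constructed.

```python
# Added example over constructed RBAC objects; not Defender for Cloud output.
def is_wildcard_role(role):
    """True if a rule grants all verbs on all resources in all API groups."""
    return any("*" in r.get("verbs", []) and "*" in r.get("resources", [])
               and "*" in r.get("apiGroups", []) for r in role.get("rules", []))

def cluster_admin_service_accounts(cluster_roles, bindings):
    """Service accounts bound cluster-wide to a wildcard ClusterRole."""
    risky = {r["metadata"]["name"] for r in cluster_roles if is_wildcard_role(r)}
    return {(s["namespace"], s["name"])
            for b in bindings if b["roleRef"]["name"] in risky
            for s in b.get("subjects") or [] if s["kind"] == "ServiceAccount"}

def workloads_using(accounts, workloads):
    """Pair each over-privileged service account with the workloads running as it."""
    hits = []
    for w in workloads:
        ns = w["metadata"].get("namespace", "default")
        sa = w["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if (ns, sa) in accounts:
            hits.append((ns + "/" + sa, w["kind"] + "/" + w["metadata"]["name"]))
    return sorted(hits)

# Constructed sample objects, trimmed to the fields the checks read.
CLUSTER_ROLES = [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS = [  # ClusterRoleBindings only
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "web", "name": "frontend"}]},
]
WORKLOADS = [
    {"kind": "Deployment", "metadata": {"namespace": "ci", "name": "runner"},
     "spec": {"template": {"spec": {"serviceAccountName": "deployer"}}}},
    {"kind": "Deployment", "metadata": {"namespace": "web", "name": "shop"},
     "spec": {"template": {"spec": {"serviceAccountName": "frontend"}}}},
]

if __name__ == "__main__":
    admins = cluster_admin_service_accounts(CLUSTER_ROLES, BINDINGS)
    print(workloads_using(admins, WORKLOADS))
```

Namespace-scoped RoleBindings and Group subjects such as `system:serviceaccounts` are outside what this example covers.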

Comprehensive Software Inventory for Containers

A detailed software inventory is now available for all container images and containers scanned for vulnerabilities, serving security practitioners and compliance teams in many ways:

  1. Full visibility into all software packages used in container images and containers:

Figure 9: Full software list for images and containers

  2. Query specific software usage across all environments, making it easier to identify risks or ensure compliance. A common example of this use case is a software version affected by a zero-day vulnerability.

For example, following the OpenSSL zero-day vulnerability publication, a security admin can use the following queries to find all instances of container images within the organization using OpenSSL version 3.0, even before a CVE was published:

Figure 10: search for a specific vulnerable OpenSSL version

Critical Asset Protection for K8s

Critical asset protection has been enhanced to cover additional container use cases:

  1. Defender for Cloud customers can now define rules to mark workloads as critical based on their namespace and K8s labels.

The following figure shows how customers can define rules that automatically tag critical workloads based on their K8s labels:

Figure 11: customer defined rules for asset criticality based on K8s labels

  2. Predefined rules allow K8s clusters to be flagged as critical, ensuring prioritized focus during risk assessments.

The following figure shows one of the predefined rules that automatically tags K8s clusters as critical:

Figure 12: Example for predefined K8s cluster criticality rules

 

As with other asset protection features in Defender for Cloud, these updates seamlessly integrate into the risk prioritization, attack path analysis, and security explorer workflows.

The following example shows a critical attack path where the attack target is a critical K8s cluster:

 Figure 13: Critical attack path where the target is a critical K8s cluster

K8s CIS benchmark

Customers who would like to audit their K8s clusters for regulatory compliance using K8s CIS, or enforce security controls that are part of the K8s CIS standard, now benefit from updated K8s CIS standards with broader security controls: K8s CIS 1.5.0 for AKS and EKS, and K8s CIS 1.6.0 for GKE.

To start using the new standards and controls, enable the desired K8s CIS standard through the regulatory compliance dashboard, or via security policies:

Figure 14: Enabling K8s CIS 1.6.0 for GKE

Compliance status can then be monitored via the regulatory compliance dashboard for the relevant K8s CIS standard:

Figure 15: Viewing K8s CIS 1.5.0 compliance status 

Get Started Today

To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Containers or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide.

With these updates, we’re committed to helping you maintain a robust, secure, and scalable cloud-native environment.

Learn More

If you haven’t already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations.

This new release continues to build on the foundation outlined in that post. With “Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.

Updated Dec 04, 2024
Version 3.0