Purpose-built for Kubernetes
Calico Enterprise IDS identifies advanced persistent threats (APTs) through behavior-based detection, combining machine learning with a rule-based engine that enables active monitoring.
Threat Feed Integration
Calico Enterprise ingests threat feeds that identify the IPs of known bad actors such as botnets. Any ingress or egress traffic to those IPs is automatically blocked and can be configured to generate alerts. In addition, traffic to VPNs and Tor exit nodes is blocked and alerted on.
Firewalls often detect and block traffic associated with known bad actors, but they have no visibility into which pod is infected. Calico Enterprise can pinpoint and report the source of malicious traffic.
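The following is an added example, not taken from this page or from the Calico Enterprise documentation, of how a feed-driven block looks in practice: a GlobalThreatFeed pulls an IP list and materializes it as a labeled GlobalNetworkSet, and a GlobalNetworkPolicy denies any flow whose source or destination matches that set. The feed URL, resource names and label values are placeholders, and the field layout follows the projectcalico.org/v3 API as the editor understands it, so treat the exact keys as an assumption to verify against your product version.

```yaml
# Added example (not from the page or the product docs). Field names follow the
# projectcalico.org/v3 API as understood by the editor; verify against your release.
apiVersion: projectcalico.org/v3
kind: GlobalThreatFeed
metadata:
  name: example-botnet-feed            # placeholder name
spec:
  content: IPSet                        # the feed is a list of IP addresses / CIDRs
  pull:
    period: 24h                         # re-fetch the list once a day
    http:
      url: https://threat-feed.example.invalid/botnet-ips.txt   # placeholder URL
  globalNetworkSet:
    labels:
      threat-feed: example-botnet       # label stamped on the generated GlobalNetworkSet
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: block-example-botnet-feed
spec:
  order: 0                              # low order: evaluated before application policies
  selector: all()                       # applies to every workload in the cluster
  types:
    - Ingress
    - Egress
  ingress:
    - action: Deny                      # connections arriving from listed IPs
      source:
        selector: threat-feed == "example-botnet"
    - action: Pass                      # everything else falls through to later policies
  egress:
    - action: Deny                      # connections leaving toward listed IPs
      destination:
        selector: threat-feed == "example-botnet"
    - action: Pass
```

Because the deny rule is evaluated per workload endpoint rather than at the perimeter, the resulting flow log names the specific pod and namespace that attempted the connection, which is the "which pod is infected" detail a perimeter firewall cannot give you.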
Custom Alerts for Known Attacks
Calico Enterprise can alert on unauthorized changes to your cluster and security policies as well as known attack patterns such as domain generation algorithms. Alerts are available out-of-the-box and can be customized or added by your security researchers or ours.
Port scans, IP sweeps, and service byte anomalies can all be indicators that your environment has been compromised and is hosting an advanced persistent threat. Calico Enterprise detects and alerts on that activity and can quarantine those workloads.
Calico Enterprise can also detect and prevent OWASP Top 10 attacks targeting your microservices.
Configure Security for Critical Workloads
A small set of your workloads may have access to sensitive data, and you will want additional detection and alerting in place for those microservices.
Calico Enterprise lets you configure policies and alerts for a subset of your environment that detect and alert on abnormal activity, effectively building a moat around your critical workloads.
Defining your moat is as simple as applying a label and then defining detailed alerts for the workloads that carry it.
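As an added example (editor-written, not from the page or the vendor), here is one way the label-defined moat could be expressed: a GlobalNetworkPolicy selects workloads labeled `data-sensitivity=critical`, allows only explicitly approved clients in, and denies everything else; a GlobalAlert then fires whenever flows into that label are denied, which is exactly the abnormal activity the text describes. The label names, the alert query syntax, the severity and the thresholds are illustrative assumptions rather than documented values.

```yaml
# Added example (not from the page). Label names, query syntax and thresholds are
# assumptions; check the GlobalAlert field reference for your release.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: moat-critical-workloads
spec:
  order: 100
  selector: data-sensitivity == "critical"   # the moat is defined by this label
  types:
    - Ingress
  ingress:
    - action: Allow
      source:
        selector: moat-access == "approved"  # only explicitly approved client pods
    - action: Deny                            # every other source is denied and logged
---
apiVersion: projectcalico.org/v3
kind: GlobalAlert
metadata:
  name: moat-denied-flows
spec:
  description: "Denied connection attempts into the critical-workload moat"
  summary: "Denied flows from ${source_namespace}/${source_name_aggr} to critical workloads"
  severity: 90
  period: 5m                  # how often the alert query is evaluated
  lookback: 10m               # window of flow logs each evaluation examines
  dataSet: flows
  query: action = deny AND dest_labels.labels = "data-sensitivity=critical"
  aggregateBy:
    - source_namespace
    - source_name_aggr        # one alert per offending source, not per flow
  field: num_flows
  metric: sum
  condition: gt
  threshold: 0                # any denied flow at all is worth an alert here
```

The design point is that the moat is a single label: adding a new sensitive service means labeling its pods, and the existing policy and alert cover it with no further configuration. Setting the threshold to zero is deliberate for a moat, where any unexpected connection attempt is significant; for noisier workloads you would raise it.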
Calico Enterprise Honeypods
While inspecting all network data would let you detect attacks, it carries a huge performance penalty. Calico Enterprise uses an elegant approach to identify the traffic that warrants deeper inspection.
Calico Enterprise Honeypods are decoy pods that run in your cluster. All traffic to these pods generates alerts that trigger further inspection of the data.
Once any traffic hits a honeypod, Calico Enterprise captures packets from that traffic and analyzes them for well-known malware signatures using Snort and other tools.
Calico Enterprise Alerts can trigger automated remediation by cutting the rogue microservice off from the network and generating policy recommendations to prevent future attacks.
The quarantined workload can be left running so that your SOC analysts can investigate it.
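The quarantine described above can be implemented as a label-driven policy; the following is an added illustration by the editor, not code from the page or the vendor. A GlobalNetworkPolicy with a very low order number matches any pod labeled `quarantine=true` and denies all of its ingress and egress, so labeling a compromised pod isolates it immediately while the pod itself keeps running. The label name and the order value are assumptions.

```yaml
# Added example (not from the page). The label name and order value are assumptions.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: quarantine
spec:
  order: 1                              # evaluated before application policies, so
                                        # nothing later can re-allow traffic
  selector: quarantine == "true"        # matches only pods that carry this label
  types:
    - Ingress
    - Egress
  ingress:
    - action: Deny                      # nothing may reach the quarantined pod
  egress:
    - action: Deny                      # the pod may not reach anything else
```

To quarantine a pod, label it with `quarantine=true`; removing the label lifts the isolation. Analysts can still inspect the running container with `kubectl exec` and pull its logs, because those paths go through the Kubernetes API server and kubelet rather than the pod network, so the deny-all policy does not interfere with investigation.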
Interested in trying Calico Enterprise IDS for Kubernetes?
Sign up for a free trial or get a demo