• 10 Minutes to Pain - every second counts
• A 90% Safe Supply Chain Isn't Safe Enough
• Attackers are Hiding Among the Clouds
• 65% of Cloud Attacks Target Telcos and FinTech
• Seconds to Detect Threats: collect detection signals from the cloud service provider and cloud security tools within 5 seconds to ensure visibility into ephemeral assets.
• 5 Minutes to Correlate and Triage: automate triage by gathering full context for all correlated signals within 5 minutes of receiving the first relevant alert.
• 5 Minutes to Initiate Response: use the flexibility of the cloud to initiate tactical response actions within 5 minutes of a high-fidelity detection.
  desc: >
    ... shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: >
    A shell was spawned in a container with an attached terminal
    (user=%user.name user_loginuid=%user.loginuid %container.info
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    terminal=%proc.tty container_id=%container.id
    image=%container.image.repository)
  priority: NOTICE
  tags: [container, shell, mitre_execution]
• Rule language improvements: override option
• Testing and stability improvements: increased e2e test coverage, new kernels and Linux distributions
• Performance improvements: Falco joined CNCF's green reviews working group
• Rules maturity framework: stable, incubating, sandbox, deprecated
• Plugins:
  ◦ new plugins: Anomaly Detection, K8S Cluster Metadata, Hashicorp Vault
  ◦ improvements in the plugin API: C++ SDK, Go SDK, more to come
• Falcosidekick - more outputs: Dynatrace, Sumologic, Quickwit, etc.
• falcoctl - now used for downloading drivers
• Falco playground: try and test Falco rules at play.falco.org
  ◦ Standardizing feature adoption and deprecation policies
  ◦ Streamlined configuration and CLI standardization
  ◦ Addressing legacy language inconsistencies and introducing new constructs
  ◦ Introducing advanced metrics
  ◦ Making the modern eBPF probe the default driver
• Distribution
  ◦ Streamlined DEB/RPM packages, following Linux distro best practices
  ◦ Switching to a distroless container image by default
  ◦ Complete supply chain security initiative (i.e. ensuring signatures for all artifacts and an SBOM)
• Falco project on GitHub
• Get involved in the Falco community
• Meet the maintainers on the Falco Slack
• Follow @falco_org on
• Join a Falco workshop
• Mailing list: [email protected]
for managing threats in your Kubernetes cluster. It builds on the solutions proposed by the Falco community with a no-code, tailor-made solution. With simple rules, you can react to events from Falco in milliseconds.
to its outputs
• rule: defines the criteria for linking events with the actions to apply
• action: each rule can sequentially run actions; each action refers to an actionner
• actionner: defines what the action will do
• notifier: defines which outputs to notify with the result of the action
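Added example (not from the talk or the Talon project itself) of how these four concepts fit together in a Talon rules file, as I understand the project's rules format: two actions are declared against actionners, and one rule chains them for the terminal-shell Falco alert shown earlier. The Falco rule name "Terminal shell in container", the namespace filter and the notifier name are assumptions.

```yaml
# Actions: named wrappers around an actionner plus its parameters.
# Each action runs in the order the rule lists it.
- action: Label Pod as Suspicious
  actionner: kubernetes:labelize      # assumed built-in actionner name
  parameters:
    labels:
      suspicious: "true"              # lets SOC find the pod after the fact

- action: Terminate Pod
  actionner: kubernetes:terminate     # assumed built-in actionner name
  parameters:
    ignore_daemonsets: true           # do not kill node agents (e.g. Falco)
    ignore_statefulsets: true         # avoid data loss on stateful workloads
    grace_period_seconds: 0

# Rule: matches incoming Falco events and says which actions to run.
- rule: Terminal shell in container
  match:
    rules:
      - Terminal shell in container   # assumed name of the Falco rule above
    priority: ">=Notice"              # same threshold as the rule's NOTICE
    output_fields:
      - k8s.ns.name!=kube-system      # assumed: leave system namespace alone
  actions:
    - action: Label Pod as Suspicious
    - action: Terminate Pod
  notifiers:
    - slack                           # assumed notifier configured in Talon
```

Because actions run sequentially, labelling before terminating leaves an audit marker even if the terminate step is later disabled during tuning.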
• Talon overview video from CNCF Live: https://www.youtube.com/watch?v=1ewRLb4cack
• Falco Talon examples by Nigel Douglas: https://github.com/nigel-falco/falco-talon-testing
(with IMDSv1).
• Vulnerable Spring Boot Application
• Falco as a DaemonSet on the k8s cluster
• Falco Sidekick
• Falco Talon
• Falco Sidekick UI
• Falco Cloudtrail plugin
• Falco AWS Cloudtrail terraform module

An attacker host to carry out the infiltration and exploitation stages of the attack:
• Rootkit installed.
• Other tools for privilege escalation and lateral movement.