Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to Use CNCF’s Falco to Protect Yourself Fro...

cncf-canada-meetups
October 18, 2023
Technology
0
28

How to Use CNCF’s Falco to Protect Yourself From the New SCARLETEEL Attack! by Marat Salakhutdinov @Sysdig

cncf-canada-meetups

October 18, 2023
Tweet

More Decks by cncf-canada-meetups

See All by cncf-canada-meetups
Canada Cloud Native Meetups - 2025 Sponsor Deck
cncfcanada
0
13
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope
cncfcanada
0
70
[CNCF Q1 2024] Remediate Kubernetes Security Threats in Real-Time with Falco Talon
cncfcanada
0
19
[Q2 CNCF 2023] Metrio, a Cloud run journey
cncfcanada
0
17
[CNCF Q1 2024] Agentic Installer LLMs Helm Charts by Chris Gruel @Akeyless
cncfcanada
0
23
Karpenter @LightSpeed
cncfcanada
0
57
Shorten the dev loop with mirrord
cncfcanada
0
29
October 2023 Montreal CNCF Meetup
cncfcanada
0
41
Beyond Dashboarding The Grafana Observability Stack by Steve Caron
cncfcanada
0
77

Other Decks in Technology

See All in Technology
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
310
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
ドメイン名の終活について - JPAAWG 7th -
mikit
33
20k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
110
Lambdaと地方とコミュニティ
miu_crescent
2
370
【若手エンジニア応援LT会】ソフトウェアを学んできた私がインフラエンジニアを目指した理由
kazushi_ohata
0
150
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
600

Featured

See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
RailsConf 2023
tenderlove
29
900
Designing the Hi-DPI Web
ddemaree
280
34k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
The Pragmatic Product Professional
lauravandoore
31
6.3k
A designer walks into a library…
pauljervisheath
204
24k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Happy Clients
brianwarren
98
6.7k
GraphQLとの向き合い方2022年版
quramy
43
13k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k

Transcript

  1. How to Use CNCF’s Falco to Protect Yourself From the

    New SCARLETEEL Attack! Marat Salakhutdinov Senior Customer Solutions Engineer at Sysdig

  2. Marat Salakhutdinov Senior Customer Solutions Engineer @Sysdig linkedin: https://www.linkedin.com/in/salakhutdinov/ email:

    [email protected]
  3. None

  4. Sysdig 2023 Global Cloud Threat Report 1. Cloud Automation Weaponized

    2. 10 Minutes to Pain - every second counts 3. A 90% Safe Supply Chain Isn’t Safe Enough 4. Attackers are Hiding Among the Clouds 5. 65% of Cloud Attacks Target Telcos and FinTech

  5. SCARLETEEL attack 5

  6. “The Security Camera for Modern Apps” created by Sysdig

  7. What is Falco? • Runtime security engine • Observability for:

    ◦ Endpoints ◦ Cloud infrastructure • Built on eBPF • Integrated with Kubernetes CNCF INCUBATED PROJECT

  8. Beyond system calls and containers Plugins are dynamic shared libraries

    which allow Falco to collect and extract fields from streams of events

  9. Resources Get started at Falco.org Check out the Falco project

    in Github Get involved in the Falco community Meet the maintainers on the Falco Slack Follow @falco_org on Join a Falco workshop

  10. Demo Environment Details K8S cluster running on an EC2 node

    (with IMDSv1). • Vulnerable Spring Boot Application • Falco as a daemon set on k8s cluster • Falco Sidekick • Falco Sidekick UI • Falco Cloudtrail plugin • Falco AWS Cloudtrail terraform module An attacker host to execute the infiltration and exploit of the attack. • Rootkit installed. • Other tools to escalate privileges and lateral movement.

  11. Demo time 11

  12. Is runtime security enough? What helps the attacker to execute

    the attack: • Vulnerable packages • Vulnerable binaries ◦ In Runtime • Privileged containers • Extensive Permissions • Misconfigurations 12 Vulnerability Management * CSPM / KSPM / CIEM * CNAPP * * - its all can be done by Sysdig CNAPP Platform

  13. CNAPP: SCARLETEEL - Sysdig demo lab Features and flows of

    the Lab: • Runtime Threat Detection and Response • Cloud Threat Detection (AWS account) • Vulnerability Management for K8s workloads • Security Posture ◦ CSPM: Cloud Security Posture Management ◦ CIEM: Cloud Identities and Entitlements Management 13