› Process, logs, network, configuration, etc.
› Evolving attack technology and types
› Mainly only an anti-malware agent is installed on servers
› New types of cyber threats that traditional anti-virus programs can't stop (ransomware)
› Move to the edge network from the external network
› Lateral movement, worms
› Targeted attacks
Installation
› Use the installation script provided by the Infra Protection Team
› Separated by service
› Store in a Git repository
› Git Watch: notify about changes
› Move to an internal YUM repository
Periodic management (Windows: 658)
Automate installation
› When instances launch, the script runs
› Use the installation script provided by IPT (Infra Protection Team)
› Separated by specification (high / low)
› Store in a Git repository
› Git Watch: notify about changes
Access to the web console
› RBAC
› No shared account
› Rotate the API account
Access to servers
› Only administrators can access
› PAM to restrict access
› Use domain accounts
› Monitor behavior
(Components: Manager, Database, Domain Controller, PAM, Web Console)
Apply discrete policies by service
› Services: LINE Securities, LINE FRIENDS, LINE Mobile, Ads, internal systems
Criteria of use
› Active Directory
› Databases
› Web applications
› Analysis (YARN, HBase)
Classify all cases
› Pattern update error, duplicated error, engine offline error
› Who can handle these problems?
› Disk problem? Send e-mail to the development operator
› Communication error? Check whether the agent-manager port is open (reinstall the agent or restart the service)
› Pattern, duplicated, or engine problems? The administrator handles them
(…) properly / Upgrade needed
› Inform of the status of the uninstalled servers
› Communicate to schedule an available date for installation / upgrade
› Installation is conducted by whom? Scripts are sent to whom?
(Fintech server)
(…) properly / Upgrade needed
› Inform of the status of the uninstalled servers
› Communicate to schedule an available date for installation / upgrade
› Automatically send e-mail every week to each ITOPS
› Installation is conducted by the administrator
(Fintech server)
(…) there is a security agent problem with the VMs used by Verda Kubernetes Service (VKS). Could you please confirm it?
* The security agent somehow hooks system calls and does anti-malware.
* VKS may attempt to mount from the Kubernetes container process in a different namespace, but may fail.
* It works fine when you unload the security agent kernel module.
* I'm thinking about whether or not to include the fs (tmpfs) that Kubernetes is going to mount. Exception for tmpfs?
› (…) got a sys_umount event, then ignored it because the system call was invoked not from the host but from a container.
› By design, the anti-malware driver tracks mount points in the host and only handles mount/umount system call events coming from the host, which means mount/umount system call events are ignored by the driver if they come from containers.
› Deploy a pod to continually monitor and change the parameter on all nodes
› Failed (root permission needed)
› Plan B: use cron to execute the script
› Existing nodes: pod
› Newly created nodes: init script
› The Docker process runs; kubelet exists inside
(…) inquiry regarding Verda Redis. Can you tell me the coverage of the security agent? Currently, we are simply testing performance in the dev and stage-dev environments, but due to the influence of the security agent, the performance difference is between 30 and 50%. Therefore, I would like to check the application scope of the security agent and the possibility of future expansion.