› Process, logs, network, configuration etc. › Evolving Attack Technology and Types › Mainly only anti-malware agent installed to servers › New types of cyber threats that traditional anti-virus programs can't stop. (Ransomware) Move to Edge network from External › Lateral movement, Worm › Targeting attack
Servers Servers Servers Servers Servers Servers Servers Servers Servers Servers Encrypted Traffic › Need to decryption solutions to monitor › But volume of traffic is too large IDS IPS
Servers Backbone Only monitoring purpose If a disorder occurs › All Server under can’t be monitored Servers Servers Servers Servers Servers Servers Servers Servers IDS IPS
shipped › Installing agents is big burden › Anxiety about service failure Installing when the server is shipped › Prevention of omission › No pressure on developers either
installation › Use Installation script provided by Infra Protection Team › Separated by services › Store in Git repository › Git Watch - notify about changes › Move to internal YUM repository Periodic management Windows 658
When instances launch, the script runs › Use Installation script provided by IPT › Separated by specifications (high / low) › Store in Git repository › Git Watch - notify about changes Automate Installation
› Verda Dev › External (Non LINE Asset, AWS, etc.) By Infra High Ability › Configured at least two or more servers › Managers: Load Balancing › Databases: Failover › Databases are managed by DB Team
RBAC › No common account › Rotate API account Access to Web Console Access to Servers › Only Administers can access to › PAM to restrict › Use domain account › Monitor behavior Manager Database Domain Controller PAM Web Console
LINE Securities LINE FRIENDS LINE Mobile Ads Internal systems Groups 2nd Service Name › Exposure to external attacks › Easy to organize and manage › Fast to check current situation
Services Default Services Policy Flexible response to service expansion Actual way to detect/prevent actions › By OS Platform › From Default policy › Easy to send policies against vulnerability
LINE Securities LINE FRIENDS LINE Mobile Ads Internal systems Services Services Apply discrete policies by service Criterion of use › Active Directory › Databases › Web Applications › Analysis (YARN, HBase)
Malfunction Disk insufficient Communication error Pattern update error Duplicated error Engine offline error Vaildation Installed or not Works properly Upgrade needed
Pattern update error Duplicated error Engine offline error › Who can handle these problems? › Disk problem? › Communication error? › Pattern, Duplicated, engine problems? Classify all cases
Pattern update error Duplicated error Engine offline error › Who can handle these problems? › Disk problem? › Sending e-mail to development operator › Communication error? › Agent-manager port open? (reinstall agent or restart service) › Pattern, Duplicated, engine problems? › Administrator handles Classify all cases
properly Upgrade needed › Inform of the status of the uninstalled › Communicate to schedule available date for installation / upgrade › Installation is conducted by whom? Sending scripts to? Fintech Server
properly Upgrade needed › Inform of the status of the uninstalled › Communicate to schedule available date for installation / upgrade › Sending e-mail every week automatically to each ITOPS › Installation is conducted by administrator Fintech Server
there is a security agent problem with the VMs used by Verda Kubernetes Service (VKS).Could you please confirm it? * Security agent somehow hooks system call and does Anti-malware * VKS may attempt to count from the kubernetes container process in a different namespace, but may fail * It works fine when you unload the security agent kernel module. * I'm thinking about whether or not to include the fs(tmpfs) that Kubernetes is going to count. Exception for tmpfs?
got a sys_umount event, then ignored it because the system call was not invoked from the host, but from a container. › By design, the anti-malware driver will track mount points in a host and will only deal with mount/umount system call events coming from the host, which means mount/unmount system call events will be ignored by the driver if they are from containers.
Deploy pod to continually monitor and change parameter within all nodes › Failed (root permission needed) Pod Monitor and Change Kubelet Pod Containers Nodes Parameter /proc/driver/HOOK/
Deploy pod to continually monitor and change parameter within all nodes › Failed (root permission needed) › Plan B › Use Cron to execute script › existing nodes (pod) › newly created nodes (init-script) › Docker process runs › kubelet exist inside
inquiry regarding Verda redis. Can you tell me the coverage of security agent? Currently, we are simply testing performance in dev, stage-dev environments, but due to the influence of Security Agent, the performance difference is between 30 and 50%. Therefore, I would like to check the application scope of security agent and the possibility of future expansion.
line_devday2020
oracle4engineer
mrbobbytables
lycorp_recruit_jp
takumiogawa
kakehashi
smt7174
10xinc
negi111111
emiki
mongodb
caitiem20
jonyablonski
pedronauck
tammyeverts
paigeccino
jacobian
aarron
andyhume
stephaniewalter
lynnandtonic
irinanazarova
