Implementing Active Security with Sysdig Falco - Docker Barcelona Meetup

Woah! We have our application deployed in a cluster and a fleet of containers ready to manage. And it is really awesome: we can scale them automatically! But, but... WTF?! What does this message about "File below a known binary directory opened for writing" mean? Which container opened a file under /bin for writing, among the other 9813 containers in my deployment?

When you are managing a Docker cluster with many nodes and containers, finding which one originated the alert can be cumbersome. Time matters: the faster we react to a security issue, the less damage it can do.

Automation is an important part of the DevSecOps mindset. In this talk we will learn how to implement custom playbooks with open source software and deploy them on serverless technology, building an active security system that uses Sysdig Falco to detect security threats.

Néstor Salceda

September 27, 2018

Transcript

  1. Néstor Salceda, Integrations Engineer
     Docker Barcelona Meetup Sept 27th 2018
     Implementing Active Security with Sysdig Falco

  2. @nestorsalceda
     • I work at Sysdig
     • Passionate about security and monitoring
     • Open Source enthusiast
     • Daddy of twins
     • Kubernetes member: maintainer of the Sysdig and Falco Helm charts
     • Judo, Aikido and other Gendai Budo martial arts lover

  3. Agenda
     Layers of Container Security
     What is Sysdig Falco?
     Active Security and Response Engine
     CNCF Flavor: NATS & Kubeless approach
     AWS Flavor: SNS & Lambda approach


  4. Layers of Container Security

  5. Networking
     Cluster
     Container Runtime
     Host
     Infrastructure

  6. Build
     Vulnerability Management:
     ● Upstream OS
     ● Application Vulnerabilities
     Image / Software Provenance:
     ● Signed Images / Layers
     ● Artifact Signing

  7. Runtime
     Secure Secrets
     Anomaly Detection
     Forensics
     Service / Container Admittance

  8. What is Sysdig Falco?

  9. Behavioral Activity Monitor
     • Detects suspicious activity defined by a set of rules
     • Uses Sysdig’s flexible and powerful filtering expressions
     Full Support of Containers / Orchestration
     • Uses Sysdig’s container and orchestrator support
     Flexible Notification Methods
     • Files
     • STDOUT
     • Syslog
     • Execute other programs
     • And more ...
     Open Source Software
     • Welcome contributions
     • Transparency

  10. Filter expressions
      A shell is run in a container:
        container.id != host and proc.name = bash
      Overwrite system binaries:
        fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write
      Container namespace change:
        evt.type = setns and not proc.name in (docker, sysdig)
      Non-device files written in /dev:
        (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
      Process tries to access camera:
        evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)

  11. Architecture (diagram slide; only its labels survive)
      Kernel space: syscalls are captured by the falco_probe kernel module.
      User space: the Sysdig libraries turn them into events, the Falco rules
      (filter expressions) select the suspicious events, and alerting sends
      them to a file, syslog, stdout or a shell command.

  12. Batteries included
      Falco ships with a nice default ruleset for best practices:
      ● Writing files in bin or etc
      ● Reading sensitive files
      ● Terminal spawning in a container
      More rules implemented in the draios/falco-extras repository:
      ● Traefik
      ● Redis
      ● Nginx
      ● PostgreSQL

  13. Rules
      - macro: bin_dir
        condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)
      - list: shell_binaries
        items: [bash, csh, ksh, sh, tcsh, zsh, dash]
      - rule: write_binary_dir
        desc: an attempt to write to any file below a set of binary directories
        condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
        output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
        priority: WARNING
      (open_write and package_mgmt_procs are macros defined elsewhere in the default ruleset and not shown on the slide; evt.dir = < matches the syscall's exit event, once the file descriptor exists.)
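The rule on the slide (and the "Overwrite system binaries" expression on slide 10) answers *what* happened but not *which* of the 9813 containers did it. As an added example, not taken from the deck or from the Falco project, here is a local rules file that restricts the same condition to containers and adds the fields that identify the container and pod. It assumes the default ruleset is loaded first (so bin_dir, open_write and package_mgmt_procs are the macros it defines) and that Falco runs with Kubernetes metadata enabled (the -k/-K options), without which the k8s.* fields print as <NA>. The build_procs list and its contents are hypothetical.

```yaml
# /etc/falco/falco_rules.local.yaml (added example; loaded after falco_rules.yaml,
# which defines the bin_dir, open_write and package_mgmt_procs macros used below)

# Hypothetical list: build tools allowed to write under the binary dirs in CI images.
- list: build_procs
  items: [make, ld, gcc, cc]

# Same condition as the slide's write_binary_dir, restricted to containers and
# minus build tools, with output fields that name the container and the pod.
- rule: Write below binary dir in container
  desc: >
    An attempt to write below /bin, /sbin, /usr/bin or /usr/sbin from inside
    a container by something other than a package manager or build tool.
  condition: >
    bin_dir and evt.dir = < and open_write
    and container.id != host
    and not package_mgmt_procs
    and not proc.name in (build_procs)
  output: >
    File below a known binary directory opened for writing in a container
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name id=%container.id image=%container.image
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [filesystem, container]
```

Keeping the default rule untouched and adding a container-scoped one means host writes by the package manager on the node still get the default treatment, while a container alert carries enough context for an automated playbook to act on the right pod.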

  14. Try it out!
      $ helm install --name sysdig-falco-1 \
          --set fakeEventGenerator.enabled=true \
          stable/falco

  15. Active Security and Response Engine

  16. Current Security Challenges
      Breaches may go on for days or weeks before they are detected
      Attacks are shifting to abusing activities rather than exfiltrating data
      The ephemeral nature of containers may mean you were breached but never know
      Many security paradigms are still reactive

  17. CNCF Flavor

  18. (image-only slide; no transcript text)

  19. What worked well?
      Don’t let Kubeless code spread across your codebase
      Command Design Pattern
      Respect PubSub rules
      TDD with Playbooks

  20. Talk is cheap, show me the code

  21. AWS Flavor

  22. Same old story ...
      Don’t assume anything about your execution environment
      If you don’t test your software, your users will
      Welcome changes, even in late phases
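The code shown in the talk is not on this page. As an added example (not the speaker's playbooks and not Falco's code), here is a response engine in Python that applies the lessons of slides 19 and 22 to both flavors: the Kubeless and Lambda entry points are confined to two functions, each playbook is a Command object, and the Kubernetes client is an injected interface so the playbooks can be test-driven against a recording double. It assumes Falco's JSON output (json_output: true), where every alert carries rule, priority, output, time and output_fields; that the Kubeless NATS trigger delivers the alert string in event["data"] and the Lambda SNS trigger in Records[].Sns.Message; the sample alerts, routing table and pod names are constructed for the example.

```python
"""Falco alert -> playbook dispatcher. Added example, not the talk's code.
Assumptions: Falco runs with json_output: true; the Kubeless NATS trigger
passes the alert string in event["data"]; the Lambda SNS trigger passes it
in Records[].Sns.Message. The sample alerts at the bottom are constructed."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Falco priorities, most severe first.
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING",
              "NOTICE", "INFORMATIONAL", "DEBUG"]


@dataclass
class Alert:
    rule: str
    priority: str
    output: str
    fields: Dict[str, str]

    @classmethod
    def from_json(cls, raw: str) -> "Alert":
        d = json.loads(raw)
        return cls(d["rule"], d["priority"].upper(), d["output"],
                   d.get("output_fields", {}))

    def at_least(self, priority: str) -> bool:
        """True when this alert is at least as severe as `priority`."""
        return PRIORITIES.index(self.priority) <= PRIORITIES.index(priority.upper())


class KubernetesClient:
    """Infrastructure boundary: a real deployment swaps in the API client."""
    def delete_pod(self, namespace: str, name: str) -> None:
        raise NotImplementedError("wrap the real Kubernetes client here")


class RecordingKubernetesClient(KubernetesClient):
    """Test double: records deletions instead of performing them."""
    def __init__(self) -> None:
        self.deleted: List[Tuple[str, str]] = []

    def delete_pod(self, namespace: str, name: str) -> None:
        self.deleted.append((namespace, name))


class Playbook:
    """Command pattern: one object per reaction, executed with the alert."""
    def run(self, alert: Alert) -> Optional[str]:
        raise NotImplementedError


class DeletePod(Playbook):
    """Kill the offending pod; its controller reschedules a clean replacement."""
    def __init__(self, kube: KubernetesClient) -> None:
        self.kube = kube

    def run(self, alert: Alert) -> Optional[str]:
        ns, pod = alert.fields.get("k8s.ns.name"), alert.fields.get("k8s.pod.name")
        if not (ns and pod):
            return None  # host-level alert, or Falco has no Kubernetes metadata
        self.kube.delete_pod(ns, pod)
        return f"deleted pod {ns}/{pod}"


class LogOnly(Playbook):
    """Default reaction: record the alert, touch nothing."""
    def __init__(self) -> None:
        self.seen: List[str] = []

    def run(self, alert: Alert) -> Optional[str]:
        self.seen.append(alert.output)
        return "logged"


class ResponseEngine:
    """Routes alerts to playbooks by rule name; drops anything below min_priority."""
    def __init__(self, default: Playbook, min_priority: str = "WARNING") -> None:
        self.default, self.min_priority = default, min_priority
        self.routes: Dict[str, Playbook] = {}

    def route(self, rule: str, playbook: Playbook) -> "ResponseEngine":
        self.routes[rule] = playbook
        return self

    def handle(self, raw_alert: str) -> Optional[str]:
        alert = Alert.from_json(raw_alert)
        if not alert.at_least(self.min_priority):
            return None
        return self.routes.get(alert.rule, self.default).run(alert)


def build_engine(kube: KubernetesClient) -> ResponseEngine:
    # Rule name from slide 13; every other rule falls back to LogOnly.
    return ResponseEngine(LogOnly()).route("write_binary_dir", DeletePod(kube))


# Serverless entry points: the only lines that know about Kubeless or Lambda.
def handler(event, context, engine: Optional[ResponseEngine] = None):
    """Kubeless function bound to the NATS subject the alerts are published on."""
    return (engine or build_engine(KubernetesClient())).handle(event["data"])


def lambda_handler(event, context, engine: Optional[ResponseEngine] = None):
    """AWS Lambda function subscribed to the SNS topic that carries the alerts."""
    eng = engine or build_engine(KubernetesClient())
    return [eng.handle(r["Sns"]["Message"]) for r in event["Records"]]


def _alert(rule, priority, output, fields):  # builds one constructed sample alert
    return json.dumps({"rule": rule, "priority": priority, "output": output,
                       "time": "2018-09-27T17:20:36.342712538Z", "output_fields": fields})

POD_ALERT = _alert("write_binary_dir", "Warning",
    "File below a known binary directory opened for writing (user=root command=touch /bin/hack file=/bin/hack)",
    {"user.name": "root", "proc.cmdline": "touch /bin/hack", "fd.name": "/bin/hack",
     "k8s.ns.name": "shop", "k8s.pod.name": "cart-6d8f9-x2k1q"})
HOST_ALERT = _alert("write_binary_dir", "Warning",  # same rule on the host: no pod
    "File below a known binary directory opened for writing (user=root command=cp x /usr/bin/x file=/usr/bin/x)",
    {"user.name": "root", "fd.name": "/usr/bin/x"})
OTHER_ALERT = _alert("read_sensitive_file", "Error",  # unrouted rule: default playbook
    "Sensitive file opened for reading (user=root file=/etc/shadow)", {})
LOW_ALERT = _alert("container_started", "Notice",  # below WARNING: dropped
    "Container started (id=3f0a1c2b)", {})

if __name__ == "__main__":
    engine = build_engine(RecordingKubernetesClient())
    for raw in (POD_ALERT, HOST_ALERT, OTHER_ALERT, LOW_ALERT):
        print(json.loads(raw)["rule"], "->", engine.handle(raw))
```

Everything below the entry points is plain Python with no NATS, Kubeless or AWS import, which is what makes it testable on a laptop and portable between the two flavors; in production, replace KubernetesClient with a thin wrapper over the real API client and leave the playbooks untouched.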

  23. See it in action!

  24. Just a quick summary
      Functions look like a good fit for reacting to monitoring events
      Do not rely on your infrastructure; make it swappable
      Containers add more infrastructure, layers and risks, but we have seen them before: DDoS, injections ...

  25. Moltes gràcies (Many thanks)
      Questions?
      @nestorsalceda