Slide 1

Slide 1 text

Implementing Active Security with Sysdig Falco
Néstor Salceda, Integrations Engineer
Docker Barcelona Meetup, Sept 27th 2018

Slide 2

Slide 2 text

@nestorsalceda
• I work at Sysdig
• Passionate about security and monitoring
• Open Source enthusiast
• Daddy of twins
• Kubernetes member: maintainer of the Sysdig and Falco Helm charts
• Judo, Aikido and other Gendai Budo martial arts lover

Slide 3

Slide 3 text

Agenda
• Layers of Container Security
• What is Sysdig Falco?
• Active Security and Response Engine
• CNCF Flavor: NATS & Kubeless approach
• AWS Flavor: SNS & Lambda approach

Slide 4

Slide 4 text

• Layers of Container Security

Slide 5

Slide 5 text

Layers of Container Security:
• Networking
• Cluster
• Container Runtime
• Host
• Infrastructure

Slide 6

Slide 6 text

Build
Vulnerability Management:
● Upstream OS
● Application Vulnerabilities
Image / Software Provenance:
● Signed Images / Layers
● Artifact Signing

Slide 7

Slide 7 text

Runtime
● Secure Secrets
● Anomaly Detection
● Forensics
● Service / Container Admittance

Slide 8

Slide 8 text

What is Sysdig Falco?

Slide 9

Slide 9 text

Behavioral Activity Monitor
• Detects suspicious activity defined by a set of rules
• Uses Sysdig’s flexible and powerful filtering expressions
Full Support of Containers and Orchestration
• Uses Sysdig’s container and orchestrator support
Flexible Notification Methods
• Files
• STDOUT
• Syslog
• Execute other programs
• And more ...
Open Source Software
• Welcome contributions
• Transparency

Slide 10

Slide 10 text

Filter expressions
A shell is run in a container:
    container.id != host and proc.name = bash
Overwrite system binaries:
    fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write
Container namespace change:
    evt.type = setns and not proc.name in (docker, sysdig)
Non-device files written in /dev:
    (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
Process tries to access camera:
    evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)

Slide 11

Slide 11 text

Falco architecture (kernel to user space):
• Kernel: syscalls are captured by the falco_probe kernel module
• User space: the Sysdig libraries turn them into events
• The filter expressions from the Falco rules select the suspicious events
• Alerting delivers them to a file, syslog, stdout or a shell command

Slide 12

Slide 12 text

Batteries included
Falco ships with a nice default ruleset for best practices:
● Writing files in bin or etc
● Reading sensitive files
● Terminal spawning in a container
More rules implemented in the draios/falco-extras repository:
● Traefik
● Redis
● Nginx
● PostgreSQL

Slide 13

Slide 13 text

Rules

    - macro: bin_dir
      condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

    - list: shell_binaries
      items: [bash, csh, ksh, sh, tcsh, zsh, dash]

    - rule: write_binary_dir
      desc: an attempt to write to any file below a set of binary directories
      condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
      output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
      priority: WARNING
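As an added example, not code from the talk or from the Falco project, here is a small Python evaluator for the subset of the filter syntax used on slides 10 and 13: field comparisons with =, != and contains, `in (...)` lists, and/or/not with parentheses, plus macro and list expansion as in the rule file above. Events are flattened dicts of Falco field names (constructed inline). The open_write and package_mgmt_procs macros are simplified stand-ins I wrote, since the slides only reference them and do not define them.

```python
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]               # flattened event: Falco field name -> string value
Predicate = Callable[[Event], bool]

# Parentheses, comma, the = / != operators, double-quoted strings, bare words.
# `<` and `>` are bare words here, which is all `evt.dir = <` needs.
_TOKEN_RE = re.compile(r'\(|\)|,|!=|=|"[^"]*"|[^\s(),=!]+')


class FilterParser:
    """Recursive-descent parser for a subset of the Sysdig/Falco filter syntax.

    Precedence, loosest to tightest: or, and, not, then parenthesised groups and
    field comparisons. Macro names expand to already-compiled predicates and
    list names expand inside `in (...)`, as on slide 13.
    """

    def __init__(self, text: str, macros: Dict[str, Predicate], lists: Dict[str, List[str]]):
        self.tokens = _TOKEN_RE.findall(text)
        self.pos = 0
        self.macros, self.lists = macros, lists

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected: Optional[str] = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'} at {self.pos}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self) -> Predicate:
        pred = self.parse_or()
        if self.peek() is not None:
            raise SyntaxError(f"unexpected trailing token {self.peek()!r}")
        return pred

    def parse_or(self) -> Predicate:
        terms = [self.parse_and()]
        while self.peek() == "or":
            self.take("or")
            terms.append(self.parse_and())
        return lambda ev: any(t(ev) for t in terms)

    def parse_and(self) -> Predicate:
        terms = [self.parse_not()]
        while self.peek() == "and":
            self.take("and")
            terms.append(self.parse_not())
        return lambda ev: all(t(ev) for t in terms)

    def parse_not(self) -> Predicate:
        if self.peek() == "not":
            self.take("not")
            inner = self.parse_not()
            return lambda ev: not inner(ev)
        if self.peek() == "(":
            self.take("(")
            inner = self.parse_or()
            self.take(")")
            return inner
        if self.peek() in self.macros:           # a bare macro name stands for its condition
            return self.macros[self.take()]
        return self.parse_comparison()

    def parse_comparison(self) -> Predicate:
        field, op = self.take(), self.take()
        if op == "in":
            self.take("(")
            values: List[str] = []
            while True:
                item = self.take().strip('"')
                values.extend(self.lists.get(item, [item]))   # a list name expands in place
                if self.peek() != ",":
                    break
                self.take(",")
            self.take(")")
            return lambda ev: ev.get(field) in values
        value = self.take().strip('"')
        tests = {"=": lambda actual: actual == value,
                 "!=": lambda actual: actual != value,
                 "contains": lambda actual: value in actual}
        if op not in tests:
            raise SyntaxError(f"unsupported operator {op!r}")
        test = tests[op]
        return lambda ev: field in ev and test(ev[field])   # a field the event lacks never matches


def compile_rule(condition: str, macros: Optional[Dict[str, str]] = None,
                 lists: Optional[Dict[str, List[str]]] = None) -> Predicate:
    """Compile a rule condition. Macros are compiled in definition order, so a macro may
    only use macros defined before it (a simplification of Falco's rule loader)."""
    compiled: Dict[str, Predicate] = {}
    lists = lists or {}
    for name, text in (macros or {}).items():
        compiled[name] = FilterParser(text, compiled, lists).parse()
    return FilterParser(condition, compiled, lists).parse()


# bin_dir and shell_binaries come from slide 13; open_write, package_mgmt_procs and
# package_mgmt_binaries are constructed stand-ins for the default ruleset's definitions.
LISTS = {"shell_binaries": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"],
         "package_mgmt_binaries": ["dpkg", "apt", "apt-get", "yum", "rpm"]}
MACROS = {"bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",
          "open_write": "(evt.type = open or evt.type = openat) and evt.is_open_write = true",
          "package_mgmt_procs": "proc.name in (package_mgmt_binaries)"}

WRITE_BINARY_DIR = compile_rule(
    "bin_dir and evt.dir = < and open_write and not package_mgmt_procs", MACROS, LISTS)
SHELL_IN_CONTAINER = compile_rule(
    "container.id != host and proc.name in (shell_binaries)", MACROS, LISTS)

# Constructed events: the same write below /usr/bin, once by apt-get and once by curl
APT_WRITE = {"evt.type": "open", "evt.dir": "<", "evt.is_open_write": "true",
             "fd.directory": "/usr/bin", "proc.name": "apt-get", "container.id": "host"}
CURL_WRITE = {**APT_WRITE, "proc.name": "curl"}
```

The package-manager exception is what keeps the write_binary_dir rule quiet during a legitimate apt-get run while still flagging the curl write; the evaluator rejects a truncated condition with a SyntaxError at load time rather than silently matching nothing.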

Slide 14

Slide 14 text

Try it out!
    $ helm install --name sysdig-falco-1 --set fakeEventGenerator.enabled=true stable/falco

Slide 15

Slide 15 text

Active Security and Response Engine

Slide 16

Slide 16 text

Current Security Challenges
• Breaches may go on for days or weeks before they are detected
• Attacks are shifting towards abusing activities rather than exfiltrating data
• The ephemeral nature of containers may mean you were breached but never know it
• Many security paradigms are still reactive

Slide 17

Slide 17 text

CNCF Flavor

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

What worked well?
• Don’t let that Kubeless code spread in your codebase
• Command Design Pattern
• Respect PubSub rules
• TDD with Playbooks

Slide 20

Slide 20 text

Talk is cheap, show me the code

Slide 21

Slide 21 text

AWS Flavor

Slide 22

Slide 22 text

Same old story ...
• Don’t assume anything from your execution environment
• If you don’t test your software, your users will
• Welcome changes. Even in late phases.

Slide 23

Slide 23 text

See it in action!

Slide 24

Slide 24 text

Just a quick summary
• Functions look like a good fit for reacting to monitoring events
• Do not rely on your infrastructure; make it swappable
• Containers add more infrastructure, layers and risks. But we have seen them before: DDoS, injections ...
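As an added example, not code from the talk's demos or from the Falco, Kubeless or AWS projects, here is a Python response engine that puts the advice of slides 19, 22 and 24 into code: playbooks are Command objects, alerts are routed by rule name to whichever playbooks subscribed, the only infrastructure a playbook can touch sits behind a swappable interface (so the test double records actions instead of deleting pods), and the Kubeless and Lambda entry points are thin adapters. The Infrastructure interface, the playbook classes, the rule-to-playbook wiring and the sample alert are my constructions; the assumption that a Kubeless NATS trigger puts the message in event['data'] is mine, while the Records[i].Sns.Message shape is how SNS invokes Lambda.

```python
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FalcoAlert:
    """One alert as Falco emits it with json_output enabled (the sample below is constructed)."""
    rule: str
    priority: str
    output: str
    fields: Dict[str, str]

    @classmethod
    def from_json(cls, raw: str) -> "FalcoAlert":
        data = json.loads(raw)
        return cls(data["rule"], data["priority"], data["output"], data.get("output_fields", {}))


class Infrastructure:
    """Hypothetical interface: everything a playbook may touch. Production binds a Kubernetes
    client and a chat webhook behind it; tests bind the recorder below."""
    def delete_pod(self, namespace: str, name: str) -> None: raise NotImplementedError
    def notify(self, text: str) -> None: raise NotImplementedError


class RecordingInfrastructure(Infrastructure):
    """Test double: records calls instead of acting, which is what makes playbooks TDD-able."""
    def __init__(self) -> None:
        self.actions: List[tuple] = []
    def delete_pod(self, namespace: str, name: str) -> None:
        self.actions.append(("delete_pod", namespace, name))
    def notify(self, text: str) -> None:
        self.actions.append(("notify", text))


class Playbook:
    """Command pattern: each playbook is one self-contained response to an alert."""
    def run(self, alert: FalcoAlert, infra: Infrastructure) -> None: raise NotImplementedError


class NotifyPlaybook(Playbook):
    def run(self, alert: FalcoAlert, infra: Infrastructure) -> None:
        infra.notify(f"[{alert.priority}] {alert.rule}: {alert.output}")


class DeletePodPlaybook(Playbook):
    def run(self, alert: FalcoAlert, infra: Infrastructure) -> None:
        ns, pod = alert.fields.get("k8s.ns.name"), alert.fields.get("k8s.pod.name")
        if ns and pod:                      # alerts raised on the host carry no pod fields
            infra.delete_pod(ns, pod)


class ResponseEngine:
    """Routes alerts by rule name to the playbooks subscribed to that rule."""
    def __init__(self, infra: Infrastructure) -> None:
        self.infra, self.subscriptions = infra, {}
    def subscribe(self, rule: str, playbook: Playbook) -> None:
        self.subscriptions.setdefault(rule, []).append(playbook)
    def handle(self, raw: str) -> List[str]:
        alert = FalcoAlert.from_json(raw)
        executed: List[str] = []
        for playbook in self.subscriptions.get(alert.rule, []):
            playbook.run(alert, self.infra)
            executed.append(type(playbook).__name__)
        return executed


def build_engine(infra: Infrastructure) -> ResponseEngine:
    """Wiring (constructed): rule names are from Falco's default ruleset."""
    engine = ResponseEngine(infra)
    engine.subscribe("Terminal shell in container", NotifyPlaybook())
    engine.subscribe("Terminal shell in container", DeletePodPlaybook())
    engine.subscribe("Write below binary dir", NotifyPlaybook())
    return engine


# Thin adapters: only these know about the platform, so the engine moves between flavors.
# Each platform calls handler(event, context); bind the engine with functools.partial.
def kubeless_handler(event: dict, context, engine: ResponseEngine) -> List[str]:
    """Kubeless entry point; assumes the NATS trigger delivers the message in event['data']."""
    data = event["data"]
    return engine.handle(data if isinstance(data, str) else json.dumps(data))


def lambda_handler(event: dict, context, engine: ResponseEngine) -> List[str]:
    """AWS Lambda entry point; an SNS subscription delivers one Records[i].Sns.Message per alert."""
    executed: List[str] = []
    for record in event.get("Records", []):
        executed.extend(engine.handle(record["Sns"]["Message"]))
    return executed


SAMPLE_ALERT = json.dumps({                  # constructed, shaped like Falco's JSON output
    "output": "17:40:21.000000000: Notice A shell was spawned in a container with an attached "
              "terminal (user=root k8s.pod=nginx-1 container=3f2a1c9d shell=bash)",
    "priority": "Notice", "rule": "Terminal shell in container",
    "time": "2018-09-27T17:40:21.000000000Z",
    "output_fields": {"k8s.ns.name": "default", "k8s.pod.name": "nginx-1",
                      "user.name": "root", "proc.name": "bash"},
})
```

The same alert produces the same recorded actions whether it arrives through the Kubeless or the Lambda adapter, which is the property a test suite should pin down before either platform is involved; a rule nobody subscribed to runs nothing, so a new Falco rule never triggers a response until a playbook is explicitly wired for it.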

Slide 25

Slide 25 text

Thank you very much
Questions?
[email protected]
@nestorsalceda