Slide 1

Securing your Kubernetes applications
Néstor Salceda, Integrations Engineer
LibreCon Bilbao, Nov 22nd 2018

Slide 2

@nestorsalceda
• Open Source enthusiast
• Security and Monitoring passionate
• I work at Sysdig
• Daddy of twins
• Kubernetes member: Maintainer of Sysdig and Falco Helm charts
• Top 3 Contributor to Falco
• Judo, Aikido and other Gendai Budo martial arts lover and practitioner

Slide 3

Agenda
• Current challenges of Container Security
• Layers of Container Security
• Anomaly Detection in run-time: Falco
• Active Security: Kubernetes Response Engine
• Forensics: Sysdig Inspect

Slide 4

• Container Security Challenges

Slide 5

Main Challenges
• Breaches may extend for days or weeks before being detected
• Attacks are changing to abuse activities rather than data exfiltration (crypto mining)
• The ephemeral nature of containers means that in the event of a security breach you may never know
• Many security paradigms are still reactive

Slide 6

• Layers of Container Security

Slide 7

Which layers?
• Infrastructure
• Build
• Runtime

Slide 8

Infrastructure
• Host Security: SecComp, SELinux, AppArmor, Resource Constraints ...
• Container Runtime: SELinux, AppArmor, CIS Benchmarks, InSpec ...
• Cluster Security: RBAC, Audit Events, Security Policies, Affinity, Network Policies ...
• Networking: Filtering, Istio, Calico ...

Slide 9

Build
• Vulnerability Management:
  ● Image Scanning: Sysdig Secure, Anchore, Clair
  ● Upstream OS
  ● Application Vulnerabilities
• Image / Software Origin:
  ● Signed Images / Layers
  ● Artifact Signing
  ● Trusted Registries

Slide 10

Runtime
• Service / Container Admission: What is allowed to run?
• Secure Secrets: How are secrets stored and used?
• Anomaly Detection: Has someone altered my runtime environment?
• Forensics: What happened if we were compromised?

Slide 11

Anomaly Detection
• See containers as isolated processes
• Processes are "scoped" as to what's expected
• Container images are immutable, runtime environments often aren't
• How do you detect abnormal behavior?

Slide 12

Forensics
• When a security incident has already happened
• What did happen inside the container?
• Containers are highly volatile: imagine Grissom doing CSI stuff without the corpse

Slide 13

What is Falco?

Slide 14

Behavioral Activity Monitor
• Detects suspicious activity defined by a set of rules
• Uses Sysdig's flexible and powerful filtering expressions

Full Support of Containers Orchestration
• Uses Sysdig's container and orchestrator support

Flexible Notification Methods
• Files
• STDOUT
• Syslog
• Execute other programs
• And more ...

Open Source Software
• CNCF Sandbox Project
• Welcome contributions
• Transparency & Governance

Slide 15

[Architecture diagram: syscalls are captured by the falco_probe kernel module (kernel space) and passed as events to the Sysdig libraries (user space); Falco matches them against the filter expressions of its rules, and the resulting suspicious events are alerted to a file, syslog, stdout or a shell program]

Slide 16

Filter expressions

A shell is run in a container:
  container.id != host and proc.name = bash

Overwrite system binaries:
  fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write

Container namespace change:
  evt.type = setns and not proc.name in (docker, sysdig)

Non-device files written in /dev:
  (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null

Process tries to access camera:
  evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)

Slide 17

Rules

- macro: bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

- list: shell_binaries
  items: [bash, csh, ksh, sh, tcsh, zsh, dash]

- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
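To make the filter expressions of slide 16 and the macro/list composition of slide 17 concrete, here is an added Python example (not Falco's own engine, which is written in C++) that parses that subset of the syntax and evaluates it against events represented as dicts of Falco field names. The `open_write` and `package_mgmt_procs` macros are simplified stand-ins for Falco's real ones, and the events it is tested with are constructed, not real captures.

```python
def parse(expr, lists=None):
    # Recursive descent (or < and < not < cmp|macro|parens); assumes spaces around operators.
    toks, lists = expr.replace("(", " ( ").replace(")", " ) ").replace(",", " ").split(), lists or {}
    peek = lambda: toks[0] if toks else None
    def chain(level, op):                      # left-associative and/or chain
        node = level()
        while peek() == op:
            toks.pop(0); node = (op, node, level())
        return node
    def unary():
        if peek() == "not":
            toks.pop(0); return ("not", unary())
        if peek() == "(":
            toks.pop(0); node = or_expr(); toks.pop(0); return node
        name = toks.pop(0)
        if peek() not in ("=", "!=", "contains", "in"):
            return ("macro", name)             # bare word = reference to a macro
        op = toks.pop(0)
        if op != "in":
            return (op, name, toks.pop(0))
        toks.pop(0); values = []               # skip "(", gather values, expand list names
        while peek() != ")":
            tok = toks.pop(0); values.extend(lists.get(tok, [tok]))
        toks.pop(0)
        return ("in", name, values)
    or_expr = lambda: chain(lambda: chain(unary, "and"), "or")
    return or_expr()

def evaluate(node, event, macros):
    # event: Falco field name -> value; macros: macro name -> parsed condition
    kind, args = node[0], node[1:]
    if kind == "macro": return evaluate(macros[args[0]], event, macros)
    if kind in ("and", "or", "not"):
        vals = [evaluate(n, event, macros) for n in args]
        return {"and": all(vals), "or": any(vals), "not": not vals[0]}[kind]
    actual, expected = event.get(args[0]), args[1]
    if kind == "in": return actual in expected
    if kind == "contains": return actual is not None and expected in actual
    return (actual == expected) == (kind == "=")      # covers "=" and "!="
LISTS = {"shell_binaries": ["bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"]}
MACROS = {n: parse(c, LISTS) for n, c in {            # constructed stand-ins for the slides' macros
    "bin_dir": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)",
    "open_write": "evt.type = open and evt.arg.flags contains O_WRONLY",
    "package_mgmt_procs": "proc.name in (apt, dpkg, yum, rpm)"}.items()}
RULES = {  # the slides' write_binary_dir condition plus the "shell is run in a container" filter
    "write_binary_dir": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
    "shell_in_container": "container.id != host and proc.name in (shell_binaries)"}
def triggered(event):                          # names of the rules whose condition holds
    return [n for n, cond in RULES.items() if evaluate(parse(cond, LISTS), event, MACROS)]
```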

Slide 18

Batteries included

Falco ships with a nice default ruleset for best practices:
● Writing files in bin or etc
● Reading sensitive files
● Terminal spawning in a container
● ...

More rules implemented in the draios/falco-extras repository:
● Traefik
● Redis
● Nginx
● PostgreSQL
● ...

Slide 19

K8s Audit Events Support
• Requests made by anonymous user
• Attach to cluster-admin Role
• Service Account created in Kube Namespace
• Create / Modify ConfigMaps which expose secrets

Slide 20

Try it out!

$ helm install --name sysdig-falco-1 --set fakeEventGenerator.enabled=true stable/falco

Slide 21

Active Security

Slide 22

No content

Slide 23

See it in action!

Slide 24

Playbooks Available
• Start a capture
• Network isolate
• Delete a pod
• Forbid that a node schedules more pods
• Slack notification
• Demisto/Phantom integration

Slide 25

Forensics

Slide 26

Forensics
• Capture system calls using Sysdig
• Correlate events to reconstruct the attack
• Blameless Post-Mortem incident report

Slide 27

Just a quick summary
• The ephemeral nature of containers changes the rules
• Security offers us an opportunity to be proactive
• Containers add more infrastructure, layers and risks. But we have seen the same security threats before: DDoS, Injections ...

Slide 28

Do you want to work with me?
• Monitoring / Security
• Open Source
• Remote

Slide 29

Join the community
• Website: https://www.sysdig.com/opensource/falco and https://falco.org
• Blog: https://www.sysdig.com/blog/tag/falco
• Sysdig Secure: https://www.sysdig.com/product/secure
• Public Slack: https://slack.sysdig.com (channel: https://slack.sysdig.com/messages/falco)

Slide 30

Learn more
• GitHub: https://github.com/falcosecurity/falco
• Wiki: https://github.com/falcosecurity/falco/wiki
• Docker Hub: https://hub.docker.com/r/falcosecurity/falco
• Sysdig Docker Usage Report 2018: https://sysdig.com/blog/2018-docker-usage-report

Slide 31

Eskerrik asko (thank you very much)
Questions?
[email protected]
@nestorsalceda