Implementing Active Security with Sysdig Falco - Barcelona Software Crafters


Woah! We have our application deployed in a cluster and are ready to manage our fleet of containers. And it is really awesome, we can scale them automatically! But, but... WTF?! What does this message about "File below a known binary directory opened for writing" mean? Which container, among the other 9813 containers in my deployment, opened a file under /bin for writing?

When you are managing a Docker cluster with a lot of nodes and containers, finding the one that originated the alert may be cumbersome. Time matters: the faster we can react to a security issue, the better our chances of avoiding greater damage.

Automation is an important point in the DevSecOps mindset. In this talk we are going to learn how to implement custom playbooks with open source software and deploy them using serverless technology, building an active security system that uses Sysdig Falco to detect security threats.


  1. Néstor Salceda, Integrations Engineer. Barcelona Software Crafters, Sept 30th 2018. Implementing Active Security with Sysdig Falco
  2. #SCBCN18 Software Crafters Barcelona - VI Edition
  3. @nestorsalceda • Open Source enthusiast • Security and Monitoring passionate • I work at Sysdig • Daddy of twins • Kubernetes member: Maintainer of Sysdig and Falco Helm charts • Judo, Aikido and other Gendai Budo martial arts lover
  4. Agenda: Layers of Container Security; What is Sysdig Falco?; Active Security and Response Engine; CNCF Flavor: NATS & Kubeless approach; AWS Flavor: SNS & Lambda approach
  5. Layers of Container Security
  6. Layers: Infrastructure, Host, Container Runtime, Cluster, Networking
  7. Build layer. Vulnerability Management: ● Upstream OS ● Application Vulnerabilities. Image / Software Provenance: ● Signed Images / Layers ● Artifact Signing
  8. Runtime layer: Secure Secrets, Anomaly Detection, Forensics, Service / Container Admittance
  9. Anomaly Detection: See containers like isolated processes. Processes are “scoped” as to what’s expected. Container images are immutable, runtime environments often aren’t. How do you detect abnormal behavior?
  10. What is Sysdig Falco?
  11. Behavioral Activity Monitor: • Detects suspicious activity defined by a set of rules • Uses Sysdig’s flexible and powerful filtering expressions. Full Support of Container Orchestration: • Uses Sysdig’s container and orchestrator support. Flexible Notification Methods: • Files • STDOUT • Syslog • Execute other programs • And more ... Open Source Software: • Welcome contributions • Transparency
  12. Filter expressions (the field names on the left-hand side of each comparison were lost in extraction):
      A shell is run in a container: != host and = bash
      Overwrite system binaries: in (/bin, /sbin, /usr/bin, /usr/sbin) and write
      Container namespace change: evt.type = setns and not in (docker, sysdig)
      Non-device files written in /dev: (evt.type = create or evt.arg.flags contains O_CREAT) and != blkid and = /dev and != /dev/null
      Process tries to access camera: evt.type = open and = /dev/video0 and not in (skype, webex)
  13. Architecture diagram: syscalls are captured in the kernel by the falco_probe kernel module and handed to user space through the Sysdig libraries as events; Falco evaluates them against the Falco rules (filter expressions) and sends suspicious events to its alerting outputs (file, syslog, stdout, shell).
  14. Rules (the macro condition's field name was lost in extraction and the output string is truncated):
      - macro: bin_dir
        condition: in (/bin, /sbin, /usr/bin, /usr/sbin)
      - list: shell_binaries
        items: [bash, csh, ksh, sh, tcsh, zsh, dash]
      - rule: write_binary_dir
        desc: an attempt to write to any file below a set of binary directories
        condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
        output: "File below a known binary directory opened for writing ( command=%proc.cmdline"
        priority: WARNING
  15. Batteries included. Falco ships with a nice default ruleset for best practices: ● Writing files in bin or etc ● Reading sensitive files ● Terminal spawning in a container ● ... More rules implemented in the draios/falco-extras repository: ● Traefik ● Redis ● Nginx ● PostgreSQL ● ...
  16. Try it out! $ helm install --name sysdig-falco-1 --set fakeEventGenerator.enabled=true stable/falco
  17. Active Security and Response Engine
  18. Current Security Challenges: Breaches may extend for days or weeks before being detected. Attacks are changing to abuse activities rather than data exfiltration. The ephemeral nature of containers may mean you were breached but may never know. Many security paradigms are still reactive.
  19. CNCF Flavor
  20. What worked well? Command Design Pattern. Respect PubSub rules. TDD for Playbooks. Don’t let that Kubeless / NATS code spread through your codebase.
  21. Talk is cheap, show me the code
  22. AWS Flavor
  23. Same old story ... Don’t assume anything from your execution environment. If you don’t test your software, your users will. Welcome changes, even in late phases.
  24. See it in action!
  25. Just a quick summary: Functions look like a good fit for reacting to monitoring events. Do not rely on your infrastructure, make it swappable. Containers add more infrastructure, layers and risks, but we have seen the same security threats before: DDoS, injections ...
  26. Learn more: Blog, Sysdig Secure Website. Join the community: Public Slack
  27. Docker Hub, GitHub (pull requests welcome!), Wiki, Sysdig Docker Usage Report 2018
  28. Thank you very much. Questions? @nestorsalceda
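As an added example (not code from the talk, from Sysdig or from Falco), here is the shape of response engine slides 20 and 25 argue for: playbooks as Command objects, routed by Falco rule name and priority, with the transport (NATS subscription or SNS-triggered Lambda) kept outside the engine so it can be swapped. The alert is a constructed message in Falco's JSON output shape, and the two playbooks and the Engine class are hypothetical.

```python
import json
from abc import ABC, abstractmethod

# Constructed sample alert in Falco's JSON output shape (rule name from slide 14;
# the pod, container and command values are made up for this example).
SAMPLE_ALERT = json.dumps({
    "rule": "write_binary_dir", "priority": "Warning",
    "output": "File below a known binary directory opened for writing (command=touch /bin/evil)",
    "output_fields": {"proc.cmdline": "touch /bin/evil",
                      "container.id": "abc123def456", "k8s.pod.name": "web-7f9c"},
})

class Playbook(ABC):
    """Command object: one response action, unaware of how the alert was delivered."""
    @abstractmethod
    def run(self, alert: dict) -> dict: ...

class IsolatePod(Playbook):
    """Hypothetical playbook: decide which pod to network-isolate (no cluster calls here)."""
    def run(self, alert):
        fields = alert["output_fields"]
        return {"action": "isolate", "pod": fields.get("k8s.pod.name"),
                "container": fields.get("container.id")}

class NotifyChannel(Playbook):
    """Hypothetical playbook: format a chat notification for a given channel."""
    def __init__(self, channel):
        self.channel = channel
    def run(self, alert):
        return {"action": "notify", "channel": self.channel,
                "text": f"[{alert['priority']}] {alert['rule']}: {alert['output']}"}

class Engine:
    """Routes alerts to playbooks by rule name and minimum priority; the transport
    (NATS subscription, SNS -> Lambda event) stays outside so it can be swapped."""
    # Falco priorities from least to most severe (capitalised as in Falco's JSON output).
    LEVELS = ["Debug", "Informational", "Notice", "Warning",
              "Error", "Critical", "Alert", "Emergency"]
    def __init__(self):
        self._routes = {}

    def register(self, rule, playbook, min_priority="Notice"):
        self._routes.setdefault(rule, []).append((min_priority, playbook))

    def handle(self, raw_message: str) -> list:
        """Parse one raw Falco JSON message and run every matching playbook in order."""
        alert = json.loads(raw_message)
        severity = self.LEVELS.index(alert["priority"])
        return [pb.run(alert) for min_p, pb in self._routes.get(alert["rule"], [])
                if severity >= self.LEVELS.index(min_p)]
```

A NATS subscriber callback or a Lambda handler only has to extract the message body and call `Engine.handle`, which keeps the playbooks testable with plain unit tests and no broker or cloud account.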