
Container Runtime Security with Falco, by Néstor Salceda

In any Cloud Native architecture there’s a seemingly endless stream of events that happen at each layer. These events can be used to detect abnormal activity and possible security incidents, as well as providing an audit trail of activity.

In this talk we’ll cover how we extended Falco to ingest events beyond just host system calls, such as Kubernetes audit events or even application level events. We will also show how to create Falco rules to detect behaviors in these new event streams. We show how we implemented Kubernetes audit events in Falco, and how to configure the event stream.

Published in: Technology

  1. Container Runtime Security Detection with Falco. Néstor Salceda, Integrations Team Lead. Cloud Native & Edge Computing Summit Israel, Nov 12th 2019
  2. @nestorsalceda
     • Open Source enthusiast
     • I work at Sysdig
     • Daddy of twins
     • Judo & Aikido aficionado
     • Kubernetes member: Sysdig and Falco Helm Charts & Operators
     • kubectl-capture plugin author
     • securityhub.dev lead engineer
     • Falco contributor
  3. Agenda
     • Container run-time security
     • Anomaly detection using Falco
     • A quick view of Falco rules
     • Active security: demo of Kubernetes Response Engine
  4. Container Run-time Security
  5. How to do security?
     • Establish trust boundaries (dev vs prod)
     • Identify, minimise and harden attack surfaces
     • Reduce scope and access
     • Layer protections and defenses
     • Traceability and test
  6. How did containers change the game?
     • Many security paradigms are still reactive
     • No tools inside the container
     • Breaches may extend for days or weeks before being detected
     • Attacks are shifting towards abusing compute (crypto haXx0rz!) rather than data exfiltration
     • The ephemeral nature of containers means that in the event of a security breach you may never know
  7. Detect intrusion in containers
     • Containers are isolated processes
     • Processes are scoped as to what's expected
     • Image scanning is necessary but not enough
     • Container images are immutable, runtime environments often aren't
     • How do you detect abnormal behavior?
  8. Anomaly detection using Falco
  9. Falco
     • Behavioral Activity Monitor
       – Detects suspicious activity defined by a set of rules
       – securityhub.dev
       – Uses Sysdig's flexible and powerful filtering expressions
     • Full Support of Container Orchestration
       – Uses Sysdig's container and orchestrator support
       – It can also receive events from the K8s audit log
     • Flexible Notification Methods
       – Files
       – STDOUT
       – Syslog
       – gRPC
       – Execute other programs
       – And more ...
     • Open Source Software
       – CNCF Sandbox Project
       – Welcome contributors
       – Transparency & Governance
  10. Falco extended architecture (diagram). Kernel space: events captured by the kernel module / eBPF probe. User space: Sysdig libraries, filter expression, Falco rules, web server (for audit logs & metadata) and alerting. Suspicious events are sent to a shell, STDOUT, a file or gRPC.
  11. Deployment (diagram). A custom app container, an NGINX container and the Falco container run on the same host; Falco's kernel instrumentation observes the system calls they make to the host / OS kernel.
  12. Syscalls for observability?
     • clone() and execve() give you insight into processes and commands
     • open(), close(), read() and write() offer visibility on I/O
     • socket(), connect() and accept() give insight into the network
  13. A quick view of Falco Rules
  14. Falco rules: a YAML file containing Macros, Lists, and Rules

       - list: bin_dirs
         items: [/bin, /sbin, /usr/bin, /usr/sbin]

       - macro: bin_dir
         condition: fd.directory in (bin_dirs)

       - rule: write_binary_dir
         desc: an attempt to write to any file below a set of binary directories
         condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
         output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
         priority: WARNING
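To make the list / macro / rule layering concrete, here is an added example (not Falco's own rule engine, and not code from the talk) that expands the slide's list and macros into Python predicates and runs the rule's condition over a few constructed syscall events. The `open_write` and `package_mgmt_procs` macros are referenced on the slide but not defined there, so the simplified definitions below are assumptions; the `Event` class and all sample values are constructed for this example.

```python
"""Evaluate the Falco rule from slide 14 against constructed syscall events.

Added example, not Falco's own rule engine: it expands the list and macros
by hand and applies the rule condition to a few hand-built event records so
the reader can see which events the rule fires on and which it ignores.
"""
import os
import re
from dataclasses import dataclass

# From the slide: the bin_dirs list and the output template of write_binary_dir.
BIN_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin"]
OUTPUT_TEMPLATE = ("File below a known binary directory opened for writing "
                   "(user=%user.name command=%proc.cmdline file=%fd.name)")

# The rule also uses the macros open_write and package_mgmt_procs, which the
# slide references but does not define. The definitions below are simplified
# assumptions for this example, not Falco's default macros.
PACKAGE_MGMT_PROCS = ["dpkg", "apt", "apt-get", "yum", "rpm", "apk"]


@dataclass
class Event:
    """A syscall event carrying the Falco fields the rule condition reads."""
    evt_type: str        # evt.type, e.g. "open" or "openat"
    evt_dir: str         # evt.dir: ">" on syscall entry, "<" on syscall exit
    fd_name: str         # fd.name: full path of the file
    is_open_write: bool  # whether the open flags request write access
    proc_name: str       # proc.name
    proc_cmdline: str    # proc.cmdline
    user_name: str       # user.name

    def field(self, name: str) -> str:
        """Resolve a Falco field name such as 'fd.directory' for this event."""
        return {
            "evt.type": self.evt_type,
            "fd.name": self.fd_name,
            "fd.directory": os.path.dirname(self.fd_name),
            "proc.name": self.proc_name,
            "proc.cmdline": self.proc_cmdline,
            "user.name": self.user_name,
        }[name]


def bin_dir(e: Event) -> bool:
    """macro bin_dir: fd.directory in (bin_dirs)"""
    return e.field("fd.directory") in BIN_DIRS


def open_write(e: Event) -> bool:
    """Assumed simplification of Falco's open_write macro."""
    return e.evt_type in ("open", "openat") and e.is_open_write


def package_mgmt_procs(e: Event) -> bool:
    """Assumed simplification: the process is a known package manager."""
    return e.proc_name in PACKAGE_MGMT_PROCS


def write_binary_dir(e: Event) -> bool:
    """rule write_binary_dir: bin_dir and evt.dir = < and open_write and not package_mgmt_procs"""
    return bin_dir(e) and e.evt_dir == "<" and open_write(e) and not package_mgmt_procs(e)


def render(template: str, e: Event) -> str:
    """Substitute %field.name placeholders the way Falco's output line does."""
    return re.sub(r"%([a-z_.]+)", lambda m: e.field(m.group(1)), template)


def evaluate(events):
    """Return one rendered WARNING line per event matched by the rule."""
    return [render(OUTPUT_TEMPLATE, e) for e in events if write_binary_dir(e)]


# Constructed sample events (all values invented for this example).
SAMPLE_EVENTS = [
    # 1. shell overwriting a system binary: matches
    Event("openat", "<", "/usr/bin/ls", True, "bash", "bash -c cp /tmp/ls /usr/bin/ls", "root"),
    # 2. package manager writing the same directory: excluded by package_mgmt_procs
    Event("openat", "<", "/usr/bin/curl", True, "apt-get", "apt-get install curl", "root"),
    # 3. read-only open of a binary: open_write is false
    Event("openat", "<", "/usr/bin/ls", False, "cat", "cat /usr/bin/ls", "app"),
    # 4. write outside the listed directories: bin_dir is false
    Event("openat", "<", "/tmp/ls", True, "bash", "bash -c cp /usr/bin/ls /tmp/ls", "app"),
    # 5. syscall entry event: the rule only looks at the exit (evt.dir = <)
    Event("openat", ">", "/usr/bin/ls", True, "bash", "bash -c cp /tmp/ls /usr/bin/ls", "root"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("WARNING", line)
```

Only the first sample event produces an alert. Two details of the rule are worth noticing: `evt.dir = <` restricts matching to the syscall exit, which is the event that carries the resulting file descriptor and hence `fd.name`, and `fd.directory in (bin_dirs)` matches files directly inside the listed directories only, so a write to a subdirectory such as /usr/bin/sub/x would not trigger this rule as written.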
  15. Batteries included. Falco ships with several rules that implement best practices for containers:
     • Writing files in /bin or /etc
     • Reading sensitive files
     • Terminal spawn in a container
     • ...
  16. securityhub.dev
     • A platform for discovering, sharing and using Cloud-Native resources related to Kubernetes security
     • Browse existing security best practices, components and use cases
     • Contribute by simply creating a PR
  17. Active Security with Kubernetes Response Engine
  18. Trusting humans again?
     • Responding to security incidents should not be an improvised or non-scripted activity
     • It is important that workflows and action plans are created in advance, so that the team's response to an incident is consistent, focused and repeatable
  19. Response engine on Kubernetes (diagram). https://sysdig.com/blog/container-security-orchestration-falco-splunk-phantom/ Falco runs as a DaemonSet on the Kubernetes nodes; the Falco container writes events, enriched with K8s metadata (kubelet API, application deployments), to a Linux pipe read by a falco-nats sidecar, which publishes them to a topic. Functions F(x) subscribe to 1..N topics and execute a reaction, i.e. kill the offending pod through the Kubernetes API, or send a webhook notification.
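The response engine on this slide is only useful if the reactions are scripted ahead of time, as slide 18 argues. The following added example (not the Kubernetes Response Engine's own code, and not from the talk) shows that pattern: it parses one Falco alert in Falco's JSON output format, looks the rule up in a playbook prepared in advance, and returns the reaction it would execute rather than executing it. The sample alert is constructed, the `falco.<priority>.<rule>` topic layout is an assumption, and the rule names in the playbook are assumed to match those of Falco's default ruleset.

```python
"""Scripted reaction to a Falco alert, in the spirit of slides 18 and 19.

Added example, not the Kubernetes Response Engine's own code. It parses one
Falco alert in Falco's JSON output format, looks the rule up in a playbook
written in advance and returns the reaction it would execute, without
running anything.
"""
import json
import re

# Constructed sample alert. The key layout (output, priority, rule, time,
# output_fields) follows Falco's JSON output; every value is invented.
SAMPLE_ALERT = json.dumps({
    "output": ("19:04:22.123456789: Notice A shell was spawned in a container "
               "with an attached terminal (user=root container_id=deadbeef1234 "
               "shell=bash parent=runc cmdline=bash)"),
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2019-11-12T19:04:22.123456789Z",
    "output_fields": {
        "container.id": "deadbeef1234",
        "k8s.ns.name": "payments",
        "k8s.pod.name": "checkout-7c9d8f6b5-x2k9q",
        "proc.cmdline": "bash",
        "user.name": "root",
    },
})

# Playbook prepared ahead of time (slide 18): rule name -> reaction. The rule
# names are assumed to match those of Falco's default ruleset.
PLAYBOOK = {
    "Terminal shell in container": "delete_pod",
    "Write below binary dir": "delete_pod",
    "Read sensitive file untrusted": "label_pod",
}


def subject_for(alert: dict) -> str:
    """Topic the alert would be published to. The layout
    falco.<priority>.<rule> is an assumption made for this example."""
    rule = re.sub(r"[^a-z0-9]+", "_", alert["rule"].lower()).strip("_")
    return f"falco.{alert['priority'].lower()}.{rule}"


def plan_reaction(raw_alert: str) -> dict:
    """Decide what to do with one alert; returns the plan, never runs it."""
    alert = json.loads(raw_alert)
    fields = alert.get("output_fields", {})
    ns, pod = fields.get("k8s.ns.name"), fields.get("k8s.pod.name")
    action = PLAYBOOK.get(alert["rule"], "notify_only")
    plan = {"subject": subject_for(alert), "action": action,
            "namespace": ns, "pod": pod, "argv": None}
    if action != "notify_only" and not (ns and pod):
        # Without pod metadata there is nothing to target: fall back to notifying.
        plan["action"] = "notify_only"
    elif action == "delete_pod":
        plan["argv"] = ["kubectl", "delete", "pod", pod, "-n", ns]
    elif action == "label_pod":
        plan["argv"] = ["kubectl", "label", "pod", pod, "-n", ns,
                        "falco-alert=true", "--overwrite"]
    return plan


if __name__ == "__main__":
    print(json.dumps(plan_reaction(SAMPLE_ALERT), indent=2))
```

Keeping the decision (`plan_reaction`) separate from the execution is what makes the response consistent and repeatable: the playbook can be reviewed and tested offline, an alert that lacks pod metadata degrades to a notification instead of a failed or misdirected `kubectl` call, and the returned `argv` is exactly what a subscriber function F(x) would hand to the Kubernetes API.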
  20. Thank you very much!
