Container Security Using Microsoft Defender

  1. Container Security with Microsoft Defender
     Rahul Khengare
     18th Mar 2023
     DevOps-Pune Meetup Group
  2. About Me
     Sr. Staff Engineer, Zscaler
     ◎ Cloud Security/DevOps/DevSecOps/SRE
     ◎ Blogger (oss-world, thesecuremonk)
     ◎ Co-Organizer
        ○ DevOps-Pune, DevSecOps-Pune
     ◎ Open Source Software and CIS Contributor
     ◎ Past Organization: Cloudneeti, Motifworks, NTT Data
  3. Agenda
     ◎ Need for Container Security
     ◎ Overview of Microsoft Defender for Cloud
     ◎ Microsoft Defender Capabilities
     ◎ How it works
     ◎ Demo
  4. How are you securing the container workloads?
  5. Known Practices
     ◎ Use of private registry and trusted images
     ◎ Continuous vulnerability scanning of images (Trivy, Anchore)
     ◎ Limit container privileges
     ◎ Use of network segmentation
     ◎ Implement least privilege access (RBAC)
     ◎ Logging and monitoring
     ◎ Implement runtime security for threat detection
     ◎ Preventive and detective policies - Kyverno
     ◎ Security and compliance audits
     ◎ Certificates, securing endpoints
     ◎ Many more …
  6. “93% experienced at least one security incident in their Kubernetes environments in the last 12 months” - State of Kubernetes security report
     * Kubernetes adoption, security, and market trends report 2022
  7. Microsoft Defender: What is it? Capabilities? How does it work?
  8. Overview of Microsoft Defender for Containers
     ◎ Cloud-native solution to improve, monitor, and maintain the security of your clusters, containers, and their applications
     ◎ Multi-cloud: supports Kubernetes offerings and registries from different CSPs, such as EKS, GKE, and ECR
     ◎ Kubernetes-native deployment at scale
     ◎ Provides security alerts and remediation capabilities
     [Diagram: Container Security: Run Time (Threat Detection), Environment Hardening (Cluster Configurations), Vulnerability (Container Image)]
  9. Environment Hardening
     ◎ Continuous monitoring of your Kubernetes clusters
        ○ Wherever they're hosted [AWS - EKS, Azure - AKS, GCP - GKE, on-premises (using Arc)]
        ○ Continuously assesses clusters to provide visibility into misconfigurations
        ○ Provides guidelines to mitigate the issues
     ◎ Kubernetes data plane hardening
        ○ Azure Policy add-on
           ◉ Extends Gatekeeper v3; required to apply at-scale auditing, enforcement, and safeguards on clusters in a centralized, consistent manner.
        ○ Defender DaemonSet
           ◉ Deployed to each worker node; collects security-related data and sends it to Defender for analysis. Required for runtime protections and security capabilities.
  10. Environment Hardening
  11. Vulnerability Assessment
     ◎ Supports Azure ACR and AWS ECR
     ◎ Triggers
        ○ On push
        ○ Recently pulled
        ○ On import
        ○ Continuous scan based on an image pull and for running images
     ◎ View and remediate findings
     ◎ Disable specific findings, such as severity below medium or non-patchable findings
  12. Runtime Threat Protection
     ◎ Provides real-time threat protection
     ◎ Generates alerts for suspicious activities
     ◎ Threat protection at the cluster level
        ○ Provided by the Defender agent and analysis of the Kubernetes audit logs
     ◎ Threat protection at the host level
     ◎ Monitors the attack surface of multi-cloud Kubernetes deployments based on the MITRE ATT&CK® matrix for Containers
     ◎ Examples:
        ○ Exposed Kubernetes dashboards, high-privileged roles, sensitive mounts
        ○ Anomalous secret access, detected suspicious file download, possible backdoor detected
  13. Runtime Protection - Alerts
  14. How it works
     ◎ Defender for Containers receives and analyzes:
        ○ Audit logs and security events from the API server
        ○ Cluster configuration information from the control plane
        ○ Workload configuration from Azure Policy
        ○ Security signals and events from the node level
     ◎ Components deployed
        ○ Azure Policy add-on
           ◉ Extends Gatekeeper v3; required to apply at-scale auditing, enforcement, and safeguards on clusters in a centralized, consistent manner. [azure-policy, azure-policy-webhook]
        ○ Defender profile DaemonSet
           ◉ Deployed to each node; provides the runtime protections and collects signals from nodes using eBPF technology. [microsoft-defender-collector-ds, microsoft-defender-publisher-ds, microsoft-defender-collector-misc]
  15. How it works for AKS
  16. How it works for EKS
  17. How it works for GKE
  18. Demo Defender in Action…
  19. Thanks! Any questions?
  20. References
     ◎ Microsoft Defender for Containers
     ◎ Runtime alerts for Kubernetes cluster
     ◎ Azure provided container recommendations
     ◎ Vulnerable K8s for testing
     ◎ Azure Policies for K8s
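
Slide 14 names the workloads that the Azure Policy add-on and the Defender profile deploy. The shell function below is an added example, not part of the original deck or of Microsoft's tooling: it reads `kubectl get pods -A --no-headers` output and lists which of those components have no pod in the Running state. The sample listing, including its namespaces and pod name suffixes, is constructed for illustration.

```shell
#!/bin/sh
# Component names taken from slide 14 of the deck.
EXPECTED="azure-policy azure-policy-webhook microsoft-defender-collector-ds microsoft-defender-publisher-ds microsoft-defender-collector-misc"

# Reads `kubectl get pods -A --no-headers` output on stdin
# (columns: NAMESPACE NAME READY STATUS ...) and prints every expected
# component that has no pod in Running state.
missing_components() {
  awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, want, " ") }
    $4 == "Running" {
      # Attribute the pod to the longest matching component name, so an
      # azure-policy-webhook pod is not counted as azure-policy.
      best = ""
      for (i = 1; i <= n; i++)
        if (index($2, want[i] "-") == 1 && length(want[i]) > length(best))
          best = want[i]
      if (best != "") seen[best] = 1
    }
    END { for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i] }
  '
}

# Constructed sample listing (namespaces and pod suffixes are made up).
sample_listing() {
  cat <<'EOF'
kube-system        azure-policy-7c9d8f6b5d-x2k4q                      1/1  Running           0   3d
gatekeeper-system  azure-policy-webhook-5f7b9c8d4-m8n2p               1/1  Running           0   3d
kube-system        microsoft-defender-collector-ds-4hj7w              2/2  Running           0   3d
kube-system        microsoft-defender-publisher-ds-9tq2z              0/1  CrashLoopBackOff  12  3d
kube-system        microsoft-defender-collector-misc-6b8d9f7c5-lp3vx  1/1  Running           0   3d
kube-system        coredns-59b6bf8b4f-abcde                           1/1  Running           0   9d
EOF
}

# Report on the constructed sample.
sample_listing | missing_components
# On a live cluster: kubectl get pods -A --no-headers | missing_components
```

An empty result means every component from slide 14 has at least one Running pod; any name printed is a gap in hardening or runtime coverage worth investigating before relying on Defender alerts.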