Known Practices
◎ Use of private registry and trusted images
◎ Continuous vulnerability scanning of images (Trivy, Anchore)
◎ Limit container privileges
◎ Use of network segmentation
◎ Implement least privilege access (RBAC)
◎ Logging and Monitoring
◎ Implement runtime security for threat detection
◎ Preventive and detective policies - Kyverno
◎ Security and Compliance Audits
◎ Certificates, securing endpoints
◎ Many More …
“93% experienced at least one security incident in their Kubernetes environments in the last 12 months”
- State of Kubernetes security report (Kubernetes adoption, security, and market trends report 2022)
Overview of Microsoft Defender for Containers
◎ Cloud-native solution to improve, monitor and maintain the security of your clusters, containers and their applications
◎ Multi-cloud: supports Kubernetes offerings and registries from different CSPs, such as EKS, GKE and ECR
◎ Kubernetes-native deployment at scale
◎ Provides security alerts and remediation capabilities
[Diagram: Container Security, with three pillars: Environment Hardening (cluster configurations), Vulnerability (container image), Runtime Threat Detection]
Environment Hardening
◎ Continuous monitoring of your Kubernetes clusters
○ Wherever they're hosted [AWS - EKS, Azure - AKS, GCP - GKE, on-premises (using Azure Arc)]
○ Continuously assess clusters to provide visibility of misconfigurations
○ Provide Guidelines to mitigate the issues
◎ Kubernetes data plane hardening
○ Azure Policy add on
◉ Extends Gatekeeper v3; required to apply at-scale auditing, enforcement and safeguards on clusters in a centralized, consistent manner.
○ Defender Daemonset
◉ Deployed to each worker node; collects security-related data and sends it to Defender for analysis. Required for runtime protection and security capabilities.
Vulnerability Assessment
◎ Supports Azure ACR and AWS ECR
◎ Triggers
○ On push
○ Recently pulled
○ On import
○ Continuous scan based on an image pull and for running images
◎ View and remediate findings
◎ Disable specific findings, e.g. severity below medium or non-patchable findings
Runtime Threat Protection
◎ Provides real-time threat protection
◎ Generates alerts for suspicious activities
◎ Threat protection at the cluster level
○ Provided by the Defender agent and analysis of the Kubernetes audit logs.
◎ Threat protection at the host level
◎ Monitors the attack surface of multi-cloud Kubernetes deployments based on the MITRE ATT&CK® matrix for Containers
◎ Examples:
○ Exposed Kubernetes dashboards, high-privileged roles, sensitive mounts
○ Anomalous secret access, detected suspicious file download, possible backdoor detected
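The audit-log analysis and the "anomalous secret access" example above, as an added illustration that is not part of the original slides or of Defender for Containers itself: a small detector run over constructed Kubernetes API-server audit events (JSON lines), flagging secret reads by principals outside an assumed per-namespace allowlist and any exec into a pod. The allowlist and the sample events are assumptions made for the example.

```python
import json

# Constructed sample of Kubernetes API-server audit events (one JSON object
# per line); not real cluster data. Only the fields the detector needs are kept.
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:replicaset-controller"},"objectRef":{"resource":"pods","namespace":"payments"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:payments:api"},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"secrets","namespace":"payments"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:default"},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-creds"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"payments","name":"api-7d9f"},"responseStatus":{"code":101}}
"""

# Assumption: service accounts expected to read secrets in each namespace.
# In practice this baseline would come from RBAC review or observed behaviour.
EXPECTED_SECRET_READERS = {
    "payments": {"system:serviceaccount:payments:api"},
}

SECRET_READ_VERBS = {"get", "list", "watch"}


def detect_anomalies(audit_jsonl):
    """Return (rule, user, detail) findings for the audit events given.

    Two rules: secret reads by a principal not on the namespace baseline
    (denied attempts are reported too, since they may indicate probing),
    and exec into a pod by anyone.
    """
    findings = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":  # skip RequestReceived duplicates
            continue
        user = ev.get("user", {}).get("username", "<unknown>")
        ref = ev.get("objectRef", {})
        ns = ref.get("namespace", "")
        code = ev.get("responseStatus", {}).get("code")
        if ref.get("resource") == "secrets" and ev.get("verb") in SECRET_READ_VERBS:
            if user not in EXPECTED_SECRET_READERS.get(ns, set()):
                findings.append(("anomalous_secret_access", user,
                                 f"{ev['verb']} secrets in {ns} -> {code}"))
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            findings.append(("pod_exec", user, f"exec into {ns}/{ref.get('name')}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(SAMPLE_AUDIT_LOG):
        print(f"{rule:25} {user:50} {detail}")
```

Real audit logs carry each request twice (RequestReceived and ResponseComplete), which is why the detector keys on the completed stage only.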
How it works
◎ Defender for Containers receives and analyzes:
○ Audit logs and security events from the API server
○ Cluster configuration information from the control plane
○ Workload configuration from Azure Policy
○ Security signals and events from the node level
◎ Components deployed
○ Azure Policy add-on
◉ Extends Gatekeeper v3; required to apply at-scale auditing, enforcement and safeguards on clusters in a centralized, consistent manner. [azure-policy, azure-policy-webhook]
○ Defender Profile Daemonset
◉ Deployed to each node; provides the runtime protection and collects signals from nodes using eBPF. [microsoft-defender-collector-ds, microsoft-defender-publisher-ds, microsoft-defender-collector-misc]