This document discusses runtime security on Azure Kubernetes Service (AKS). It begins by introducing AKS and how it simplifies Kubernetes deployment and management. It then discusses the security concerns with containers and the need for runtime security. Runtime security involves monitoring activity within containers to detect unwanted behaviors. The document outlines how Sysdig provides runtime security for AKS through its agents that collect syscall data and Kubernetes audit logs. It analyzes this data using policies to detect anomalies and threats across containers, hosts, and Kubernetes clusters. Sysdig also integrates with other tools like Falco and Anchore to provide breadth and depth of security.

1. Getting Started with
Runtime Security on
Azure Kubernetes Service
Eric Carter
Director, Partner Marketing
Sysdig

2. | Sysdig Inc.
Kubernetes: Default OS for Cloud
• Speed innovation
• Drive efficiency
UI
APPLICATION
DATABASE
COMPUTE
DATA
2
Kubernetes
Microservices
Cloud

3. | Sysdig Inc.
Azure Kubernetes Service (AKS)
• Managed Kubernetes on Microsoft Azure
• Designed to simplify the deployment,
management, and operations of Kubernetes
• Automated upgrades, patches
• High reliability and availability
• Easy and secure cluster scaling
• Self-healing
• API server monitoring
• Control plane at no charge
3

4. | Sysdig Inc.
Security Concerns
4
Sysdig 2021 container security and usage report:
Shifting left is not enough – January 13, 2021
https://sysdig.com/blog/sysdig-2021-container-security-usage-report/

5. | Sysdig Inc.
What is Runtime?
5

6. | Sysdig Inc.
What is Container Runtime Security?
• Protection for running containers and
application environment
• Analysis of activity - containers, hosts,
network connections, files, etc.
• Detection and prevention of unknown,
unexpected, and unwanted behavior
6
Key workflow for securing production containers and Kubernetes

7. | Sysdig Inc.
What’s happening inside?
Where is it happening?
Where did it go?
Visibility
Challenges
with
Containers

8. | Sysdig Inc.
Runtime Security for Azure Containers
Azure / AKS Host (node)
Container
1
Container
2
Container
3
Observe runtime events from syscall data
actions,
enforcement
Event details
HosteBPF Program / kernel module
ContainerVision™
Filter with rules
8

9. | Sysdig Inc.
Viewing Data with Kubernetes Context
9
Distributed container workloads
service
1
service
2
service
3
service
4
Organized view of services, apps, pods, etc.
ServiceVision™
“Show me security events by namespace and pod”
AKS / Kubernetes
Metadata

10. | Sysdig Inc.
Sysdig
Agent
API calls
Users
Workloads
Interactions with the
Kube API registered
K8s audit log events
checked against policies Security Events
e.g., RBAC tampering
Activity Audit
e.g., Kubectl exec
Kubernetes
Audit Log
Kube API activity logs
automatically ingested
Runtime Security
Policies
Example Detections
● Did someone store credentials in
a configmap versus secrets?
● Who is exec’ing into a pod and
modify a file? Where was it
initiated from?
● Are users escalating privileges via
RBAC?
Sysdig Secure
Devops Platform
AKS
Incorporating AKS Audit Log Data
10

11. | Sysdig Inc.
Kernel
eBPF Probe
Falco
K8s audit logs Syscall data
Open-Source Falco
Kernel
eBPF Probe
K8s audit logs Syscall data
Sysdig Secure
Sysdig
Secure
● Alert on malicious events
● DIY responses
● Alert on malicious events
● Automatic remediation
● OOB policies (MITRE detection,
compliance, FIM etc)
● K8s native prevention
● SIEM forwarding
● Alerting integrations
Sysdig Secure
Devops Platform
11
Runtime Security Based on Falco

12. | Sysdig Inc.
Why Sysdig for Runtime Security?
Depth
○ Open source Falco based detection engine
○ Out of the box, community driven rules
○ Save time with OOB policies or create custom
policies
Breadth
○ Combine data sources - syscalls, audit logs,
kubernetes context
Single policy interface
○ Detect threats across containers, hosts,
Kubernetes/AKS
○ Manage ‘Policy as code’
Secure containers, Kubernetes and cloud services
Sysdig Secure
Sysdig Monitor
Anchore Engine
12

13. | Sysdig Inc.
Runtime Security for Payment Processing
▸ Difficulty scaling visibility
across cloud environments
▸ No way to effectively police
and audit activity
▸ Proving PCI compliance
Challenge
▸ SaaS-based security and
monitoring with Sysdig
▸ Automated runtime analysis
& intrusion detection
▸ Activity auditing from syscall
data & K8s audit logs
Solution
▸ Achieved results in minutes
with fast onboarding
▸ Improved communication
between DevOps & security
▸ Simplified achieving PCI
compliance
▸ Reduced operational
overhead by 50%
Results
13
Deliver modern payment solutions
with containers and Kubernetes
• Container Platform Engineering
• Cloud Security Architect

14. Demo!

15. | Sysdig Inc.
Sysdig
Secure
Sysdig
Monitor
Security built on open
source foundation
Deep visibility to run
apps confidently
Scale simply with SaaS
and DevOps integrations
Secure containers, Kubernetes and cloud services
Sysdig Secure DevOps Platform
Anchore Engine
15

16. What next?
Take a test drive! https://sysdig.com/trial
Join us for future sessions!
Download security and monitoring guide
https://sysdig.com/partners/microsoft-azure/