Néstor Salceda, profile picture
Uploaded byNéstor Salceda
98 views

Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona

Néstor Salceda, an integrations engineer at Sysdig, discussed implementing active security with Sysdig Falco during a meetup in Barcelona on September 27, 2018. The presentation covered the layers of container security, including vulnerability management, anomaly detection, and behavioral activity monitoring using configurable rules. Salceda emphasized the importance of proactive security measures in the ephemeral container environment and invited contributions to the open-source project.

Embed presentation

Download to read offline
Néstor Salceda, Integrations Engineer Docker Barcelona Meetup Sept 27th 2018 Implementing Active Security with Sysdig Falco
@nestorsalceda • I work at Sysdig • Security and Monitoring passionate • Open Source enthusiast • Daddy of twins • Kubernetes member: Maintainer of Sysdig and Falco Helm charts • Judo, Aikido and other Gendai Budo martial arts lover
Active Security and Response Engine CNCF Flavor: NATS & Kubeless approach AWS Flavor: SNS & Lambda approach Layers of Container Security Agenda What is Sysdig Falco?
• Layers of Container Security
Networking Cluster Container Runtime Host Infrastructure
Vulnerability Management: ● Upstream OS ● Application Vulnerabilities Image / Software Provenance: ● Signed Images / Layers ● Artifact Signing Build
Secure Secrets Anomaly Detection Forensics Service / Container Admittance Runtime
What is Sysdig Falco?
• Detects suspicious activity defined by a set of rules • Uses Sysdig’s flexible and powerful filtering expressions Behavioral Activity Monitor • Uses Sysdig’s container and orchestrator support Full Support of Containers Orchestration Flexible Notification Methods Open Source Software • Files • STDOUT • Syslog • Execute other programs • And more ... • Welcome contributions • Transparency
Filter expressions A shell is run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
falco_probe Kernel Module Kernel User Syscalls Sysdig Libraries Events Alerting Falco Rules Suspicious Events File Syslog Stdout Filter Expression Shell
More rules implemented in draios/falco-extras repository: ● Traefik ● Redis ● Nginx ● PostgreSQL Falco ships with a nice default ruleset for best practices: ● Writing files in bin or etc ● Reading sensitive files ● Terminal spawning in a container Batteries included
Rules - macro: bin_dir condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
Try it out! $ helm install --name sysdig-falco-1 --set fakeEventGenerator.enabled=true stable/falco
Active Security and Response Engine
Breaches may extend for days or weeks before detected Attacks are changing to abuse activities rather than data exfiltration Ephemeral nature of containers may mean you were breached but may never know Many security paradigms are still reactive Current Security Challenges
CNCF Flavor
Don’t let that Kubeless code spreads in your codebase Command Design Pattern Respect PubSub rules TDD with Playbooks What worked well?
Talk is cheap, show me the code
AWS Flavor
Don’t assume anything from your execution environment If you don’ t test your software, your users will do Welcome changes. Even in late phases. Same old story ...
See it in action!
Functions looks like a good fit for react to monitoring events Do not rely on your infrastructure, make it swappable Containers adds more infrastructure, layers and risks. But we have seen them before: DDoS, Injections ... Just a quick summary
Moltes gràcies Questions? nestor@sysdig.com @nestorsalceda

More Related Content

PDF
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
byNéstor Salceda
 
PDF
Securing your Kubernetes applications
byNéstor Salceda
 
PDF
Container Security Mmanagement
bySuresh Thivanka Rupasinghe
 
PDF
Docker Security - Secure Container Deployment on Linux
byMichael Boelen
 
PDF
Container Security Deep Dive & Kubernetes
byAqua Security
 
PPTX
Host Intrusion Detection like a Boss
byAndré Lima
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
bySysdig
 
ODP
OpenShift & SELinux with Dan Walsh @rhatdan
byOpenShift Origin
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
byNéstor Salceda
 
Securing your Kubernetes applications
byNéstor Salceda
 
Container Security Mmanagement
bySuresh Thivanka Rupasinghe
 
Docker Security - Secure Container Deployment on Linux
byMichael Boelen
 
Container Security Deep Dive & Kubernetes
byAqua Security
 
Host Intrusion Detection like a Boss
byAndré Lima
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
bySysdig
 
OpenShift & SELinux with Dan Walsh @rhatdan
byOpenShift Origin
 

What's hot

PPTX
Hug #9 who's keeping your secrets
byCameron More
 
PDF
Securing your Container Environment with Open Source
byMichael Ducy
 
PDF
How abusing the Docker API led to remote code execution same origin bypass an...
byAqua Security
 
PPTX
Security best practices for kubernetes deployment
byMichael Cherny
 
PDF
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
byDavid Timothy Strauss
 
PDF
Kubernetes - Security Journey
byJerry Jalava
 
PDF
FOSE 2011: DNSSEC and the Government, Lessons Learned
byNeustar, Inc.
 
PDF
Container Security
byJie Liau
 
PPTX
2016 TTL Security Gap Analysis with Kali Linux
byJason Murray
 
ODP
Certificate based access type in openstack Manila @ openstack paris nov. 2014
byDeepak Shetty
 
PDF
Custom Rules & Broken Tools
byNotSoSecure Global Services
 
PPTX
Kali Linux - Falconer
byTony Godfrey
 
PDF
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
byJanith Malinga
 
PDF
IPv6 Threat Presentation
byjohnmcclure00
 
PDF
RSA APJ Velociraptor Lab
byVelocidex Enterprises
 
PDF
Modern Reconnaissance Phase on APT - protection layer
byShakacon
 
PDF
Open Source Software - Please Drink Responsibly
byDaniel Sauble
 
PDF
Automating Security Response with Serverless
byMichael Ducy
 
PDF
Using IPS for Web Protection
byConferencias FIST
 
PDF
London HUG 19/5 - Kubernetes and vault
byLondon HashiCorp User Group
 
Hug #9 who's keeping your secrets
byCameron More
 
Securing your Container Environment with Open Source
byMichael Ducy
 
How abusing the Docker API led to remote code execution same origin bypass an...
byAqua Security
 
Security best practices for kubernetes deployment
byMichael Cherny
 
Don't Build "Death Star" Security - O'Reilly Software Architecture Conference...
byDavid Timothy Strauss
 
Kubernetes - Security Journey
byJerry Jalava
 
FOSE 2011: DNSSEC and the Government, Lessons Learned
byNeustar, Inc.
 
Container Security
byJie Liau
 
2016 TTL Security Gap Analysis with Kali Linux
byJason Murray
 
Certificate based access type in openstack Manila @ openstack paris nov. 2014
byDeepak Shetty
 
Custom Rules & Broken Tools
byNotSoSecure Global Services
 
Kali Linux - Falconer
byTony Godfrey
 
Practical security monitoring with ELASTIC STACK by Janith Malinga econ2019
byJanith Malinga
 
IPv6 Threat Presentation
byjohnmcclure00
 
RSA APJ Velociraptor Lab
byVelocidex Enterprises
 
Modern Reconnaissance Phase on APT - protection layer
byShakacon
 
Open Source Software - Please Drink Responsibly
byDaniel Sauble
 
Automating Security Response with Serverless
byMichael Ducy
 
Using IPS for Web Protection
byConferencias FIST
 
London HUG 19/5 - Kubernetes and vault
byLondon HashiCorp User Group
 

Similar to Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona

PDF
Docker Runtime Security
bySysdig
 
PDF
WTF my container just spawned a shell!
bySysdig
 
PDF
Falco docker barcelona
bymateobur
 
PPTX
How to Secure Containers
bySysdig
 
PDF
Container Runtime Security with Falco, by Néstor Salceda
byCloud Native Day Tel Aviv
 
PDF
Falco meetup OpenShift
byStephane Woillez
 
PDF
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
byContainerDay Security 2023
 
PDF
Sysdig Open Source Intro
byMichael Ducy
 
PDF
CI / CD / CS - Continuous Security in Kubernetes
bySysdig
 
PDF
David container security-with_falco
byLorenzo David
 
ODP
Continuous Security
bySysdig
 
PDF
Container Runtime Security with Falco
byMichael Ducy
 
PDF
Sysdig Tokyo Meetup 2018 02-27
byMichael Ducy
 
PDF
Image Scanning Best Practices for Containers and Kubernetes
byDevOps.com
 
PPTX
You're monitoring Kubernetes Wrong
bySysdig
 
PDF
Let's Do Bad Things to Unsecured Containers
byGene Gotimer
 
PDF
The Container Security Checklist
byLibbySchulze
 
PDF
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
byChristopher Doman
 
PPTX
Docker_Security_Complete_Guide for audit
byCseManit
 
PDF
Fun with FUSE
byKernel TLV
 
Docker Runtime Security
bySysdig
 
WTF my container just spawned a shell!
bySysdig
 
Falco docker barcelona
bymateobur
 
How to Secure Containers
bySysdig
 
Container Runtime Security with Falco, by Néstor Salceda
byCloud Native Day Tel Aviv
 
Falco meetup OpenShift
byStephane Woillez
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
byContainerDay Security 2023
 
Sysdig Open Source Intro
byMichael Ducy
 
CI / CD / CS - Continuous Security in Kubernetes
bySysdig
 
David container security-with_falco
byLorenzo David
 
Continuous Security
bySysdig
 
Container Runtime Security with Falco
byMichael Ducy
 
Sysdig Tokyo Meetup 2018 02-27
byMichael Ducy
 
Image Scanning Best Practices for Containers and Kubernetes
byDevOps.com
 
You're monitoring Kubernetes Wrong
bySysdig
 
Let's Do Bad Things to Unsecured Containers
byGene Gotimer
 
The Container Security Checklist
byLibbySchulze
 
The Ultimate Guide to Docker & Kubernetes Forensics and Incident Response.pdf
byChristopher Doman
 
Docker_Security_Complete_Guide for audit
byCseManit
 
Fun with FUSE
byKernel TLV
 

Recently uploaded

PDF
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
PPTX
Social media app presentation snapgram.pptx
byrayessafa21
 
PPTX
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
PPTX
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
PDF
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
PPTX
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
PDF
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
PPTX
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 
diznijevi junaci na paradi panini album.pdf
byStefanFilipovic9
 
Social media app presentation snapgram.pptx
byrayessafa21
 
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
Introduction to Multi-dimentional array.pptx
byOmar Fernandez
 
WAN-IFRA World Press Trends 2025-26 key insights
byDamian Radcliffe
 
Analysis Intelligence in Cyber Protection.pptx
byOmar Fernandez
 
GTI Solution Overview.pdf useful for security solution
by33fastfast
 
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
bynaloskihristo
 

Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona

  • 1.
    Néstor Salceda, IntegrationsEngineer Docker Barcelona Meetup Sept 27th 2018 Implementing Active Security with Sysdig Falco
  • 2.
    @nestorsalceda • I workat Sysdig • Security and Monitoring passionate • Open Source enthusiast • Daddy of twins • Kubernetes member: Maintainer of Sysdig and Falco Helm charts • Judo, Aikido and other Gendai Budo martial arts lover
  • 3.
    Active Security andResponse Engine CNCF Flavor: NATS & Kubeless approach AWS Flavor: SNS & Lambda approach Layers of Container Security Agenda What is Sysdig Falco?
  • 4.
  • 5.
  • 6.
    Vulnerability Management: ● UpstreamOS ● Application Vulnerabilities Image / Software Provenance: ● Signed Images / Layers ● Artifact Signing Build
  • 7.
  • 8.
  • 9.
    • Detects suspiciousactivity defined by a set of rules • Uses Sysdig’s flexible and powerful filtering expressions Behavioral Activity Monitor • Uses Sysdig’s container and orchestrator support Full Support of Containers Orchestration Flexible Notification Methods Open Source Software • Files • STDOUT • Syslog • Execute other programs • And more ... • Welcome contributions • Transparency
  • 10.
    Filter expressions A shellis run in a container container.id != host and proc.name = bash Overwrite system binaries fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write Container namespace change evt.type = setns and not proc.name in (docker, sysdig) Non-device files written in /dev (evt.type = create or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null Process tries to access camera evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
  • 11.
  • 12.
    More rules implementedin draios/falco-extras repository: ● Traefik ● Redis ● Nginx ● PostgreSQL Falco ships with a nice default ruleset for best practices: ● Writing files in bin or etc ● Reading sensitive files ● Terminal spawning in a container Batteries included
  • 13.
    Rules - macro: bin_dir condition:fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) - list: shell_binaries items: [bash, csh, ksh, sh, tcsh, zsh, dash] - rule: write_binary_dir desc: an attempt to write to any file below a set of binary directories condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)" priority: WARNING
  • 14.
    Try it out! $helm install --name sysdig-falco-1 --set fakeEventGenerator.enabled=true stable/falco
  • 15.
  • 16.
    Breaches may extendfor days or weeks before detected Attacks are changing to abuse activities rather than data exfiltration Ephemeral nature of containers may mean you were breached but may never know Many security paradigms are still reactive Current Security Challenges
  • 17.
  • 19.
    Don’t let thatKubeless code spreads in your codebase Command Design Pattern Respect PubSub rules TDD with Playbooks What worked well?
  • 20.
  • 21.
  • 22.
    Don’t assume anythingfrom your execution environment If you don’ t test your software, your users will do Welcome changes. Even in late phases. Same old story ...
  • 23.
    See it inaction!
  • 24.
    Functions looks likea good fit for react to monitoring events Do not rely on your infrastructure, make it swappable Containers adds more infrastructure, layers and risks. But we have seen them before: DDoS, Injections ... Just a quick summary
  • 25.