SlideShare a Scribd company logo

Securing the Container Pipeline

Salesforce Engineering
Salesforce Engineering

Talk given by Cem Gürkök, Lead InfoSec Engineer at Salesforce, at DockerCon 16 in June 2016 Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment. In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.

Engineering
1 of 39
Securing the Container Pipeline Cem Gürkök Lead InfoSec Engineer Salesforce @CGurkok
Agenda •  Threats •  Container pipelines and integrity •  Monitoring containers, hosts, apps, networks •  Digital Forensics •  Vulnerability Management •  Hardening •  Demo
Threats
Container Threats & Challenges ​ Run-time • Container exploit and resource exposure (App) • Breaking out of container • Cross-container attacks • Resource overuse (DoS) ​ At-rest or transport • Tampering of images • Unpatched OS or applications
Mitigations
“As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” — Donald Rumsfeld
Securing the Pipeline Docker Security Platform Security Access Controls Content Security Monitoring and Response
The Pipeline
Container Pipeline & Security Base OS and Docker File Base OS Image DEV Docker Trusted Registry + Notary Developer RelEng Image DEV Docker Trusted Registry + Notary Continuous Integration PROD Docker Trusted Registry + Notary Running in PROD Monitoring in all steps. 1.  Security Review and Hardening 2.  Signing, Authentication, Image Vulnerability Scans 3.  Authentication, Verification 4.  Signing, Authentication, Image Vulnerability Scans 5.  Authentication 6.  Authentication, Verification 7.  Authentication, Verification, Vulnerability Scans 8.  Incident Response, Digital Forensics, Patching
Access Control: Authentication •  LDAP over SSL for Docker image transactions: •  Users (Devs, RelEng) •  Service accounts •  Mutual TLS Authentication for registry replication Dev Systems Dev Registry Build & Test Master Registry Prod Registry DMZ Services TLS
Container Integrity ​ Docker Trusted Registry (DTR) •  On-premise •  Authenticated transactions with LDAPS authentication •  DEV and PROD user and image separation •  Users will not be able to disable signing validation •  Validation will be transparent to the users
Container Integrity ​ Docker Notary •  Enable Docker Content Trust on consumers •  Can enable signing checks on every managed host •  Signature verification transparent to users Build & Test Notary Master DMZ Services Prod Services Sign Validate Validate
Master Docker Registry DEV DMZ Notary Master LDAPS Auth Notary Signing Dev Docker Registry PROD Mirrored Read-only Registry or Caching Proxy Docker packaged services Mutual TLS Auth HTTPS Pull Validate Dev Systems LDAPS user acct HTTPS Push to Dev Authenticated pulls LDAPS Auth HTTPS Push and Sign HTTPS Pull Sign LDAPS Auth HTTPS Push Already Signed Docker packaged services in DMZ HTTPS No Auth Pull Validate RelEng promotes to DMZ Release case * Andrey Falko, Salesforce Ticketing System
Hardening
Hardening: Host •  Frequent patching •  Install only needed components and libraries (i.e. no gcc or bash) •  Grsecurity/PaX for the kernel •  File system integrity monitoring •  Leverage Linux isolation capabilities!!
Hardening: Container •  Base image and app with latest updates/patches •  Leverage User namespaces (run as low priv user on host) •  Install only needed components and libraries (i.e. no gcc or ssh)
Hardening: Container •  Avoid using Docker with the --privileged flag •  Use --read-only when running containers (immutability) •  Avoid providing access to the docker user and group •  Limit and/or separate host and kernel device access
Hardening: Docker Bench for Security •  Docker Bench for Security to the rescue! • https://github.com/docker/ docker-bench-security •  Checks based on best practices for hosts and containers * https://github.com/docker/docker-bench-security
Hardening: Vulnerability Management ​ Image Scans with tools, such as Docker Security Scanning: • Operating System • Application source code and libraries ​ Network Scans with traditional vuln scanners: • Discovery • Exposed services ​ Auto and Manual source code audits * “Securing the Software Supply Chain with Docker, ” May 2016, Nathan McCauley
Hardening: Vulnerability Management •  Scanning •  Docker Images •  Applications •  Remediation •  Prioritization and SLAs for Patching •  Relaunching containers after patching Δt
Monitoring
Network Infrastructure •  Bridged networking on Host •  Containers assigned VNICs, IP addresses, and hostnames •  Containers isolated via VLANs (i.e. DB, Web App) •  Tap interface for monitoring •  Security Policies per VLANs and Zones
Network Infrastructure
Monitoring: Network ​ Network traffic captured for: • Inter-container communications • Host communications • Resource communications (i.e. DB, Public Internet) ​ Network traffic sent to: • IDS (Intrusion Detection System) • Netflow generator • Output sent to SIEM for analysis
Monitoring: Hosts ​ Logs: • All host logs are saved • SIEM agents consume and forward the logs from hosts • Monitoring, Dashboarding, Alerting at SIEM Host SIEM
Monitoring: Containers & Apps •  Logs are monitored similar to host •  OS + Application logs •  Network activity monitoring •  IP address assignments •  Netflows •  IDS (Intrusion Detection System) •  Raw Network Traffic Capture
Monitoring: Host, Containers & Apps ​ Disk activity monitoring • File system integrity • Run time layer monitoring ​ Memory monitoring • Docker and container process activity • Process integrity: Engine + Container
Digital Forensics
Digital Forensics •  Incident Response Plan/Policies •  Live/Post-mortem Memory Forensics •  Disk Forensics •  Network Monitoring/Forensics
Disk Forensics •  Build supertimeline to have integrated view of events •  Data Sources: •  Raw Disk Image •  Log Files •  Binaries •  Tools •  The Sleuth Kit: File system analysis •  Plaso: Build supertimeline •  dd: Raw disk image dd Sleuth Kit Plaso
Memory Forensics Why Memory Forensics? • Nothing can hide in memory! • Faster artifact discovery vs. disk forensics
Memory Forensics ​ Analyze host memory • Live /dev/*mem • VM memory file • Memory dump/sample ​ Tools: • Analysis (most OS and sample format): • The Volatility Framework • Memory sampling on Linux: LiME, linpmem LiME linpmem
Memory Forensics: Process Hierarchy •  pstree_hash [new]: View Docker processes in a tree view based on the PID hash table vs. linked list •  Use case: Detect rogue or injected child processes/containers
Memory Forensics: Temporary File Systems •  tmpfs: lists and recovers tmpfs file systems from memory •  Use case: monitor file systems
Memory Forensics: Loaded Libraries •  linux_proc_maps: shows process memory maps, their permissions and original file paths (executable and libraries) •  Use case: Detect Shared Library Injections
Memory Forensics: Process Integrity •  process_compare [new]: Detect if user space binary has been tampered with in memory (in memory binary vs. on disk) [5] •  Works when binary symbols can’t be extracted
Summary Platform Security Isolation Hardening Best Practices Vulnerability Scans Content Security Registry Notary Image/Code Signing Image/Code Scanning Access Controls LDAPS User Authentication System Authentication Monitoring and Response IR Plan & Testing Vulnerability Management Network Logs Forensics
thank y u
References 1.  “CIS Docker 1.6 Benchmark,” Center for Internet Security 2.  “Introduction to Container Security,” Docker.com 3.  “Understanding and Hardening Linux Containers,” NCC Group 4.  “The Volatility Framework,” https://github.com/volatilityfoundation/volatility 5.  “Identifying the Unknown in User Space Memory,” Andrew White 6.  “LiME,” https://github.com/504ensicsLabs/LiME 7.  “linpmem,” http://www.rekall-forensic.com/docs/Tools/ 8.  “The Sleuth Kit,” http://www.sleuthkit.org/ 9.  “Plaso,” https://github.com/log2timeline/plaso

Recommended

Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOpsSalesforce Engineering
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOpsSatria Ady Pradana
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoSysdig
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 

Recommended

Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOpsSalesforce Engineering
 
Next Generation Memory Forensics
Next Generation Memory ForensicsNext Generation Memory Forensics
Next Generation Memory ForensicsAndrew Case
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOpsSatria Ady Pradana
 
Behavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoBehavioural activity monitoring on CoreOS with Sysdig Falco
Behavioural activity monitoring on CoreOS with Sysdig FalcoSysdig
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
From zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemFrom zero to SYSTEM on full disk encrypted windows system
From zero to SYSTEM on full disk encrypted windows systemNabeel Ahmed
 
Csw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCsw2016 wang docker_escapetechnology
Csw2016 wang docker_escapetechnologyCanSecWest
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Jose Manuel Ortega Candel
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Kali presentation
Kali presentationKali presentation
Kali presentationZain Ul abadin
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images SecurityJose Manuel Ortega Candel
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 

More Related Content

What's hot

Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityJérôme Petazzoni
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...Docker, Inc.
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure ContainersSysdig
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloudDobrica Pavlinušić
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDocker, Inc.
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolationallingeek
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel securitysmart_bit
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalationjakx_
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 

What's hot (20)

Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
How to Secure Containers
How to Secure ContainersHow to Secure Containers
How to Secure Containers
 
Security of Linux containers in the cloud
Security of Linux containers in the cloudSecurity of Linux containers in the cloud
Security of Linux containers in the cloud
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 
Docker: Aspects of Container Isolation
Docker: Aspects of Container IsolationDocker: Aspects of Container Isolation
Docker: Aspects of Container Isolation
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
 
Container security
Container securityContainer security
Container security
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
Kali presentation
Kali presentationKali presentation
Kali presentation
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
 
Level Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege EscalationLevel Up! - Practical Windows Privilege Escalation
Level Up! - Practical Windows Privilege Escalation
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 

Similar to Securing the Container Pipeline

Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!Sysdig
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfSouvikRoy114738
 
Containers and security
Containers and securityContainers and security
Containers and securitysriram_rajan
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoringVinay Krishna
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers SecurityStephane Woillez
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsDevOps.com
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 
Using Docker in production: Get started today!
Using Docker in production: Get started today!Using Docker in production: Get started today!
Using Docker in production: Get started today!Clarence Bakirtzidis
 

Similar to Securing the Container Pipeline (20)

Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok Securing the Container Pipeline at Salesforce by Cem Gurkok
Securing the Container Pipeline at Salesforce by Cem Gurkok
 
WTF my container just spawned a shell!
WTF my container just spawned a shell!WTF my container just spawned a shell!
WTF my container just spawned a shell!
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Container Security
Container SecurityContainer Security
Container Security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Securing Docker Containers
Securing Docker ContainersSecuring Docker Containers
Securing Docker Containers
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
 
Containers and security
Containers and securityContainers and security
Containers and security
 
Fluentd and docker monitoring
Fluentd and docker monitoringFluentd and docker monitoring
Fluentd and docker monitoring
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Docker Containers Security
Docker Containers SecurityDocker Containers Security
Docker Containers Security
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
Enhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical DeploymentsEnhancing OpenShift Security for Business Critical Deployments
Enhancing OpenShift Security for Business Critical Deployments
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 
Using Docker in production: Get started today!
Using Docker in production: Get started today!Using Docker in production: Get started today!
Using Docker in production: Get started today!
 

More from Salesforce Engineering

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackSalesforce Engineering
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudSalesforce Engineering
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data AnalysisSalesforce Engineering
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveSalesforce Engineering
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteSalesforce Engineering
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesSalesforce Engineering
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Engineering
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro ServicesSalesforce Engineering
 
Apache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseApache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseSalesforce Engineering
 

More from Salesforce Engineering (20)

Locker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With WebpackLocker Service Ready Lightning Components With Webpack
Locker Service Ready Lightning Components With Webpack
 
Scaling HBase for Big Data
Scaling HBase for Big DataScaling HBase for Big Data
Scaling HBase for Big Data
 
Techniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the CloudTechniques to Effectively Monitor the Performance of Customers in the Cloud
Techniques to Effectively Monitor the Performance of Customers in the Cloud
 
Predictive System Performance Data Analysis
Predictive System Performance Data AnalysisPredictive System Performance Data Analysis
Predictive System Performance Data Analysis
 
Apache HBase State of the Project
Apache HBase State of the ProjectApache HBase State of the Project
Apache HBase State of the Project
 
Hit the Trail with Trailhead
Hit the Trail with TrailheadHit the Trail with Trailhead
Hit the Trail with Trailhead
 
HBase/PHOENIX @ Scale
HBase/PHOENIX @ ScaleHBase/PHOENIX @ Scale
HBase/PHOENIX @ Scale
 
Scaling up data science applications
Scaling up data science applicationsScaling up data science applications
Scaling up data science applications
 
Aspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already HaveAspect Oriented Programming: Hidden Toolkit That You Already Have
Aspect Oriented Programming: Hidden Toolkit That You Already Have
 
Monitoring @ Scale in Salesforce
Monitoring @ Scale in SalesforceMonitoring @ Scale in Salesforce
Monitoring @ Scale in Salesforce
 
Performance Tuning with XHProf
Performance Tuning with XHProfPerformance Tuning with XHProf
Performance Tuning with XHProf
 
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache CalciteA Smarter Pig: Building a SQL interface to Pig using Apache Calcite
A Smarter Pig: Building a SQL interface to Pig using Apache Calcite
 
Implementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 MilesImplementing a Content Strategy Is Like Running 100 Miles
Implementing a Content Strategy Is Like Running 100 Miles
 
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief OverviewSalesforce Cloud Infrastructure and Challenges - A Brief Overview
Salesforce Cloud Infrastructure and Challenges - A Brief Overview
 
Koober Preduction IO Presentation
Koober Preduction IO PresentationKoober Preduction IO Presentation
Koober Preduction IO Presentation
 
Finding Security Issues Fast!
Finding Security Issues Fast!Finding Security Issues Fast!
Finding Security Issues Fast!
 
Microservices
MicroservicesMicroservices
Microservices
 
Global State Management of Micro Services
Global State Management of Micro ServicesGlobal State Management of Micro Services
Global State Management of Micro Services
 
The Future of Hbase
The Future of HbaseThe Future of Hbase
The Future of Hbase
 
Apache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use caseApache BookKeeper Distributed Store- a Salesforce use case
Apache BookKeeper Distributed Store- a Salesforce use case
 

Recently uploaded

VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ
 
EduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIEduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIkoyaldeepu123
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineeringmalavadedarshan25
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEroselinkalist12
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024hassan khalil
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidNikhilNagaraju
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixingviprabot1
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfme23b1001
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 

Recently uploaded (20)

young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
VICTOR MAESTRE RAMIREZ - Planetary Defender on NASA's Double Asteroid Redirec...
 
EduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AIEduAI - E learning Platform integrated with AI
EduAI - E learning Platform integrated with AI
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECH
 
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETEINFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
INFLUENCE OF NANOSILICA ON THE PROPERTIES OF CONCRETE
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examplesPOWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes examples
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
Effects of rheological properties on mixing
Effects of rheological properties on mixingEffects of rheological properties on mixing
Effects of rheological properties on mixing
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
Electronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdfElectronically Controlled suspensions system .pdf
Electronically Controlled suspensions system .pdf
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptxExploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
Exploring_Network_Security_with_JA3_by_Rakesh Seal.pptx
 

Securing the Container Pipeline

  • 1. Securing the Container Pipeline Cem Gürkök Lead InfoSec Engineer Salesforce @CGurkok
  • 2. Agenda •  Threats •  Container pipelines and integrity •  Monitoring containers, hosts, apps, networks •  Digital Forensics •  Vulnerability Management •  Hardening •  Demo
  • 4. Container Threats & Challenges ​ Run-time • Container exploit and resource exposure (App) • Breaking out of container • Cross-container attacks • Resource overuse (DoS) ​ At-rest or transport • Tampering of images • Unpatched OS or applications
  • 6. “As we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” — Donald Rumsfeld
  • 9. Container Pipeline & Security Base OS and Docker File Base OS Image DEV Docker Trusted Registry + Notary Developer RelEng Image DEV Docker Trusted Registry + Notary Continuous Integration PROD Docker Trusted Registry + Notary Running in PROD Monitoring in all steps. 1.  Security Review and Hardening 2.  Signing, Authentication, Image Vulnerability Scans 3.  Authentication, Verification 4.  Signing, Authentication, Image Vulnerability Scans 5.  Authentication 6.  Authentication, Verification 7.  Authentication, Verification, Vulnerability Scans 8.  Incident Response, Digital Forensics, Patching
  • 10. Access Control: Authentication •  LDAP over SSL for Docker image transactions: •  Users (Devs, RelEng) •  Service accounts •  Mutual TLS Authentication for registry replication Dev Systems Dev Registry Build & Test Master Registry Prod Registry DMZ Services TLS
  • 11. Container Integrity ​ Docker Trusted Registry (DTR) •  On-premise •  Authenticated transactions with LDAPS authentication •  DEV and PROD user and image separation •  Users will not be able to disable signing validation •  Validation will be transparent to the users
  • 12. Container Integrity ​ Docker Notary •  Enable Docker Content Trust on consumers •  Can enable signing checks on every managed host •  Signature verification transparent to users Build & Test Notary Master DMZ Services Prod Services Sign Validate Validate
  • 13. Master Docker Registry DEV DMZ Notary Master LDAPS Auth Notary Signing Dev Docker Registry PROD Mirrored Read-only Registry or Caching Proxy Docker packaged services Mutual TLS Auth HTTPS Pull Validate Dev Systems LDAPS user acct HTTPS Push to Dev Authenticated pulls LDAPS Auth HTTPS Push and Sign HTTPS Pull Sign LDAPS Auth HTTPS Push Already Signed Docker packaged services in DMZ HTTPS No Auth Pull Validate RelEng promotes to DMZ Release case * Andrey Falko, Salesforce Ticketing System
  • 15. Hardening: Host •  Frequent patching •  Install only needed components and libraries (i.e. no gcc or bash) •  Grsecurity/PaX for the kernel •  File system integrity monitoring •  Leverage Linux isolation capabilities!!
  • 16. Hardening: Container •  Base image and app with latest updates/patches •  Leverage User namespaces (run as low priv user on host) •  Install only needed components and libraries (i.e. no gcc or ssh)
  • 17. Hardening: Container •  Avoid using Docker with the --privileged flag •  Use --read-only when running containers (immutability) •  Avoid providing access to the docker user and group •  Limit and/or separate host and kernel device access
  • 18. Hardening: Docker Bench for Security •  Docker Bench for Security to the rescue! • https://github.com/docker/ docker-bench-security •  Checks based on best practices for hosts and containers * https://github.com/docker/docker-bench-security
  • 19. Hardening: Vulnerability Management ​ Image Scans with tools, such as Docker Security Scanning: • Operating System • Application source code and libraries ​ Network Scans with traditional vuln scanners: • Discovery • Exposed services ​ Auto and Manual source code audits * “Securing the Software Supply Chain with Docker, ” May 2016, Nathan McCauley
  • 20. Hardening: Vulnerability Management •  Scanning •  Docker Images •  Applications •  Remediation •  Prioritization and SLAs for Patching •  Relaunching containers after patching Δt
  • 22. Network Infrastructure •  Bridged networking on Host •  Containers assigned VNICs, IP addresses, and hostnames •  Containers isolated via VLANs (i.e. DB, Web App) •  Tap interface for monitoring •  Security Policies per VLANs and Zones
  • 24. Monitoring: Network ​ Network traffic captured for: • Inter-container communications • Host communications • Resource communications (i.e. DB, Public Internet) ​ Network traffic sent to: • IDS (Intrusion Detection System) • Netflow generator • Output sent to SIEM for analysis
  • 25. Monitoring: Hosts ​ Logs: • All host logs are saved • SIEM agents consume and forward the logs from hosts • Monitoring, Dashboarding, Alerting at SIEM Host SIEM
  • 26. Monitoring: Containers & Apps •  Logs are monitored similar to host •  OS + Application logs •  Network activity monitoring •  IP address assignments •  Netflows •  IDS (Intrusion Detection System) •  Raw Network Traffic Capture
  • 27. Monitoring: Host, Containers & Apps ​ Disk activity monitoring • File system integrity • Run time layer monitoring ​ Memory monitoring • Docker and container process activity • Process integrity: Engine + Container
  • 29. Digital Forensics •  Incident Response Plan/Policies •  Live/Post-mortem Memory Forensics •  Disk Forensics •  Network Monitoring/Forensics
  • 30. Disk Forensics •  Build supertimeline to have integrated view of events •  Data Sources: •  Raw Disk Image •  Log Files •  Binaries •  Tools •  The Sleuth Kit: File system analysis •  Plaso: Build supertimeline •  dd: Raw disk image dd Sleuth Kit Plaso
  • 31. Memory Forensics Why Memory Forensics? • Nothing can hide in memory! • Faster artifact discovery vs. disk forensics
  • 32. Memory Forensics ​ Analyze host memory • Live /dev/*mem • VM memory file • Memory dump/sample ​ Tools: • Analysis (most OS and sample format): • The Volatility Framework • Memory sampling on Linux: LiME, linpmem LiME linpmem
  • 33. Memory Forensics: Process Hierarchy •  pstree_hash [new]: View Docker processes in a tree view based on the PID hash table vs. linked list •  Use case: Detect rogue or injected child processes/containers
  • 34. Memory Forensics: Temporary File Systems •  tmpfs: lists and recovers tmpfs file systems from memory •  Use case: monitor file systems
  • 35. Memory Forensics: Loaded Libraries •  linux_proc_maps: shows process memory maps, their permissions and original file paths (executable and libraries) •  Use case: Detect Shared Library Injections
  • 36. Memory Forensics: Process Integrity •  process_compare [new]: Detect if user space binary has been tampered with in memory (in memory binary vs. on disk) [5] •  Works when binary symbols can’t be extracted
  • 39. References 1.  “CIS Docker 1.6 Benchmark,” Center for Internet Security 2.  “Introduction to Container Security,” Docker.com 3.  “Understanding and Hardening Linux Containers,” NCC Group 4.  “The Volatility Framework,” https://github.com/volatilityfoundation/volatility 5.  “Identifying the Unknown in User Space Memory,” Andrew White 6.  “LiME,” https://github.com/504ensicsLabs/LiME 7.  “linpmem,” http://www.rekall-forensic.com/docs/Tools/ 8.  “The Sleuth Kit,” http://www.sleuthkit.org/ 9.  “Plaso,” https://github.com/log2timeline/plaso