
Container Runtime Security with Falco

Effective security requires a layered approach. If one layer is compromised, the additional layers will (hopefully) stop an attacker from going further. Much of container security has focused on the image build process and providing provenance for the artifacts in a container image, and on restricting kernel-level tunables in the container runtime (seccomp, SELinux, capabilities, etc.). What if we could also detect abnormal behavior in the application and the container runtime environment? In this talk we present Falco, an open source project for runtime security, and discuss how it provides application and container runtime security. We show how Falco taps Linux system calls to provide low-level insight into application behavior, and how to write Falco rules to detect abnormal behavior. Finally, we show how Falco can trigger notifications to stop abnormal behavior, notify humans, and isolate the compromised application for forensics. Attendees will leave with a better understanding of the container security landscape, what problems runtime security solves, and how Falco can provide runtime security and incident response.



  1. Container Runtime Security with Falco (@mfdii)
  2. Layers of Container Security: Infrastructure, Build, Runtime
  3. Infrastructure Security: Network, Storage, Host, Cluster, Container Runtime
  4. Infrastructure
  5. Build Security: three containers (App Code, App Runtime, Libraries, OS) on the Container Runtime, over Cluster, Host, Storage and Network
  6. Build
  7. Runtime Security: the same stack diagram as slide 5
  8. Runtime
  9. Sysdig Falco
  10. Anomaly Detection
  11. Sysdig Falco
  12. Home Security Analogy
  13. Home Security Analogy
  14. Home Security Analogy
  15. Home Security Analogy
  16. Quick examples
  17. Falco architecture
  18. Falco Rules
  19. Falco rules:

         - macro: bin_dir
           condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)

         - list: shell_binaries
           items: [bash, csh, ksh, sh, tcsh, zsh, dash]

         - rule: write_binary_dir
           desc: an attempt to write to any file below a set of binary directories
           condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
           output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
           priority: WARNING

  20. Falco rules
  21. Falco rules
  22. Conditions and Sysdig Filter Expressions: fd (file descriptors), process (processes), evt (system events), user (users), group (groups), syslog (syslog messages), container (container info), fdlist (FD poll events), k8s (Kubernetes events), mesos (Mesos events), span (start/stop markers), evtin (filter based on spans)
  23. Quick examples
  24. Alerts and outputs
  25. A Custom Falco Rule:

         - rule: Node Container Runs Node
           desc: Detect a process that's not node started in a Node container.
           condition: evt.type=execve and container.image startswith node and proc.name!=node
           output: Node container started other process (user=%user.name command=%proc.cmdline %container.info)
           priority: INFO
           tags: [container, apps]

  26. A Custom Falco Rule (the same rule, annotated clause by clause): evt.type=execve, something is executing a program; container.image startswith node, in a container based on the Node image; proc.name!=node, and the process name isn't node
  27. Extending Rules/Macros/Lists
  28. Installing Falco
  29. Installing Falco on Kubernetes: $ helm install --name sysdig-falco-1 stable/falco
  30. How can you use Falco?
  31. Response Engine & Security Playbooks
  32. Response Engine & Security Playbooks
  33. Response Engine & Security Playbooks: Falco detects an abnormal event and publishes the alert to NATS; subscribers receive the Falco alert through the NATS server; Kubeless receives the Falco alert and fires a function that deletes the offending Kubernetes pod (https://sysdig.com/blog/oss-container-security-runtime/)
  34. Functions for Operations
  35. SIEM with EFK
  36. SIEM with EFK (the diagram repeats the Falco to NATS to subscriber flow of slide 33)
  37. SIEM with EFK
  38. Demo
  39. Join the community
  40. Learn more
  41. Thank you!
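The rule language of slides 19 to 26 and the NATS/Kubeless response flow of slide 33, carried through in code. This is an added example, not code from the talk or from the Falco project: Falco evaluates rules in C++ over kernel events, whereas this evaluator handles only the subset of the condition language those two rules use (and, not, =, !=, startswith, in, macros and lists) and runs it over constructed events. Assumptions, also labelled in the code: simplified stand-ins for the stock open_write and package_mgmt_procs macros and a package_mgmt_binaries list that the slides only name; %k8s.ns.name and %k8s.pod.name appended to the rule outputs in place of %container.info so the responder can find the pod; and a respond() function that only decides which pod to delete instead of calling the Kubernetes API as the Kubeless function would.

```python
# Added example, not Falco's own code (Falco does this in C++): a mini evaluator for the
# subset of the rule language the slides' two rules use, run over constructed events,
# emitting json_output-style alerts, plus the playbook's pod-delete decision.
import re

TOKEN = re.compile(r"\(|\)|,|!=|=|[^\s(),=!]+")
FIELD = re.compile(r"%([A-Za-z0-9_.]+)")
PRIORITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",   # Falco's priority names,
              "WARNING", "NOTICE", "INFO", "DEBUG"]        # most severe first

RULES = [  # the slides' YAML items as Python literals
    {"list": "package_mgmt_binaries", "items": ["dpkg", "apt", "apt-get", "yum", "rpm"]},  # assumed
    {"macro": "bin_dir", "condition": "fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin)"},
    # simplified stand-ins (assumption) for the stock Falco macros the slides' rule references
    {"macro": "open_write", "condition": "evt.type = open and evt.is_open_write = true"},
    {"macro": "package_mgmt_procs", "condition": "proc.name in (package_mgmt_binaries)"},
    {"rule": "write_binary_dir", "priority": "WARNING",
     "condition": "bin_dir and evt.dir = < and open_write and not package_mgmt_procs",
     # k8s.* fields appended to the slide's output (assumption) so the responder can find the pod
     "output": "File below a known binary directory opened for writing (user=%user.name "
               "command=%proc.cmdline file=%fd.name k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name)"},
    {"rule": "Node Container Runs Node", "priority": "INFO",
     "condition": "evt.type=execve and container.image startswith node and proc.name!=node",
     "output": "Node container started other process (user=%user.name command=%proc.cmdline "
               "k8s.ns=%k8s.ns.name k8s.pod=%k8s.pod.name)"},
]


class RuleSet:
    """Compiles list/macro/rule items into predicates over a flat event dict."""

    def __init__(self, items):
        self.lists = {i["list"]: i["items"] for i in items if "list" in i}
        self.macros = {i["macro"]: self.compile(i["condition"]) for i in items if "macro" in i}
        self.rules = [dict(r, check=self.compile(r["condition"])) for r in items if "rule" in r]

    def compile(self, text):
        """Parse 'factor and factor ...' (the subset these rules need) into a predicate."""
        toks, pos = TOKEN.findall(text), [0]

        def take():
            pos[0] += 1
            return toks[pos[0] - 1]

        def factor():  # not X | field op value | field in (...) | macro name
            tok = take()
            if tok == "not":
                inner = factor()
                return lambda ev: not inner(ev)
            op = toks[pos[0]] if pos[0] < len(toks) else None
            if op in ("=", "!=", "startswith"):
                take()
                val = take()
                return {"=": lambda ev: str(ev.get(tok)) == val,
                        "!=": lambda ev: str(ev.get(tok)) != val,
                        "startswith": lambda ev: str(ev.get(tok)).startswith(val)}[op]
            if op == "in":  # a list name inside the parentheses expands to its items
                pos[0] += 2  # skip 'in' and '('
                vals = []
                while (v := take()) != ")":
                    vals += self.lists.get(v, [v]) if v != "," else []
                return lambda ev: str(ev.get(tok)) in vals
            return lambda ev: self.macros[tok](ev)  # bare word: macro, resolved lazily

        parts = [factor()]
        while pos[0] < len(toks) and take() == "and":
            parts.append(factor())
        return lambda ev: all(p(ev) for p in parts)  # short-circuits left to right

    def evaluate(self, ev):
        """Return a json_output-style alert for every rule the event matches."""
        return [{"rule": r["rule"], "priority": r["priority"], "time": ev.get("evt.time"),
                 "output": FIELD.sub(lambda m: str(ev.get(m.group(1), "<NA>")), r["output"]),
                 "output_fields": {f: ev[f] for f in FIELD.findall(r["output"]) if f in ev}}
                for r in self.rules if r["check"](ev)]


def respond(alert, min_priority="WARNING"):
    """Playbook step: (namespace, pod) to delete, or None. A real Kubeless function would call
    the Kubernetes API here; the threshold keeps an INFO rule from taking workloads down."""
    if PRIORITIES.index(alert["priority"]) > PRIORITIES.index(min_priority):
        return None
    f = alert["output_fields"]
    return (f.get("k8s.ns.name", "default"), f["k8s.pod.name"]) if "k8s.pod.name" in f else None


EVENTS = [  # constructed sample events, not captures from a real Falco run
    {"evt.type": "open", "evt.dir": "<", "evt.is_open_write": "true", "fd.directory": "/usr/bin",
     "fd.name": "/usr/bin/curl", "proc.name": "dpkg", "proc.cmdline": "dpkg -i curl.deb",
     "user.name": "root", "k8s.ns.name": "ci", "k8s.pod.name": "builder-1", "evt.time": "1"},
    {"evt.type": "open", "evt.dir": "<", "evt.is_open_write": "true", "fd.directory": "/bin",
     "fd.name": "/bin/nc", "proc.name": "bash", "proc.cmdline": "bash -c cp /tmp/nc /bin/nc",
     "user.name": "root", "k8s.ns.name": "prod", "k8s.pod.name": "web-7f9", "evt.time": "2"},
    {"evt.type": "execve", "container.image": "node:10-alpine", "proc.name": "sh",
     "proc.cmdline": "sh -c id", "user.name": "node", "k8s.ns.name": "prod",
     "k8s.pod.name": "api-3c1", "evt.time": "3"},
]


def run(events=EVENTS, min_priority="WARNING"):
    """Detect over all events and return one (rule, response) pair per alert."""
    rs = RuleSet(RULES)
    return [(a["rule"], respond(a, min_priority)) for ev in events for a in rs.evaluate(ev)]
```

Over the three constructed events, run() yields two alerts: the dpkg write under /usr/bin is suppressed by the not package_mgmt_procs clause, the bash write to /bin/nc fires write_binary_dir at WARNING and the responder names prod/web-7f9 for deletion, and the shell spawned in the node container fires the custom rule at INFO but gets no action. That last case is the practitioner's caveat for slide 33: the slide's custom rule is INFO, and a playbook that deletes pods on INFO-level alerts will take production workloads down on the first false positive, so the threshold should stay at WARNING or above until the rule has been tuned (run(min_priority="INFO") shows what the playbook would do otherwise).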
