Securing Container Deployments from Build to Ship to Run - August 2017 - Rancher Labs Online Meetup



Security should be integrated into every phase of the container application development life cycle, from build to ship to run. On August 31st, we hosted an online meetup to discuss the issues that need to be addressed to achieve continuous security for containers.
The presentation included speakers from Rancher Labs (www.rancher.com), NeuVector (www.neuvector.com) and Black Duck Software (www.blackducksoftware.com) who discussed:
- Best practices for preparing your environment for secure deployment
- How to secure containers during run-time
- Actionable next steps to protect your applications

Securing Container Deployments from Build to Ship to Run - August 2017 - Rancher Labs Online Meetup

  1. © 2017 Rancher Labs, Inc. Securing Container Deployments from Build to Ship to Run. August 30, 2017. #ranchermeetup
  2. Shannon Williams, Co-Founder/VP Sales, @smw355; Darren Shepherd, Co-Founder/Chief Architect, @ibuildthecloud
  3. Bill Maxwell, Director of DevOps, Rancher, @cloudnautique; Fei Huang, CEO, NeuVector, @NeuVector
  4. Kaila Gervais, Sales Engineer, Black Duck Software; Mike Pittenger, VP for Security Strategy, Black Duck Software, @mwpittenger
  5. First things first… This is not a !
  6. There are rules for a meetup!
     - We won't be done on time
     - Questions are always welcome
     - Demo, then demo some more
     - Things will break, be patient
  7. Join the conversation on Twitter: #ranchermeetup
  8. Agenda
     - Quick Rancher Intro – Shannon
     - Best Practices for Securing your Rancher Deployment – Bill
     - Continuous Security for Containers – Fei
     - Demo – Deploying NeuVector on Rancher
     - Demo – Blocking a Dirty Cow exploit
     - Building Security into Applications – Mike
     - Demo – Black Duck – Kaila
  9. Rancher Labs – Our products:
     - The most complete container management platform
     - A simplified Linux distribution built from containers, for containers
     - A project for microservices-based distributed block storage
  10. A complete container management platform that makes it easy to…
     - Innovate with containers, without compromising flexibility, by empowering developers with fast access to the latest tools
     - Manage applications, by simplifying day-to-day application lifecycle management
     - Run containers, with the most complete set of container and infrastructure management capabilities
     - Production ready: 60 million+ downloads ✔ Open platform for innovating ✔ Easy-to-use interface ✔ Multi-tenant ✔ Role-based access ✔ 24x7 support ✔ And more…
  11. Complete Container Management Platform
     - Application Catalog
     - Container Orchestration and Scheduling
     - User Mgmt: RBAC, AD/LDAP, SAML
     - Ops Mgmt: CI/CD, Registries, Monitoring
     - Multi-tenant Environments: Environment 1, Environment 2, … Environment N
     - Infrastructure Services: Networking, Storage, Security, DNS/LB, …
  12. Securing Container Deployments from Build to Ship to Run
  13. Quick tips for securing your Rancher deployment – Bill Maxwell
  14. Cloud-Native Security Pipeline
     - Image Signing, e.g. Content Trust
     - User access controls, e.g. registries
     - Code analysis
     - Hardening
     - Image Scanning
     - Open Source Auditing and management
     - Host and kernel security: SELinux, AppArmor
     - Secure Docker daemon
     - Access Controls
     - Secrets Management
     - Encryption
     - Auditing w/ Docker Bench
     - Orchestrate – network, security containers
     - Network Inspection & Visualization
     - Layer 7-based Application Isolation
     - Threat Detection
     - Privilege Escalation Detection
     - Container Quarantine
     - Run-Time Vulnerability Scanning
     - Process Monitoring
     - Packet Capture & Event Logging
  15. Rancher Environment – Securing Overlay Networking
     - Limit exposed ports on hosts
     - Layer 7 routing to containers
     - Network Policy Manager
     - (Diagram: Compute Nodes, each running a Load Balancer (LB); App A and App B reached via Layer 7 routing over the Overlay Network)
  16. Automate Delivery Pipeline
  17. Integrated Secrets Management
  18. Basics Still Apply
     - Patching OS
     - SELinux/AppArmor
     - Restrict Host Logins
     - Use Orchestrator RBAC
  19. Continuous Security for Containers – Fei Huang, Co-Founder & CEO, NeuVector. Rancher Meetup, August 31, 2017
  20. Changing Traffic Patterns – And Risks
     - Traffic Explosion
     - Open Source Vulnerabilities
     - Sophisticated Attacks
     - (Diagram: microservices generating East-West traffic; threats shown: DDoS, SambaCry, WannaCrypt)
  21. Traditional Security Tools Are Blind
     - Can't See East-West
     - Can't Keep Up
     - Low Accuracy
     - (Diagram: East-West traffic; Zero-Day Attacks, Insider Attacks)
  22. Container Network Security
     - Container-Native 'Firewall': Network Visibility, L7 Inspection
     - Keeps Pace With Cloud-Native Apps: Scale, Update, New
     - Fits CI/CD Process, Non-Container Apps & SIEM Tools (External & Legacy Apps)
  23. How Can Container Security Keep Up?
     1. Containers are Declarative – names, labels, dependencies, links, ports, deployment options
     2. Behavioral / Machine Learning – network and container inspection enables auto-learning
     3. Whitelist, not Blacklist – policies define trusted behavior
  24. NeuVector Security Container Features
     - Deploy: Greenfield, Brownfield; Container Visualization
     - Audit: Docker Bench; Kubernetes CIS Benchmark; Vulnerability scans
     - Protect: Layer 7 Segmentation / Isolate Applications; Detect Privilege Escalations & Break Outs; Detect Container Threats
     - Respond: Alert, Block, Quarantine; Capture Sessions & Packets
     - No Agents, No Embedding, No Coding
  25. NeuVector Architecture
  26. WannaCrypt Example: Detect Ransomware & Port Scanning
  27. Example: Demo / Dirty Cow – Exploits Affect Hosts and Containers. CVE-2016-5195, Linux Root Escalation Exploit. Demo 'Kill Chain':
     1. Attacker exploits vulnerable application to inject code
     2. Run Dirty Cow to gain root in container
     3. Connect to external host
     4. NeuVector detects (a) root escalation, (b) unauthorized connection
     5. Attacker breaks out to compromise host
  28. Thank you. For more information contact us at info@neuvector.com, http://neuvector.com
  29. Dirty Cow
  30. Demo – "One-Click" Deploy
  31. Demo – "One-Click" Deploy
  32. Demo – "One-Click" Deploy
  33. Demo – Application Visibility
  34. Demo – Application Visibility
  35. Demo – "Break Out" Monitoring
  36. Demo – "Break Out" Prevention
  37. Demo – Logging
  38. Application Security in the Age of Open Source (© Black Duck Software 2016)
  39. About Black Duck
     - Founded 2002
     - 2,000 customers
     - 350+ employees
     - 24 countries
     - 40 of the Fortune 100
     - 8 of the top 10 software companies (70 of the top 100)
     - 6 of the top 8 mobile handset vendors
     - 6 of the top 10 investment banks
  40. Automating Five Critical Tasks and Having a Bill of Materials Provide Distinct Advantage – Visibility AND Control
     1. Inventory open source software
     2. Map known security vulnerabilities
     3. Identify license compliance risks
     4. Track remediation priorities & progress
     5. Alert on new vulnerabilities affecting you
  41. Open Source Changed the Way Applications are Built
     - 1998: 10% open source
     - 2005: 20% open source
     - 2010: 50% open source
     - Today: up to 90% open source
     - Open source is the modern architecture (chart: Custom & Commercial Code vs. Open Source Software)
  42. Agile, Containers and DevOps – Containers can be vulnerable by virtue of the code that runs inside them
     - OSS components running inside containers represent potential attack vectors
     - Could cause problems for the application itself
     - Could cause more problems if the container is running with the --privileged flag set
  43. DockerHub Riddled with Vulnerabilities
  44. Open Source Adoption in Commercial Software – 22% of applications had >50% open source
  45. Open Source is Not Risk Free
  46. Why Aren't We Finding These in Testing?
     - Static analysis: testing of source code or binaries for unknown security vulnerabilities in custom code; advantages in buffer overflow and some types of SQL injection; provides results in source code
     - Dynamic analysis: testing of the compiled application in a staging environment to detect unknown security vulnerabilities in custom code; advantages in injection errors and XSS; provides results by URL, which must be traced to source
     - What's missing? All possible security vulnerabilities (FREAK!) beyond what static and dynamic analysis cover
  47. Black Duck and NeuVector – Automated Visibility, Intelligence, and Control for Applications and Containers through Secure DevOps. Pipeline: Dev → Build/CI → Registry → Deploy → Run-Time
     - Black Duck (Secure DevOps): scanning of applications and containers; component discovery and identification ("Bill of Materials"); analysis of known security vulnerabilities, license risks, and operational risks; management of risk policies, enforcement, and remediation; ongoing alerting of new vulnerabilities and policy violations; Knowledge Base of open source components and their risks
     - NeuVector (Secure in Production), Continuous Network Security for Containers: network inspection; network traffic visibility and segmentation; 'Layer 7' application isolation & threat detection; privilege escalation detection; container quarantine; run-time vulnerability scan
  48. Free Black Duck Container Tools – Free Docker Container Security Scanner: https://info.blackducksoftware.com/Security-Scan.html
  49. Latest Release – Rancher 1.6.x Key Features:
     - Rancher EBS volume is now GA
     - Support ability to add catalogs per environment
     - Updated compose for new additional fields
     - Support to update LDAP without disabling auth
     - Support for RHEL 7.4
     - Support for K8s 1.7.2
     - Added more fixes to ipsec overlay networking
     - Enhanced release notes to include rollback instructions and fixes per infrastructure services
     - https://github.com/rancher/rancher/releases
  50. Next Release – Rancher 2.0 Tech Preview
  51. Getting Started – Rancher and RancherOS are in GitHub – Get Involved! http://github.com/rancher
  52. Even better – try.rancher.com…
  53. Then join a free training class… http://rancher.com/training
  54. Thank you – rancher.com
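Slides 23, 27 and 42 share one idea: because a container deployment is declarative (names, dependencies, ports, run-time user, flags), the trusted behaviour can be written down as a whitelist before anything runs, and run-time events that fall outside it (an undeclared connection, a uid 0 process where none was declared) become alerts, while a `--privileged` container is a finding before deployment. The following Python block is an added example of that model; it is not NeuVector's, Rancher's or Black Duck's code. The `ContainerSpec`, `ConnEvent` and `ProcEvent` types, the policy derivation and every container and event in it are constructed for illustration.

```python
"""Whitelist policy derived from declarative container metadata, then
applied to run-time events. Added example: this is not NeuVector's or
Rancher's code, and the field names, the policy model and every event
below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ContainerSpec:
    """What a deployment already declares about a container (slide 23)."""
    name: str
    ports: Set[int]                                     # ports this container serves
    depends_on: Set[str] = field(default_factory=set)  # containers it may call
    run_as_root: bool = False                           # declared run-time user is root
    privileged: bool = False                            # Docker --privileged flag set


@dataclass(frozen=True)
class ConnEvent:
    """An observed connection: source container -> destination:port."""
    src: str
    dst: str          # another container name, or an external host
    dst_port: int


@dataclass(frozen=True)
class ProcEvent:
    """A newly observed process inside a container, with its effective uid."""
    container: str
    uid: int


def build_whitelist(specs: List[ContainerSpec]) -> Set[Tuple[str, str, int]]:
    """Trusted connections are exactly the declared dependencies on the
    ports the dependency declares; anything else is untrusted by default."""
    by_name: Dict[str, ContainerSpec] = {s.name: s for s in specs}
    allowed: Set[Tuple[str, str, int]] = set()
    for s in specs:
        for dep in s.depends_on:
            for port in by_name[dep].ports:
                allowed.add((s.name, dep, port))
    return allowed


def check_deployment(specs: List[ContainerSpec]) -> List[str]:
    """Pre-deployment check (slide 42): flag --privileged containers, which
    turn any code-execution bug inside them into a host-level problem."""
    return [f"{s.name}: runs with --privileged" for s in specs if s.privileged]


def evaluate(specs, allowed, conn_events, proc_events) -> List[str]:
    """Run-time check (slide 27): unauthorized connections and root escalation."""
    by_name = {s.name: s for s in specs}
    alerts: List[str] = []
    for e in conn_events:
        if (e.src, e.dst, e.dst_port) not in allowed:
            kind = "internal" if e.dst in by_name else "external"
            alerts.append(f"unauthorized {kind} connection: "
                          f"{e.src} -> {e.dst}:{e.dst_port}")
    for p in proc_events:
        spec = by_name.get(p.container)
        if spec is not None and p.uid == 0 and not spec.run_as_root:
            alerts.append(f"root escalation: uid 0 process in {p.container} "
                          f"(declared non-root)")
    return alerts


# Constructed three-tier deployment plus a privileged batch job.
SPECS = [
    ContainerSpec("web", ports={8080}, depends_on={"api"}),
    ContainerSpec("api", ports={9000}, depends_on={"db"}),
    ContainerSpec("db", ports={5432}),
    ContainerSpec("batch", ports=set(), depends_on={"db"}, privileged=True),
]

# Constructed events; 203.0.113.10 is a documentation-range address.
CONN_EVENTS = [
    ConnEvent("web", "api", 9000),            # declared dependency: allowed
    ConnEvent("web", "db", 5432),             # web never declared db: alert
    ConnEvent("api", "db", 5432),             # declared dependency: allowed
    ConnEvent("api", "203.0.113.10", 4444),   # undeclared external host: alert
]
PROC_EVENTS = [
    ProcEvent("api", 1000),                   # expected non-root process
    ProcEvent("api", 0),                      # uid 0 in a non-root container: alert
]


def run_demo() -> Tuple[List[str], List[str]]:
    """Return (deployment findings, run-time alerts) for the constructed data."""
    allowed = build_whitelist(SPECS)
    return check_deployment(SPECS), evaluate(SPECS, allowed, CONN_EVENTS, PROC_EVENTS)


if __name__ == "__main__":
    findings, alerts = run_demo()
    print("\n".join(findings + alerts))
```

The point of the whitelist is that nothing has to be known about the attacker: `web` talking to `db` and `api` reaching an outside host are both alerts simply because the deployment never declared them, which is how the "unauthorized connection" step in the slide 27 kill chain is caught without a signature.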