1. Vulnerability Advisor for Your Images (& Instances)
Canturk Isci
IBM Research, NY
@canturkisci
SAD-7286 | Sun Feb 21, 11:00 AM | Wed Feb 24, 4:00 PM
2. Please Note:
• IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole
discretion.
• Information regarding potential future products is intended to outline our general product direction and it should not be relied on in
making a purchasing decision.
• The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any
material, code or functionality. Information about potential future products may not be incorporated into any contract.
• The development, release, and timing of any future features or functionality described for our products remains at our sole
discretion.
• Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual
throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the
amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed.
Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
3. Built-in Monitoring & Analytics Designed for Cloud
- Provide unmatched deep, seamless visibility for our users
- Drive operational insights to solve real-world pain points (Security & Compliance)
4. Seamless: Built-in Monitoring & Logging for Containers
"Users do not have to do anything to get this visibility. It is already there by default"
[Figure: Container Cloud. Docker Hosts running App Containers feed a Metrics & Logs Bus into a Multitenant Index and the Logmet Service; Provisioning supplies Tenancy Info, State and Events.]
Current State:
- Built-in in every compute node, all geos
- Enabled by default for all users in all prod
- O(10K) metrics/s & logs/s
6. Key Advantages
[Figure: Container Cloud with App Containers; the monitoring lives in the platform, not in the containers.]
Why Built-in Monitoring: monitoring built into the platform, not in end-user systems
- No complexity to end user (they do nothing, all they see is the service)
- No agents/credentials/access (nothing built into userworld)
- Works out of the box
- Makes data consumable (lower barrier to data collection and analytics)
- Better security for end user (no attack surface in userworld)
- Better availability of monitoring (from birth to death, inspect even a defunct guest)
- Guest agnostic (built for the platform, not for each user distro)
- Decoupled from user context (no overhead/side-effect concerns)
Monitoring done right for the processes of the Cloud OS
7. Deep Visibility: What We Actually Collect (and Annotate)
From Container/VM:
- OS Info
- Processes
- Disk Info
- Metrics
- Network Info
- Packages
- Files
- Config Info
Docker Runtime:
- Docker metadata (docker inspect)
- CPU metrics (/cgroup/cpuacct/)
- Memory metrics (/cgroup/memory)
- Docker history
Platform:
- Audit Subsystem
- Syscall Tracing
- System Integrity
Annotators: Config, Vulnerability, Compliance, Password, SW, Licence
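The host-side collection the slide lists, as an added example; this is not IBM's crawler code. It reads `docker inspect` output, the cgroup cpuacct and memory counters and the container's dpkg database through the rootfs path the host can see, without any agent or credential inside the container. The inspect JSON, the dpkg status text and the cgroup tree are constructed for the example, and the `<cgroup root>/<subsystem>/docker/<id>/` layout is an assumption (the cgroup v1 convention on a Docker host).

```python
"""Host-side, agentless collection for one container.

Added example, not IBM's crawler code. Sources: `docker inspect` output,
cgroup v1 cpuacct/memory counters, and the package database reached through
the container rootfs as seen from the host. The inspect JSON, dpkg status
text and cgroup layout below are constructed; the
'<cgroup root>/<subsystem>/docker/<id>/' layout is an assumption.
"""
import json
import os
import tempfile

# Constructed dpkg status database: two installed packages and one that is
# only present as leftover config files (must not be reported as installed).
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.0.1f-1ubuntu2

Package: bash
Status: install ok installed
Version: 4.3-7ubuntu1.5

Package: libc6
Status: deinstall ok config-files
Version: 2.19-0ubuntu6
"""


def sample_inspect(rootfs):
    """Constructed, abbreviated `docker inspect <id>` output (a JSON list)."""
    return json.dumps([{
        "Id": "3f2a9c1e7d5b",
        "Name": "/web-1",
        "Config": {"Image": "myorg/web:1.4", "User": ""},
        "GraphDriver": {"Data": {"MergedDir": rootfs}},
    }])


def read_cgroup_counter(cgroup_root, subsystem, container_id, name):
    """Read one cgroup v1 counter, e.g. cpuacct/docker/<id>/cpuacct.usage."""
    path = os.path.join(cgroup_root, subsystem, "docker", container_id, name)
    with open(path) as f:
        return int(f.read().strip())


def parse_dpkg_status(text):
    """Return {package: version} for stanzas whose Status ends in 'installed'."""
    pkgs = {}
    for stanza in text.split("\n\n"):
        fields = dict(line.split(": ", 1)
                      for line in stanza.splitlines() if ": " in line)
        if fields.get("Status", "").endswith(" installed"):
            pkgs[fields["Package"]] = fields["Version"]
    return pkgs


def crawl_container(inspect_json, cgroup_root):
    """Build one crawl record from host-visible state only."""
    meta = json.loads(inspect_json)[0]
    cid = meta["Id"]
    rootfs = meta["GraphDriver"]["Data"]["MergedDir"]
    with open(os.path.join(rootfs, "var/lib/dpkg/status")) as f:
        packages = parse_dpkg_status(f.read())
    return {
        "id": cid,
        "name": meta["Name"].lstrip("/"),
        "image": meta["Config"]["Image"],
        # An empty User means the process runs as root: a config annotator input.
        "runs_as_root": meta["Config"]["User"] in ("", "root", "0"),
        "cpu_ns": read_cgroup_counter(cgroup_root, "cpuacct", cid, "cpuacct.usage"),
        "mem_bytes": read_cgroup_counter(cgroup_root, "memory", cid, "memory.usage_in_bytes"),
        "packages": packages,
    }


def build_fixture():
    """Lay out a fake host (cgroup tree + container rootfs) in a temp dir.

    Returns (inspect_json, cgroup_root) so crawl_container() runs offline.
    """
    base = tempfile.mkdtemp()
    cid = "3f2a9c1e7d5b"
    for subsystem, name, value in [("cpuacct", "cpuacct.usage", 123456789),
                                   ("memory", "memory.usage_in_bytes", 52428800)]:
        d = os.path.join(base, "cgroup", subsystem, "docker", cid)
        os.makedirs(d)
        with open(os.path.join(d, name), "w") as f:
            f.write(f"{value}\n")
    rootfs = os.path.join(base, "rootfs")
    os.makedirs(os.path.join(rootfs, "var/lib/dpkg"))
    with open(os.path.join(rootfs, "var/lib/dpkg/status"), "w") as f:
        f.write(SAMPLE_DPKG_STATUS)
    return sample_inspect(rootfs), os.path.join(base, "cgroup")


if __name__ == "__main__":
    inspect_json, cgroup_root = build_fixture()
    print(json.dumps(crawl_container(inspect_json, cgroup_root), indent=2))
```

On a real host you would replace `build_fixture()` with the output of `docker inspect` and the mounted cgroup root; the point of the example is that every input comes from the host side, which is what "no agents/credentials/access" in userworld means in practice.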
8. Deep Visibility + Operational Insights/Analytics Solve Real Problems
[Figure: the collection sources and annotators of slide 7 feed an Index (Data), which is consumed by Vuln. & Compl. Analysis, Secure Config Analysis, Forensic, the Security & Compl. Pipeline Service, and the Remediation Service.]
9. Deep Visibility + Operational Insights/Analytics Solve Real Problems
[Figure: as slide 8.] This Session: Vulnerability Advisor. Also Now: Remediation Service.
10. Vulnerability Advisor: User Stories
- How can I identify my vulnerable/non-compliant images before they go live?
- How can I detect and block systems with password access configurations and weak passwords?
[Figure: the collection sources and annotators of slide 7.]
11. Vulnerability Advisor for Your Images
[Figure: Compute (Docker Hosts running App Containers and App VMs) sends Metrics + state and Logs + events through the OpAnalytics Data Pipeline into the Index (Data), where Annotators (Vuln, Compl, Passwd, Config, SW, Notif, ...) feed Logging, Monitoring, Alerting. ImgCrawlers pull Static state from the Container Image Registry into the Vulnerability Advisor.] Currently in Bluemix.
12. Vulnerability Advisor for Your Images and Instances
[Figure: as slide 11, plus Live state from running instances and Additional Image Repos feeding the Vulnerability Advisor.] Future Research.
13. DEMO TIME
This Session: Vulnerability Advisor, Policy Mgr
- Go to Bluemix Catalog
- See VA Image Status (Safe, Caution, Blocked)
- Go to Create View
- Explore Status Details (Vulnerabilities, Policy Violations)
- Browse Policy Manager (Policy Settings, Deployment Impact)
- Change Org Policies
- Override Policies (Don't do it)
- See Weak Password Discovery
- Update Image in Local Dev
- Fix Policy Violation
Tomorrow: Built-in Monitoring & Logging, DeveloperWorks SmartBar Session, Agentless System Crawler, 4:00pm
14. Getting Started: Let's Go to London
- Login to Bluemix London (https://console.eu-gb.bluemix.net/)
15-17. Deployment Status
- Go to Catalog and Look for Containers
- Hover over containers to see VA verdict: Safe to Deploy | Deploy with Caution | Blocked
18. Create View
- Click on Image to go to Create View
- See Verdict Details and Explore Options
19-20. Vulnerability Advisor Report
- View Vulnerability Advisor Report: Discovered Vulnerabilities | Policy Violations
21-22. Policy Manager and Deployment Impact
- Change Org Policy and Observe Impact
23. Policy Override
- Create View > Click One-time Override
- Name your risky container and deploy
27. Notices and Disclaimers (cont.)
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other
intellectual property right.
IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™, FASP®,
FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand, ILOG,
Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®,
StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International Business
Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
28. Thank You
Your Feedback is Important!
Access the InterConnect 2016 Conference Attendee Portal to complete your
session surveys from your smartphone, laptop or conference kiosk.
SAD-7286: IBM Research Day Demo: Vulnerability Advisor for Your Images (and Instances)
@canturkisci
Speaker notes: Seamless -> opword | Implicit monitor me | Colors status