In any Cloud Native architecture there is a seemingly endless stream of events at every layer. These events can be used to detect abnormal activity and possible security incidents, and they also provide an audit trail of what happened.
In this talk we cover how we extended Falco to ingest events beyond host system calls, such as Kubernetes audit events or even application-level events, and how to write Falco rules that detect behaviors in these new event streams. We show how we implemented Kubernetes audit event support in Falco and how to configure that event stream.
5. How to do security?
• Establish trust boundaries (dev vs prod)
• Identify, minimise and harden attack surfaces
• Reduce scope and access
• Layer protections and defenses
• Traceability and testing
6. How have containers changed the game?
• Many security paradigms are still reactive
• No tools inside the container to investigate with
• Breaches may go undetected for days or weeks
• Attacks are shifting from data exfiltration to abusing the workload itself (e.g. cryptomining)
• The ephemeral nature of containers means that after a security breach you may never know what happened
9. Detecting intrusions in containers
• Containers are isolated processes
• Processes are scoped to what is expected of them
• Image scanning is necessary but not sufficient
• Container images are immutable, runtime environments often aren't
• How do you detect abnormal behavior?
12. Falco
Behavioral activity monitor
• Detects suspicious activity defined by a set of rules
• Rules are shared on securityhub.dev
• Uses Sysdig's flexible and powerful filtering expressions
Full support for containers and orchestration
• Uses Sysdig's container and orchestrator support
• Can also receive events from the Kubernetes audit log
Flexible notification methods
• Files
• STDOUT
• Syslog
• gRPC
• Execute other programs
• And more ...
Open source software
• CNCF Sandbox Project
• Contributors welcome
• Transparency & governance
16. Syscalls for observability?
• clone() and execve() give you insight into processes and the commands they run
• open(), close(), read() and write() offer visibility into I/O
• socket(), connect() and accept() give insight into network activity
18. Falco rules
A YAML file containing lists, macros and rules:

- list: bin_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin]

- macro: bin_dir
  condition: fd.directory in (bin_dirs)

# open_write and package_mgmt_procs are macros defined elsewhere in Falco's default ruleset
- rule: write_binary_dir
  desc: an attempt to write to any file below a set of binary directories
  condition: bin_dir and evt.dir = < and open_write and not package_mgmt_procs
  output: "File below a known binary directory opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
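To make the composition of list, macro and rule on this slide concrete, here is an added example (not Falco's own code, which evaluates its condition language in C++ against live syscalls): the same predicates hand-translated into Python and run over constructed open()-exit events. The bodies of open_write and package_mgmt_procs, which the slide references but does not show, are simplified versions of the macros in Falco's default ruleset, and the list of package managers is an abbreviated assumption.

```python
"""Toy evaluator for the write_binary_dir rule shown on the slide.

Added example, not Falco's own code.  The list, the macros and the rule are
hand-translated into Python predicates and run over constructed open()-exit
events, to show how the pieces compose.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# list: bin_dirs  (as on the slide)
BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}

# Assumption: a short subset of the package managers that Falco's real
# package_mgmt_binaries list names.
PACKAGE_MGMT_BINARIES = {"dpkg", "apt", "apt-get", "yum", "rpm", "dnf", "pip", "pip3"}


@dataclass
class OpenEvent:
    """The subset of Falco event fields the rule touches."""
    evt_dir: str            # evt.dir: ">" on syscall entry, "<" on exit
    fd_name: str            # fd.name: resolved path of the opened file
    flags: Set[str]         # open() flags, e.g. {"O_WRONLY", "O_CREAT"}
    proc_name: str          # proc.name
    proc_cmdline: str       # proc.cmdline
    user_name: str          # user.name
    fd_typechar: str = "f"  # fd.typechar: "f" for a regular file


def fd_directory(ev: OpenEvent) -> str:
    """fd.directory: the directory that contains fd.name."""
    head, _, _ = ev.fd_name.rpartition("/")
    return head or "/"


# macro: bin_dir  ->  fd.directory in (bin_dirs)
def bin_dir(ev: OpenEvent) -> bool:
    return fd_directory(ev) in BIN_DIRS


# macro: open_write (simplified from Falco's default ruleset)
def open_write(ev: OpenEvent) -> bool:
    return ev.fd_typechar == "f" and bool(ev.flags & {"O_WRONLY", "O_RDWR"})


# macro: package_mgmt_procs (simplified)
def package_mgmt_procs(ev: OpenEvent) -> bool:
    return ev.proc_name in PACKAGE_MGMT_BINARIES


def write_binary_dir(ev: OpenEvent) -> Optional[str]:
    """rule: write_binary_dir.  Returns the rendered output line or None.

    evt.dir = < matters: the file descriptor, and therefore fd.name, is only
    known once the syscall has returned, so the rule fires on the exit event.
    """
    if bin_dir(ev) and ev.evt_dir == "<" and open_write(ev) and not package_mgmt_procs(ev):
        return ("File below a known binary directory opened for writing "
                f"(user={ev.user_name} command={ev.proc_cmdline} file={ev.fd_name})")
    return None


def evaluate(events: List[OpenEvent]) -> List[str]:
    """Run the rule over a stream of events and collect the alerts."""
    return [alert for alert in map(write_binary_dir, events) if alert]


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    # attacker drops a binary into /usr/bin: should fire
    OpenEvent("<", "/usr/bin/backdoor", {"O_WRONLY", "O_CREAT"}, "cp",
              "cp /tmp/backdoor /usr/bin/backdoor", "root"),
    # package manager upgrading curl: excluded by package_mgmt_procs
    OpenEvent("<", "/usr/bin/curl", {"O_WRONLY", "O_TRUNC"}, "apt-get",
              "apt-get install curl", "root"),
    # reading a binary is normal: open_write is false
    OpenEvent("<", "/usr/bin/ls", {"O_RDONLY"}, "bash", "bash", "alice"),
    # the same write seen on syscall entry: the rule only considers exit events
    OpenEvent(">", "/bin/sh", {"O_WRONLY"}, "bash", "bash", "root"),
    # write outside the listed directories: bin_dir is false
    OpenEvent("<", "/usr/local/bin/tool", {"O_RDWR"}, "bash", "bash", "root"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("WARNING", line)
```

Of the five constructed events only the first produces an alert; the other four each show one of the rule's clauses doing its job (package-manager exclusion, read-only open, entry rather than exit event, directory outside the list).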
19. Batteries included
Falco ships with several rules that implement best practices for containers:
• Writing files in /bin or /etc
• Reading sensitive files
• Terminal spawned in a container
• ...
20. securityhub.dev
• A platform for discovering, sharing and using Cloud-Native resources related to Kubernetes security
• Browse existing security best practices, components and use cases
• Contribute by simply opening a PR
22. Trusting humans again?
• Responding to security incidents should not be an improvised or unscripted activity
• It is important that workflows and action plans are created in advance, so that the team's response to an incident is consistent, focused and repeatable
23. Response engine on Kubernetes
https://sysdig.com/blog/container-security-orchestration-falco-splunk-phantom/
[Architecture diagram] On the Kubernetes nodes, the Falco DaemonSet runs a Falco container alongside a falco-nats sidecar; Falco writes events to a Linux pipe and the sidecar publishes them to a NATS topic. The events carry K8s metadata (the diagram sources it from the kubelet API). Reaction functions F(x) subscribe to 1..N topics and execute a reaction against the application deployments (i.e. kill the offending pod) or send a webhook notification.
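The reaction step in that diagram, as an added example (not code from the talk, from falco-nats or from the response engine project): a subscriber function that receives one Falco alert and decides whether to kill the offending pod. It assumes Falco runs with json_output enabled so that each alert is a JSON object carrying the rule name, the priority and the output_fields map (k8s.ns.name, k8s.pod.name, ...), and it returns the reaction as data (a kubectl command) instead of executing it, so it can be tested offline. The playbook mapping of rules to the kill reaction, the protected namespaces and the sample alerts are constructed for the example.

```python
"""Plan a reaction to one Falco alert, as a response engine subscriber would.

Added example, not the talk's or any Falco project's code.  Assumes Falco's
json_output format (rule, priority, output_fields).  The reaction is returned
as data so it can be tested offline; a real function would hand the command to
subprocess or to the Kubernetes API client.
"""
import json
from typing import Dict, FrozenSet

# Falco priority levels, most severe first (matches Falco's priority field).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Playbook (constructed for the example): rules that justify killing the pod.
KILL_POD_RULES: FrozenSet[str] = frozenset({
    "Terminal shell in container",
    "Write below binary dir",
})

# Never auto-kill here (constructed): the response engine itself lives in these.
PROTECTED_NAMESPACES: FrozenSet[str] = frozenset({"kube-system", "falco"})


def at_least(priority: str, threshold: str) -> bool:
    """True if `priority` is as severe as `threshold` or more."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(threshold)


def plan_reaction(alert_json: str, min_priority: str = "Warning") -> Dict[str, object]:
    """Decide what to do with one alert.

    Returns {"action": "kill_pod", "namespace", "pod", "cmd"} or
    {"action": "notify_only", "reason"}.
    """
    alert = json.loads(alert_json)
    rule = alert.get("rule", "")
    priority = alert.get("priority", "Debug")
    fields = alert.get("output_fields", {})
    ns = fields.get("k8s.ns.name")
    pod = fields.get("k8s.pod.name")

    if not at_least(priority, min_priority):
        return {"action": "notify_only", "reason": f"priority {priority} below {min_priority}"}
    if rule not in KILL_POD_RULES:
        return {"action": "notify_only", "reason": f"no kill playbook for rule {rule!r}"}
    # Falco renders fields it cannot resolve as <NA>; a host-level alert has no pod to delete.
    if ns in (None, "<NA>") or pod in (None, "<NA>"):
        return {"action": "notify_only", "reason": "alert is not attributed to a pod"}
    if ns in PROTECTED_NAMESPACES:
        return {"action": "notify_only", "reason": f"namespace {ns} is protected"}
    return {
        "action": "kill_pod",
        "namespace": ns,
        "pod": pod,
        "cmd": ["kubectl", "--namespace", ns, "delete", "pod", pod],
    }


# Constructed alerts in Falco's JSON output shape (not real captures).
SAMPLE_ALERT = json.dumps({
    "output": "12:01:02.000000000: Notice A shell was spawned in a container with an "
              "attached terminal (user=root k8s.ns=shop k8s.pod=cart-7f9c container=b2a1 shell=bash)",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2019-05-14T12:01:02.000000000Z",
    "output_fields": {
        "container.id": "b2a1",
        "k8s.ns.name": "shop",
        "k8s.pod.name": "cart-7f9c",
        "proc.name": "bash",
        "user.name": "root",
    },
})

SAMPLE_HOST_ALERT = json.dumps({
    "output": "12:05:00.000000000: Error File below a known binary directory opened for writing "
              "(user=root command=cp /tmp/backdoor /usr/bin/backdoor file=/usr/bin/backdoor)",
    "priority": "Error",
    "rule": "Write below binary dir",
    "time": "2019-05-14T12:05:00.000000000Z",
    "output_fields": {
        "k8s.ns.name": "<NA>",
        "k8s.pod.name": "<NA>",
        "fd.name": "/usr/bin/backdoor",
        "proc.name": "cp",
        "user.name": "root",
    },
})

if __name__ == "__main__":
    print(plan_reaction(SAMPLE_ALERT))                        # below threshold: notify only
    print(plan_reaction(SAMPLE_ALERT, min_priority="Notice"))  # kill_pod with kubectl command
    print(plan_reaction(SAMPLE_HOST_ALERT, min_priority="Notice"))
```

The priority threshold is deliberately a parameter: Falco's default "Terminal shell in container" rule fires at Notice, so a team that wants shells in containers killed automatically must lower the threshold for that playbook, while keeping the namespace allow-list so the engine cannot be turned against kube-system or itself.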