Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
0 likes43 views
The document outlines an approach to container security integrating open-source solutions with enterprise tools. It discusses creating and applying Falco rules for monitoring and detecting vulnerabilities, configuration management, and incident response within cloud-native environments. Additionally, it highlights the benefits of using Sysdig Secure for comprehensive cloud and container security, emphasizing real-time threat detection and compliance management.
![Create your own rules
6
Rules
- macro: my_monitored_dir
condition: fd.directory in (my_monitored_directories)
- list: my_monitored_directories
items: [/tmp]](https://image.slidesharecdn.com/container-securityletsseefalcoandsysdiginactionstefantrimborn-230310123744-6b68d921/85/Container-Security-Let-s-see-Falco-and-Sysdig-in-Action-by-Stefan-Trimborn-6-320.jpg)
![Introducing…
7
Rules
- rule: Write below my monitored dir
desc: an attempt to write to any file below a set of my monitored
directories
condition: >
evt.dir = < and open_write and my_monitored_dir
and not package_mgmt_procs
output: >
Hey Admin - File below a monitored directory opened for writing
(user=%user.name user_loginuid=%user.loginuid
command=%proc.cmdline file=%fd.name parent=%proc.pname
pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id
image=%container.image.repository)
priority: ERROR
tags: [filesystem, mitre_persistence]](https://image.slidesharecdn.com/container-securityletsseefalcoandsysdiginactionstefantrimborn-230310123744-6b68d921/85/Container-Security-Let-s-see-Falco-and-Sysdig-in-Action-by-Stefan-Trimborn-7-320.jpg)
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
- 1. How to approach Container Security from Open Source to Enterprise Stefan Trimborn Enterprise Sales Engineer Source Run
- 3. Why not both! OSS based Enterprise Solution
- 4. Creating a Falco rule and apply it
- 5. Out of the Box Rules Rules Update packages Modify /bin /usr Write below /etc Read sensitive file DB spawned proc Change namespace Privileged container Sensitive mount Terminal shell Best practices FIM (File Integrity) Privileged pod ConfigMap creds kubectl exec/attach Role changes audit PCI NIST Compliance CVE-2019-11246 kubectl cp CVE-2019-5736 runc breakout CVE-2019-14287 sudo bypass Vulnerabilities K8s control plane Nginx Elasticsearch Redis HAproxy Rook MongoDB PostgreSQL Cloud Native Stack
- 6. Create your own rules 6 Rules - macro: my_monitored_dir condition: fd.directory in (my_monitored_directories) - list: my_monitored_directories items: [/tmp]
- 7. Introducing… 7 Rules - rule: Write below my monitored dir desc: an attempt to write to any file below a set of my monitored directories condition: > evt.dir = < and open_write and my_monitored_dir and not package_mgmt_procs output: > Hey Admin - File below a monitored directory opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline file=%fd.name parent=%proc.pname pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id image=%container.image.repository) priority: ERROR tags: [filesystem, mitre_persistence]
- 10. Let’s do this!
- 11. Let’s do this!
- 15. 15 Sweet! All the infos we need to remediate!
- 17. Hello Sidekick! - Outputs https://github.com/falcosecurity/falcosidekick ● Chat (Slack, Teams, Google Chat,...) ● Metrics (Datadog, Influxdb, StatsD, Prometheus,...) ● Alerting, ● Logs (Elasticsearch,Loki...) ● Object Storage, ● Message Queue ● Email ● Web ● and more!
- 18. 18 https://github.com/falcosecurity/plugins There is more: Falco Plug-Ins!
- 19. Great! But… ● DIY - Installation, Roll Outs, Rule Updates, etc. ● Extra Work - No UI by default, No Plug-Ins ● Focus on Runtime Detection ● Community Support
- 21. The best of both worlds ● Based on Falco - No need to start from scratch ● Based on OSS - Prometheus, OPA, Falco - Reuse your skills ● More than Runtime Detection - it’s a full CWAPP and CSPM Solution ● No manual management: UI, Plugins, Rules OOTB ● Premium Support based in Europe!
- 22. Configuration Management Infrastructure as Code Validation Vulnerability Management Threat Detection Incident Response •CI/CD pipelines, registries, and hosts •Prioritization based on in-use vulns • Capture detailed record for forensics • Block malicious containers / processes • CSPM / cloud misconfigurations • Cloud Inventory CODE BUILD RUN RESPOND Supply Chain Security Compliance • Cloud threat detection • Workload runtime security • Drift prevention • Block risky configs Securing VMs, Hosts, Kubernetes and Cloud Services Identity and Access Management • CIEM / least privilege • Prioritization based on in-use permissions
- 23. Shall we have a closer look at Sysdig Secure? • Prioritize what matters • Detect threats in real time • Fix fast with context Software Vulnerabilities Configuration & Access Risks Runtime Threats Compliance Cloud Infrastructure Containers/Kubernetes
- 24. 24 Curios? Want to discuss or see more? Visit us at sysdig.com Or contact me at: [email protected]
- 25. Cloud and Container Security from Source to Run