Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native SecurityCon EU 2022 / 19 May 2022
Cloud Native Computing Foundation / Cloud Native SecurityCon EU 2022 / 19 May 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Keynote: Why Wait? Find Cloud Risks and Threats in Real Time with Stream Detection - Loris Degioanni

Description

Keynote: Why Wait? Find Cloud Risks and Threats in Real Time with Stream Detection- Loris Degioanni, Sysdig

Cloud service providers offer cost-effective and efficient collection and storage of cloud logs, which is a rich source of data for devops and security teams. Copying logs out of the cloud to query them later is expensive and complex to manage. With stream detection you can find risks and threats in real time and fix issues faster while saving time and money.

Loris will share how you can utilize Falco's real-time telemetry in your cloud-native environment to enable smarter alerts faster and stay ahead of bad actors and malicious attacks.

A

Good morning, everyone, my name, is uh loris dejani, I'm cto and founder. At sysdig. Sysdig is a leading provider in container kubernetes and cloud security and, of course, we're hiring.

A

Today, I'm going to talk about detecting threats in cloud environments and in particular in cloud infrastructures, and I want to start by just you know, recapping, you know what you can do in with the majority of cloud providers. Typically, cloud providers offer standardized opinionated facilities for collection of logs from different services that are ideal for collecting information that can be used to detect threads in cloud infrastructures.

A

For example, in amazon we have cloudtrail. Every cloud provider has similar services and cloud. Trade is very nice because it automatically collects in a standard format logs from multiple services and puts them in a cheap storage, for example s3 on aws.

A

Now what we do after that is a little bit more complicated, because this log needs to be essentially collected, parsed and treated in some way and very often the way people hunt for threats in these logs is they take them? They move them to a login backend, which requires both bandwidth cost and storage. Cost and then they essentially create alerts or rules, or something like that.

A

Based on that, I argue- or I propose a better way to do this and a way that is based completely on open source and it's based on falco, which is a cloud native foundation incubating project, and the best way to that I have to describe falco is falco. Is the security camera for modern apps? Falco is deployed by many many thousands of users around the world? From you know, small single single machine deployments to giant scale deployments in some of the of the biggest companies in the world and falco is based on some core principles.

A

The idea of collecting granular data traditionally coming from containers and for system calls using, for example, ebpf as a source of collection.

A

The idea of enriching this data with context, for example, kubernetes metadata context, the the idea of having uh robust defaults and something that works very well out of the box to detect threats into runtime security, but also have a nice language for extensibility and falco is optimized for real time and runtime security.

A

It's simple and is designed to work at the edge and move as little data as possible.

A

Falco traditionally works for containers and virtual machines and sits on every single endpoint and is able to capture the data from multiple containers by sitting in the kernel of the of the operating system, and these these are some examples of detections of rules that you have with falco. You know a shell is running in a container.

A

Somebody is modifying a system binary. Somebody is trying to escape a container and so on and so forth. So very granular, real-time detection. That's why I call it a security camera. What we've done recently as falco community is with extended falco. This diagram shows, essentially you know. The flow of information from falcon typically uh historically falco is capturing system calls using either a kernel module or an ebpf probe.

A

We've extended it through a plug-in system so that it's essentially possible now to collect it to arbitrary sources and we've created, for example, a plug-in for cloudtrail, and now, thanks to this plugin, you can very easily take falco connected automatically to your source of logs in cloudtrail and without having to copy the data without having to put them in a sim tool or in a login tool, and so on.

A

Falco in real time can just see at the stream of events that cloudtrail is producing, and this is an example, for example, of overall uh I'm not trying to teach you the falco syntax, it's not r, but this is not the scope here, but, as you can see, this is a rule that detects a console again without multi-factor authentication and, as you can see you know, uh the condition is typically like the the the rule, the the actual filter, that falco looks uh in in the events and, as you can see, it's pretty readable and allows you to express uh essentially falco rules using clutter events.

A

Of course, you can write your own cloud, real events you don't have to, because falco comes equipped with a nice set of default rules that allow you to detect a bunch of stuff, including configuration changes, unusual behavior from from users, data exfiltration, for example, from history buckets somebody may be making an extra bucket public or somebody accessing sensitive data on the bucket. All of this kind of stuff is already part of the default rules that you get when you deploy falco for cloudflare security.

A

To summarize, uh we have something that uh compared to maybe the traditional way of doing things. First of all leverages a tool that is a cncf tool that is free as a free beer and free as free speech is real time and responsive. So it doesn't need to index the data. It doesn't need to treat the data before it generates the alerts, but is able to in few seconds essentially to notify you when there's something wrong going in your cloud infrastructure- and this is a very good complement to like.

A

I don't know cloud security, posture management tools that maybe look at apis and do this kind of stuff, because the use of uh real-time security and runtime security with falco is very uh instantaneous and uh and immediate, uh provides full coverage, and it's very interesting because now with falco, you have protection both for the workloads for the containers and with the same tool with the same syntax with the same deployment. You also have coverage for the cloud infrastructure, where very often your kubernetes, your containers, your virtual machines, run falco is efficient.

A

Therefore, it's very cheap, don't doesn't store. Data requires very little cpu, because it's uh it's very optimized for, like ebpf system called treatment, it's scalable.

A

So it's designed to work at scale in big infrastructures and, of course you know it allows to avoid expensive copies and data movements, so it's also very affordable. I could keep talking about that, but uh I think I just concluding by giving you some pointers. uh The first one is the falco website. The second one is the community, where uh myself and all of the other falco contributors and maintainers get together. We have a slack channel.

A

We have a weekly zoom call and we're always welcome to see both new contributors, but also new users that give us feedback. So these are the links. Thank you for listening and happy security.