From YouTube: Detecting cloud and container threats by Marcel Claassen
Description
Containers are awesome. They are fast, agile, and shareable. But how do you create perimeters in the cloud? Can I trust every container's content? Is my container behaving as it should? When containers come and go so fast, how can I catch anomalies? We tackle these questions and enable you to prepare, detect and respond to security threats in containers and Kubernetes without any loss of container benefits.
A
So that's me again. We have got word that we can start a little bit earlier, so that our break will last its normal time. We're going with Marcel Claassen, Enterprise Sales Engineer from Sysdig. Please give it up for Marcel.
B
Good morning, everyone. A lot of noise today. I would like to discuss with you a little bit why we do need runtime threat detection in your Kubernetes environment or container environment, and how we can do that with Falco, the open source software that we are using. Just a little bit about myself: as already said, I'm Marcel Claassen, a sales engineer at Sysdig.
B
Meanwhile, I also keep myself busy with other things, like some energy monitoring equipment and containerizing that in my k3s cluster that I have at home at multiple locations, because my wife has an office somewhere else. So I misused that location to put the cluster. Of course, some pumping equipment for my pool, because I hated doing it all myself, so why not automate it? And, of course, some security monitoring and, as you see there, this morning I left my home and with 80% certainty it was me.
B
It was a person leaving here. But that's not what I'm here for. Basically, let's take a look at the agenda. So why do we need runtime security? That's the first thing that we would like to discuss. After that, let's go for introducing Falco: what is Falco, what can we do with that? I will tell you a little bit about the Falco rule engine, and then I will explain how we can extend Falco with other plugins or sources and output information.
B
So why runtime security? So let's take a look at this departure hall of an airport, right? So we have a lot of people going in and a lot of information that needs to be processed by us. So what do we need? What do we see? Are we interested in what's happening there? Do we want to keep things safe here? And that's the main reason that we have security at an airport, right? We want to make sure everything is secure. But what do we do with all those signals? Because we have a lot of signals here.
B
We have people scratching their heads; I don't care. We have people smiling. Do we really care about smiling? No, we don't. Then other signals, like: is this guy armed? No, that's a false positive, right. We don't want false positives of all our signals. We only want to make sure that signals are correct.
B
So for this guy, for instance, that's an armed guy. So this is a threat for a system, and we want to make sure that this one is detected. So at a departure hall, or in the security center in the airport, that's all arranged for us. We lead people into the security lanes and they are checked one by one. But how are you going to do that in your Kubernetes environment or your container environment?
B
So why do we need runtime security? Of course, to detect malicious behavior. And I know all of you probably are certain that you built your images with all the pipeline vulnerability scanning. Everything is out of it, no critical vulnerabilities left, everything that can be fixed is fixed. We know all about it, but still, right, you are running in a deployment, and what happens in a deployment? If you spawn a container of your image, the image is running, right? So we can get some drift. Is your application really doing what it should do?
B
Is there a misconfigured application in there that is allowing an adversary to get into your system using a malformed PHP script? And what about zero-day exploits or unknown exploits, right? So you want to know what's happening inside your environment. Next to that, all the images that you run in your environment are not always yours, so you also are depending on third parties, and you don't know what they built, what they've done.
B
So you want to know what's running inside your environment. After that, if you've detected a threat, you want to know what's going on, but you also want to be alerted upon that right away, preferably right away when it's happening, so not one hour later or a day later. Sometimes you see that, or in a report two days later that you see a threat; otherwise it's too late. You want to see it now: now it's happening, now you want to see the alert. Next to that, after the threat has been handled,
B
you want to do some forensics, check audit activity, get some knowledge about what happened, to see if you can prevent it in the future. And last but not least, you need to be compliant with a lot of security frameworks. If your environment is not correctly configured, you are not compliant. If you have certain files that can be written to, you're not compliant. So with Falco, you can detect what's happening on that.
B
If you take a look at runtime security, we all have applications that are running, and all the applications are spawning their details to the screen. So you all recognize the output of all the different applications that you have, but none of them are conforming to a single source of truth, so they only send out the information that they're programmed to. So if there is a malicious activity in that application that is not known as a malicious activity in that certain application, they don't recognize it.
B
This might not be the right reason, right. It's probably a good start, but it won't help you. This is the time to introduce Falco. So Falco is a Cloud Native Computing Foundation project. It's incubating, actually, and you can consider that as your security camera for your containers and cloud. So basically Falco is taking a look at everything that's happening in your system on your container level, but also on cloud and other sources.
B
First of all, where did Falco come from? For the people that have been around, maybe they know about Ethereal, right? So Ethereal, the predecessor of Wireshark. That was something around 2000, when I was still young, and at some point, somewhere around 2005, I think, or something, Wireshark was created, and it was basically due to a naming discussion with the owner of Ethereal. And one of the creators of Wireshark, or the co-developers of Wireshark, started
B
a new company named Sysdig, and Sysdig created sysdig, as it's called, a container forensics and troubleshooting tool, basically based on Wireshark, but then specifically for containers. Out of that, Falco was created, and Falco basically was created because he had that static information about containers, information about syscalls being done and all that kind of things, but he wanted to have information on what was happening in real time. So Falco is a cloud native threat and anomaly detection tool.
B
Currently, Falco is an incubation project. On GitHub we have over 7K GitHub stars; I need a jacket because every time it's changing, of course, not live counters by the way. And over 50 million downloads, and we have a lot of contributors in that space because it's an open source community, right. But you see the names there; this is only a very few of them that are contributing to Falco, to being a real-time threat detection engine for your cloud and Kubernetes environment.
B
A little bit of repetition, but Falco is the open source tool for real-time detection of threats and anomaly detection, etc. So how does that function? This is a very high level overview. Basically, Falco, or the crazy Falco thinking, is that there is only one source of truth in your system and that's the syscalls. So we can depend on all kinds of information, like logging information from nginx or whatever application that you're running, but they miss certain information. So Falco is using all the system calls.
B
So are hosts, are containers doing something that they shouldn't? Is a process being spawned? Is something changing the environment? Are ConfigMaps or something like that in your Kubernetes environment being called? Are Kubernetes API calls being called that are not able to be called or shouldn't be called? Are users legitimate or not spawning a shell inside a container? That can be done via the kubectl commands, or that can also be done, for instance, from a malicious PHP file, right, or anything like that.
B
So if you talk about what this Falco is running, so basically this is an overview of what the architecture is. Falco will be installed on your system using a kernel probe or an eBPF module, if you are using eBPF, if you don't like any kernel probes. From that point on, it's taking all the events in your system. It's like host metrics data, Prometheus and things, but specifically for us, important security events. It doesn't matter what runtime you're using, if you're using Docker, containerd or CRI-O, or anything like that.
B
We will see all the information on that specific node. You can install Falco using a single application on a host, which for a cluster is possibly also, probably also, more easy to install as a DaemonSet, and we provide options there for installing it as a DaemonSet. So your complete cluster is directly protected when installing it.
B
So what do we need to think about when output is being generated? So the initial Falco representation, the default Falco installation, is basically only giving you information on an output basis like this, right. So via syslog, like the notice: a shell was spawned in a container with an attached terminal. Warning: netcat runs in a container that allows remote code execution.
B
So basically, this is the default set of Falco. In a later stage I will tell you also about plugins that will give you the possibility to get extended data information and also correlation with other clusters together, because basically the negative part, between quotes, is that this standard installation of Falco is running on a single cluster. So if you have multiple clusters, you need to go to multiple instances and get multiple data sources to get collected data.
B
So what I have here, I have just a simple installation here, a Unix terminal, hopefully it's readable, and what I have here is basically, initially, where I installed Falco on Linux, nothing specific, just a Falco installation, pretty straightforward. And what I'm going to do now is that I'm going to start. Oh.
B
And I'm going to open up a tail here, a color tail, which is always nice, and let's say that I want to write below a binary directory. You don't want that in your container, right? You don't want any writing below binary directories or something like that. So let's do that, and I see that there is an event right away, spawned from syslog: error, file below known binary directory renamed/removed.
B
I can also go, for instance, for modifying LD preload files, and see if that's happening. And basically there's a lot of information that I can directly get out of it. For instance, also what's important in the case of container orchestration environments nowadays is to protect against crypto miners. Let's take a look at what crypto miners can do, and I can see directly here that critical: possible miner running in there.
B
So you may think that this is all set up by me and I programmed it or some of that, but Falco comes out of the box with quite a number of rules. So if you install Falco, all these rules that you see, all these events that are getting spawned, are default. You do have the possibility to create your own rules additionally to that, but there's an extensive set already available.
B
A bit more detailed structure, so basically, I would focus on the functioning. The syscall events that we just saw are going to be one of the Falco sources, as you see here, and then it's going into the rule engine. So the rule engine is basically determining what's happening in the system: is this worth being spawned? Second, the syscalls: are all syscalls relevant? And that is basically spawning an alert via gRPC, file, stdout, we're using now syslog, HTTP, but we will get to that in a minute.
B
So how does a rule look like? This is how a rule looks like. So we took a rule here from the top: warning, symlink created over sensitive file. We see the command ln -s /etc/shadow /tmp/marcel, so I'm creating a symbolic link of the shadow file. So how does that rule then look? A rule always has a few constructs: the rule name, description, the condition, this is basically the part where it's all about.
B
The condition is where the syscalls are interacting with the Falco engine to get all the details, and then the output. And basically the output is just a resemblance of what you want to see, in this case in your syslog file. We're adding a priority, and we can add some tags, and tags can be important for your compliance, because maybe you want to be GDPR compliant and that's one of the reasons that you need to have that. So you can add a GDPR tag to that.
B
If you take a look at the condition here, you see that there's create_symlink and sensitive_file_names, and there we are using macros. So macros basically can be used to ease up the use of rules, and you can see that this macro create_symlink has as a condition that evt.type is in (symlink, symlinkat), the syscalls that are being detected, and evt.dir is <, so it's input. So we need to have that information.
B
We can also make use of lists, and basically lists are giving you the possibility to, for instance, target the sensitive file names in this case, giving you an overview like: my sensitive file names are /etc/shadow, sudoers, pam.conf and the pwquality.conf files. So basically if any of those files is being touched, as in a symbolic link is being created, you get an alert being raised in your system. So this is basically how you set up this very basic rule.
B
Some popular rules here like, for instance, best practices: update package manager, modify bin or usr. I'm not going through all of them because you can read them yourself. Privileged container is a nice one, privileged shell, terminal shell. So compliance parts like: we want to know if kubectl exec or attach is being used. PCI, NIST frameworks can be used. Some known vulnerabilities that we know about, like the top one, kubectl cp, right, or the container escape vulnerabilities. That's all being part of the rule set of Falco by default.
B
What else can you do besides going into syscalls? We only had a lot of syscalls, but that's reduced to the local level, right. In some cases you don't even have access to syscalls, where you need to have other precautions. But we also have the possibility to extend Falco with plugins to use other sources, like the bottom parts in here, Falco plugins.
B
Initially Falco was only using syscalls and had a few built-in plugins, like the Kubernetes audit logs, which was default, and the AWS CloudTrail, which was also default, but those were basically the only plugins that you could use in the Falco system. Since last year we built a complete new system that allows us to use plugins generically, so the Kubernetes audit log and CloudTrail of course moved to the other sources.
B
What do we provide for rules now? This is just a simple example. So AWS CloudTrail, we have Azure Log Analytics, GCP Cloud Logging, Kubernetes audit logs, as already said, Docker, Twitter, Okta. Basically every streaming instance can be added as a plugin to Falco. You can build your own rules around it, and of course the syntax is a little bit different, because for a streaming instance it's different than for syscall events. But it's easy to write your own rules.
B
The text that I've shown you, right, is not very well readable. So that's a little bit difficult. So as we take a look at output files, then we would like to take a look at Falcosidekick. For instance, here, Falcosidekick allows you to add external output integrations. So if I go to the overview here, it collects the Falco events, not only from the node that it's running on, but from multiple nodes.
B
You can use Falcosidekick as a collector for all the events that you get there, and you get all the output where you can forward it to, for instance, Slack. You can do it to Teams as a notification area.
B
We can also use Spyderbat or Node-RED for some SOAR capabilities, or you can do CloudWatch Logs, feedback into CloudWatch. So basically I added a number of them in the bottom part, but the list is much longer, and so basically it's very easy in Falcosidekick to configure sources.
B
So, just showing you what the difference is to enable Falcosidekick as an output mechanism. So I'm going to show you what the original Falco configuration file was and what the new Falco configuration file is, and you see that basically I only set json_output to true. So basically, instead of bare text, I'm using JSON output, and I enabled the URL, some URL to localhost 2002. That's where my Falcosidekick instance is running.
B
You see already at the bottom part of my color tail, which is always nice, of course.
B
So this is the default Falcosidekick console, and you see now that information is being spawned inside Falcosidekick. So basically it's giving you a good understanding of what's happening. It's giving you an overview of what can be done and what should be done, and you can filter and search for all the information that is in your... what was the output of your console. So let's take a look at the dashboard. It's giving you also priorities, and if I now do, say, let's try a kill known malicious process or something like that.
B
You see here that my notification, like the file below non-binary, is also spawned to Slack. So basically, this is showing you how easy it's set up to get from Falco sources to the rule engine, output via Falcosidekick, for instance, to several sources where you can get your direct threat events delivered to different platforms.
D
Go ahead. Thanks. Can it just detect threats, or also prevent them?
B
I'm not sure if I understand your question right, but Falcosidekick basically is doing that. The Falco engine is re-routing all the event messages to the processor of Falcosidekick, and then Falcosidekick is basically the receiver of the messages and responsible for spawning it to, for instance, Slack. And what I also did, and that was this, the tool that I've shown you, is Falcosidekick UI, and that's basically the follow-up of Falcosidekick. So Falcosidekick spawning to Slack and to Falcosidekick UI in the examples that I've shown, yeah. So.
E
Hi, I was wondering, if you do not enable eBPF, what are the downsides if you just use it without that?
B
So it's either eBPF or kernel probes, so you don't need both of them. One of them is sufficient. So by default the Falco installation is using the kernel probes. If eBPF is available, it will use that one. But you have options to configure that.
B
Yeah, okay, that's a good one! So basically Falco is... so I'm working at Sysdig, right. So Sysdig is the enterprise platform around Falco, so we do see, in the enterprise platform around Falco, we're using it as a runtime threat detection engine in Sysdig, and the main threats that we see is a lot of privileged shells being spawned inside containers.
B
If we talk about the threats from the outside, insights: often a threat, maybe not a real threat, maybe a false positive, that's going into kubectl, someone spawning a terminal shell in a container just to take a look at the environment. It's okay, or something like that. But the most threats that we see from outside start more with a privileged shell from the outside, like, for instance, when starting with Log4j or something, you said, get a privileged shell, and then the follow-up action.
B
A privileged shell on its own is not a threat, but the follow-up action is, like curl and starting a netcat or something like that. That's the real threat. So basically I've shown you single events, but in most cases it's a chain of commands, right. So not only one.
F
So is there an option to forward... I saw that Falco can be deployed like a DaemonSet or something to collect the logs from each host. So is there an option to ship the logs to something like a syslog collector without Falcosidekick, or do you need this as an intermediary to collect the logs and then forward it to something like Splunk or Datadog or whatever? Okay.
B
A
Thank you very much, Marcel. It was definitely interesting, by the number of questions and the questions that I didn't let go. Ladies and gentlemen, we are going to have a 12 minute break. We're going to restart at 10:45. No, sorry, at 11:45. I'm Italian, so I got my times wrong.
A
One thing that I must ask you: there is a workshop running at the moment, is that correct? So please, when you go downstairs, go downstairs and go outside through the smoking area, left, and there you will get in from the sponsors area. Thank you very much. We see you again in a little over 12 minutes.