From YouTube: Breakout Session: Detecting Anomalous Kubernetes Activity with Falco - Husni Alhamdani
Description
Security is the first and foremost thing everyone is concerned about. Everything is moving towards containers these days, and working with a large crowd needs security as well. Security enhancement would be the next thing to consider implementing. In this talk Husni (Certified Kubernetes Security Specialist) will bring one of the tools in runtime security, called Falco (the de facto Kubernetes threat detection engine). He will cover an introduction and the concepts of Falco itself, the kinds of threats, example behavior or activity rules, and lastly how to implement it and integrate it with Kubernetes and the underlying infrastructure.

Detecting Unusual Activity in Kubernetes Clusters Using Falco

This is a short profile of me. Yes, I am Husni Alhamdani. I hold several certifications and I also received a scholarship. Recently I had the opportunity to become a beta tester for the latest Kubernetes certification, and I received some scholarships for the CNCF events, including the North America event in person, and [unclear].

For the agenda: first, what Falco is, why we need it, and why it is important to apply Falco to a cluster after it has been created. Then Falco in Kubernetes, that is, the implementation in Kubernetes: what is in the cluster and the other components. Then Falco rules: how do we write rules from the event sources that Falco supports? Then I will show, step by step, the installation and configuration of Falco itself, then I will try to show you a demo and the Falco [unclear], and finally the Q&A session. OK, first I will tell you a little about security, or what approach is used to secure an infrastructure.

So what is the security approach, what are the best practices, from the pragmatic side of security, and what security can we commonly apply in Kubernetes? Security approaches: there are two, prevention and detection. Prevention is something like this: we prevent an action so that it does not work. If there is an attack or a breach against our infrastructure, the controls we use [unclear] handle it before it lands. The second is detection. In detection we use policies, where we can monitor and check whether there is any unusual activity outside of the policy that we write, and in this detection we can also send notifications directly so that the user, or we as the owner of the infrastructure, know about these attacks. Detection is what we will show in this talk. Then, based on a security concept called the 4Cs of Cloud Native Security: there are Cloud, Cluster, Container and Code. So if we want to secure Kubernetes, these are the four layers we need to prepare for security.

[For the Cloud layer it depends on] the respective provider. Meanwhile, on the Cluster side, we can do hardening of the cluster components, for example from the master side and from the worker side. We can do hardening on all sides, starting from networking or from the internal cluster. For that, simply, you can use the documents from CIS, the Center for Internet Security.

Then security in Kubernetes. Maybe you are already familiar with the full set of open source tools that can be used. For authentication or authorization, you can use RBAC, role-based access control. For hardening on the networking side, on the Kubernetes networking side, you can use [NetworkPolicy] resources. For kernel hardening, seccomp or AppArmor. For scanning images you can use [Trivy], and for secrets that hold sensitive data you can use [unclear], or you can also use other open source tools to [check] objects, like [kube-bench] or [unclear], which are more focused on a series of security [benchmarks]. That is, using [unclear], and of course there are other methods for security that can be applied, not only what I mentioned here. So there are still many other methods. We have not yet gotten to Falco itself.

We will first discuss what the security chain is. So, for example, when we deploy our containers, maybe we have done code scanning, we have done image scanning, we are also probably doing [static analysis], and what is very critical is if we do not implement the last link, namely the runtime side of the security chain. That is, runtime security will actively protect it by detecting unusual activities.

Falco is also called a runtime security project, an intrusion detection engine or a threat detection engine; so, everything related to the detection of attacks or threats at runtime. It was created by the company Sysdig, then in 2018 it came under the umbrella of the CNCF, and now it is at the CNCF incubation level. Falco is also the first runtime security project that joined the CNCF [unclear]. Falco follows rules: if activities happen outside the rules that we write, or violate the rules that we write, Falco will detect them and send an alert to the user or to the infrastructure owner. Then, why should we use it, if we can also [unclear]? So every time there is abnormal activity, we can immediately receive an alert or notification. We can also use rules based on [unclear] or on CVEs (Common Vulnerabilities and Exposures).

Then, Falco implementation in Kubernetes; I analogize it like this. There is the infrastructure layer, meaning the master and the worker nodes, then there is the Cluster layer, in blue. So we implement it on both sides: the cluster side and the underlying infrastructure side. On the Cluster side, we want to detect [unusual] administrator activity, while on the infrastructure side we want to detect unusual activity in the infrastructure components. For example, if it is integrated with the Kubernetes audit, we can read all commands from the user, for example [creating] certain objects or [unclear], and then carrying out certain activities on the cluster. Then, for detection on the underlying side, via syscalls, we can detect if there is a change on the [file] side of the control plane components of Kubernetes, or if there is a user who makes [a change].

Then Falco rules consist of three elements: there are the rules themselves, then there are macros and lists, which are supported by Falco. In a rule we write the conditions we want to [match]; if the conditions are met, the output that we write will be emitted by Falco. Then there are macros. Macros are actually there to make things easier, so we can use a macro; for example, the macro here has a condition like this, so we can summarize it and use it in other rules, so they are shorter. Then lists are used to store a collection. For example, we have a collection, or a list, of the namespaces that are allowed, so we just have to enter it [in the condition]. For example, [unclear].

Let's look at an example. The fields that are supported for the Kubernetes audit source, and the ones supported for the syscall source, are quite a lot. Here I just tried to take a few samples. For the Kubernetes audit, for example, ka.user.name retrieves the user who performed certain actions; then there is ka.verb to take the verb; ka.target.name takes the name of the target; ka.target.resource checks the target resource, for example pods, [unclear], secrets, etc. Then there is ka.response.code to retrieve the [response code] of the action that was carried out. Then the syscall fields supported by Falco: there are quite a lot here, for example proc.pid for the process ID, then the process name, the arguments and the user ID. There are many more; you can check on the link below.

Here are examples of rules from the [Falco community rules]. So here are two examples of rules. Here there is a list in the form of a collection of allowed namespaces, and the rule is Create Disallowed Namespace. So in the first rule, the rule will trigger when, let's look at the condition section, there is a Kubernetes event (kevt) and a namespace (these are macros), and kcreate, and the target name is not in the allowed namespaces list. So if there is a namespace creation outside of this list, Falco will trigger it and give an output in the form of "Disallowed namespace created", with which user and which namespace, and then we can set the priority to, for example, warning or info. Then the source: we direct it to k8s_audit, because the event comes from the Kubernetes audit, and we can [set] the default tags [unclear].

Then the example of the second rule is K8s Deployment Deleted. This will be triggered if the condition is kactivity and kdelete, which means the verb is delete, and the target, for example, is a deployment, and the response is successful. So the output later is a message "K8s Deployment Deleted" by the user, with the deployment name, which namespace, what the response code is, and what the decision is; in detail we can set it ourselves with [unclear], and the source is k8s_audit, the same as in the previous one.

So that's the anatomy: there is the rule name, the description, the condition, the output text, the priority and the source. And here is, for example, a rule for syscall activity. This rule will be triggered if there is an incoming SSH connection to the host or VM from outside the allowed list above. So the condition is inbound_outbound and ssh_port and not allowed_ssh_hosts, so it is outside of the allowed list. The output will be a message like this, and the notification will be sent directly by Falco.

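The three rules described above, reconstructed as one Falco rules file. This is an added example, not the speaker's slide and not the upstream Falco rule file verbatim; the macro definitions (kevt, kcreate, kmodify, kdelete, kactivity, response_successful, inbound_outbound, ssh_port) follow the conventions of the upstream Falco rule sets for the built-in k8s_audit source (Falco releases before 0.32) and the syscall source, while the contents of the allowed_namespaces and allowed_ssh_clients lists are assumptions for the example.

```yaml
# Added example: Falco rules illustrating the anatomy discussed in the talk
# (list -> macro -> rule). Macro definitions are modelled on the upstream
# Falco k8s_audit_rules.yaml / falco_rules.yaml; list contents are assumed.
#
# Validate with:  falco -V rules_example.yaml
# Load with:      falco -r rules_example.yaml

# ---- Kubernetes audit source ---------------------------------------------

# Only match the completed stage of an audit event, otherwise every request
# is seen twice (RequestReceived and ResponseComplete).
- macro: kevt
  condition: (jevt.value[/stage] in (ResponseComplete))

- macro: kcreate
  condition: ka.verb=create

- macro: kmodify
  condition: (ka.verb in (create,update,patch))

- macro: kdelete
  condition: ka.verb=delete

# Any write activity; reads (get/list/watch) are deliberately excluded.
- macro: kactivity
  condition: (kevt and (kcreate or kmodify or kdelete))

- macro: namespace
  condition: ka.target.resource=namespaces

- macro: deployment
  condition: ka.target.resource=deployments

# HTTP 2xx: alert on what actually happened, not on denied attempts.
- macro: response_successful
  condition: (ka.response.code startswith 2)

# Allow-list (assumed contents): extend per cluster rather than deleting entries.
- list: allowed_namespaces
  items: [kube-system, kube-public, kube-node-lease, default, monitoring]

- rule: Create Disallowed Namespace
  desc: Detect an attempt to create a namespace outside the known set
  condition: kevt and namespace and kcreate and not ka.target.name in (allowed_namespaces)
  output: Disallowed namespace created (user=%ka.user.name ns=%ka.target.name)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

- rule: K8s Deployment Deleted
  desc: Detect a successful deletion of a Deployment
  condition: (kactivity and kdelete and deployment and response_successful)
  output: >
    K8s Deployment Deleted (user=%ka.user.name deployment=%ka.target.name
    ns=%ka.target.namespace resp=%ka.response.code
    decision=%ka.auth.decision reason=%ka.auth.reason)
  priority: INFO
  source: k8s_audit
  tags: [k8s]

# ---- syscall source --------------------------------------------------------

# Accepted or initiated TCP/UDP connections that are not loopback.
- macro: inbound_outbound
  condition: >
    ((evt.type in (accept,listen,connect) and evt.dir=<) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

- macro: ssh_port
  condition: fd.sport=22

# Assumed bastion / jump-host addresses that are allowed to reach sshd.
- list: allowed_ssh_clients
  items: ["10.0.0.10", "10.0.0.11"]

- macro: allowed_ssh_hosts
  condition: (fd.cip in (allowed_ssh_clients))

- rule: Disallowed SSH Connection
  desc: Detect an SSH connection on port 22 from a client not on the allow-list
  condition: (inbound_outbound and ssh_port and not allowed_ssh_hosts)
  output: >
    Disallowed SSH Connection (command=%proc.cmdline connection=%fd.name
    user=%user.name container_id=%container.id image=%container.image.repository)
  priority: NOTICE
  source: syscall
  tags: [network, host]
```

Two things worth checking before relying on this file: the namespace and deployment rules only fire when the API server audit policy records the ResponseComplete stage (kevt filters on it), and the SSH rule keys on the destination port only, so an sshd listening on a non-standard port needs ssh_port adjusted.
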
So all you have to do is add the Helm repository and then install the chart. Make sure the auditLog parameter is set to true, and the [unclear] parameter is just for [testing]. What we have to check is that the webserver is active, so webserver.enabled is set to true. Then the port can use the default port, 8765, and the endpoint is /k8s-audit; we can set it in the audit webhook [config]. This endpoint is used to receive the Kubernetes audit events that will be sent [by the API server], and what we need to activate on the API server side is just to add these arguments: the audit policy file and the audit webhook config file, where this config is directed to the Falco service. Then, once the audit is active and has been integrated with Falco, the Falco rules can already use this source. So all activities from users, or activities from the components that go to the cluster itself, will be recorded by the Kubernetes audit, sent to Falco, processed by Falco, and the rules will trigger if the conditions are met. From here I will show a short demo.

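The API server side of the integration the speaker describes, as an added example that is not from the talk: an audit policy plus the webhook config that points kube-apiserver at Falco's audit endpoint. The Service ClusterIP, the file paths and the resource selection in the policy are assumptions; port 8765 and the /k8s-audit path are the defaults of Falco's built-in webserver (releases before 0.32), and Falco is assumed to have been installed with `helm repo add falcosecurity https://falcosecurity.github.io/charts` followed by `helm install falco falcosecurity/falco --set auditLog.enabled=true` on a chart version that still bundles that webserver.

```yaml
# Added example (not from the talk): the two files kube-apiserver needs in
# order to forward audit events to Falco. Paths, the Service ClusterIP and the
# resource selection are assumptions; adjust them to your cluster.
#
# kube-apiserver flags (static pod manifest on each control plane node):
#   --audit-policy-file=/etc/kubernetes/audit/audit-policy.yaml
#   --audit-webhook-config-file=/etc/kubernetes/audit/webhook-config.yaml
#   --audit-webhook-batch-max-wait=5s      # optional: cap the batching delay
# Both files must be mounted into the kube-apiserver pod (hostPath volume).

# ---- /etc/kubernetes/audit/audit-policy.yaml -------------------------------
apiVersion: audit.k8s.io/v1
kind: Policy
# Falco's kevt macro matches only the ResponseComplete stage, so only the
# RequestReceived stage is dropped here; omitting ResponseComplete would
# silently disable every k8s_audit rule.
omitStages:
  - RequestReceived
rules:
  # Never ship secret contents to the webhook: metadata only, and keep this
  # rule first because the first matching rule wins.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps", "serviceaccounts/token"]
  # Full request/response for the objects the example rules look at.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["namespaces", "pods", "services"]
      - group: "apps"
        resources: ["deployments", "daemonsets", "statefulsets"]
      - group: "rbac.authorization.k8s.io"
        resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  # Noise control: control plane components and read-only traffic.
  - level: None
    users: ["system:kube-controller-manager", "system:kube-scheduler"]
  - level: None
    verbs: ["get", "list", "watch"]
  # Everything else at Metadata so ka.user.name and ka.verb stay available.
  - level: Metadata
---
# ---- /etc/kubernetes/audit/webhook-config.yaml -----------------------------
# A kubeconfig-shaped file; "server" is Falco's audit endpoint. kube-apiserver
# runs with host networking and usually cannot resolve cluster DNS, so use the
# Falco Service's ClusterIP (assumed 10.96.0.50 here) rather than its name.
# Newer Falco releases using the k8saudit plugin listen on 9765 by default.
apiVersion: v1
kind: Config
clusters:
  - name: falco
    cluster:
      server: http://10.96.0.50:8765/k8s-audit
contexts:
  - name: default-context
    context:
      cluster: falco
      user: ""
current-context: default-context
preferences: {}
users: []
```

After restarting kube-apiserver with the two flags, a quick end-to-end check is to create a namespace whose name is not in allowed_namespaces and confirm that a Create Disallowed Namespace alert with source k8s_audit appears in the Falco pod logs; if nothing arrives, the kube-apiserver log will show webhook delivery errors when the ClusterIP or port is wrong.
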
[In the demo,] in the window above I tried to create a new namespace, for example with a specific name, [unclear], and we try to wait for the alert in the Falco log here. A warning appears immediately: "Disallowed namespace created", the user is admin, because I am using the admin user, and the namespace is [the one I created]. Then we can check here that the source is from the Kubernetes audit.

So later, please check again the rules which already exist by default, and you can use them or write the specific rules you want. After we install and integrate the Kubernetes audit and Falco, we can also integrate it to send the output from Falco to the platform that you or your office use; for example, we can send it to Slack for notifications, or to Google Chat notifications through [unclear], and also to [unclear] to send to [unclear]. Logging can go to Elasticsearch or even [unclear].