
A

Good day.

B

Hey.

C

Good question, Emily. Since we seem to be anticipating new people joining today, should we do the quick round table slash introduce-yourself at the beginning rather than the end like we usually do, or is there any

D

Preference? Usually when we have our first meeting after a Security Day event, where we get a bunch of new members, we usually do introductions before, especially if we have a really light agenda like today, and then we usually talk about ways that new members can become more involved. I think one other time that we did it, we had some of the pre-existing members talk about why they joined and some of the things that they have done, to help inspire new members to be more involved.

D

But it's up to you how you want to do it. My recommendation would be to have everybody go around and introduce themselves as either a new member or what they're doing in the SIG.

C

That's a good idea. I'll take that advice. Thank you. Hello.

E

Good day, Brandon.

A

How's it going, Matthew? Are you going to be facilitating

C

First day? Sure, yeah, I will just today. Yes, unless anyone wants to grab the mic, since it was just a big event, whichever works best for the team. I had to turn my video off for just a little bit because I'm balancing a nine-month-old in my left arm and he keeps trying to kick; he's managed to kick my USB thing unplugged and I had to restart my VM. So that was a

C

Thing.

C

So give it a couple more minutes before we get things underway, and I'll do a little recap at the very end in case anyone joining late wants to introduce themselves.

A

It looks like, so far, it looks like the friendly usual crowd. So, let's see, maybe people could climb up.


C

Okay, good day, everyone. We're about four minutes in, so I think we'll get things underway. I think my webcam just disconnected. Can I confirm my audio is still coming through?

A

Yeah, we still hear you.

C

Thank you. So, taking a suggestion from Emily, we'll change the format just a little bit today, since it was just a major event, Cloud Native Security Day, the other day. But the first thing I just want to ask is: if anyone would like to volunteer to be a meeting minute taker/scribe, I posted a link in the group chat to everyone to today's agenda, and if anyone wants to grab the scribe role, that would be appreciated, just so we can take minutes as we go along.

C

I think. Oh, we already

F

Got two.

C

Beautiful, thank you all. Right. So today, what we will just start things with is, I was just gonna go alphabetically through the list of attendees, and whether someone is a new person to SIG Security and would just like to introduce themselves or mention why they joined or what interested them, or

C

Ultimately, if someone's already been a member of the team for some time now and would like to give just a quick elevator-pitch spiel of why they joined or what they gain out of being a member, by all means, and if you'd rather not, just mention "no update" and I'll just move on to the next attendee.

C

So with that, I'm just going to go alphabetically down the list, unless anyone wants to jump in. Ash, may I send the mic your

C

Way.

C

Right, so we can sit up. I'll move on.

A

Yeah, it looks like a couple of people are connecting. Oh.

F

Yeah.

C

I can

A

Start. So, kind of just a quick introduction. My name is Brandon, I'm from IBM Research, and I work on container slash cloud native security stuff. A lot of my background is around image security.

A

So signing, encryption and stuff like that. We are also working around trusted platform components, so things like attaching hardware all the way up to the software stack, being able to figure out what machines are being run by talking to the TPM and things like that. So that kind of stuff, and so SIG Security is kind of a place where a lot of these discussions also happen; I get a lot out of the discussions that happen here. I've also participated in security assessments and things like that. They are really fun experiences.

A

It's something that is easy to kind of jump into as well. Other than that, I think we have a ton of other activities that I think are unbelievable.

A

We'll talk a little bit about SIG Security Day and the white paper, so.

C

Thank you, Brandon. Ash, would you like to do a quick introduction?

G

Yeah, sure. So I'm Ash Narkar. I am one of the maintainers of the Open Policy Agent, and for those who don't know, it's an open source general purpose policy engine. So if you all want to contribute to policy, if you're interested in policy enforcement, reach out to us, join the OPA project, and if any questions, feel free to ask here or on the Slack. Thanks.

C

Thank you, Ash. Onward, Dan. Would you like to provide a quick introduction?

H

Hi, I'm Dan Shaw, chair here at SIG Security. I've been involved in this now for, you know, coming on three years, and, you know, this sort of draws upon my background in security, and it's been a great opportunity to sort of blend kind of a decade of experience on the app side of things and, you know, help ensure that we're building on a solid foundation of security first.

C

Thank you, Dan.

C

Next up, we have Emily.

B

I am Emily Fox. I work for the US National Security Agency. I'm one of the tech leads in SIG Security. I am one of the co-chairs for Security Day and I am the lead for the Cloud Native Security White Paper.

C

Thank you, Emily. Next we have Gadi, if I got that right. Would you care to introduce yourself?

I

Sure, hey everyone. This is Gadi here. By way of background,

I

Presently, I'm the CTO and one of the founders of Alcide, which is a company that is purely focused on security for Kubernetes and service mesh, so mainly focused on runtime security, security on the Kubernetes audit log and everything in between, and presently I am participating in the Cloud Native Security White Paper.

C

Thank you.

J

Next up, we have Justin. Good day, Justin. Hello. So I'm Justin Cormack. I am the CNCF TOC liaison for SIG Security, as I'm on the TOC, and I've been involved with SIG Security since quite a long time ago, before it was officially SIG Security.

J

I'm also a maintainer of the Notary project and interested in supply chain security in particular, among other things, and yeah, my day job, I'm at Docker working on containers.

C

Thank you, Justin. Next, we have Mark. Good day,

C

Mark.

C

Welcome. I'll come back to you, Mark, if you'd like to do an introduction. Next, we have Pratik. Good day.

K

Pratik, sorry. Hey folks, myself, Pratik Lauter. I work for Charter Communications, which is an ISP in the United States. I've been working on some container security stuff at the company, focusing on secrets management, a bit of service mesh, container scanning and things like that. I've attended a few of the working group meetings so far, and so far it's been doing great and I'm eager to get more involved with the community.

C

Thank you. I see Mark's camera is on there. Mark, would you

E

Like to grab the mic now, sir? Hey guys, sorry about that, it was hourglass time for me. So I'm the innovation security guy at Synchrony, but I'm really representing myself in this group. I previously have collaborated with NIST on some of their work and also the DevOps security standard with IEEE. So I kind of bring the external standards conversation into these meetings.

C

Thank you, Mark. Next, I have Michelle. Michelle, would you like to introduce

C

Yourself? I'll come back to this attendee; we're all just getting our mics working. Next we have Ray. Ray, would you like to introduce yourself?

L

Hello, I am from RX-M, we are a cloud native consulting and training company. I'm also an active participant in the Kubernetes project, being part of the 1.18 release team and the current 1.19 release team as well. I also actually participate in the documentation of Kubernetes with the website, and I'm actually here to learn more about security, to be more security-minded, because as a developer in the past, I haven't always been so.

L

I figured this is a good place to stay.

C

Right, agreed. Thank you, Ray. Next, we have Robert. Robert, would you care to grab the mic?

M

Sure, hi. Robert Kalia. I've been involved with SIG Security for, gosh, about the last year or maybe longer at this point. I'm co-chair of the Policy Working Group, where we look at specifically Kubernetes-related policies and, more broadly, how that maps to different compliance frameworks and policy validation. For this group, specifically leading the Cloud Custodian security review process. So I'll get on my soapbox and ask for volunteers.

M

If you want to try the process here at SIG Security to review one of the CNCF projects, we're looking for all the help we can get, and you can join the Slack channel for sec assessment custodian. I think I put that incorrectly in the notes now that I look at it, so I'll correct that. But if anybody wants to chat or speak up, we're happy to have some volunteer help on that effort.

C

Thank you, Robert. Would it be possible to also throw those links into the group chat here in Zoom?

M

Yes, I'll, I think I'll link that to the GitHub issue, and that'll probably be the most expedient. Perfect, thanks.

A

Again, I dropped the thing for you. Oh, but.

C

Thank you, and next up we have Rowan. Good

F

Day, Rowan. Hello there. I'm Rowan, I'm the head of security at ControlPlane. We're a cloud native security consultancy out of London that was founded by Andy Martin. I joined SIG Security to try and contribute to the cloud native

D

Security.

F

White paper that Emily is leading.

C

Thank you, Rowan. Next up, we have TK. Good

L

Day, TK.

N

Yeah, I've been with SIG Security, I think, for a while now, before it became SIG Security, I think when it used to be the SAFE group and so forth, and my interest is primarily coming from the security aspects of edge computing.

N

So I am also involved in the IEEE next generation, future generation networks, looking at 10 years from now and in between, I suppose, and I've been working very closely with those things and I'm trying to make sure that they are aligned well, I suppose, with the CNCF working group. So in case anyone is interested in the INGR,

N

You can look that up in the IEEE, the next generation networks, and you will see some of the drafts that we are proposing and preparing there on these things. It's still at the very initial stage, but we do have some working graph there as well. Other than that, I represent a consulting company on edge computing, basically. So we're working on these things and to make sure the cyber security is also aligned to the edge side of

C

It. That's pretty much it. Thank you. Thanks. Thank you, TK, and if you want, by all means, feel free to post the links to the drafts in the group chat, if you want to.

N

Yeah, it's actually very easy to Google search, INGR and IEEE, because it's so widely known.

C

True. Okay, thank you, and next we have Vinay. Good evening. Would you care to take the mic?

O

Hi Matthew, thank you. Hello, everyone. My name is Vinay Venkatraglin. I've been part of SIG Security for about five months now, since February this year, I guess, and, you know, I wanted to, you know, contribute to the community, bring over, you know, 15 years of work in security, enterprise,

O

You know, hybrid cloud, cloud experience, and I'm also part of a group at Palo Alto Networks called Prisma Cloud, where we help our customers secure across the entire software supply chain.

O

Right, which is, you know, through the build, deploy, run phases, so I thought it was very appropriate, and one of the contributions I made to the community here is I presented a security reference architecture which I'm hoping can have a place in the Cloud Native Security White Paper as well. So very excited to be part of this great group. Thank you.

C

Certainly, thank you. And one person I'll just loop back to, because I don't believe they got a chance: Michelle. If I got that right, would you care to grab the mic?

P

Sure. We've never done this intro thing before, so it freaked me out, sorry. And I mean, oh good, I'm in witness protection, clearly. So I'm Michelle Treberka, I work for a large financial institution.

P

I worked for another large financial institution before that one, and I work primarily on a self-hosted Kubernetes initiative at this institution, and I'm an architect, if that helps. I don't know what else you need to know.

C

Thank you, Michelle. Thank you. And if there's anyone I've missed on the list that would like to introduce themselves, I think we're good, but if I've missed you, please feel free to chime in. And oh, I may as well introduce myself. My name is Matthew Jassa, I'm a principal engineer and technical lead for essentially cloud development at my employer, Keysight, formerly Ixia, and the CNCF security group is kind enough to let me facilitate meetings now and again, and besides that, my major interest is just learning the security landscape for Kubernetes.

C

I come from more of an embedded development background and real-time operating systems, and now that I'm thrown more into the cloud side of things, I find that, just by taking part in these meetings and joining the team, I learn just how much I don't know and how to fill in those gaps as time goes on, so it's definitely helped with my day-to-day career. With that said, I think we've got all the introductions out of the way. We already have our minute takers here, and my intent was to move on to check-ins slash presentations we have proposed for today.

C

My understanding is there's a post-Security Day update from Emily, as well as the white paper schedule bump, and I'm just going to quickly check and see if there are any updates we have here. See, I believe all these were covered in the round table we just had, so with that said, I'd like to pass the mic to Emily.

B

Hey everyone, I want to let you guys know that we had a really awesome Cloud Native Security Day at KubeCon this year. It was our first virtual event, and as with most first-time virtual conferences, we did run into some technical difficulties with the platform, but I think probably after the first few talks everything started to work out. Things started to get a little better.

B

I think it was our first time using that platform, so everything seemed to be going pretty well, but as we moved throughout the day, we had about 369 folks join the Security Day channel for KubeCon, some really good discussions in there, and at one point we had 230 viewers for a single talk. We're waiting to hear back from the CNCF about what kind of transparency metrics they're gonna issue about KubeCon and CloudNativeCon.

B

So we can get more information about how wide of an audience we reached with all of the awesome presentations from all of our great presenters.

B

I will be running a virtual retrospective of Security Day in the security events channel, and then we can close out that ticket and create a new issue for Security Day 2020 North America as another virtual event. So if you are interested in potentially presenting, get ready; we will hopefully be putting that call out once we coordinate everything with CNCF again.

B

So that's the update for Security Day, and then the next update. So I updated the Cloud Native Security White Paper with a new schedule. All of our dates have been bumped out about a week to allow the writers and the contributors to have a little bit more time to put in some content. With KubeCon consuming everybody's time last week, I wanted to make sure that we had plenty of time to get as much information pulled together, and that's about all I

C

Have. Thank you, Emily. Does that effectively cover both the two topics, then? Yep, okay. Thank you. With that, I'm just going to double check the check-ins. I don't believe we have any SIG representatives with any check-ins today.

C

Okay, so we do not have any additional PRs or presentations, so I was just going to ping a couple people here on the call to see if they wanted to provide additional info on the items they previously covered. So I have what Mark Underwood noted here on this, IR 8006, Cloud Computing Forensic Science Challenges. Mark, did you want to go into any additional detail there, or all good?

E

So yeah, I'll just make it quick. I don't want to give these... Let me shut up this other meeting.

E

I don't want to give these two products from NIST too much presentation, but they reflect sort of sub-disciplines in the work that we do in this group that we don't always give a lot of attention to. So one of them is cloud forensics. So this is not a standards document; it's kind of just a technical report on that subject. And the other one is actually a tool.

E

It's an installable executable that tries to treat the cyber supply chain as a graph, basically, with multiple nodes in it, where each node is, you know, some facet of the supply chain: could be another open source project, could be a person, could be a subcontractor, and so on. Dubious whether that tool is really a great idea, but it gets you thinking about alternative ways of looking at this. NIST has some other documents around cyber supply chain.

E

It's a real problem, especially for bigger organizations, to try to manage down. If you're heavily invested in tooling to solve security issues, you're confronted with a problem that your less capable organizations often offer a greater risk to you. So that's it, just a couple suggestions.

C

Thank you, Mark, and then I believe we have one last thing on here, and then we'll just open the floor if anyone wants to grab the mic. So Robert, there was the mention of needing Cloud Custodian security reviewers. Is there anything else we would like to add to that, or is it already all covered in the previous discussion?

M

I know. I'm happy to reiterate: we'd love to have folks participate in the security assessment process. So if you've been curious about it or you've kind of watched from the sidelines, it's a very low risk way to participate, kind of roll up sleeves a little bit, but the ask is very low, and of course, the more volunteers we can get, the more we can distribute the load.

M

So if you have any interest at all, please don't hesitate to join the Slack channel or comment on the GitHub issue and I'll reach out to you, or speak up now.

K

I'm curious what type of assessment is involved, like I've not done any assessments previously. So I'm just curious, what does the work involve?

M

Yeah, so the process that we here in the SIG have laid out as the assessment process is really reviewing documentation provided by the project, in this case Cloud Custodian, on how they manage security, how their project aligns with some of the common practices, the CII initiatives, and, you know, we as a team will review that documentation, see that it maps to expectations, discuss what those expectations are, and then really come back with some feedback to the project that we will review with the TOC and present to the TOC.

M

And, you know, what came out of that in previous assessment rounds with folks like OPA and Keycloak and such is a set of maybe concrete recommendations around either documentation or implementing different CII initiative improvements, you know, getting to a certain badge or adding some additional tooling, and I think in a couple of cases some GitHub issues to the project around a particular threat that was identified.

K

I see, yeah, that helps a lot, and I think Brandon sent some links as well, so I'll check those out. Definitely sounds interesting; I'll reach out to you directly on Slack for that. Great, fantastic. Thank you.

C

Okay, with that exchange, we've covered all the items we have on the agenda so far for today. So at this point, I'd just like to open the floor. If anyone would like to bring up any specific PRs that require attention, or if there's anything else that needs to be raised, here's your chance. So yeah, I just thought... sorry, go ahead.

A

No, I just want to add a quick note. I think for those that are new, we have a new members kind of section that's in the README. That should be helpful.

A

Also, there were mentions of Slack as well, so we have, on CNCF Slack, the channel is security, and within that channel, actually, if you go into one of the pins as well, there are a couple of sub Slack channels: SIG Security events, stretch, all those things. So those are about specific things; for example, SIG Security events is for Cloud Native Security Day and stuff like that. There are a few that are not there right now.

A

I will try and post it in, such as there's some about the white paper as well. I think I'll update that, but the SIG channel is also a good resource, and feel free to just ask questions, and then, you know, we'll try our best to be helpful in providing clarification.

O

Thanks, Brandon. Maybe I had a question; I wanted to follow up on a comment that Mark made. Sorry, I didn't follow the latter part of your argument.

O

You mentioned that there are the standards and there are some tools, and those tools are not quite effective or they don't work. Could you elaborate on that,

L

Please.

O

Sorry, TK, was that for me? Underwood, yeah.

E

Mark, this is Vinay here. Sorry, I

O

Just wanted to try to clarify the latter part of your argument. You mentioned something to the effect that there are standards, there are tools, but these tools are not quite effective, which actually opens up another kind of a threat vector for enterprises. Is that what you said?

E

Right, so there are two artifacts released this last week by NIST. There are other ones that I wasn't calling out in this particular meeting that are worth talking about in this context, but I haven't listed them all there. I'm lazy, I guess. But of the two that they offered up here, one of them is actually an installable executable, and it tries to do a representation of supply chain, and my critique of that simply is,

E

It doesn't try to represent the semantic space or the technology space of the kind of relationships between these nodes. So a node that's a person and a node that is a third party application, like, say, Salesforce, right, a SaaS application, or our SAP hosted internally

E

On a, you know, internal cloud, or, like, a security tool, as yet another example. Now, typically those are cloud-based. So each one of these things, if you represent them as a node, they have a complicated type of dependencies, or in an AI world we would call these attributes or properties. So it's an unsophisticated graph representation, but because there's nothing else better right now, and because NIST is influential in this space, it's a good place to start to get people thinking about it.

E

So it kind of depends on the sophistication of the organization, whether you can lead people along a useful, a fruitful path of saying, okay, this is, you know, a starting point. Now maybe we can identify our risk register, where we think our biggest threats are, our most unstable elements of our supply chain. That could be people you just onboarded in a regulated business like the one where I work.

E

We're also worried about the ones where we get audited regularly, because even though the risks might be low, we'd have to report out on a regular basis on those things, so that might be an elevated concern even if the risk is low. So trying to do a better assessment of that graph then becomes a worthwhile enterprise.

E

But then a deeper dive looks at things like threat models, and how do you share information, like intelligence that you might have, you know, in a Fortune 500 organization or in a large government organization, with people down your supply chain? You know, do you share it directly and just say, we heard about this threat and here it is, you know, FYI?

E

You might actually not be permitted to do that in your proprietary agreements with your contractors, because they're selling that to you; you can't just give it away to someone else. Also, you might have information where you don't want to tell them about your own vulnerabilities, right, because you have information sharing restrictions. So there's a filter going on that's bi-directional, and so, although you really want to automate alerting up and down the supply chain, realistically that's not feasible in many settings. You need to, you know, both have contractual and also automated intermediaries.

E

Think of these as agents in a kind of AI way. These agents need to be intermediaries between your principles of sharing with the supply chain and vice versa. So all of this is happening in a mix where we're all trying to automate things in order to be more efficient and deal with the deluge of alerts, and traditionally there is no automated up-and-down-chain alerting in information security. This is kind of a, you know,

E

You get on the phone and talk to somebody, or you get on Slack and you tell them, hey, we heard about this bad actor and they might be going after you too. And occasionally you might have sector-wide sharing, like a utility sector or finance, you know, and they have their own interest groups, but that's not real time. It tends to be, you know, periodic meetings and that sort of thing. So that's the stuff I know about. I know there's stuff, that's dark sharing, that goes on.

E

That's besides that, but, you know, in the ethos of cloud native, you really want to have full transparency about supply chain information sharing and vulnerability. So that's a longer version of this topic, which is a deep one. Got it.

O

Thank you so much. So, great work, but operationalization is a very tall ask.

M

There is sharing that's going on, but from what I've seen firsthand, that takes more of the approach of, hey, you know, you guys send your SIEM alerts to my SIEM, and there's not a lot of structure to that.

M

So having some sort of graphic or graph structure to, you know, what alerts am I sending you and what am I supposed to do with that on the receiving end, and how does that map to my, you know, ATO, or how does that map to my risk con wine, I mean, I haven't seen anything that specific or concrete that would help me operationalize

M

What am I supposed to do with this fire hose of events that I'm getting from my vendors or that I'm asking my vendors to give me?

O

See, that brings up a great point. I mean, I don't know if we have time, but maybe just one last comment on that: is there, there is no open standard, right, even for all the threat data, intel, etc., across so many different providers? It's all proprietary.

O

Is there like an open source, or open standard rather, for threat data that can actually, so, you know, here is the format, here's how it looks, here's how I can ingest it, and here is how I can operationalize it? Does anybody know of anything? Is that... I don't know if it's

M

Threat, but there is OVAL, XCCDF. I think maybe some of that; I might have to go refresh where they have specific mappings.

P

There is actually, as I recall, MITRE has some standards around threat intelligence information and threat data. I mean, there's the CVEs, there's the scoring mechanisms like CVSS 3, CWEs, stuff like that, where you have calculators, but you're talking about the actual format of the information and how it's transferred, correct? Yep.

E

Yeah, but it never really got hold, I'm afraid.

P

I'm sorry, which standard?

E

It's an OASIS standard for cyber ops interoperability that tries to do that, but I think the current best hope for that is the MITRE universal ontology project, and, you know, what they come out with from that. So that's a derivative of the other MITRE projects, but they're trying to be a little more formal about it. I try to keep track of where that is, but it's not usable, and none of the vendors are doing anything with it beyond trying to do MITRE ATT&CK mapping. I mean, there is STIX, right?

P

And that was the one that comes to my mind on the threat intel side. I thought they had something for the way you collect specific testing output. I'm not finding it,

E

Though. Yeah, and, you know, the challenge is, there are so many challenges with this. You know, do you trust information you get up and down the supply chain? And, you know, there's the reputation problem, there's the standardization problem, and also the nature of the threat depends on what you do as a business, right?

E

So the supply chain threat for health care is not the same as the one you have for a finance business, and even in finance, it's not the same between the credit markets, like credit card offerings, and the venture capital folks, right? They've got a big logging standard around what they're trying to do there that's got federal funding, but that turns out not to be very usable for somebody that sells credit cards. So there's a domain-dependent part of this that's important too.

N

I mean, there are some open source things I think we all know of: that's the OWASP, which is the application-related security threat. So there is a good log there, and it's continuously being updated by the online community, and might end just like

N

MITRE.

C

Okay, we got a 10 second gap of crickets. Is there anything else anyone else, yeah, pardon, would like to add or bring up?

E

Yeah, if there was interest in this general topic, you know, I could try to put together, you know, a more comprehensive presentation and walk through that, you know, if I really did do some more homework instead of this slapdash presentation I just laid on you.

I

I would be interested in seeing

I

That.

A

Can I open a presentation issue and assign it to you? All right. Thank you.

E

Yeah, we'll work on the dates, TBD, right?

C

Okay, at that point, I think we've covered all the major points and gave everyone a good chance to... I think I see one or two more people that weren't on the call initially, so before we wrap things up, if there's anyone that's joined partway through, if you would like to introduce yourself, whether you're a new member or just getting to know SIG Security or an existing member, feel free to grab the mic now, if you'd like to.

C

I see Capil there. Would you like to grab the mic?

C

I'm good. All right, in that case, that's a wrap for today. We'll see everyone next week, and until then, stay healthy.

K

Cheers.

K

You.
From YouTube: CNCF SIG Security 2020-08-26
