From YouTube: Defend: Container Security Weekly Group Discussion
Description
Weekly meeting for the Defend:Container Security group
A
Welcome to the Defend team's Container Security group weekly synchronous discussion. We have a fairly full agenda today, so we've extended our meeting to be an hour, and I am going to let Sam take over. I apologize if it's talking for like an hour and a half straight. So just looking at the agenda, it looks like we're gonna be jumping right into planning breakdown, unless Sam or anyone else had any other discussion or questions that they want to talk about first. I tell.
B
A
Alan's been working on a lot of the Threat Insights with us. The work for the MVC for first-class vulnerability is up until sort of this week, and Wayne just explained earlier today that Alan's gonna start to contribute here on the container security group long term. So we're excited to have you here, Alan. You just can't get enough meetings with me today.
D
All right, sounds good. Well, just to dive right in. You know, so really everything here that we're discussing today is currently slated for the 13.0 milestone, but I just wanted to start at the top. I ordered these in terms of, like, most well-defined to least well-defined, just so we can hopefully knock out these first ones and get them out of the way. So the first two are metrics for Cilium and for WAF, really.
D
The issue here is that our usage ping does not collect any metrics for Cilium, and the metrics that it does collect for WAF are inaccurate. So, in order for us to start measuring the value of these features that we've released, we need to start actually recording and reporting some information there. So I can share my screen and talk just a little bit about both of these and.
D
Sure, yeah, they're pretty much identical, or very, very similar anyway. So for both of them, we've decided that we want to measure usage for these not in terms of, like, the number of user clicks. So, you know, a lot of the rest of GitLab usage ping is recording the number of clicks or user actions that take place.
D
Kind of the analogy that I share in this case is like with a microwave: it makes great sense to measure the value of your microwave based off of how many times a user actually physically interacts with it, but for your home security system, or even for your network, you know, router at home, you know, the measure of value is very different from how many times you interact with it. In fact, in a way, it's a good thing if you don't interact with it a lot.
D
Its value more comes just from the fact that it's on and functioning and working and, you know, preventing bad stuff from happening. So again, for both of these, they're pretty much identical. We're looking, through ModSecurity: the total number of packets that we've analyzed, the number of packets that we've analyzed and found to be anomalous, the number of environments where it's installed and turned on, the number of environments where it's installed and turned off, and then the number of environments where it's not installed at all.
D
And so we don't necessarily have to have all five of these as distinct statistics. If it's possible to derive some of these from other statistics that we have, that's perfectly acceptable, as long as, at the end of the day, we have this information available to us in a reasonable degree that it's accurate. So again, ModSecurity and Cilium. You know, you've got the same less after Cilium, so moans. You three have security.
B
E
Got one quick question about the total numbers of packets. Are we saying total number overall over the time, or in the last 30 days, for example? I'm not sure if we remove some statistics after a certain amount of time, but maybe will be better to keep the total number of packets that were anonymized or analysed during the last 30 days, yeah.
D
So that's a good question, and I don't know how usage ping works in general, but most of usage ping again is monitoring user actions like clicks, and I don't know how, I don't know the frequency at which those are aggregated and then sent off by. I mean, I suppose it's possible they send up a usage ping for each click, but I can't imagine how that would be scalable.
B
It seems to be something that's not, that information is not well known at GitLab. It's not not. The folks notice, some other folks having similar questions about other similar things. So I did post some links, Alan, in the issue based on some recent discussions, but I think you're, surely ask your questions about how all that works, but you're probably have to. I don't think anybody in Defend's gonna know the answers. Until you know, then you can educate the residents.
E
Okay, I'll try to know. The reason I'm asking: because, for example, for further statistics for WAF, like total traffic or anomalous traffic, oh, I know that we are getting that from Elasticsearch. I'm pretty sure that we will not have the data for, let's say, for a year. I believe the retention is like ninety days or something like that.
E
F
E
D
It's probably worth figuring out how the rest of usage ping works. I seriously, I don't think it's a year, or it's probably like once a day would be my best guess, based off of the data that I've seen. So in that case, we'd want to do, you know, over the last 24 hours, just to keep our statistic as consistent as we can with the rest of usage ping, but I think it's worth getting an answer to that question: how does usage ping work?
B
B
B
C
A question, if I can, please. I haven't done any technical discourse and showing self, if sounds I, think savin achievable with our current capabilities, and specifically concerned about Eike drop metrics for Cilium and WAF, because those have been collected by the environments that don't really control. In some cases it will be installed, like, let's say, in terms of parameters that he will collect the metrics, they might be not even under control of us. They can be connected to the system as an external service.
C
Not in a way collected by us. If, strictly speaking, what is happening is we allow users to install necessary infrastructure, and then we allow users to send us information about this infrastructure, and then, based on that, we present data in both cases, for WAF and Cilium. But we are not directly collecting anything ourselves, so we don't store anything on our infrastructure.
C
Everything is located in the user's cluster, in some cases even not in a user's cluster, so I'm just concerned how we're going to do that. And on top of that, I know we discussed WAF, but for Cilium, collecting on and off traffic right now, it's really problematic, which is because we are not having a state of that in the system. And I know Lucas did a lot of investigation in terms of statistic for ModSecurity for installation, and he had quite a few problems, and I think right now it just works on a button click.
C
So when the user clicks a button on installation of ModSecurity in cluster settings, listened stared back into the GitLab analytical analytics collection system, that's how it works. But at the same time, this won't work for Cilium again, because Cilium doesn't have a button right now. So my true question is: can we actually break down that it's our technical investigation? Second one: there is an issue for the Cilium, I think it's next on the agenda, about getting an on/off state for Cilium. I.
C
D
D
And I don't think that's a problem. So again, I don't know how often usage ping runs. That's a question we need to answer, but say it runs once a day, right? As part of that, I don't think there's a problem if, instead of pulling from GitLab's database, instead we just reach out to the cluster to grab those stats once a day, if you did into usage ping. I'm.
C
Not sure if it's a problem or not, but I'm slightly concerned if we're allowed to do that in terms of analytics. Can be actually desired, permission go and grab stats out of users' clusters this way, because for other stats it happens, like, let's say, on click. So it's implicit user action, and we have an agreements that we collect implicit actions on the webpage, but.
C
D
B
So Arthur, I've assigned this one to you and made it say it depends on the Cilium on/off first. So I'd say it's, you know, work on Cilium on/off first. Next, I know you have about other things in flight and you're still catching up from being off for three weeks, so perhaps should be based on that move the Cilium metrics to thirteen one, that we likely won't get to it, since we need the on/off thing first.
B
I'm sorry, I guess: first art there's no Arthur suit, so I assigned it to you: listen you're, okay, with it the Cilium metrics, but basically don't work on it until after we have Cilium on/off, yeah, planned out, and is that reasonable, Arthur? Yeah? Okay, so is moving that to thirteen one, the Cilium metrics, OK with you soon.
D
C
D
Sounds like we're not ready to move it. It sounds like we're not ready to mark it as either deliverable or stretch. It sounds like we're not ready to move it off planning breakdown. So why don't we just leave it in that workflow state, and next steps, I'll reach out to legal and see if I can get some answers to unblock the issue or not, and we can come back and discuss it again next week.
C
G
Yeah, exactly. I always think, when I saw the MVC first, I was thinking that tracking the installation and on and off would be easier than the other ones. So we could have a MVC with that and have this deliberate, and then work on the, you think, that's a little bit more sensitive for as a follow-up free, but as we are pushing forward, I'm okay with them.
D
D
D
We even be scoped this to just turning it on and off versus installing or uninstalling. So I wanted to ask in this meeting. So one question I have is, you know, right now I have got that spec'd where we let users install and uninstall and then also either enable or disable. If we were to reduce the scope further and pick just one of these two, I'm relatively indifferent between them, but if there's a preference from engineering or a desire to reduce the scope, and you just want to please to first for.
G
G
A little bit of more advanced the user, then just clicking the button to saw in Jeanette's, for example, so but on the same time enable in disabling I a big a little and don't the solution always change that going to kubectl and disabling the a couple of flags over there. So I would stick with two, but I think Carter has more context so that so I OB can add some. I'm.
C
G
G
C
C
D
C
B
C
Cinemas highly, it's really hard to do it. Those flags that you saw, it's just the very cold them in the config files. They will translate, like, I think you're talking about YAML files that control most application installations. Those flags maybe just not precisely worded, but they will essentially install and uninstall Cilium from the cluster. They don't have disabling capabilities, and to answer your question, if it's possible or not: it's really hard to do, because Cilium is a CNI plugin, the new configures your Kubernetes cluster to use it and forward everything to Cilium, so disabling.
C
D
C
C
I mean, I'm fine to share with anyone. It's not like I want our wishes, but yeah, I also have concerns about this one, because you probably all know that we depend on the cluster application, Susilo, and those I had the control of different groups, and I went to check they're working on the return in the state of the installation, but controlling installation from the UI is really complicated. I'm not saying that we shouldn't do that, but if it will go, we essentially will do what investigation works that, naturally, will belong to the restoration team.
C
D
So I don't have a problem doing work in their space, right? I mean, we would be the ones doing the work, even though it's in the area that they own. Like, I'm fine with that. I just want to make sure that we get the experience right, and I know Andy provided, you know, two different options for us, and I'm a little bit unsure, you know, how to proceed. Wanted to get feedback from everyone here on, you know, the preference between the two.
D
C
And then otherwise, fine, the first one is a cluster settings. I think that's what B is right now, and think it would be better to stick with that. This interface will be in place even if his cluster applications.
C
It's not that it's not true; from my understanding, this interface stays in place. It's just we'll be working under the hood differently, though, just a bit, and change them, yeah. It won't be bound to the database fields anymore. It will be working differently, but interface will still be in place. It's not going to be gone anytime soon.
C
F
C
Just for now, but again, the idea behind cluster applications environment with cluster applications synonyms that Cilium may require more settings on the user side, and by a lot of settings, I'm talking about a lot of settings. And what we essentially did with Cilium is we are allowed to change any Helm chart setting during Cilium deployment, and they all said that the Hubble deployment went on to that. So we are talking about the world of values, and cluster applications are always used to change that. Default installation is fine for many cases, but not for all.
C
Two different platforms, AWS and Google Cloud, those will require different flags, and by default we can't derive those flags easily. So yeah, it's similar to WAF, but not really, in a way that it might require many adjustments before installation. That's why I'm a bit concerned that any kind of interface that we have right now is not gonna cut it. That's why maybe, as an option, we should engage with substations him and see how stuff going in there, and because they UI was marked as next four to seven releases.
D
Yeah, and I mean, I don't think this is a one-way road for where we put all of the management features, because I think it's a reasonable threat to have the installation here on this page. But perhaps, you know, we do the advanced settings of the rule configuration, you know, in the UI, for that can be separate in the Security and Compliance page, so that, you know, I think it would be logical to say.
D
OK, like, I'm going to install this into my Kubernetes cluster here, you know: I go to Operations, Kubernetes just to install it in, but then all of that advanced management might happen outside of their element. Security. Compliance doesn't necessarily have to be that way, but I think we're leaving ourselves flexibility.
C
My side concern again is just by default, like, if you will just go and say, install Cilium, it's not gonna install correctly, because there is a crucial flag that is required, your installation, right? Before the installation we need to know which cluster of installing on, because installation to Google Cloud is completely different from Amazon Cloud. So, where I now do like, don't try to derive this information from anywhere. We just ask user: hey, set a cluster type setting in your config file. So the flow is different.
D
C
C
D
Yeah, that sounds great. So I think next steps on this one: right now it's in design, just because we don't have the mocks quite finalized, but the feedback today has been great, like, even just knowing that we need to prompt for that value. That's helpful! So it sounds like we decided on option one. Next steps, I think, Andy, you will be on you to further the mocks here, and then maybe we can bring it back again for the next meeting, and at that point it should be pretty much done and ready for grooming. I.
D
D
D
B
Separate out the why on Wazuh, I'm saying correctly, first off, and then let's talk about the how, and how influences the, you know, the why. But the why is, and I started out with just as my initial MS, why are we looking at Wazuh? Falco seemed like a great solution the last time you look at it, but of course, was prior to you being at GitLab, Sam. As we look through all the analysis that you did and the features, the security features.
B
In most cases, not in all cases, in most cases Wazuh has more breadth of security features to protect our customers, to detect various types of attacks, than Falco. There are some things that felt good, especially in ease of installation in a Kubernetes environment, that Wazuh does not do, but in terms of the security features, Wazuh has many more that meet our needs. So before we deal with that, how we would do it, which is, of course, a big influencer, I know our thread, questions about the.
B
C
C
In my comparison, those two, like, several things really stand out to me, and specifically, as that Falco has much tight integration with Kubernetes in the question, and I felt like this is was a purpose of the feature from the start, to have security product that has a tight integration with those environments that we're targeting. I'm talking specifically about the default rules that are being shipped with both products. Again, Falco has support for Kubernetes audit and support for various container environments. That is really important for us, because we can't you support Docker.
C
Because Google's continuous supports CRI-O, and I think they moving it into the default container provided in the future versions. On the other hand, Wazuh has really basic Docker-related rules, and you can write Python scripts for the Cuban assorted, so it's really lacking in terms of default, see trolls again. The rules I investigated on the both sides of Falco had much tight. Integrated rule set by default into Kubernetes and always container environments.
C
On the other hand, Wazuh just provides you lots of generic application-related tools, and I'm talking about Exchange server or Nextcloud and other various applications that were not planned to support and they are not interested in. Those are all sets at all. Then again, problem with installation. It seems like Falco again provides probably the best capabilities up there. It provides a really great Helm chart, that's what we need in most cases, and Wazuh, on the other hand, provides a bare-bone Kubernetes YAML files, which we could try to work with.
B
D
I want to just correct a couple things here, if that's okay. So I think one thing with Wazuh that you might be getting confused potentially here, Arthur, but Wazuh's an agent-server model, and so the server deployed into Kubernetes. But the agent is generic, so it can run on a CRI-O container, it can run on a Docker container. It really runs on any, you know, clinic.
C
Talking about that, if you go to zero said the rule says it provides this, it does not audit anything other than basic Docker container, and even for Docker container audit rule set you need a third-party dependency. On the other hand, Falco does audit for any type of container environments, and in this in default set, and I'm talking about, like, let's say someone tries to spawn an additional container in your environment, this visor, you can only detect such cases for the Docker environment.
C
C
My actually question was how available, like, let's say, malware detection in comparison to having it tight integration with container environments and Kubernetes, because yeah, and Philippe asking a good questions that I had to, what, like, what was the requirements. I think Eric original idea was to have an intrusion detection system. How does malware applies to an intrusion detection systems? Is it like, like I've been mixing different types of products, and because yeah, they Falco and Wazuh.
B
A
Come at the intrusion detection security problem in two very different ways, and there is some overlap, but I could actually potentially see us wanting to do both, because, not initially, of course, but Wazuh will catch certain kinds of things that Falco won't and, vice versa, Falco will catch some things that Wazuh will not, and it might.
B
C
B
C
B
You know, I know that we could do Falco in terms of making it so they could integrate into the Kubernetes environment, because that's what it's designed to do. Wazuh's a different kind of animal, is that it has to be installed on each container, within each OS in each container, in order to provide value, both installed and have configured to talk to the Wazuh server, yeah, and that's different than what we do today. Not different bad necessarily, but very different. Yeah.
C
That's another thing that's sort of concerning to me, quite their architecture, that no I could teach decisions that Falco did is again much better suited to the cloud and container environment specifically, and, on the other hand, again, Wazuh is just a generic agent that can call, and you can, like, say to the agent: check the log file and extract vital information. That's how Docker integration works. Check, like, file consistency on the disk. Those features work for any kind of application and any kind of operational systems.
B
One thing that, and for everybody, but Arthur, you've been part the conversation lately since you on vacation, is one key thing that Sam liked from a customer requirements perspective on Wazuh versus Falco is Wazuh can, well, if it detects with a rule that something looks bad, it can block it from occurring in addition to detecting it. Can Falco do the same? I didn't find documentation saying it could, but I wasn't as thorough as I could have been. I don't.
C
B
C
I have a good example. Like, let's say someone is trying to, I don't know, reconfigure your Kubernetes clusters to use a different CNI plugin. What you're going to do in this case? How would meaningful working the real work? Do you work, API calls and Kubernetes? I don't think it's possible. There are similar situation for container environments, like, let's say I'm trying to open specific ports in Docker container. How would you gonna block me?
C
B
Things like that, because it assumes, now in some cases it assumes for blocking that the attacker doesn't have root. They have some level of permission, other, you know, local, that is not as privileged as root. So since Wazuh runs in the kernel or at root level. So there are some things that Wazuh surely can't block everything, but it can block some things, like, you know, for you, mission file, files changing, and trying some other examples. You know, not only files changing, but certain files being improperly.
A
G
C
C
Believe not, because Docker integration is based on the log files. I don't think it can go and say: okay, don't tell what to do that. I doubt this is technically possible, but I would be curious to know. That was my understanding. Conciliation I doubt that Falco can do that, and I have not seen it. It's not stated anywhere as a feature, but what was acquaintances may be useful for the base system. But again, in our case, our root system is like really stripped of everything.
C
B
Sort of uneven feasibility of using something Wazuh in a GitLab CI/CD, Auto DevOps world, so knoweth Falco, you know, similar to Cilium, and similar, somewhat, to Cilium and to ModSecurity, is there it's it? It directly fits in that you install it in the, you install those two into the Kubernetes infrastructure and integrates with Kubernetes, a more more Cilium than ModSecurity.
B
ModSecurity is a thing that goes inside the ingress controller, which is part of Kubernetes infrastructure. With Wazuh, while the management server or the server software can run in a container, just like just about anything can run in a container, it integrates with the operating system that the containers are running. So to do this with Wazuh we'd either need to change the operating system in the containers that are being deployed, or add something to the, to add the agent, or be able to get Wazuh.
B
The ability to SSH to each running container so that it can either install or monitor that way. It has both options. That is very different than what we do today, and I don't know how feasible it is. Like, do we even, in a GitLab world, if using CI/CD and Auto DevOps, do we have the ability to change the operating system deployed?
C
They do not have this ability. That's why I'm highly concerned about architecture of the Wazuh, the right deployment works. I think it's a really poor fit for our environments. I would need to investigate this thing Claymore, but I'm pretty sure we can integrate with it, but it's just will create so many issues. So no, and as you mentioned, Falco is much better aligned to these other tools that we use so beautiful.
D
You know, I just wanted to sort of end on this note that, you know, there's no doubt in my mind that Falco is more cloud native or Andy here to get up and running, but I don't want us to base our decision on that. Like, at the end of the day, I want us to pick the open source technology that's going to provide us the feature set that we need to actually provide effective security, and, you know, that's really where we're coming at this from, and the feature set that users care about.
D
So, you know, I think we need to take that into consideration. You know, it's got some great results from the user study that I've been doing. You know, Andy's taking great notes on that as well. We'll hopefully do a deep break here, you know, relatively soon as we wrap that up. But, you know, as we look across the market, you know, not only what Gartner's writing about, but also what we actually share. Customers and participants asking for.
A
D
Give us credential, so I don't think this is like, you know, immutable decision, like we, you know, we're done here. We so please feel free. You know, if we need to come back and reconsider. We've got that spreadsheet. I think that's probably the best place to collect our thinking. Go ahead, Wayne. I was.
B
Gonna put this, so I came into this thinking that, well, Wazuh was a better fit for the customer need, and I still do believe that, in terms of what they're looking for security-wise, but on this room is what comes before that is: can we even make Wazuh work in our environment? So we either need to change the OS that's deployed, installed, or install on existing OSes that are deployed, you know, in containers, or use the SSH option.
B
It's a different, with this isn't a different different. It's a different paradigm, not different.
D
Yeah, or we let them install it. So, you know, one participant that Andy and I talked to, they were using a colliculus Cisco's product anyway. They just provide them an agent, they say here's an executable, and then they go work that into their process to put it on all of their containers. Well.
B
We make the Wazuh server container an installable application, and the customer's job is to put the Wazuh agent on all containers that they're running and configure it to talk to it, and right, the more we think about this, the more I think that they're not competing solutions for our customers' needs, they're complementary, that we may actually want to go, yes, Philippe, both. We may want to. We may actually want both, because they both approach the problem in different ways and cover, there is some overlap in what they cover, but there's actually less overlap.
B
That I was even at originally thinking. So I think the next step on this is next time. We need to continue discussing this, not now, of course, so let's continue discussing asynchronously via the issue comments in the issue. You should again next week, and I think the next step would be is what is even the feasibility of the Wazuh agent getting onto the op. Each container's OS. I'm.
C
Just curious, should they just suppose this pressure into the issue for the visibility, because I was really confused. Yesterday I tried to find information, it was not on the Asian. The issue right now looks like there was a person, I think he's not a part of the GitLab, he was asking about the decision, and it looks like they made this switch like completely without any discussion and all of you, so I think it would be rather good to move the spreadsheet to the issue. So we could all comment up there. It was.
B
Discussed it just, it's always things that Sam and I have been discussing over the last week, so the spreadsheet, I just linked it to the issue earlier today. So, oh yeah, so there's been a lot of discussion with Sam and I, but we haven't. We had didn't expand it to the whole group until today, and we should do it more asynchronously and more, you know, more transparently, I agree, but we're just at the beginning of the discussion. So it's not too late to be doing that.
B
D
C
Kind of described as this approach, it was the same point. We had similar situation with Cilium versus Calico, and it was exactly the same situation in terms of discussions. There was a peace agreement and on the very bench to move it forward is to openly discussed, make a comparison and get to the decision. Right now there is no white working with spreadsheets, I guess. I feel it my correcting me, but it's against the rules, and also I much prefer to discuss it on the issue. It's much more.
B
Visibility, Arthur, from your understanding it and opinions Bungie, but here what are your? What are your concerns as a summary, put that in the issue, and then we start from there. Does that seem real, yeah.
C
But again, it will be just cherry-picking from the document. What's the point of it? Why not just move the stuff out of the document into issue and just comment from there? Wouldn't it be a better price for us? I can do either way, but if it's alright, it contains pieces of the spreadsheet. Why not just to everything.
B
Sam, what would you be okay, not with sharing the spreadsheet, but doing maybe a summary of it in the issue on why Wazuh, and then we debate, and then we go that.
D
C
C
B
Yeah, and Philippe, your question chat is this: annum? Is this MVC issue or discovery issue instead? I think so, this is, this is we're still discovering things and thinking about things, and we're probably gonna do some experimentation, yeah. This is not a start implementation. We're nowhere near started connotation so.
B
B
C
C
B
D
B
I know we're over on time another way. Oh, it is four things that I wanted to say: go down this path, but one way those okay, so I am four things that Wazuh does that Falco doesn't, there may be ways to do those things without Wazuh or with something or with Rizzo as well, but they're? There wait, like example, malware detection.
B
We have access to the storage; we could scan the storage at a Kubernetes level, perhaps, and not do it at the OS level, and so it is another approach to potentially go when we look at it. An item-by-item basis is for these kinds of needs, for these kinds of features: is there a more container Kubernetes friendly way to do them?