StackRox Kubernetes Security Platform, 15 Sep 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: Responding to security incidents in container and Kubernetes environments

Description

No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).

A

In a previous video, we covered threat detection so in this video we're going to cover how we would actually move to incident response and handling and enforcement of that type of event.

A

So, in the previous example, we saw that we had an example of multiple malicious processes getting executed within one of the containers and pods in our environment, and in this case, what I'm going to do is I'm going to come over to the policy engine under the platform configuration in the stack rocks ui and I'm going to actually go ahead and I'm going to turn on a runtime policy.

A

So we determined that this was an example of someone actually using the ubuntu package manager in the environment and executing that and doing that to install netcat, which they then proceeded to run in the environment.

A

So what I'm going to do is I'm going to go to this policy I'm going to edit it and I'm going to turn this on at the run time stage and I'm going to click save and now what I'm going to do is I'm going to go over to the violations and I'm going to show a previous example of where we saw the uh the execution examples before ubuntu package manager execution and on a specific, temporary shell that got executed within the environment.

A

We see multiple other things that are wrong with this deployment, including configuration based risks and now going to the actual shell, which I have here now that I've turned enforcement on I'm going to go ahead and I'm actually going to run an app to update and, let's see what happens, and so now, when I run this, what stack rocks is going to do? Is it's actually going to detect this and it's going to tell kubernetes to go ahead and to delete this deployment, and if I do a cube, ctl get events.

A

What I'll see now is that there was actually an enforcement event, type called stack, rocks enforcement and because of that policy, this was actually killed and we prevented this from proceeding further and now, if I actually go back to the ui, I'll also see a notification of that enforcement, and this is an example how of how a potential attack might get prevented.

A

One thing I might do from here is: I might actually put in my build process to notify developers to remove the ubuntu package manager in their docker image after they've run their initial build and tell them to remove this, so we remove that risk from our environment at this case, I'm going to actually mark this as resolved and move on to the next incident in my environment. Thank you.