#1. 参加概要
タイトル: Cloud Native Security Day
日時: 2020年8月17日(月)
場所: リモート参加
こちらの内容は当日発表を聞きながら取ったメモーですので、タイピングミスなどがあるかもしれないです。
当日の発表録画はYoutubeなどに公開する可能性があるので、CNCF公式ページをチェックしてみてください。
#2. Talk1: Collection is not Detection
###About Presenter ⇒ twitter @_sarahyo
###2.1 Typical security operations issues
① Too many disconnected products.
② Not enought SOC analysts.
③ Too many disconnected products.
④ Environment are getting more and more complex.
⑤ Most SOCs depend on manual, time consuming processes.
⑥ Too many ALERTS.
###2.2 How to run SecOps?
① Cloud-only.
② Hybrid.
③ On-prem.
###2.3 What should we do?
① Collect logs from your entire application stack.
② Not just infrastructure, firewall, orchestrator, pods, application ...
###2.4 Which can we use?
Which tools or products or vendors that can help me get the visibility i need for security operations?
・ Vulerability scanning.
・ SIEM.
・ Runtime security.
・ Auditing.
・ Policy tools.
・ Image repositoried.
###2.5 When should we do?
① Watch all the time!!!!
② You need to iterate security operations throughout your entire environment life cycle!!!!
③ From creation > storage > deployment > runtime > teardown.
###2.6 Others
You have mentioned about Mitre, where do we use them for Kubernetes ?
⇒ attack-matrix-kubernetes
#3. Talk2:Establishing Image Provenance and Security in Kubernetes
###About Presenter ⇒ twitter @adrianmouat
###3.1 What is twilio?
Wikepedia: twilio
###3.2 Notary v2
① Extension of Registry.
② Not another service to run.
③ Simple to start with.
④ Add more features, TUF etc later.
###3.3 Tagging Images
① Treat production image tags as immutable.
② Git Hash.
③ Full version number.
④ Digest.
###3.4 Annotations
① Defined in OCI Image Sped.
② Technically different to Labels.
③ Pre-Defined Annotation Keys.
④ Currently unsupported by build tools.
⑤ Just use Lables and predefined keys.
###3.5 Metadata DB
① Store information on images.
② Keyed by digest.
③ Can be updated with events
④ Build data, contents and versions, kn.own vulns.
###3.6 What about the Registry?
Would like to:
・ Search for all tags for digest.
・ Have audit information.
・ Plus other metadata.
###3.7 Reproducible Container Builds
① Use tagged base images or digests.
② Version package installed software .
③ Run a mirror for total control.
###3.8 Downloading Software
① Be careful when using curl/wget in Dockerfile.
② Use GPG to verify signatures - keys.openpgp.org.
③ Checksums.
###3.9 Binary Reproducibility
① File timestamps.
② Other metadata.
・ Build container IDs.
・ Created timestamp.
###3.10 Up-to-date vs Stable
① Tension.
・ Dont want breaking changes.
・ Do want bug-fixes.
② Good test suite.
③ Semantic versioning.
・ Pin to minor version (4.1.x).
###3.11 Library Dependencies
Generally tooling available.
・ Maven display-plugin-updates.
・ NPM updtr.
###3.12 Base Images
① Easy to use out-of -date base images.
② Constant rebuilds?
③ Hooks?
###3.13 What should we do?
① Only run images from a controlled registry!!!
② Use immutable tags, labels, tools(Notary, registries, scanners...)
#4. Talk3:Cloud Native or Cloud Agnostic ?
###About Presenter ⇒ Sri Rajan
###4.1 Cloud Agnostic Definitions
The term "cloud agnostic" is generally regarded to refer to applications and workloads that can be moves seamlessly between cloud platforms and between on-premises infrastructures and cloud platform.
###4.2 Where do you draw the line ?
① It is not a zero-sum game. You can be in the middle.
② The further lower you go, the lowest common denominator you are.
###4.3 What is the cost-benefit ratio ?
① Have you quantified it ? Even on the back of an envelope.
② Dont ignore opportunity cost.
###4.4 Is your security responsibility the same ?
① You are accountable for your security.
② You are not alwasy responsible.
#5. Talk4:How secure is your build/server?
###About Presenter ⇒ twitter @patrickdebois
###5.1 Secure Step
① Check what you execute
② Verify the checksums
③ Check your defaults
④ Is the Certificate still vaild ?
⑤ Who issued the certidicate ?
⑥ Is it an allowed CA ?
⑦ Is your dependency competent, reliable, sincere, care ?
⑧ Check the official name
⑨ Was transport secure ?
⑩ Do you trust your proxies ?
#6. Talk5:
###About Presenter ⇒ twitter @albcr
###6.1 Many aspects of Kubernetes security
① Securing the control plane .
② Authentication, authorization, users.
③ Securing container images.
④ Monitoring, alerting.
⑤ Pod Security.
###6.2 Pod Security
Configure security in your deployments.
① Limiting pod capabilities in the security context.
② Defining Pod Security Policies .
③ Defining RBAC rules.
④ Defining network policies.
⑤ Filtering system calls with seccomp.
⑥ Using non-root users.
###6.3 Reality is different
① We conduct security assessments for customers.
・ Deployments already have PSP, network policies, etc.
② On big deployments, implementing security from scratch is difficult.
・ Understanding a new architecture is already difficult.
###6.4 Fictive example
Source Code:GoogleCloudPlatform/microservices-demo
###6.5 Security Lifecycle
① Record your apps behaviour
② Generate security policies
③ Review security policies
④ Add security policies as code
###6.6 github:kube-psp-advisor
PsP = PodSecurityPolicy
① kubectl krew install advise-psp
② kubectl advise-psp inspect ...
・ Read resource from the apiserver
・ Aggregate information
・ Generate new resources
Source Code:sysdiglabs/kube-psp-advisor
###6.7 github:oci-seccomp-bpf-hook
① Install on worker nodes
② Monitor syscalls from pods executed with the annotation:
io.containers.trace-syscall=of:/tmp/ls.json
③ Seccomp policy written in the specified file
Source Code:containers/oci-seccomp-bpf-hook
###6.8 github:Inspektor Gadets Network Policy Advisor
① kubectl krew install gadget
② kubectl gadget network-policy monitor
③ kubectl gadget network-policy repport
・ Generate network policy (yamls)
Source Code:kinvolk/inspektor-gadget
#7. Talk6:Defenders Think in Lists & Attackers Think in Graphs
###About Presenter ⇒ Reuven Harrison - Tufin CTO
###7.1 Why Lists
① Lists are easier to generate
② Most security audit tools produce lists of:
Vulnerabilities, Risky configurations, Failed benchmarks...
③ Security engineers rely on these lists
④ Problems:
・ Remediation requires collaboration with developers
・ Too many findings
・ How to prioritize?
###7.2 Graphs reveal the path to the crown jewels
・ Initial access
・ Discovery (egress)
・ Lateral movement
・ Privilege escalation
・ Exfiltration
###7.3 Tenets of s Useful Graph
・ Shows the risky paths combining:
- Network connectivity, vulnerabilities,
- RBAC, pod/container security
・ The wider scope:
- cloud, network, firewalls
・ Highlights top-priority problems
・ Not cluttered
・ Automatic, no setup and configuration
・ Guides the user
#8. Talk7:K8S Attack and Defense:Inception Style
###About Presenter ⇒ twitter @jaybeale
###8.1 Demo
① Attack
・ RCE via Supply Chain issue
・ Monkey in the Middle Attack
・ Public Cloud API Attack
・ Pod Security Policy Evasion
② Defense Considerations
・ Software Supply Chain Work
・ Namespace Isolation or Policy
・ Workload Identity
・ OPA Gatekeeper
#9. Talk8:New Paradigms for the Next Era of Security
###About Presenter ⇒ twitter @sounilyu
###9.1 Core Challenges and Solutions
① What did we buy and how does it support the biz ?
⇒ Asset Mgt, Systems Mgt Tools
② Viruses, Server-side Attacks, Insecure Configs
⇒ Anti-Virus, Firewalls, Secure Configs
③ Too many logs and alerts, Client-side attacks
⇒ IDS, SIEM
④ Assume Breach, Raging Fires, Too Many Privileges
⇒ Incident Responders & IR Tools (EDR, SOAR)
⑤ Ransomware, MBR Wiper, DDoS, Firmware Bricking
⇒ Distributed, Immutable, Ephemeral D.I.E Systems
###9.2 2020s: Age of Recovery(or Resiliency)
- 1980: Identify
- 1990: Protect
- 2000: Detect
- 2010: Respond
- 2020: Recover
① Confidentiality ⇒ Wikileaks, Doxxing
② Integrity ⇒ Ransomeare, #fakenews
③ Availability ⇒ PDoS, MBR Wiper, Bricking Firmware
What kind of solutions directly support our ability to RECOVER or be RESILIENT?
- Serverless Architecture
- Copy on Write
- Content Delivery Network
- Docker
- Blockchain
###9.3 DIE Triad
① Distributed ⇒ DDoS Resistant
The best solution against a distributed attack is a distributed service.
② Immutable ⇒ Changes Easier to Detect and Reverse
Unauthorized changes stand out and can be reverted to known good.
③ Ephemeral ⇒ Drives Value of Assets Closer to Zero
Makes attacker persistence hard and reduces concern for assets at rick
###9.4 Fragility vs Resilience vs Anti-Fragility
Fragile C.I.A
⇒ Harm addressed through patches and workarounds that create greater fragility
Resilient D.I.E
⇒ Harm results in destruction but no change in configuration
Antifragile
⇒ Harm drives changes in configuration that make it even more D.I.E-like
e.g.
AWS Capabilities (Distributed + Immutable + Ephemeral)
⇒ Amazon Elastic Kubernetes Service, Amazon Elastic Container Service, AWS Fargate
###9.5 others
① More irreversible attacks
② Insufficient against well-executed destructive/irreversible scenarios
③ Acoid pet creation and promote cattle creation
#10. 感想
1日イベントとしては内容がなかなか多かったです。
どのシステム・サービスでもセキュリティ対策が大事ですので、このイベントを通して色んな対策と考え方を学習してきました。
システムを守ろうとする前に、まず自分が攻撃者になり、攻撃側の立場で考えることは今回のイベントの中で一番印象が残った内容です。
そして、Talk8のシステムリカバリー問題もなかなか興味深いので、もう少しそれについて調べたいと思います。
Kubecon+CloudNativeConの記録も後日投稿する予定するので、お楽しみに。