Home / Companies / Sysdig / Blog / May 2019

May 2019 Summaries

5 posts from Sysdig

Filter
Month: Year:
Post Summaries Back to Blog
Palo Alto Networks' acquisition of Twistlock signifies a strategic investment in the rapidly growing cloud-native market, particularly emphasizing the importance of container security. This move highlights the challenges associated with managing container health, risk, and performance, especially as microservices and Kubernetes enable the decomposition of monolithic applications into numerous containers. The acquisition reflects the shift from traditional security models to a more integrated, data-centric approach that addresses the evolving needs of enterprises in the context of cloud-native technologies. As the container market approaches a valuation of $5 billion, with over 40% of enterprises already utilizing cloud-native technologies and a significant majority using Kubernetes, the demand for comprehensive visibility and security solutions is clear. Twistlock's early success in container image scanning set a foundation, but as the market matured, the need for a broader strategy that integrates security and DevOps became evident, focusing on a unified data platform to enhance efficiency and address security challenges at scale.
May 29, 2019 844 words in the original blog post.
The blog post outlines how to create a robust security stack for Google Kubernetes Engine (GKE) using Falco, Google Cloud Pub/Sub, and Google Cloud Functions. Falco, an open-source runtime security engine, monitors system behavior and detects anomalies in cloud-native platforms like Kubernetes, leveraging Linux kernel instrumentation. The security stack operates through Falco agents deployed in Kubernetes clusters to capture runtime security events, while Google Cloud Functions execute automated security playbooks, like pod isolation or termination, triggered by these events. Google Cloud Pub/Sub serves as the communication medium between Falco and the serverless functions, ensuring efficient and reliable message exchange. The integration with Google Cloud Security Command Center enhances the stack by providing a security information and event management (SIEM) capability. The post provides a step-by-step guide to setting up the stack, including deploying Falco via Google Marketplace, configuring Pub/Sub topics, and deploying security playbooks as Google Cloud Functions, with an emphasis on the flexibility and extensibility of Falco's rule engine for custom security scenarios.
May 14, 2019 2,380 words in the original blog post.
Falco 0.15.0 has been released, marking three years of the project's existence, and it includes significant enhancements such as bug fixes, updated rules, and a mitigation for CVE-2019-8339. This update also introduces support for CRI-O and containerd, aligning with their rising adoption as preferred container runtimes, thus benefiting users of IBM Kubernetes Service and OpenShift 4.0. The new release integrates MITRE ATT&CK Framework tags into Falco rules, providing better insight into detected tactics, techniques, and procedures. Performance improvements have been made, including asynchronous container metadata lookups and enhanced kernel ring buffer processing, with additional contributions expected from a Google Summer of Code student focused on Falco's performance. The CNCF-sponsored security audit further indicates the project's growth and maturity, and users are encouraged to update to the latest release via package repositories or Docker hub, with forthcoming updates to the Falco Helm chart for enhanced runtime support.
May 13, 2019 570 words in the original blog post.
CVE-2019-8339 is a medium-severity vulnerability discovered in Falco, an open-source threat detection tool, which allows attackers, who have already gained system access, to flood the system with system calls, potentially bypassing Falco's detection capabilities. The issue involves the buffer used between the kernel and user space for processing system call events, which can be overwhelmed, leading to dropped events that might include malicious activity. Falco version 0.15.0 addresses this vulnerability by implementing new detection methods for dropped system calls and providing configurable actions when drops are detected, such as sending alerts or logging messages. The update also includes performance improvements, such as reading events from the system call buffer using an adaptive algorithm and fetching container metadata asynchronously to reduce event drops. Future plans include providing a Prometheus endpoint for enhanced monitoring and undergoing a security audit to further strengthen Falco's defenses.
May 13, 2019 1,389 words in the original blog post.
The MITRE ATT&CK framework is a comprehensive knowledge base detailing over 200 techniques used by adversaries during cyber attacks, categorized into tactics, techniques, and procedures (TTPs) across 11 categories such as execution, persistence, and privilege escalation. Falco, an open-source container security tool, leverages this framework to detect anomalous activities in containers by monitoring system calls and generating event streams. Falco's rules engine allows for the creation of alerts based on these streams, focusing on containerized environments with 46 rules aligned with eight key MITRE frameworks. It provides users the ability to write rules at the host level to identify suspicious activities, enhancing the security of containerized applications by addressing various adversarial tactics and techniques.
May 10, 2019 757 words in the original blog post.