DevopsNYC Meetup 4-15-2020

Dan POP
April 15, 2020

Presentation from DevopsNYC meetup: https://www.meetup.com/DevOps-NYC/events/268996258/

Sign up for a 30 day free trial: https://sysdig.com/company/free-trial/
Register for our upcoming webinars https://sysdig.com/webinars

Transcript

  1. 5 Tips for Securing and Monitoring your Microservices With Sysdig

    Dan Papandrea, Field CTO @popsysdig @sysdig
  2. More Stuff! = More Stuff to Secure/Monitor

    Sysdig Inc. Proprietary Information

    Observability functions (maximize application availability):
    • Monitor availability and performance
    • Manage capacity and cost
    • Troubleshoot issues

    Security and compliance functions:
    • Scan for vulnerabilities
    • Apply runtime policies
    • Triage security alerts
    • Speed up incident response and forensics

    Secure DevOps converges security and observability functions.
  3. High Level DevOps Workflow

    Application Delivery Lifecycle: Developer → Source code repository → CI/CD → Staging/QA → Production → Monitoring

    Security addressed post deployment causes disruption and delay.
  4. Secure DevOps workflow - a start

    Application Delivery Lifecycle: Developer → Source code repository → CI/CD → Staging/QA → Production → Monitoring

    Security teams:
    • Block pipeline builds if scan fails
    • Security provides guidelines
  5. Embedding security across the workflow

    Application Delivery Lifecycle: Developer → Source code repository → CI/CD → Staging/QA → Production → Monitoring

    Security teams:
    • Block pipeline builds if scan fails
    • Simulate secure by default configs (PSP, network policies)
    • Runtime security and incident response framework
    • Runtime monitoring/visibility
  6. 5 tips to integrate Sysdig into your workflows

    1. Automate image scanning into build
    2. Continuously validate compliance
    3. Enforce runtime security
    4. Use monitoring data for troubleshooting and security
    5. Implement an incident response plan
  7. 1. Automate Image Scanning during Build

    Scan for:
    • Vulnerabilities:
      ◦ OS packages
      ◦ 3rd party libraries
    • Misconfigurations

    • CI/CD integration + registry support
    • Runtime reporting of new vulnerabilities
    • Trigger based alerting and notifications to appropriate teams
  8. 2. Continuously Validate Compliance

    Need to meet multiple regulatory compliance standards (NIST, PCI, etc.)

    Steps to extend compliance across the entire container/k8s lifecycle:
    1. Cluster deployment and setup (use CIS Benchmarks)
    2. Build time: image scanning (use scanning policies for PCI, NIST)
    3. Runtime compliance (runtime rules based on Falco)
    4. Audit activity:
       i. Host
       ii. Containers
       iii. Orchestration: K8s API audit events
  9. 3. Leverage monitoring data for troubleshooting and security

    Look for feedback via runtime monitoring and spot potential attacks:
    - DoS
    - Cryptomining
    - Unexpected POD CRASHLOOP
    - Unexpected processes
    - Rogue connection attempts
    - New deployments, orchestration events
    - Misconfiguration and software bugs
    - File Integrity Monitoring
  10. 4. Enforce Runtime Security

    Full stack visibility (processes, network, file system, etc., aka every single system call)

    Runtime prevention via K8s native controls:
    - Pod Security Policy
    - Network Security Policy

    Runtime threat detection (IDS) via Falco + enterprise workflows:
    - Cloud and Kubernetes aware policies
    - Machine learning profiling
    - Community contribution
  11. 5. Implement an Incident Response Plan

    Automated response:
    - K8s and container aware
    - Remediation actions (Alert, Stop, Pause, Quarantine / taint)

    Full command audit and K8s API events trace

    Sysdig capture file:
    - Recreate all system activity even if the container is long gone
  12. Benefits FOR and Consequences OF NOT having a Secure DevOps Workflow

    *Sysdig 2019 Container usage report / IDC Report
  13. Platform Built on an Open Foundation

    Build:
    - Image scanning: vulnerability analysis
    Run:
    - Monitoring: infrastructure and application metrics
    - Runtime security: detection rules and alerts
    Respond:
    - Forensics/troubleshooting: deep visibility into container activity

    Sysdig Secure DevOps Platform adds scale, workflow, K8s, and cloud context.
  14. Sign up for a 30 day free trial: https://sysdig.com/company/free-trial/

    Upcoming webinars:
    - Monday, April 20, 8am PDT / 4pm GMT: K8s Security MasterClass, Rancher & Sysdig. Detecting anomalous activity in Rancher with Falco and Sysdig Secure.
    - Tuesday, April 21, 10am PDT / 6pm GMT: PCI Compliance in Containers & K8s. Map PCI processes to containers and walk through a time-saving checklist.
    - Thursday, April 30, 10am PDT / 6pm GMT: Top 5 Cloud Native Pipeline Security Considerations. Booz Allen Hamilton experts share best practices in securing software pipelines.

    Register for our upcoming webinars: sysdig.com/webinars
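Slides 9 and 10 name the runtime signals to watch (unexpected processes, cryptomining, rogue connection attempts, file integrity) and Falco as the detection engine. As an added example that is not part of the deck or of Sysdig's own rule set, here is a self-contained Falco rules file covering those signals; the process baseline, miner names and egress ports are assumed values for an example workload.

```yaml
# Added example, not from the deck: Falco rules for signals listed on slides 9 and 10.
# Macros are defined here so the file stands alone (upstream falco_rules.yaml has equivalents).
- macro: container
  condition: (container.id != host)
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir = <)
- macro: open_write
  condition: (evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f')
- macro: outbound_connect
  condition: (evt.type = connect and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6) and evt.rawres >= 0)

# Constructed baseline for the example workload; build one per image in practice.
- list: expected_app_binaries
  items: [nginx, node, java, python3]
# Well-known miner process names (constructed sample); extend from your own threat intel.
- list: miner_binaries
  items: [xmrig, minerd, cpuminer]
# Destination ports the example workload is expected to reach (assumed).
- list: allowed_egress_ports
  items: [53, 80, 443]

- rule: Unexpected process in container
  desc: A process outside the workload baseline, or a known miner, started in a container (slide 9, Unexpected processes / Cryptomining)
  condition: >
    spawned_process and container and
    (proc.name in (miner_binaries) or not proc.name in (expected_app_binaries))
  output: >
    Unexpected process (user=%user.name cmd=%proc.cmdline parent=%proc.pname
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, process]

- rule: Rogue outbound connection from container
  desc: Egress to a port the workload is not expected to use (slide 9, Rogue connection attempts)
  condition: outbound_connect and container and not fd.sport in (allowed_egress_ports)
  output: Unexpected egress (dest=%fd.sip:%fd.sport cmd=%proc.cmdline pod=%k8s.pod.name)
  priority: NOTICE
  tags: [container, network]

- rule: Config file modified in container
  desc: Write below /etc by something other than a package manager (slide 9, File Integrity Monitoring)
  condition: open_write and container and fd.name startswith /etc/ and not proc.name in (apk, apt, dpkg, yum)
  output: File under /etc written (file=%fd.name cmd=%proc.cmdline pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, filesystem]
```

Tune the three lists against a known-good run of each image before alerting on them; the file is meant to be loaded with Falco's `-r` option next to the default rule set.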