
Prisma Cloud
November 18, 2019

Securing Your Application Containers in the Face of a Changing Attack Surface

Companies are rapidly adopting container technologies to accelerate application development, modernization and transformation to the cloud. Application containers introduce attack surfaces that traditional security approaches do not address. In this deck, Accenture shares an approach for helping its clients use DevSecOps to close these gaps in coverage.

Transcript

  1. Securing your application containers in the face of a changing attack surface

    Presenters:
    • Aaron Tesch - Security Delivery Manager (Accenture)
    • John T. Forman - North America Container Lead (Accenture)
    • James Santos - Security Innovation Principal (Accenture)
  2. ABOUT THE PRESENTERS

    John T. Forman is a Senior Technical Architecture Manager in the Intelligent Software Engineering Services (IES): Emerging & Growth group and acts as a SME in the Open Source, DevOps, Container and Red Hat practices, with over 20 years of experience designing and delivering complex technical architectures for on-premise and cloud environments. John has a passion for cloud-native technologies and is the North American lead for the Container Technology practice.

    James Santos is a Security Innovation Principal specializing in cyber security. He has more than 20 years of varied experience in information security, systems engineering, application development, DB administration and strategy formation. Before Accenture, he had the dual role of managing the security and infrastructure teams of a cable network television company. James' area of concentration is container security.

    Aaron Tesch is a security leader in Accenture's Application Security Advisory Services with 20+ years of experience in IT operations, development and security. As a thought leader, Aaron developed a patented security solution for managing secrets and led enterprise transformations that enabled developers by integrating security with development tools. Aaron's mission is to bring security and DevOps together.

    Copyright © 2019 Accenture Security. All rights reserved
  3. AGENDA
    • Why Application Containers?
    • What are the Threats?
    • How do we need to think differently?
    • Adding Application Security to Containers
    • Securing your Application and Container Pipeline
  4. APPLICATION CONTAINER ADOPTION IS GROWING
    • SPEED: fast to market, consistent delivery, release when ready
    • SCALABILITY: resource efficient, stability, performance
    • PORTABILITY: re-usable, cross-platform environment

    Security ranks as the #1 CHALLENGE to overcome when deploying containers (Gartner, 2019). Application container technologies introduce attack surfaces that are not covered by traditional security tools.
  5. KUBERNETES SECURITY JOURNEY

    Security maturity levels recommended for a good overall Kubernetes security posture. These security areas and categories were identified by industry subject matter experts (Google Next '18 conference).

    Cluster Setup (set up a cluster)
    • Restrict access to kubectl
    • Use RBAC
    • Use Network Policies
    • Bootstrap TLS

    Protection (protection from known attacks)
    • Disable the Dashboard
    • Disable the default service account token
    • Protect node metadata
    • Scan images for known vulnerabilities

    Hardening (security hardening)
    • Keep Kubernetes updated
    • Use a minimal OS
    • Use minimal IAM roles
    • Use private IPs on your nodes
    • Monitor access with audit logs
    • Verify binaries that are being deployed

    Prevention (prevent and limit the impact of microservice compromises)
    • Set a Pod Security Policy
    • Protect secrets with vaults
    • Consider sandboxing
    • Limit the identity used by Kubernetes pods
    • Use a service mesh for authentication and encryption
  6. SO HOW DO WE SECURE KUBERNETES?
    • We start by identifying the attack surface in the Kubernetes architecture and the potential threats associated with it.
  7. COMMON ATTACK VECTORS

    Reduce the attack surface
    • Kubernetes is a complex system, an operating system for data centers, with many models for infrastructure abstraction (load balancer, network, storage, ...).
    • To contain the blast radius and reduce attack vectors, many configuration options can be tuned, depending on the use case of the clusters and workloads.

    Most common attack vectors
    1. Container compromise
    2. Unauthorized network connections
    3. Worker node compromise
    4. Container engine
    5. Control plane attack
    6. Etcd database compromise
    7. Unauthorized deployments
    8. Unauthorized application access
    9. Host OS/hardware vulnerabilities
    10. Network

    [Diagram: "Kubernetes Components" - host, control plane, etcd, nodes with kubelet and container engine, pods and containers, and the network, annotated with the numbers 1-10 above to show where each attack vector lands.]
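Several of the configuration options the slides above ask for (no default service account token, a dedicated pod identity, Pod Security Policy style restrictions, verified deployment artifacts) can be checked statically before a manifest reaches the cluster. The checker below is an added example, not code from the deck or from Prisma Cloud. It works on Python dicts shaped like parsed Kubernetes YAML; the two manifests are constructed samples, and the image digest in the hardened one is a placeholder.

```python
"""Static check of Kubernetes workload manifests against pod-level hardening
controls. Added example; operates on dicts that mirror parsed YAML."""

from typing import Any, Dict, List

# Constructed sample: a typical "just make it run" deployment.
WEAK_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "registry.example.com/web:latest",
            "securityContext": {"privileged": True},
        }],
    }}},
}

# Constructed sample: the same workload with the controls applied.
HARDENED_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "web"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "web",            # dedicated identity, not "default"
        "automountServiceAccountToken": False,  # no API token unless the app needs one
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            # Pinned by digest (placeholder value) so what runs is what was scanned.
            "image": "registry.example.com/web@sha256:" + "0" * 64,
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    }}},
}


def pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a bare Pod or for a workload with a pod template."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec", {})
    return manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_workload(manifest: Dict[str, Any]) -> List[str]:
    """Return one finding per violated control; an empty list means clean."""
    name = f"{manifest.get('kind')}/{manifest.get('metadata', {}).get('name')}"
    spec = pod_spec(manifest)
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []

    # Identity: a workload should run as its own service account, and the API
    # token should only be mounted when the application actually uses it.
    if spec.get("serviceAccountName", "default") == "default":
        findings.append(f"{name}: runs as the namespace's default service account")
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    # Host namespaces collapse the isolation boundary between pod and node.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name} container {c.get('name')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{cname}: runAsNonRoot not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        dropped = {x.upper() for x in sc.get("capabilities", {}).get("drop", [])}
        if "ALL" not in dropped:
            findings.append(f"{cname}: capabilities not dropped")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{cname}: image not pinned by digest")
    return findings


if __name__ == "__main__":
    for m in (WEAK_DEPLOYMENT, HARDENED_DEPLOYMENT):
        print(m["metadata"]["name"], check_workload(m) or "clean")
```

Run the same function over every manifest in a repository as a CI step, or wire it into a validating admission webhook so a non-compliant spec is rejected at deploy time rather than reported afterwards.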
  8. CONTAINER SECURITY REFERENCE ARCHITECTURE

    [Diagram of the reference architecture; its boxes, grouped by security area as on the slide:]

    • Image Security: image verification, CI/CD integration, registry security, static content scanning, dynamic content scanning, image auditing, license scanning, security remediation automation
    • Container Platform (PaaS) Security: RBAC, network encryption, volume encryption, secrets management
    • Engine Security: container daemon, namespaces, resource quotas
    • Operating System Security: policy-based access control, syscall filtering
    • Infrastructure Security Foundation: backup & recovery, virtualization, physical host security
    • Monitoring and Threat Analytics: log centralization, log processing and correlation, visualization and alerting, AI & ML
    • Incident Response and Forensics: activity auditing, forensics, network and system captures
    • Runtime Security: behavioral threat detection, reactive threat protection, cluster integration, service-based security, intelligent policies
    • Network Security: network policies, container segmentation, layer 3 segmentation, internal/external network security, behavioral security, web application firewall, DDoS and DNS attack protection
  9. COMMON SECURITY RISKS AND MITIGATIONS

    Container security threats and risk mitigation mapping. Containers provide security through isolation from the host operating system. However, containers in a production environment are still exposed to known security threats and risks that must be eliminated or mitigated. In this diagram, we use the most common container security risks to help identify the right set of security tools and platform technologies to protect the containers. The security areas in the right column give the high-level categorization of the security features required in container security tools.
  10. SECURING CONTAINERS: SECURITY IS THE #1 CHALLENGE

    Change drivers
    • Containers change the attack surface
    • Many AO, cloud and digital transformation engagements are missing the processes, procedures and technology needed to secure a containerized environment
    • Immature container security leads to liability and lost customers
    • Containers and microservices increase application complexity
    • Containers need new tools to properly create visibility and control over your containers

    Security must evolve
    • Update your secure development program to function at speed and scale
    • Use automation to standardize your build processes (DevOps)
    • Integrate application and container security into your CI/CD pipeline (DevSecOps)

    DevSecOps and container security are 2020 top priorities for clients.
  11. MICROSERVICE SECURITY REFERENCE MODEL

    Enables the secure build, deployment, configuration and operation of microservices. Areas of the model:
    • Container Runtime Security
    • Incident Response
    • Container Network Security
    • Container Image Security
    • API Security
    • Container Orchestration Platform Security
    • Container Engine Security
    • Operating System Security
    • Application Security
    • Enablement
    • Infrastructure as Code Security
  12. SECURE MICROSERVICE DELIVERY MODEL

    Security is shifted left into every step of the product development lifecycle (everything as code).

    Security in Planning: security features, components and services are identified and prioritized for development and delivery.
    • Security Risk Profiles
    • Container Security Standard
    • API Security Standard

    Security in Design: security is considered throughout the functional and technical design phases, according to standards and identified threat models.
    • Security Blueprints
    • Reusable Security Services
    • Security Architecture and Design Reviews
    • Threat Modeling
    • Security and Compliance as Code
    • Logging

    Security in Development (Enablement): security analysis is integrated into CI processes and pipelines. Developers use secure development guidelines, practices, tools, frameworks and techniques.
    • Secure Coding Guidelines and Reviews
    • Static Code Analysis - IDE, CI, application code, infrastructure code
    • Component Analysis - images, binaries, 3rd party libraries, etc.
    • Container and Registry Scans

    Security in Testing: security tests are integrated into CD processes and pipelines and performed according to business criticality and security risk.
    • Dynamic Application Security Testing (DAST / IAST)
    • Security Tests and Scans - applications, APIs, infrastructure
    • Penetration Tests
    • Advanced Adversary Simulations (FusionX)

    Security in Operations: ensure that the right components are deployed and monitored, with the right security controls and metrics for visibility.
    • Deploy - the right versions of components
    • Protect - ensure that the right security controls are in place
    • Detect - monitor application, container and infrastructure performance; monitor log events for anomalies
    • Respond - alerts, root cause analysis, enhancement of controls

    Supporting elements across the product cycle: security training; app security KPIs; product security profiles; metrics, dashboards & reports; culture, education & training; security champions; governance; policies, standards & guidelines; security portal; source code repository; artifact repositories; DevOps tool chains; centralized logging platform; cross-functional collaboration.
  13. SAMPLE DEVSECOPS PIPELINE*

    Container security integrated in the pipeline. Process inputs:
    • Product backlog
    • Security policies, standards, blueprints, guidelines and templates

    [Pipeline diagram showing the tools used at each stage.]

    *Listed vendors do not necessarily reflect Accenture's vendor recommendations
  14. BUILD TIME INTEGRATION: JENKINS - TWISTLOCK* INTEGRATION

    • To catch vulnerabilities earlier, integrate the build management tool (e.g. Jenkins) with Twistlock to scan images at build time. The diagram below illustrates this:
    • Jenkins triggers the Twistlock plugin at build time and checks for vulnerabilities
    • The build is either passed or failed based on user-defined criteria (e.g. fail the build if high/critical vulnerabilities are detected)
    • Below is a sample run of a pipeline as seen from the Jenkins console
    • The Twistlock portion happens in the "Scan" and "Publish Scan Results" stages

    *Palo Alto Networks acquired Twistlock; it is now part of the Palo Alto Networks Prisma offering (https://www.paloaltonetworks.com/prisma)
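The "user-defined criteria" in the scan stage are worth spelling out, because a gate that simply fails on any high/critical finding is switched off within a week once the first unfixable CVE lands in a base image. The code below is an added example of such a gate, not the Twistlock plugin's logic: it reads a scan report, applies a threshold plus two escape hatches (an approved exception list and a "no fix available" allowance), and returns a verdict the pipeline turns into a failed build. The JSON shape and the CVE identifiers are constructed placeholders, not Twistlock/Prisma's output format.

```python
"""Build-time vulnerability gate. Added example; report format is constructed."""

import json
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SEVERITY_RANK: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    package: str
    fixed_in: str  # empty string when the upstream package has no fix yet


@dataclass
class GatePolicy:
    fail_threshold: str = "high"        # fail on this severity and above
    require_fix_available: bool = True  # tolerate findings nobody can fix yet
    exceptions: Set[str] = field(default_factory=set)  # risk-accepted CVE ids


def parse_report(text: str) -> List[Finding]:
    """Parse the constructed report shape: {"image": ..., "vulnerabilities": [...]}."""
    data = json.loads(text)
    return [
        Finding(v["id"], v["severity"].lower(), v["package"], v.get("fixed_in", ""))
        for v in data.get("vulnerabilities", [])
    ]


def evaluate(findings: List[Finding], policy: GatePolicy) -> Tuple[bool, List[str]]:
    """Return (passed, reasons). Every blocking finding is listed, so the
    developer gets the whole fix list in one build rather than one CVE per run."""
    threshold = SEVERITY_RANK[policy.fail_threshold]
    reasons: List[str] = []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue
        if f.cve in policy.exceptions:
            continue  # accepted risk, tracked outside the pipeline
        if policy.require_fix_available and not f.fixed_in:
            continue  # nothing the developer can change today; report it elsewhere
        fix = f"upgrade to {f.fixed_in}" if f.fixed_in else "no fix available"
        reasons.append(f"{f.cve} ({f.severity}) in {f.package}: {fix}")
    return (not reasons, reasons)


def gate_build(report_text: str, policy: GatePolicy) -> Tuple[bool, List[str]]:
    return evaluate(parse_report(report_text), policy)


# Constructed sample report; the ids are placeholders, not real CVE numbers.
SAMPLE_REPORT = json.dumps({
    "image": "registry.example.com/web:1.4.2",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "critical", "package": "openssl", "fixed_in": "1.1.1d-r2"},
        {"id": "CVE-0000-0002", "severity": "high", "package": "libxml2", "fixed_in": ""},
        {"id": "CVE-0000-0003", "severity": "medium", "package": "curl", "fixed_in": "7.66.0"},
        {"id": "CVE-0000-0004", "severity": "high", "package": "busybox", "fixed_in": "1.31.1-r9"},
    ],
})


if __name__ == "__main__":
    passed, reasons = gate_build(SAMPLE_REPORT, GatePolicy(exceptions={"CVE-0000-0004"}))
    print("PASS" if passed else "FAIL")
    for r in reasons:
        print(" -", r)
    raise SystemExit(0 if passed else 1)  # a non-zero exit fails the Jenkins stage
```

Two practical notes: keep the exception list in version control with an owner and an expiry date, otherwise it becomes a permanent bypass; and send the findings the gate tolerates (unfixable highs) to a tracker rather than dropping them, since the build passing does not make them go away.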
  15. RUNTIME SECURITY: SECURITY IN THE CONTAINER RUNTIME ENVIRONMENT

    • Twistlock* provides both predictive (model-based) and threat-based active protection for running containers
    • Container models are created when new images are introduced into the runtime environment
    • Twistlock "learns" the behavior of the container and creates the model
    • Users can also trigger manual learning, as depicted in the process diagram below

    *Palo Alto Networks acquired Twistlock; it is now part of the Palo Alto Networks Prisma offering (https://www.paloaltonetworks.com/prisma)
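The learn-then-enforce idea on this slide is easier to reason about with a small working version of it. The monitor below is an added example, not Prisma Cloud's implementation: each image gets its own model, the processes, outbound connections and written directories seen during the learning window become the allowed set, and after the window closes anything outside that set is an alert. The event stream is constructed; the shape of the events is an assumption for the example.

```python
"""Toy runtime behavior model: learn per image, then enforce. Added example."""

import posixpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ContainerModel:
    image: str
    learning: bool = True
    allowed: Dict[str, Set[str]] = field(
        default_factory=lambda: {"process": set(), "connect": set(), "write": set()}
    )


def _key(kind: str, value: str) -> str:
    """Generalize a raw value into what the model stores. File writes are learned
    by directory, so per-session file names do not produce false alerts."""
    if kind == "write":
        return posixpath.dirname(value) or "/"
    return value


class RuntimeMonitor:
    def __init__(self) -> None:
        self.models: Dict[str, ContainerModel] = {}

    def observe(self, event: Dict[str, str]) -> Optional[str]:
        """Feed one event; return an alert string, or None if the event was
        learned or is already covered by the model."""
        image, kind, value = event["image"], event["type"], event["value"]
        # A new image (a new version counts) gets a fresh model in learning mode.
        model = self.models.setdefault(image, ContainerModel(image))
        if kind not in model.allowed:
            return f"{image}: unknown event type {kind}"
        key = _key(kind, value)
        if model.learning:
            model.allowed[kind].add(key)
            return None
        if key in model.allowed[kind]:
            return None
        return f"{image}: {kind} '{value}' not in learned model"

    def finish_learning(self, image: str) -> None:
        """Close the window, whether it ended by timer or by manual trigger."""
        self.models[image].learning = False


IMAGE = "registry.example.com/web:1.4"

# Constructed event stream: the container during its learning window...
LEARNING_EVENTS = [
    {"image": IMAGE, "type": "process", "value": "nginx"},
    {"image": IMAGE, "type": "process", "value": "php-fpm"},
    {"image": IMAGE, "type": "connect", "value": "10.0.3.5:5432"},
    {"image": IMAGE, "type": "write", "value": "/tmp/sess_a1"},
]
# ...and later in production, including a webshell-style deviation.
LIVE_EVENTS = [
    {"image": IMAGE, "type": "process", "value": "php-fpm"},
    {"image": IMAGE, "type": "process", "value": "sh"},
    {"image": IMAGE, "type": "connect", "value": "198.51.100.7:4444"},
    {"image": IMAGE, "type": "write", "value": "/tmp/sess_b2"},
]


def run_demo() -> List[str]:
    mon = RuntimeMonitor()
    for e in LEARNING_EVENTS:
        mon.observe(e)
    mon.finish_learning(IMAGE)
    return [a for a in (mon.observe(e) for e in LIVE_EVENTS) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT", alert)
```

The caveat that matters operationally: whatever happens during the learning window becomes "normal", so an image that is already compromised, or a container that is attacked while learning, bakes the attacker's behavior into its model. Keep learning windows short, learn from a known-good environment where possible, and review the learned model before it is enforced.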
  16. SECURITY AREAS COVERED BY TWISTLOCK

    Twistlock provides features that address the following security areas:

    Scanning
    • Integrates with build management tools (e.g. Jenkins, Azure DevOps, twistcli) to perform scanning at build time
    • Static scanning of images stored in the registry
    • Scanning of running containers
    • Serverless functions

    Runtime Security
    • Automatic or manual learning that creates container behavior models
    • Cloud Native App Firewall and Cloud Native Network Firewall
    • Host models
    • Serverless

    Secrets Management
    • Integrates with various secrets stores (CyberArk, HashiCorp, etc.)
    • Distributes secrets to containers, managed with policies
    • Secrets injected into containers via environment variables or files (in-memory filesystem); files on an in-memory filesystem are the safer choice, since environment variables are inherited by child processes and show up in process listings and crash dumps

    Registry
    • Integrates with various registries for scans (Artifactory, Nexus, Quay, AWS, Azure, etc.)
    • Trusted registries limit the source of images that can be run in the environment

    Incident Response, Alerting & Forensics
    • Supports multiple alerting mechanisms (email, Jira, Slack, webhook, etc.)
    • Collects various audit information (containers, hosts, firewalls, etc.)
    • Log data can be sent to the local host's syslog or to a remote destination
    • Provides various metrics for Prometheus monitoring

    Go to https://www.paloaltonetworks.com/cloud-security/twistlock-puresec-strengthen-prisma and https://www.twistlock.com for additional information
  17. MICROSERVICE SECURITY REFERENCE MODEL

    Enables the secure build, deployment, configuration and operation of microservices. Controls listed under each area of the model:

    • Runtime Security: behavioral threat detection, reactive threat protection, proactive threat protection, cluster integration, service-based security, intelligent policies
    • Incident Response: activity auditing, forensics, network & system captures
    • Network Security: network policies, container segmentation, layer 3 segmentation, internal/external network security, behavioral security, network enforcement, web application firewall, DDoS and DNS attack protection, network compatibility
    • Image Security: image verification, CI/CD integration, registry security, static content scanning, dynamic content scanning, image auditing, license scanning
    • API Security: API gateway, identity & access management, authentication, authorization, rate limiting & throttling, session token management, transport layer security, input validation, output encoding, exception handling, API key management, digital signatures, audit logging, API monitoring & management, API portal security, API versioning
    • Container Orchestration Platform Security: RBAC, network encryption, volume encryption, secrets management
    • Container Engine Security: unprivileged daemon, namespaces, resource quotas
    • Operating System Security: policy-based access control, syscall filtering
    • Application Security: threat models, secure design blueprints, secure design reviews, secure code reviews, SAST, DAST / IAST, SCA, vulnerability scans, secrets management, security unit & integration tests, penetration tests, advanced adversary simulations, configuration monitor & mgmt, application log monitor & mgmt
    • Infrastructure as Code Security: threat models, secure design blueprints, secure design reviews, secure code reviews, static security analysis, component analysis, dynamic security tests, vulnerability scans, secrets management, security unit & integration tests, penetration tests, advanced adversary simulations, configuration monitor & mgmt, infra log monitor & mgmt
    • Governance: metrics, dashboards & reports; culture, education & training; security champions; product security profiles; policies, standards & guidelines; security portal
    • Enablement: source code repository, artifact repository, DevOps tool chains, centralized logging platform, cross-functional collaboration
  18. PRESENTERS CONTACT INFORMATION

    John T. Forman - Email: [email protected] - LinkedIn: https://www.linkedin.com/in/johnforman/ - Twitter: @JTForman
    James Santos - Email: [email protected] - LinkedIn: https://www.linkedin.com/in/james-santos-105128 - Twitter: @jamesmsantos
    Aaron Tesch - Email: [email protected] - LinkedIn: https://www.linkedin.com/in/aaronttesch/ - Twitter: @AaronTesch