Session at ContainerDay Security 2023 on the 8th of March in Hamburg. Containers are awesome. The technology finds more and more adaptation in our daily IT lifes. They are fast, agile and shareable. All those postives bring a downsite to it - visibility. Can I trust every container content? Is my container behaving like it should? It's to fast, how can I catch anomalities? We want to tackle those questions in our session and show you what Falco and Sysdig can do for you to win back container visibility without any loss of container benefits.

1. How to approach Container
Security from Open Source to
Enterprise
Stefan Trimborn
Enterprise Sales Engineer
Source Run

2. What’s better?
OSS Enterprise

3. Why not both!
OSS based Enterprise Solution

4. Creating a Falco rule and apply it

5. Out of the Box Rules
Rules
Update packages
Modify /bin /usr
Write below /etc
Read sensitive file
DB spawned proc
Change namespace
Privileged container
Sensitive mount
Terminal shell
Best practices
FIM (File Integrity)
Privileged pod
ConfigMap creds
kubectl exec/attach
Role changes audit
PCI
NIST
Compliance
CVE-2019-11246
kubectl cp
CVE-2019-5736
runc breakout
CVE-2019-14287
sudo bypass
Vulnerabilities
K8s control plane
Nginx
Elasticsearch
Redis
HAproxy
Rook
MongoDB
PostgreSQL
Cloud Native Stack

6. Create your own rules
6
Rules
- macro: my_monitored_dir
condition: fd.directory in (my_monitored_directories)
- list: my_monitored_directories
items: [/tmp]

7. Introducing…
7
Rules
- rule: Write below my monitored dir
desc: an attempt to write to any file below a set of my monitored
directories
condition: >
evt.dir = < and open_write and my_monitored_dir
and not package_mgmt_procs
output: >
Hey Admin - File below a monitored directory opened for writing
(user=%user.name user_loginuid=%user.loginuid
command=%proc.cmdline file=%fd.name parent=%proc.pname
pcmdline=%proc.pcmdline gparent=%proc.aname[2] container_id=%container.id
image=%container.image.repository)
priority: ERROR
tags: [filesystem, mitre_persistence]

8. Let’s do this!

9. Let’s do this!

10. Let’s do this!

11. Let’s do this!

12. 12
Let’s do this!

13. 13
Let’s do this!

14. 14
Let’s do this!

15. 15
Sweet! All the infos we need to remediate!

16. 16
Hello Sidekick!
16

17. Hello Sidekick! - Outputs
https://github.com/falcosecurity/falcosidekick
● Chat (Slack, Teams, Google Chat,...)
● Metrics (Datadog, Influxdb, StatsD,
Prometheus,...)
● Alerting,
● Logs (Elasticsearch,Loki...)
● Object Storage,
● Message Queue
● Email
● Web
● and more!

18. 18
https://github.com/falcosecurity/plugins
There is more: Falco Plug-Ins!

19. Great! But…
● DIY - Installation, Roll Outs, Rule Updates, etc.
● Extra Work - No UI by default, No Plug-Ins
● Focus on Runtime Detection
● Community Support

20. Now for Enterprise

21. The best of both worlds
● Based on Falco - No need to start from scratch
● Based on OSS - Prometheus, OPA, Falco - Reuse your skills
● More than Runtime Detection - it’s a full CWAPP and CSPM Solution
● No manual management:
UI, Plugins, Rules OOTB
● Premium Support based in Europe!

22. Configuration
Management
Infrastructure as
Code Validation
Vulnerability
Management
Threat
Detection
Incident
Response
•CI/CD pipelines,
registries, and
hosts
•Prioritization based
on in-use vulns
• Capture detailed
record for
forensics
• Block malicious
containers /
processes
• CSPM / cloud
misconfigurations
• Cloud Inventory
CODE BUILD RUN RESPOND
Supply Chain Security
Compliance
• Cloud threat
detection
• Workload runtime
security
• Drift prevention
• Block risky
configs
Securing VMs, Hosts, Kubernetes and Cloud Services
Identity and Access
Management
• CIEM / least
privilege
• Prioritization
based on in-use
permissions

23. Shall we have a closer look at Sysdig Secure?
• Prioritize what matters
• Detect threats in real time
• Fix fast with context
Software Vulnerabilities Configuration & Access Risks Runtime Threats Compliance
Cloud Infrastructure
Containers/Kubernetes

24. 24
Curios?
Want to discuss or see more?
Visit us at sysdig.com
Or contact me at:
stefan.trimborn@sysdig.com

25. Cloud and Container Security
from Source to Run