Container Security with Microsoft
Defender
Rahul Khengare
18th Mar 2023
DevOps-Pune Meetup Group
About Me
Sr. Staff Engineer, Zscaler
◎ Cloud Security/DevOps/DevSecOps/SRE
◎ Blogger (oss-world, thesecuremonk)
◎ Co-Organizer
○ DevOps-Pune, DevSecOps-Pune
◎ Open Source Software and CIS Contributor
◎ Past Organization: Cloudneeti, Motifworks, NTT Data
◎ https://www.linkedin.com/in/rahulkhengare
Agenda
◎ Need for Container Security
◎ Overview of Microsoft Defender for Cloud
◎ Microsoft Defender Capabilities
◎ How it works
◎ Demo
How are you securing your container workloads?
Known Practices
◎ Use of a private registry and trusted images
◎ Continuous vulnerability scanning of images (Trivy, Anchore)
◎ Limit container privileges
◎ Use of network segmentation
◎ Implement least-privilege access (RBAC)
◎ Logging and monitoring
◎ Implement runtime security for threat detection
◎ Preventive and detective policies (e.g. Kyverno)
◎ Security and compliance audits
◎ Certificates and secured endpoints
◎ Many more …
“93% experienced at least one security incident in their Kubernetes environments in the last 12 months”
- State of Kubernetes Security Report (Kubernetes adoption, security, and market trends report, 2022)
Microsoft Defender
What it is?
Capabilities?
How it works?
Overview of Microsoft Defender for Containers
◎ Cloud-native solution to improve, monitor and maintain the security of your clusters, containers and their applications
◎ Multi-cloud: supports Kubernetes offerings and container registries from other CSPs, e.g. EKS, GKE and ECR
◎ Kubernetes-native deployment at scale
◎ Provides security alerts and remediation capabilities
[Diagram: Container Security = Environment Hardening (cluster configurations) + Vulnerability Assessment (container images) + Runtime Threat Detection]
Environment Hardening
◎ Continuous monitoring of your Kubernetes clusters
○ Wherever they are hosted: AWS (EKS), Azure (AKS), GCP (GKE), on-premises (connected through Azure Arc)
○ Continuously assesses clusters to give visibility of misconfigurations
○ Provides guidance to mitigate the issues
◎ Kubernetes data plane hardening
○ Azure Policy add-on
◉ Extends Gatekeeper v3 (the OPA admission controller) and is required to apply at-scale auditing, enforcement and safeguards on clusters in a centralized, consistent manner
○ Defender DaemonSet
◉ Deployed to each worker node; collects security-related data and sends it to Defender for analysis. Required for runtime protection and the other node-level security capabilities
Environment Hardening (continued)
Vulnerability Assessment
◎ Supports Azure Container Registry (ACR) and AWS Elastic Container Registry (ECR)
◎ Scan triggers
○ On push
○ Recently pulled images
○ On import
○ Continuous rescan, triggered by image pulls and for images currently running in the cluster
◎ View and remediate findings
◎ Disable specific findings through rules, e.g. severity below medium, or findings with no patch available
Runtime Threat Protection
◎ Provides real-time threat protection
◎ Generates alerts for suspicious activities
◎ Threat protection at the cluster level
○ Provided by the Defender agent and by analysis of the Kubernetes audit logs
◎ Threat protection at the host (node) level
◎ Monitors the attack surface of multi-cloud Kubernetes deployments using the MITRE ATT&CK® matrix for Containers as the reference
◎ Examples:
○ Exposed Kubernetes dashboards, high-privileged roles, sensitive mounts
○ Anomalous secret access, suspicious file download detected, possible backdoor detected
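The cluster-level detections above work on the Kubernetes audit log, so it helps to see what that looks like in practice. Below is an added example, not the deck's code and not Microsoft Defender's detection logic: a few hand-written rules in the spirit of the alert examples listed on the slide (high-privileged roles, anomalous secret access, exposed dashboard, plus exec into a container), run over constructed audit events and tagged with the ATT&CK for Containers tactic they map to. The audit events, the static secret-access baseline (Defender learns a baseline from history; here it is a fixed table) and the tactic/technique mapping are assumptions made for the illustration.

```python
"""Rule-based detections over Kubernetes API-server audit events (JSON lines).
Added example, not Microsoft Defender's detection logic; the rules, the ATT&CK
mapping, the secret-access baseline and the sample events are assumptions."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Assumption: which principals normally read secrets in which namespaces.
# Defender learns such a baseline from history; here it is a static table.
SECRET_ACCESS_BASELINE = {"system:serviceaccount:prod:vault-agent": {"prod"}}
PRIVILEGED_CLUSTER_ROLES = {"cluster-admin"}


@dataclass
class Alert:
    rule: str
    tactic: str  # MITRE ATT&CK for Containers tactic (our mapping)
    principal: str
    detail: str


def detect(ev: dict) -> list[Alert]:
    """Evaluate one completed, non-rejected audit event; return the alerts it raises."""
    alerts: list[Alert] = []
    if ev.get("stage") != "ResponseComplete" or ev.get("responseStatus", {}).get("code", 0) >= 400:
        return alerts
    user = ev.get("user", {}).get("username", "")
    ref = ev.get("objectRef") or {}
    req = ev.get("requestObject") or {}
    verb, res, ns = ev.get("verb"), ref.get("resource"), ref.get("namespace")

    # High-privileged role: a (Cluster)RoleBinding that hands out cluster-admin
    if verb in ("create", "update", "patch") and res in ("clusterrolebindings", "rolebindings"):
        role = req.get("roleRef", {})
        if role.get("kind") == "ClusterRole" and role.get("name") in PRIVILEGED_CLUSTER_ROLES:
            subjects = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in req.get("subjects", []))
            alerts.append(Alert("cluster-admin-binding", "Privilege Escalation", user,
                                f"{res}/{ref.get('name')} grants {role['name']} to {subjects}"))
    # Anomalous secret access: reads outside the principal's baseline (T1552.007)
    if res == "secrets" and verb in ("get", "list", "watch"):
        allowed = SECRET_ACCESS_BASELINE.get(user, set())
        if "*" not in allowed and (ns is None or ns not in allowed):
            alerts.append(Alert("anomalous-secret-access", "Credential Access", user,
                                f"{verb} secrets in {ns or '<all namespaces>'}; baseline: {sorted(allowed) or 'none'}"))
    # Exposed dashboard: the dashboard Service published outside the cluster
    if res == "services" and ns == "kubernetes-dashboard" and verb in ("create", "update", "patch"):
        svc_type = req.get("spec", {}).get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):
            alerts.append(Alert("exposed-dashboard", "Initial Access", user,
                                f"service {ref.get('name')} is of type {svc_type}"))
    # Interactive command in a container (T1609 Container Administration Command)
    if res == "pods" and ref.get("subresource") in ("exec", "attach"):
        alerts.append(Alert("pod-exec", "Execution", user,
                            f"{ref['subresource']} into {ns}/{ref.get('name')}"))
    return alerts


def scan(audit_lines: str) -> list[Alert]:
    """Run detect() over JSON-lines audit output; blank or malformed lines are skipped."""
    alerts: list[Alert] = []
    for line in filter(str.strip, audit_lines.splitlines()):
        try:
            alerts.extend(detect(json.loads(line)))
        except json.JSONDecodeError:
            continue
    return alerts


def _event(verb, resource, user, ns=None, name=None, sub=None, req=None, code=200):
    """Constructed audit.k8s.io/v1 event carrying only the fields the rules read."""
    ref = {k: v for k, v in (("resource", resource), ("namespace", ns),
                             ("name", name), ("subresource", sub)) if v}
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": verb, "user": {"username": user}, "objectRef": ref,
            "requestObject": req, "responseStatus": {"code": code}}


# Constructed sample log: one benign read, four suspicious events, one denied probe.
SAMPLE_EVENTS = [
    _event("list", "secrets", "system:serviceaccount:prod:vault-agent", ns="prod"),
    _event("list", "secrets", "system:serviceaccount:default:web", ns="kube-system"),
    _event("create", "clusterrolebindings", "kubernetes-admin", name="dev-admin",
           req={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}),
    _event("create", "services", "kubernetes-admin", ns="kubernetes-dashboard",
           name="kubernetes-dashboard", req={"spec": {"type": "LoadBalancer"}}),
    _event("create", "pods", "system:serviceaccount:default:web", ns="kube-system",
           name="coredns-5d78c9869d-x2k4q", sub="exec"),
    _event("list", "secrets", "system:anonymous", code=403),
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT_LOG):
        print(f"[{a.tactic}] {a.rule}: {a.principal} - {a.detail}")
```

Two caveats when pointing this at a real log: the binding and dashboard rules read `requestObject`, which the API server only writes when the audit policy logs those resources at `Request` or `RequestResponse` level (at `Metadata` level the field is absent and those rules stay silent); and on managed clusters such as AKS, EKS or GKE the audit log is not a file on a node you can read but is exported through the provider's logging pipeline, which is also where Defender consumes it.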
Runtime Protection - Alerts
How it works
◎ Defender for Containers receives and analyzes:
○ Audit logs and security events from the API server
○ Cluster configuration information from the control plane
○ Workload configuration from Azure Policy
○ Security signals and events from the node level
◎ Components deployed (on AKS they run in the kube-system namespace)
○ Azure Policy add-on
◉ Extends Gatekeeper v3 and is required to apply at-scale auditing, enforcement and safeguards on clusters in a centralized, consistent manner [pods: azure-policy, azure-policy-webhook]
○ Defender profile (DaemonSet)
◉ Deployed to each node; provides the runtime protection and collects signals from the node using eBPF [DaemonSets microsoft-defender-collector-ds and microsoft-defender-publisher-ds, plus microsoft-defender-collector-misc, which is a deployment rather than a DaemonSet]
How it works for AKS
How it works for EKS
How it works for GKE
Demo
Defender in Action…
Thanks!
Any questions?
References
◎ Microsoft Defender for container
◎ Runtime alerts for Kubernetes cluster
◎ Azure provided container recommendations
◎ Vulnerable K8s for testing
◎ Azure Policies for K8s
