
Transcript of Container and Cloud-Native Architectures: the Modern-day Labyrinth

Page 1

Ali Golshan

Co-founder & CTO

©2017 StackRox, Inc. All Rights Reserved. Proprietary and Confidential.

Container and Cloud-Native Architectures: the Modern-day Labyrinth


Page 3

Why?

Containers and microservices create distributed, rapidly changing attack surfaces

Traditional security solutions don’t have container visibility

Threat landscape is not well-defined


Page 4

Challenges


Governance: DevOps and Security teams have a hard time determining whether container deployments have implemented appropriate controls & configurations to reduce their attack surface.

Runtime Defense: Security operation teams require threat detection & protection for microservices and containers in production that maps to evolving workflows.

Investigation: As a result of immutable and/or ephemeral architecture, containerized environments create blind spots during forensics investigations.

Page 5


Cloud-native attacks

Foothold. Indicators: low-privileged access to a Kube cluster outfitted with Custom Resource Definitions (CRDs).

Movement. Indicators: attacker creates a database custom resource object managed by a custom controller operating in a privileged context.

Persistence. Indicators: attacker injects code into the controller, extracts Kube secrets from the cluster, & returns the controller to a lower privilege to maintain stealth persistence.
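The governance gap on the previous slide and the privileged-controller chain above both come down to checks a defender can run against the cluster's own objects. The following is an added example, not StackRox code: it audits constructed Kubernetes workload and RBAC objects (shaped like `kubectl get -o json` output) for host namespaces, privileged containers, and service accounts bound to roles that read Secrets cluster-wide. The object names, the check list and the severity choices are this example's own assumptions.

```python
"""Audit Kubernetes objects for the controls and the privileged-controller risk
the slides describe.

Added example, not StackRox code. The objects below are constructed samples in
the shape `kubectl get ... -o json` returns; the checks are this example's own.
"""
from __future__ import annotations

WORKLOAD_KINDS = {"Pod", "Deployment", "DaemonSet", "StatefulSet"}
READ_VERBS = {"*", "get", "list", "watch"}   # any of these exposes Secret contents


def _pod_spec(obj: dict) -> dict:
    """Pods carry the spec directly; controllers carry it under spec.template."""
    return obj["spec"] if obj["kind"] == "Pod" else obj["spec"]["template"]["spec"]


def workload_findings(obj: dict) -> list[str]:
    """Hardening gaps in one workload: host namespaces, privileged containers,
    privilege escalation left enabled, root user not ruled out."""
    name = obj["metadata"]["name"]
    spec = _pod_spec(obj)
    out = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            out.append(f"{name}: {key}=true shares a host namespace")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c['name']}"
        if sc.get("privileged"):
            out.append(f"{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            out.append(f"{cname}: allowPrivilegeEscalation not set to false")
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            out.append(f"{cname}: runAsNonRoot not enforced")
    return out


def rbac_findings(objs: list[dict]) -> list[str]:
    """Service accounts whose bindings let them read Secrets or touch every
    resource: the 'custom controller operating in a privileged context'."""
    roles = {}
    for o in objs:
        if o["kind"] in ("ClusterRole", "Role"):
            ns = o["metadata"].get("namespace", "")
            roles[(o["kind"], ns, o["metadata"]["name"])] = o.get("rules", [])
    out = []
    for o in objs:
        if o["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ns = o["metadata"].get("namespace", "")
        ref = o["roleRef"]
        # A RoleBinding may reference a ClusterRole; it is still scoped to ns.
        key = (ref["kind"], "" if ref["kind"] == "ClusterRole" else ns, ref["name"])
        scope = "cluster-wide" if o["kind"] == "ClusterRoleBinding" else f"namespace {ns}"
        sas = [f"{s.get('namespace', ns)}/{s['name']}"
               for s in o.get("subjects", []) if s.get("kind") == "ServiceAccount"]
        for rule in roles.get(key, []):
            resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
            if "*" in resources:
                out.extend(f"{sa}: wildcard resource grant ({scope})" for sa in sas)
            elif "secrets" in resources and verbs & READ_VERBS:
                out.extend(f"{sa}: can read secrets ({scope})" for sa in sas)
    return out


def audit(objs: list[dict]) -> dict[str, list[str]]:
    """Run both checks over a list of API objects."""
    workloads = [f for o in objs if o["kind"] in WORKLOAD_KINDS for f in workload_findings(o)]
    return {"workloads": workloads, "rbac": rbac_findings(objs)}


# Constructed sample: an operator running privileged with hostPID and a
# cluster-wide Secret read grant, beside a hardened web pod with a narrow Role.
SAMPLE_OBJECTS = [
    {"kind": "Deployment", "metadata": {"name": "db-operator", "namespace": "ops"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "db-operator", "hostPID": True,
         "containers": [{"name": "controller", "securityContext": {"privileged": True}}]}}}},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [{"name": "nginx", "securityContext": {
         "runAsNonRoot": True, "allowPrivilegeEscalation": False}}]}},
    {"kind": "ClusterRole", "metadata": {"name": "db-operator-role"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
               {"apiGroups": ["example.com"], "resources": ["databases"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "db-operator-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "db-operator-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "db-operator", "namespace": "ops"}]},
    {"kind": "Role", "metadata": {"name": "reader", "namespace": "shop"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "reader-binding", "namespace": "shop"},
     "roleRef": {"kind": "Role", "name": "reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "shop"}]},
]

if __name__ == "__main__":
    for section, findings in audit(SAMPLE_OBJECTS).items():
        print(section)
        for f in findings:
            print("  -", f)
```

Full verbs on the operator's own CRD (`databases`) are deliberately not flagged: a controller needs them, and reporting them would bury the finding that matters, the cluster-wide read on `secrets`.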

Page 6

Example

• Focusing on “Action” (not “Topology”) choke points
• Adversarial Intent Model:
  • Foothold
  • Persistence
  • Privilege escalation
  • Lateral movement
  • Objectives
• Delivering context: sequence of actions
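Delivering context as a sequence of actions means correlating per actor rather than alerting on single events. As an added example that is not StackRox's code, the block below tags constructed audit-style events with a stage from the intent model above and reports an actor only when its events progress through at least three stages in order; the verb/resource-to-stage rules, the actor names and the events are assumptions made for illustration.

```python
"""Correlate audit-style events into an adversarial-intent sequence per actor.

Added example, not StackRox code. The stage order is the slide's model; the
rules mapping (verb, resource) to a stage and the events are constructed.
"""
from __future__ import annotations
from collections import defaultdict
from typing import Optional

STAGES = ["foothold", "persistence", "privilege_escalation", "lateral_movement", "objectives"]


def classify(event: dict) -> Optional[str]:
    """Map one event to a stage (assumed rules, mirroring the CRD attack chain)."""
    verb, res = event["verb"], event["resource"]
    if (verb, res) == ("create", "databases"):
        return "foothold"                 # new custom resource from a low-privileged account
    if (verb, res) == ("patch", "deployments"):
        return "persistence"              # the custom controller's workload is modified
    if (verb, res) == ("create", "pods") and event.get("privileged"):
        return "privilege_escalation"     # a privileged pod appears
    if (verb, res) == ("create", "pods/exec"):
        return "lateral_movement"         # shell into another container
    if verb in ("get", "list") and res == "secrets":
        return "objectives"               # secrets read from the cluster
    return None


def longest_progression(indices: list[int]) -> list[int]:
    """Longest strictly increasing subsequence of stage indices in time order,
    so an earlier stage seen after a later one does not count as progress."""
    n = len(indices)
    if n == 0:
        return []
    best, prev = [1] * n, [-1] * n
    for i in range(n):
        for j in range(i):
            if indices[j] < indices[i] and best[j] + 1 > best[i]:
                best[i], prev[i] = best[j] + 1, j
    end = max(range(n), key=best.__getitem__)
    chain = []
    while end != -1:
        chain.append(indices[end])
        end = prev[end]
    return chain[::-1]


def detect(events: list[dict], min_stages: int = 3) -> dict[str, list[str]]:
    """Per actor, the ordered stage chain; only actors reaching min_stages are reported."""
    by_actor: dict[str, list[int]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = classify(e)
        if stage is not None:
            by_actor[e["actor"]].append(STAGES.index(stage))
    alerts = {}
    for actor, idx in by_actor.items():
        chain = longest_progression(idx)
        if len(chain) >= min_stages:
            alerts[actor] = [STAGES[i] for i in chain]
    return alerts


# Constructed events: one actor walks the whole chain, a CI bot touches the
# same resources out of order, an admin hits two stages (below threshold).
SAMPLE_EVENTS = [
    {"ts": 100, "actor": "dev-user", "verb": "create", "resource": "databases"},
    {"ts": 110, "actor": "dev-user", "verb": "list", "resource": "configmaps"},
    {"ts": 120, "actor": "dev-user", "verb": "patch", "resource": "deployments"},
    {"ts": 130, "actor": "dev-user", "verb": "create", "resource": "pods", "privileged": True},
    {"ts": 140, "actor": "dev-user", "verb": "create", "resource": "pods/exec"},
    {"ts": 150, "actor": "dev-user", "verb": "list", "resource": "secrets"},
    {"ts": 100, "actor": "ci-bot", "verb": "list", "resource": "secrets"},
    {"ts": 105, "actor": "ci-bot", "verb": "patch", "resource": "deployments"},
    {"ts": 110, "actor": "ci-bot", "verb": "create", "resource": "pods"},
    {"ts": 200, "actor": "ops-admin", "verb": "create", "resource": "pods", "privileged": True},
    {"ts": 210, "actor": "ops-admin", "verb": "get", "resource": "secrets"},
]

if __name__ == "__main__":
    for actor, chain in detect(SAMPLE_EVENTS).items():
        print(actor, "->", " > ".join(chain))
```

The ordering requirement is what gives the alert its context: `ci-bot` reads secrets and patches deployments, but in the wrong order for an intrusion, so it stays quiet, while `dev-user` is reported with the full chain attached.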


Page 7

Building to Operating

Foothold

Privilege escalation

Movement

Detect

Make risk-driven security decisions

Minimize attack surface

Simplify governance

Prevent

Programmable data collection

Forensics

Disrupt attacks

Respond


Page 8

©2018 StackRox, Inc. All Rights Reserved. Proprietary and Confidential.

Security Built In

Technology: Container and cloud-native detection & response with patent-pending innovations in machine learning

Mission: Secure enterprises’ container and cloud-native infrastructure from container threats

Customers: Global 2000 enterprises across finance, media, technology and government

Investors: $14M from top venture capital firms & renowned security experts

