SlideShare a Scribd company logo

Kubernetes meetup k8s_aug_2019

D
dhubbard858

This document discusses securing containers and Kubernetes environments. It describes security risks like remote administration and privilege escalation. It recommends implementing multi-factor authentication, secure network access, valid SSL certificates, and products like Lacework to discover threats. Specific techniques are outlined like using pod security policies to prevent root access, access to host ports, and certain volume types. The document promotes automating cloud security at scale using the Lacework security platform to secure containers and workloads.

Technology
Related topics:
Cloud Security Insights
1 of 26
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
©2018 Lacework, Inc. Confidential and Proprietary.
©2018 Lacework, Inc. Confidential and Proprietary.
©2018 Lacework, Inc. Confidential and Proprietary. 3 Automating Cloud Security at Scale
©2018 Lacework, Inc. Confidential and Proprietary. 4 Lacework Polygraph Threat Intelligence and API’s Alerting SIEM SOC InvestigationCompliance DetectionVisibility Cloud Infrastructure Workloads Accounts VMs ContainersFilesApps Insiders Config APIs Use cases Lacework Security Platform for Cloud
©2018 Lacework, Inc. Confidential and Proprietary. • Networking • Redundancy • Autoscaling • Provisioning • Storage • Alerting
©2018 Lacework, Inc. Confidential and Proprietary.
©2018 Lacework, Inc. Confidential and Proprietary. Do believe the hype! Never heard of it Looking into it M igration planned M igration done W eshould secureit!
©2018 Lacework, Inc. Confidential and Proprietary. ku · ber · net · es co ·nun ·drum Speed & Scale Secure & Safe
©2018 Lacework, Inc. Confidential and Proprietary. The Firewall is the security! Zero-Trust for all Window of Opportunity
©2018 Lacework, Inc. Confidential and Proprietary. Monocultures are hard to secure!
©2018 Lacework, Inc. Confidential and Proprietary.
©2018 Lacework, Inc. Confidential and Proprietary. Hunting Examples with Shodan
©2018 Lacework, Inc. Confidential and Proprietary. Demo of Shodan
©2018 Lacework, Inc. Confidential and Proprietary.
©2018 Lacework, Inc. Confidential and Proprietary. Container Risks and Threats
©2018 Lacework, Inc. Confidential and Proprietary. Container Risks and Threats
©2018 Lacework, Inc. Confidential and Proprietary. K8’s is the Leader
©2018 Lacework, Inc. Confidential and Proprietary. Oh my, HealthZ RCE
©2018 Lacework, Inc. Confidential and Proprietary. Risks and Threats • Full remote administration • Information discovery • Deploy Images • Delete Pod’s • Deploy decoys • Use your imagination • Information Disclosure on targets with invalid certificates • Full RCE (https://www.shodan.io/search?query=healthz+probe)
©2018 Lacework, Inc. Confidential and Proprietary. Recommendations • Regardless of network policy, use MFA for all access; • Apply strict controls to network access, especially for UI and API ports; • Use SSL for all servers and use valid certificates with proper expiration and enforcement policies; • Investigate VPN (bastion), reverse proxy or direct connect connections to sensitive servers; • Look into product and services such as Lacework in order to discover, detect, prevent, and secure your container services. • Build a pod security policy • Configure your Kubernetes pods to run read-only file systems • Restrict privilege escalation in Kubernetes • Deploy RBAC Kubernetes
©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy : prevent running as root source Bitnami
©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy source Bitnami $kubectl get psp
©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy: prevent pods from accessing host ports source Bitnami
©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy: prevent access to certain volume types source Bitnami
©2018 Lacework, Inc. Confidential and Proprietary. Containers Security in Polygraph 25
©2018 Lacework, Inc. Confidential and Proprietary. Automating Cloud Security at Scale 26

More Related Content

PPTX
Containers At-Risk: A Review of 21,000 Cloud Environments
Lacework
 
PPTX
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
PPTX
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
PPTX
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
PPTX
CipherCloud Technology Overview: Tokenization
CipherCloud
 
PPTX
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect
Nur Shiqim Chok
 
PPTX
Security Observability for Cloud Based Applications
John Varghese
 
PDF
Intelligent Cybersecurity for the Real World
NetCraftsmen
 
Containers At-Risk: A Review of 21,000 Cloud Environments
Lacework
 
Lacework Kubernetes Meetup | August 28, 2018
Lacework
 
Lacework Overview: Security Redefined for Cloud Scale
Lacework
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
CipherCloud Technology Overview: Tokenization
CipherCloud
 
[Cisco Connect 2018 - Vietnam] Eric rennie sw cisco_connect
Nur Shiqim Chok
 
Security Observability for Cloud Based Applications
John Varghese
 
Intelligent Cybersecurity for the Real World
NetCraftsmen
 

What's hot (19)

PPTX
Cloud Security 101 (Webinar Deck)
Panther Labs
 
PDF
Cisco Connect 2018 Singapore - Cisco CMX
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - The Network Intuitive
NetworkCollaborators
 
PDF
Cisco Connect 2018 Singapore - Cisco SD-WAN
NetworkCollaborators
 
PDF
Cloud Encryption Gateways (how enterprises can leverage cloud SaaS without co...
Mark Silverberg
 
PDF
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Evident.io
 
PPTX
Cisco Connect 2018 Indonesia - Delivering intent for data center networking
NetworkCollaborators
 
PPTX
Panther 101: Bootstrapping Your Cloud SIEM (Webinar Deck)
Panther Labs
 
PDF
Cisco Connect 2018 Singapore - Cisco Incident Response Services
NetworkCollaborators
 
PPTX
Lacework | Top 10 Cloud Security Threats
Lacework
 
PPTX
D3NY17 - Migrating to the Cloud
Imperva Incapsula
 
PPTX
New security solutions for next generation of IT
DATA SECURITY SOLUTIONS
 
PPTX
Lacework AWS Security Week Presentation
Lacework
 
PDF
Rethinking Application Security for cloud-native era
Priyanka Aash
 
PDF
TechWiseTV Workshop: Encrypted Traffic Analytics
Robb Boyd
 
PDF
Cisco Connect 2018 Singapore - Secure data center building a secure zero trus...
NetworkCollaborators
 
PPTX
Automating your AWS Security Operations
Evident.io
 
PPTX
Idc security roadshow may2015 Adrian Aron
Dejan Jeremic
 
PPTX
Lacework for AWS Security Overview
Lacework
 
Cloud Security 101 (Webinar Deck)
Panther Labs
 
Cisco Connect 2018 Singapore - Cisco CMX
NetworkCollaborators
 
Cisco Connect 2018 Singapore - The Network Intuitive
NetworkCollaborators
 
Cisco Connect 2018 Singapore - Cisco SD-WAN
NetworkCollaborators
 
Cloud Encryption Gateways (how enterprises can leverage cloud SaaS without co...
Mark Silverberg
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Evident.io
 
Cisco Connect 2018 Indonesia - Delivering intent for data center networking
NetworkCollaborators
 
Panther 101: Bootstrapping Your Cloud SIEM (Webinar Deck)
Panther Labs
 
Cisco Connect 2018 Singapore - Cisco Incident Response Services
NetworkCollaborators
 
Lacework | Top 10 Cloud Security Threats
Lacework
 
D3NY17 - Migrating to the Cloud
Imperva Incapsula
 
New security solutions for next generation of IT
DATA SECURITY SOLUTIONS
 
Lacework AWS Security Week Presentation
Lacework
 
Rethinking Application Security for cloud-native era
Priyanka Aash
 
TechWiseTV Workshop: Encrypted Traffic Analytics
Robb Boyd
 
Cisco Connect 2018 Singapore - Secure data center building a secure zero trus...
NetworkCollaborators
 
Automating your AWS Security Operations
Evident.io
 
Idc security roadshow may2015 Adrian Aron
Dejan Jeremic
 
Lacework for AWS Security Overview
Lacework
 
Ad

Similar to Kubernetes meetup k8s_aug_2019 (9)

PDF
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat Security Conference
 
PDF
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
SBWebinars
 
PDF
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
PDF
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
PDF
AWS User Group November
PolarSeven Pty Ltd
 
PDF
AWS November meetup Slides
JacksonMorgan9
 
PPTX
Are you ready for a cloud pentest? AWS re:Inforce 2019
2nd Sight Lab
 
PDF
Mitigating techniques
Richard Harvey
 
PDF
Prisma Cloud - CyberTech ID Forum 24.pdf
satrioyoyo
 
BlueHat v18 || Dep for the app layer - time for app sec to grow up
BlueHat Security Conference
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
SBWebinars
 
Securing Your Customers Data From Day One
Amazon Web Services LATAM
 
AWS STARTUP DAY 2018 I Securing Your Customer Data From Day One
AWS Germany
 
AWS User Group November
PolarSeven Pty Ltd
 
AWS November meetup Slides
JacksonMorgan9
 
Are you ready for a cloud pentest? AWS re:Inforce 2019
2nd Sight Lab
 
Mitigating techniques
Richard Harvey
 
Prisma Cloud - CyberTech ID Forum 24.pdf
satrioyoyo
 
Ad

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPT
Teaching material agriculture food technology
LiaRayya
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Encapsulation theory and applications.pdf
gurumoop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Teaching material agriculture food technology
LiaRayya
 

Kubernetes meetup k8s_aug_2019

  • 1. ©2018 Lacework, Inc. Confidential and Proprietary.
  • 2. ©2018 Lacework, Inc. Confidential and Proprietary.
  • 3. ©2018 Lacework, Inc. Confidential and Proprietary. 3 Automating Cloud Security at Scale
  • 4. ©2018 Lacework, Inc. Confidential and Proprietary. 4 Lacework Polygraph Threat Intelligence and API’s Alerting SIEM SOC InvestigationCompliance DetectionVisibility Cloud Infrastructure Workloads Accounts VMs ContainersFilesApps Insiders Config APIs Use cases Lacework Security Platform for Cloud
  • 5. ©2018 Lacework, Inc. Confidential and Proprietary. • Networking • Redundancy • Autoscaling • Provisioning • Storage • Alerting
  • 6. ©2018 Lacework, Inc. Confidential and Proprietary.
  • 7. ©2018 Lacework, Inc. Confidential and Proprietary. Do believe the hype! Never heard of it Looking into it M igration planned M igration done W eshould secureit!
  • 8. ©2018 Lacework, Inc. Confidential and Proprietary. ku · ber · net · es co ·nun ·drum Speed & Scale Secure & Safe
  • 9. ©2018 Lacework, Inc. Confidential and Proprietary. The Firewall is the security! Zero-Trust for all Window of Opportunity
  • 10. ©2018 Lacework, Inc. Confidential and Proprietary. Monocultures are hard to secure!
  • 11. ©2018 Lacework, Inc. Confidential and Proprietary.
  • 12. ©2018 Lacework, Inc. Confidential and Proprietary. Hunting Examples with Shodan
  • 13. ©2018 Lacework, Inc. Confidential and Proprietary. Demo of Shodan
  • 14. ©2018 Lacework, Inc. Confidential and Proprietary.
  • 15. ©2018 Lacework, Inc. Confidential and Proprietary. Container Risks and Threats
  • 16. ©2018 Lacework, Inc. Confidential and Proprietary. Container Risks and Threats
  • 17. ©2018 Lacework, Inc. Confidential and Proprietary. K8’s is the Leader
  • 18. ©2018 Lacework, Inc. Confidential and Proprietary. Oh my, HealthZ RCE
  • 19. ©2018 Lacework, Inc. Confidential and Proprietary. Risks and Threats • Full remote administration • Information discovery • Deploy Images • Delete Pod’s • Deploy decoys • Use your imagination • Information Disclosure on targets with invalid certificates • Full RCE (https://www.shodan.io/search?query=healthz+probe)
  • 20. ©2018 Lacework, Inc. Confidential and Proprietary. Recommendations • Regardless of network policy, use MFA for all access; • Apply strict controls to network access, especially for UI and API ports; • Use SSL for all servers and use valid certificates with proper expiration and enforcement policies; • Investigate VPN (bastion), reverse proxy or direct connect connections to sensitive servers; • Look into product and services such as Lacework in order to discover, detect, prevent, and secure your container services. • Build a pod security policy • Configure your Kubernetes pods to run read-only file systems • Restrict privilege escalation in Kubernetes • Deploy RBAC Kubernetes
  • 21. ©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy : prevent running as root source Bitnami
  • 22. ©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy source Bitnami $kubectl get psp
  • 23. ©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy: prevent pods from accessing host ports source Bitnami
  • 24. ©2018 Lacework, Inc. Confidential and Proprietary. Pod Security Policy: prevent access to certain volume types source Bitnami
  • 25. ©2018 Lacework, Inc. Confidential and Proprietary. Containers Security in Polygraph 25
  • 26. ©2018 Lacework, Inc. Confidential and Proprietary. Automating Cloud Security at Scale 26