A Lightweight Framework For Security Reactions: Cloud(Security)Events
Evan Anderson

What Is An Event?
A notification that something happened in a system.
[Photo by Jeff Finley on Unsplash]

What Is CloudEvents?
CNCF project to standardize event format and metadata.
Documented formats:
- JSON
- AVRO
- Protobuf
- XML
Key fields (extensible):
- type
- source
- id
- timestamp

Security Events
Before an Incident:
- Software builds
- Deployments
- Vulnerability Scans
- CVEs
- Test results
- SDL process stages
Incident Response:
- Unexpected System Calls
- Configuration Changes
- Network Connections
- Logins and Authentications
- Tokens or certs issued

Examples?
Falco has a series of blog posts using the following projects to achieve the same result: delete any pod which spawns an interactive terminal shell.
https://falco.org/blog/falcosidekick-response-engine-part-1-kubeless/

Example Events

Falco rule output as a CloudEvent:
ce-specversion: 1.0
ce-type: falco.rule.output.v1
ce-source: falco.org
ce-id: f7628198-3822-4c98-ac3f-71770e272a16
ce-time: 2023-01-11T21:45:31Z
ce-rule: Terminal shell in container
Data:
output: 21:45:31. ...
rule: Terminal shell in container
output_fields:
- container.id: f29b261f8831
- container.image.repository: mysql
- k8s.ns.name: default
- k8s.pod.name: alpine
- proc.cmdline: bash -il
- proc.name: bash
- proc.pname: runc
- proc.tty: 34816
- user.loginuid: -1
- user.name: root

CDEvents deployment upgrade as a CloudEvent:
ce-specversion: 1.0
ce-type: dev.cdevents.service.upgraded.0.1-draft
ce-source: https://my-argo-instance.dev/
ce-subject: /namespaces/myns/deployments/foo
ce-time: 2023-01-18T22:14:17Z
ce-id: e699633e-de83-4427-a6dd-9e702ae008d9-8
Data:
context: ...
subject:
- id: deployments/foo
- environment:
  - id: namespaces/myns
  - source: ...
  - name: staging
  - url: ...
- artifactId: oci://...

If You Are A Vendor:
- Generate CloudEvents!
- Document how to consume them (webhook, Kafka topic, etc.)
- Document your event types and schemas

If You Are An End-User:
- Remediation data (react immediately): use event routing and serverless to automatically remediate!
- SIEM data (keep for a medium time to support post-hoc analysis): index and store in a queryable format (BigQuery/Snowflake).
- Critical data (keep for a long time as part of audit records): archive and store as log-type records (S3/cold storage).

Thank You!
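As an added example (not code from the talk, from Falco or from Falcosidekick), here is a small Python receiver that parses a CloudEvent delivered over HTTP in either binary mode (ce-* headers) or structured mode (application/cloudevents+json), refuses events missing the required context attributes, and sorts them into the three tiers the deck describes. The remediation branch returns the pod it would delete rather than calling the Kubernetes API; the tier names, the delete_pod action shape and the sample headers/body (modelled on the Falco event above) are constructed for this example.

```python
import json
REQUIRED = ("specversion", "type", "source", "id")  # CloudEvents 1.0 required attributes

def parse_cloudevent(headers, body):
    """Return (attributes, data): binary mode keeps attributes in ce-* headers,
    structured mode (application/cloudevents+json) carries them in the body
    alongside a 'data' member."""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("content-type", "").startswith("application/cloudevents+json"):
        attrs = json.loads(body)
        data = attrs.pop("data", None)
    else:
        attrs = {k[3:]: v for k, v in lower.items() if k.startswith("ce-")}
        data = json.loads(body) if body else None
    missing = [a for a in REQUIRED if not attrs.get(a)]
    if missing:  # refuse to act on an event whose provenance fields are absent
        raise ValueError(f"missing required CloudEvents attributes: {missing}")
    if attrs["specversion"] != "1.0":
        raise ValueError(f"unsupported specversion {attrs['specversion']!r}")
    return attrs, data

def route(attrs, data):
    """Map an event to a handling tier; returns (tier, action). Tier names and the
    delete_pod action shape are assumptions: only Falco's 'Terminal shell in
    container' rule yields immediate remediation, CD events become audit records."""
    data = data or {}
    if attrs["type"] == "falco.rule.output.v1":
        fields = data.get("output_fields", {})
        if data.get("rule") == "Terminal shell in container" and "k8s.pod.name" in fields:
            target = {"namespace": fields.get("k8s.ns.name", "default"), "name": fields["k8s.pod.name"]}
            return "remediate", {"delete_pod": target}
        return "siem", None
    if attrs["type"].startswith("dev.cdevents."):
        return "audit", None
    return "siem", None

def handle(headers, body):
    return route(*parse_cloudevent(headers, body))

# Constructed sample modelled on the deck's Falco event, delivered in binary mode.
FALCO_HEADERS = {"ce-specversion": "1.0", "ce-type": "falco.rule.output.v1",
                 "ce-source": "falco.org", "ce-id": "f7628198-3822-4c98-ac3f-71770e272a16",
                 "ce-time": "2023-01-11T21:45:31Z", "Content-Type": "application/json"}
FALCO_BODY = json.dumps({"rule": "Terminal shell in container", "output_fields": {
    "container.id": "f29b261f8831", "k8s.ns.name": "default", "k8s.pod.name": "alpine",
    "proc.cmdline": "bash -il", "user.name": "root"}})

if __name__ == "__main__":
    print(handle(FALCO_HEADERS, FALCO_BODY))  # ('remediate', {'delete_pod': {...}})
```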