| 1 | +# Detect Decide Defend |
| 2 | + |
| 3 | +The issue with Kubernetes security is that it's layered. You have a WAF that flags SQL injections, |
| 4 | +an eBPF probe that detects an unexpected process, Kuberentes audit logs show an SA token was used |
| 5 | +and AWS CloudTrail is also in the loop. |
| 6 | + |
| 7 | +All these signals on their own could be just noise, but if you connect the dots, you can see the attack. |
| 8 | + |
| 9 | +## What is "Normal" |
| 10 | + |
| 11 | +Every workload has a predictable behaviour. This is not ML magic, but just declarative behavioural detection. |
| 12 | +A simple deviation from the normal is not an incident, it's just not normal. |
| 13 | + |
| 14 | +## Cloud Application Detect & Response |
| 15 | + |
| 16 | +CADR is a cross-layer correlation between existing open signals. Don't invent new signals, connect the |
| 17 | +ones you already have. Insteaf of having 4 events where you don't really know what happened, you have |
| 18 | +one event that explains an attack. |
| 19 | + |
| 20 | +### ApplicationProfile |
| 21 | + |
| 22 | +The `ApplicationProfile` is the behavioural contract, it captures the baseline behaviour of the application, |
| 23 | +which processes it uses, which network calls it performs, which files it touches. |
| 24 | + |
| 25 | +### RemOps |
| 26 | + |
| 27 | +Declarative Remediation has been on the horizon for years, but SREs have been scared of false positives. RemOps |
| 28 | +uses Kubernetes native constructs like automatic rollbacks of a Deployment, a rollback of a NetworkPolicy, restrict |
| 29 | +a Pod using a SeccompProfile. |
| 30 | + |
| 31 | +First isolate the Pod, then rotate credentials, then rollback the application to the last known good state. |
| 32 | + |
| 33 | +## Links |
| 34 | + |
| 35 | +- <https://kubescape.io/> |
| 36 | +- <https://kubernetes.io/docs/tutorials/security/seccomp/> |
| 37 | +- <https://inspektor-gadget.io/> |
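Review bot: the RemOps section's list of remediation primitives is not parallel ("automatic rollbacks of a Deployment, a rollback of a NetworkPolicy, restrict a Pod using a SeccompProfile"); rewrite it as three matching phrases, e.g. `rolling back a Deployment, reverting a NetworkPolicy, or restricting a Pod with a SeccompProfile`. The closing sentence "First isolate the Pod, then rotate credentials, then rollback the application" prescribes an automated sequence right after the paragraph concedes SREs fear false positives, and the "What is Normal" section itself says a deviation is not an incident; the text should state what gates that sequence (a correlated CADR event rather than a single signal, or an approval step) so the two sections do not contradict each other. Spelling: `Kuberentes` in the opening paragraph, `Insteaf` in the CADR section, and `rollback` as a verb should be `roll back`.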