I Want the Needle and the Haystack: YARA + Security Analytics for Incident Response

I want the needle, and the haystack to go along with it.

Imagine an attacker using the Dirty Pipe vulnerability (CVE-2022-0847) to perform a container escape. Dirty Pipe is a privilege escalation vulnerability in Linux kernels that exploits a flaw allowing attackers to write data to read-only files and gain root access. Here we have an attacker who can combine the escalation from Dirty Pipe with exploits in runtime services such as runc or Docker, gaining access to the node running your unprivileged container images. Once they have this root access to the node, attackers continue escalating privileges and abusing runtime service misconfigurations to access the image registry and enter the K8s control plane. At the control plane layer, it becomes easier for an attacker to focus on capturing user credentials, entering targeted systems or accounts in the cloud environment, or blending in on developer laptops to continue their movement across your environment. This lateral movement across different attack surfaces has attackers flowing between the control plane and the data plane of your environment to escalate privileges and seek out targeted access. Attackers take advantage of siloed data and security tools, exploiting misconfigurations to move laterally.

Thinking strategically about this scenario: too often teams partition their container runtime services into two separate layers of monitoring tools and data logging, the audit and enforcement layer of your Kubernetes orchestration on one side and the actual data layer of your pods and nodes on the other. To perform dynamic investigations and combat scenarios like this increasingly common container escape, we need visibility into a variety of host data, ranging from running containers, traditional endpoints, and cloud logs to the K8s control plane and more. When you isolate these monitoring tools, you silo the data and ultimately disrupt the threat hunting and investigation techniques that allow you to detect and respond.

The rapidly evolving threat landscape means we need solutions that provide these deep real-time detections, but also a depth of telemetry and a platform to easily investigate any aspect of a diverse cloud environment and container fleet. Whether looking in real time or historically, we need unified data from across the control plane and data plane that is normalized, ready to offer insights, and easily combed for deeper investigations using techniques such as YARA scanning.

Unifying cloud + container + endpoint telemetry

Security tooling has to unify this data in order to string together complex detection patterns, and it also has to provide an adequate base layer for fast-moving CSIRT teams to perform incident response and root-cause analysis. For the uninitiated, osquery is an open-source solution that gathers an unprecedented level of telemetry from your fleet. Using osquery, every process and socket event happening on your operating system is recorded and normalized into SQL tables, so you can query just about any action on your OS (hence the name, OS-query!). Uptycs builds on the open-source osquery to do just that, and has extended it to unify your cloud and Kubernetes security analytics using cloudquery and kubequery. With this platform approach to security, data is normalized at the point of collection and ready to analyze in real time, with no lag to correlate, join, or parse telemetry from across systems. This correlates data from your attack surfaces across the control plane and the data plane, covering cloud workloads, containerized environments, Kubernetes orchestration, and traditional endpoints, into a structured SQL format. This powerful solution makes it incredibly easy to investigate and manage your cloud workloads, VMs, micro-VMs, containers, and traditional endpoints.
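To make the point about process and socket events landing in joinable SQL tables concrete, here is an added example (not from the original post and not Uptycs code): osquery SQL that joins process_events to socket_events on pid and then scans those processes' executables with the yara table. The table and column names are osquery's own; the rule file path /opt/rules/suspect.yar, the one-hour window, and the assumption that osquery's audit-based event publisher is enabled on the node are mine.

```sql
-- Added example: correlate process and network telemetry on one node and
-- scan the resulting binaries with YARA. Assumes osquery's audit event
-- publisher is enabled so process_events and socket_events are populated.

-- 1. Correlate: processes started in the last hour that also made an
--    outbound connection, joined on pid. Both tables live in the same
--    normalized schema, so no separate parse-and-correlate step is needed.
SELECT
  p.time           AS started_at,
  p.pid,
  p.parent         AS parent_pid,
  p.uid,
  p.path,
  p.cmdline,
  s.remote_address,
  s.remote_port
FROM process_events AS p
JOIN socket_events  AS s USING (pid)
WHERE p.time > (strftime('%s', 'now') - 3600)   -- assumed one-hour window
  AND s.action = 'connect'
  AND s.remote_address NOT LIKE '127.%'        -- skip loopback noise
ORDER BY p.time DESC;

-- 2. Scan: run a YARA rule set against the on-disk executables of those
--    same processes. The sigfile path is a placeholder for your own rules.
SELECT DISTINCT
  p.pid,
  p.path,
  y.matches,
  y.count
FROM process_events AS p
JOIN yara AS y ON y.path = p.path
WHERE p.time > (strftime('%s', 'now') - 3600)
  AND y.sigfile = '/opt/rules/suspect.yar'       -- placeholder rule file
  AND y.count > 0;
```

Run the two queries in osqueryi on the node, or schedule them in a query pack so the joined results are logged continuously rather than only when an analyst is looking.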