2. Overview
• A Brief History and Overview of Containers
• Security Benefits of Containers
• Container Vulnerability Management
• Responding to Container Attacks
3. Survey – How familiar are you with containers?
• I open them every day – gotta eat to survive
• I read about them on TechCrunch
• I run them on my raspi at home
• We run our production workloads in containers
• I contribute code to open source container-related projects
11. Survey – what container platform do you use?
• Docker
• LXC
• LXD
• rkt
• Solaris/SmartOS based
• Unikernel/microkernel or similar
• Why didn’t you list my platform? Everyone uses it!
13. Why Orchestration?
• For “real” workloads:
• How to launch 500 containers across 20 hosts?
• Being aware of resources on each host
• Getting storage and networking to right container on the right host
• Distribution for speed, efficiency, cost, etc.
• As part of a CI/CD process
• How to do a rolling update of those 500 live containers to a new software version?
17. Survey – How Familiar Are You With Information Security?
• It’s common for me to get viruses and ransomware
• I’m paid to write code by a deadline
• I learned my lesson the first time and now try my best
• Due to unspecified agreements I cannot answer this question
18. Security Benefits of Containers and Microservices
• Smaller surface area*
• Shorter lifespan* – shorter period when open to attack
• More automated process – easier to recreate/redeploy*
*(in theory)
19. Security Benefits of Containers and Microservices
• Containerized apps lend themselves to "12 factor" design (12factor.net)
20. Security Disadvantages of Containers and Microservices
• Relatively new technology
• Lots of moving parts
• Shorter lifespan – this makes investigations more difficult
24. Image Security
• Where did an image come from?
• Is it an official image?
• Is it the right version?
• Has somebody modified it?
25. Image Security
• Docker Content Trust: export DOCKER_CONTENT_TRUST=1 (the client then refuses to pull or run images without a valid signature)
• CoreOS image signing and verification: PGP based
26. Host Security
• Follow standard hardening processes (Bastille, Center for Internet Security benchmarks, etc.), but be aware these only firewall the host, not its containers
• A host itself shouldn't be "exposed" – there should be no public attack surface. Administer via a known private network
• One nasty exposure – privileged containers.
29. Smaller Image, Fewer Vulnerabilities
• Avoid "FROM debian" and similar full-distribution base images
• Software can't be vulnerable if it's not installed.
An amazingly large percentage of public Docker images are based on Debian, Ubuntu, or CentOS.
30. Why? Least Privilege
• We want the smallest image possible, when we load it across 100 hosts
• The smaller the image, the less exposure for potential vulnerabilities
• If the parent image has a vulnerability, everybody based on that parent has to re-spin their image
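The image questions from slides 24 and 29 (where did it come from, is it the right version, has it been modified, is it bigger than it needs to be) can be turned into a static check on the Dockerfile before the image is ever built. The script below is an added example for this page, not code from the slides or from Docker: it flags a base image that is a full distribution, that uses a mutable tag (none or latest), that is not pinned by a sha256 digest, and a final stage that never switches to a non-root USER. The two Dockerfiles and the 64-hex-digit digest are constructed for the demo and are not real images.

```python
"""Static checks on a Dockerfile for the image-security questions above.

Added example, not code from the slides or from any project. The sample
Dockerfiles and the digest below are constructed for the demo.
"""
import re

# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.IGNORECASE)
USER_RE = re.compile(r"^\s*USER\s+(\S+)", re.IGNORECASE)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Full-distribution bases carry package managers, shells and libraries the
# application never calls; every CVE in them is still yours to patch.
FULL_DISTROS = {"debian", "ubuntu", "centos", "fedora", "rockylinux", "almalinux"}

# Constructed sample: unpinned full-distro base, runs as root.
BAD_DOCKERFILE = """\
FROM debian
RUN apt-get update && apt-get install -y nginx
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed sample: small base pinned by tag and digest, drops to a non-root
# user. The digest is a placeholder (64 hex digits), not a real image digest.
GOOD_DOCKERFILE = """\
FROM alpine:3.19@sha256:{digest}
RUN apk add --no-cache nginx && adduser -D -H web
USER web
CMD ["nginx", "-g", "daemon off;"]
""".format(digest="0123456789abcdef" * 4)


def parse_image_ref(ref):
    """Split 'registry/repo:tag@sha256:...' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    colon = ref.rfind(":")
    # A ':' only separates a tag if it comes after the last '/'; registry
    # ports such as localhost:5000/app put a ':' before the path.
    if colon > ref.rfind("/"):
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def check_dockerfile(text):
    """Return a list of (line_number, message); an empty list means no findings."""
    findings = []
    stages = set()
    runs_as_root = True
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            runs_as_root = True  # USER does not carry over into a new stage
            ref, alias = m.groups()
            if alias:
                stages.add(alias.lower())
            name, tag, digest = parse_image_ref(ref)
            # 'scratch' and references to earlier stages have no upstream to pin.
            if name == "scratch" or name.lower() in stages:
                continue
            short = name.rsplit("/", 1)[-1]
            if short in FULL_DISTROS:
                findings.append((lineno, f"full-distribution base image '{short}'"))
            if tag in (None, "latest"):
                findings.append((lineno, "mutable tag: cannot tell which version was pulled"))
            if digest is None:
                findings.append((lineno, "base not pinned by digest: upstream changes go unnoticed"))
            elif not DIGEST_RE.match(digest):
                findings.append((lineno, f"malformed digest '{digest}'"))
            continue
        m = USER_RE.match(line)
        if m:
            runs_as_root = m.group(1) in ("root", "0", "0:0")
    if runs_as_root:
        findings.append((0, "no non-root USER in final stage: processes run as uid 0"))
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, check_dockerfile(dockerfile) or "no findings")
```

A digest pin answers "has somebody modified it?" for the base layer only; it does not replace Content Trust, which also tells you who published the image. Pinning does mean the re-spin on slide 30 is deliberate: a new upstream digest has to be reviewed and committed rather than silently picked up on the next build.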
31. Container Vulnerability Scanners
• Open Source:
• OpenSCAP
• CoreOS Clair
• Anchore
• Commercial:
• Why go with commercial? Might be easier, packaged.
36. Why Isolate?
• Only as secure as your weakest link
• What happens if other departments are running in your private cloud?
• What happens if other customers are running in your bare metal CaaS?
38. Capabilities
Worst to best:
• Run with --privileged=true
• Run with --cap-add ALL
• Run with --cap-drop ALL --cap-add <only needed>
• Run as non-root user, unprivileged
Useful: capabilities section of
https://docs.docker.com/engine/reference/run/
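To see what each rung of that ladder actually grants, read the CapEff line from /proc/1/status inside the running container (grep CapEff /proc/1/status) and decode the bitmask. The decoder below is an added example for this page, not code from the slides or from Docker; bit positions follow linux/capability.h. The three status snippets are constructed: the first carries the default Docker capability set on x86_64, the second a --privileged container on a kernel that knows 38 capabilities, the third a root container started with --cap-drop ALL --cap-add NET_BIND_SERVICE.

```python
"""Decode CapEff from /proc/<pid>/status into capability names.

Added example, not from the slides or from Docker. Status snippets are
constructed; bit numbers follow linux/capability.h.
"""
import re

# Index in this list == bit number in the CapEff mask.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Effective set Docker grants a root container with no --cap-* flags (x86_64).
DOCKER_DEFAULT_CAPEFF = "00000000a80425fb"

# Constructed /proc/1/status excerpts for the three runtime configurations.
STATUS_DEFAULT = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
STATUS_PRIVILEGED = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
STATUS_MINIMAL = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000400\n"


def decode_caps(hexmask):
    """Return the capability names whose bit is set in the hex mask."""
    mask = int(hexmask, 16)
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits past the table belong to a kernel newer than this list.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def capeff_from_status(status_text):
    """Pull the CapEff hex value out of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1)


def beyond_docker_default(hexmask):
    """Capabilities present in the mask that Docker does not grant by default."""
    return sorted(set(decode_caps(hexmask)) - set(decode_caps(DOCKER_DEFAULT_CAPEFF)))


if __name__ == "__main__":
    for label, status in (("default", STATUS_DEFAULT),
                          ("privileged", STATUS_PRIVILEGED),
                          ("cap-drop ALL + NET_BIND_SERVICE", STATUS_MINIMAL)):
        mask = capeff_from_status(status)
        caps = decode_caps(mask)
        print(f"{label}: {len(caps)} caps, beyond default: {beyond_docker_default(mask)}")
```

Running the decoder against a real container is the check that the --cap-drop/--cap-add flags did what you intended; SYS_ADMIN, SYS_MODULE or SYS_PTRACE showing up in a production workload's output is the finding the slide calls "worst".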
39. Seccomp
We need to build a list of system calls called by the program that we want to succeed:
• Guess (preferably educated)
• RTFM (thanks John!)
• Capture behavior – maybe /usr/sbin/strace
• Disassembly?
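The "capture behavior" route above ends with a file of strace output that still has to become a seccomp profile Docker will accept. The script below is an added example for this page, not code from the slides or from Docker: it extracts every syscall name from an strace -f log (handling the <unfinished ...> / <... resumed> pairs and the exit/signal lines strace interleaves), unions in a small baseline the filter must never block (execve, exit, exit_group and rt_sigreturn; the baseline is an assumption, extend it from your own traces), and emits a Docker-format allowlist with SCMP_ACT_ERRNO as the default action. The trace lines are constructed to look like nginx starting a worker, not a real capture.

```python
"""Turn an strace log into a Docker seccomp allowlist profile.

Added example, not code from the slides or from Docker. SAMPLE_TRACE is
constructed in the shape of 'strace -f -o trace.txt <program>' output.
"""
import json
import re

SAMPLE_TRACE = r"""4242  execve("/usr/sbin/nginx", ["nginx", "-g", "daemon off;"], 0x7ffe3a1b2c40 /* 12 vars */) = 0
4242  brk(NULL)                         = 0x55d4c9a2e000
4242  openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3
4242  read(3, "user  nginx;\n", 4096)   = 13
4242  close(3)                          = 0
4242  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
4242  bind(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
4242  listen(5, 511)                    = 0
4242  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f1a) = 4243
4243  epoll_create1(0 <unfinished ...>
4242  wait4(-1,  <unfinished ...>
4243  <... epoll_create1 resumed>)      = 6
4243  +++ exited with 0 +++
4242  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4243} ---
4242  <... wait4 resumed>[{WIFEXITED(s)}], 0, NULL) = 4243
4242  exit_group(0)                     = ?
"""

# Optional pid prefix ("4242  " or "[pid 4242] "), then either "name(" for a
# normal line or "<... name resumed>" for the second half of a split call.
# Lines starting with "+++" or "---" (exit, signal) fail the [a-z_] class.
SYSCALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s*|\d+\s+)?(?:<\.\.\.\s+)?([a-z_][a-z0-9_]*)(?:\(| resumed>)")

# Assumed minimum every profile needs: runc execs the workload after the
# filter is installed, and a process must be able to exit and return from
# signal handlers. Grow this from your own traces, never shrink it blindly.
ALWAYS_ALLOW = {"execve", "exit", "exit_group", "rt_sigreturn"}


def syscalls_from_trace(text):
    """Return the set of syscall names seen in an strace log."""
    seen = set()
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            seen.add(m.group(1))
    return seen


def build_profile(syscalls, arch="SCMP_ARCH_X86_64"):
    """Docker seccomp profile: deny by default, allow exactly the listed calls."""
    names = sorted(set(syscalls) | ALWAYS_ALLOW)
    return {
        # ERRNO makes an unexpected syscall fail with EPERM so the program logs
        # an error you can trace; SCMP_ACT_KILL would just end the process.
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": names, "action": "SCMP_ACT_ALLOW", "args": []}],
    }


def profile_json(trace_text):
    """JSON text ready for: docker run --security-opt seccomp=<file>.json ..."""
    return json.dumps(build_profile(syscalls_from_trace(trace_text)), indent=2)


if __name__ == "__main__":
    print(profile_json(SAMPLE_TRACE))
```

The traced list is a lower bound, not the truth: a code path you did not exercise (log rotation, a reload signal, an error handler) will hit the default action in production, so run the workload under the profile in staging and watch for EPERM failures before tightening further. Note also that strace needs ptrace, which a hardened container normally does not have; capture the trace on a development host or in a container started with the capability to ptrace, then ship only the profile.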
40. Plan For Container Attacks
• Before going to production, think about how you'd investigate an attack
• Containers are mostly ephemeral
• Collect logs at a central location (ELK, Loggly, etc.)
• Practice identifying and snapshotting problem containers
• Don’t forget about data backup/recovery
41. Layered Insight Ozone
Comprehensive container-native security
Deep visibility and fine-grained control
Automatic behavioral templates
Machine learning based anomaly detection
42. Layered Insight Ozone
Inside-Out Approach
Workload Portability
No Special Privileges (Userspace)
Zero Impact to Devs / DevOps
Fully Automatic
(Diagram: LI instrumented containers layered over infrastructure, host OS and Docker)
43. Thanks – Let’s continue the conversation!
@johnlkinsella
https://www.layeredinsight.com
Slides posted at http://www.slideshare.net/jlkinsel