How the search for black cat in dark Kubernetes has changed

A little (in) water

Kubernetes (or K8s) is an extensible platform that is becoming the standard among orchestration systems when building Cloud Native applications. Now more and more companies are switching to Kubernetes. Since it is one of the most critical parts of the DevOps process, the question arises: “Where do you start building Kubernetes security?”

As with any system, difficulties with Kubernetes arise already at the stage of setting up secure configuration and maintenance: interfaces CRI, CNI, CSI, embedding points and changes, CRDs, custom operators and controllers, different API versions, etc. At the same time, not all development teams fully know how everything works within the infrastructure.

Kubernetes is unique in every organization and meets specific needs. Therefore, other people’s success stories telling about the use of this or that tool may be completely ineffective for your company.

Unsecured by default

There are many security mechanisms in Kubernetes: RBAC, NetworkPolicy, PodSecurityPolicy (seccomp, AppArmor, SeLinux), etc. But they are disabled by default. This is done so that the first experience of using the platform is successful, and the launch or transfer of applications is not complicated by anything. When migrating to a new environment, additional constraints create application problems that can impact company-wide processes.

Attackers quickly and effortlessly find configuration errors using port scanning within a few minutes after deployment. An attacker can successfully exploit server-side vulnerabilities. This is a direct path to the confidential data leak that any business is so afraid of.

The situation is aggravated by the fact that threats are constantly changing and evolving. An attacker is able to successfully carry out attacks and remain undetected for a long time thanks to special knowledge that is not possessed by those who protect their applications and infrastructure.

If an information security specialist is responsible for the security of the entire infrastructure, then an attacker should find just one flaw and pay attention to one specific area in order to compromise the entire system.

Thus, we live in a world where the attacker is always one step ahead. Our task is to change this order of things and get ahead of the attacker.

Black cat in dark Kubernetes

You must strive for security, which is achieved primarily through understanding yourself (your system), and not through understanding the threats. Threats change quickly, giving the attacker a significant advantage. This situation can be changed by understanding how everything works, and in the future, compare the current and desired state of security of the system. Before choosing preventive measures, you need to learn how to detect threats and thoroughly understand all your applications. Since Kubernetes is committed to self-learning, self-monitoring, and self-healing, modern systems must be provided with mechanisms to protect themselves.

Most information security tools look at solving a problem as looking for a black cat in a dark room, where a black cat is something bad, and the room is an environment in which to find “something bad”. Nowadays, all infrastructures are complex, multifaceted, and not everyone knows how their systems and applications work. Cloud native apps are no exception.

The task of the internal team is to turn on the lights in this room and see everything that happens in the infrastructure in order to identify all negative aspects without regard to the attacker’s capabilities or any other abnormal behavior.

Cloud Security Approaches

The first security solution for K8s must be chosen for ease of use and ease of integration with other solutions.

Let’s highlight the approaches that are worth considering when working with the Kubernetes infrastructure:

  • The Zero Trust approach is a security model in which there is no trust in anyone or anything; all users and devices must confirm their data every time they request access to any resource inside or outside the network;
  • Graph Model – A graph-based security and data presentation model that shows all possible sequences of actions or relationships between processes. According to information security specialists from Microsoft, now security thinks in lists, and the attacker thinks in graphs, and it’s time to use their own weapons against the attackers;
  • Runtime Security is a security technology that detects and blocks anomalies in applications in real time by adding security features to the runtime;
  • Search for anomalies that are associated not only with attacks, but also with problems of poorly written code or misconfiguration.

Recently, a successful example of a solution has appeared on the market that combines all the security models and approaches listed above. Luntry embodies the experience of security audits and penetration testing in traditional and cloud infrastructures. Luntry is an automated real-time anomaly detection tool built on top of eBPF, graph theory and machine learning for Kubernetes infrastructures. The platform uses commands to protect against unknowns related to both security and misbehaving applications.

Luntry will suit your company if you need a convenient and effective platform for the work of IT and information security departments, while not requiring unique skills from the specialists working with it.

Conclusions and parting words

Each Kubernetes infrastructure is unique, and therefore the attack surface and threat model are unique. This means that the approach to security issues in each case will have its own specifics. The K8s infrastructure is complex, but that claim shouldn’t be an excuse.

Remember that security is not a state, but a process. Tools and approaches should not “patch holes”, but build a process within the company. So, for example, using an incident search or analysis tool will be completely ineffective if the security team does not have time to sort them out.

Thus, in order not to break the system and not interfere with the functioning of applications by introducing a new security mechanism, understand how your infrastructure works. Then the familiarity and work with safety will be pleasant, not repulsive.

Similar Posts

Leave a Reply