Author: Nigel Douglas

The cybersecurity landscape is undergoing a significant shift, moving from security tools monitoring applications running within userspace to advanced, real-time approaches that monitor system activity directly and safely within the kernel by using eBPF. This evolution in kernel introspection is particularly evident in the adoption of projects like Falco, Tetragon, and Tracee in Linux environments. These tools are especially prevalent in systems running containerized workloads under Kubernetes, where they play a crucial role in the real-time monitoring of dynamic and ephemeral workloads.

The open-source project Falco exemplifies this trend. It employs various instrumentation techniques to scrutinize system workload, relaying security events from the kernel to user space. These instrumentations are referred to as ‘drivers’ within Falco, reflecting their operation in kernel space. The driver is pivotal as it furnishes the syscall event source, which is integral for monitoring activities closely tied to the syscall context. When deploying Falco, the kernel module is typically installed via the Falco-driver-loader script included in the binary package. This process seamlessly integrates Falco’s monitoring capabilities into the system, enabling real-time detection and response to security threats at the kernel level.

Setting up robust network security in Kubernetes is a challenge that demands both precision and adaptability. NetworkPolicy offers the potential for highly specific network configurations, enabling or blocking traffic based on a comprehensive set of criteria. However, the dynamic nature of network topologies and the complexities of managing policy implementations present ongoing challenges. The need for constant policy updates, especially in response to changing threat landscapes, introduces risks such as the potential for misconfiguration and the unintended dropping of packets.

The Challenge of IP-Based Network Policies

Building network policies around IP addresses is notoriously challenging. For instance, threat feeds, which list known malicious IP addresses, are constantly changing. An IP address associated with a malicious entity one week might be reassigned and deemed safe the next. This fluidity necessitates an agile approach to network policy management, integrating solutions like NetworkSets to dynamically update policies based on the latest intelligence. However, the sheer volume of threat intelligence feeds – from Tor IP lists to crypto mining blocklists – complicates this integration, making it a daunting task to maintain accurate network controls.

Identity Threat Detection and Response (ITDR) in the cloud is essential to limit access to sensitive data and maintain the integrity of cloud infrastructure. Leading cloud providers like AWS, Microsoft Azure, and Google Cloud have implemented robust Identity and Access Management (IAM) controls, as well as Multi-Factor Authentication (MFA) options, to ensure that users have the standardized access control limitations.

However, as the saying goes, "Trust, but verify." Even with these layers of security, there's a growing concern about what happens when a rogue employee or an external adversary manages to compromise an identity provider. Recent months have witnessed a surge in attacks targeting popular identity providers like Okta, underscoring the critical need for timely and effective detection capabilities. In fact, (Crowdstrike’s 2023 Threat Hunting) report had classified 62% of all interactive cyber intrusions as having involved some form of compromised identities.