Container activity monitoring using SysFlow on OpenShift
As organizations adopt container deployments in the cloud, they are exposed to new attack surfaces that lack visibility. The recent Kinsing malware attacks and cryptomining malware have targeted container-based systems. These malware establish a foothold by exploiting a known vulnerability, modifying container system files, and communicating with C&C servers.
Container monitoring has its own challenges – for example, ephemeral containers make data collection for forensics and investigation impossible, and container logs and events do not reflect host-level activities. Investigation and proactive threat hunting are key capabilities required for effective threat management.
The first step in this process is collecting telemetry from applications, hosts, and networks, and keeping the essential elements needed for security alerts and investigations. A policy can accompany this collection to regulate and filter it, so that only what needs to be collected is kept.
The SysFlow telemetry pipeline is an open-source monitoring and analytics framework for securing containers and Linux-based systems.
SysFlow telemetry
SysFlow is a new data representation and specification for scalable system telemetry and analytics for container integrity monitoring. SysFlow captures system behavior and makes it flow-like by lifting raw system event information into an abstraction that describes process behaviors and their relationships with containers, files, and the network. SysFlow systematically compresses the system events while preserving the relative runtime behaviors that are needed for analytics. The telemetry format drastically reduces endpoint event collection rates and naturally links these entities together to provide context for analytics, provenance, and broad visibility into container workloads.
The ubiquitous NetFlow captures metadata from network packets and gives you only one part of the telemetry. It carries no host, endpoint, process, or file-level information. SysFlow builds all of the system telemetry from container activity, and provides a scalable, container-native platform for analytics on cloud and enterprise environments.
SysFlow deployment and architecture
SysFlow has two main components – the collector and the processor. The collector hooks into the Sysdig probe to collect the system call activity of containers on the host and summarizes that activity in the SysFlow format. The processor applies the rules to the container activity, raising alerts on any suspicious activity. The processor outputs the SysFlow stream to a configured sink, such as QRadar, which consumes events in syslog format.
SysFlow is very lightweight to collect and process, acting like NetFlow for systems, with significant data reduction compared with Sysdig. The semantic lifting also simplifies cross-event analytics.
SysFlow rules
The policy engine adopts and extends the Falco rules definition syntax. These rules control the agent behavior. An example is given below.
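As an added illustration (not the page's or SysFlow's own code), the Python snippet below shows how a Falco-style rule condition is evaluated against telemetry records: a small parser for a subset of the condition syntax (`=`, `!=`, `contains`, `in`, `not`, `and`, `or`, parentheses) is run over constructed SysFlow-like records. The rule field layout and the `sf.*` attribute names are assumptions for the demo, not taken from the page.

```python
import re
# Constructed demo of a Falco-style condition evaluator (not SysFlow's own engine).
# Grammar subset: attr = v | attr != v | attr contains v | attr in (v, v) | not | and | or | ( )
TOKEN = re.compile(r"\(|\)|,|[^\s(),]+")
class Cond:
    """Recursive-descent parser turning a condition string into a predicate over a record dict."""
    def __init__(self, text): self.t, self.i = TOKEN.findall(text), 0
    def peek(self): return self.t[self.i] if self.i < len(self.t) else None
    def take(self): self.i += 1; return self.t[self.i - 1]
    def expr(self):  # 'or' has the lowest precedence
        left = self.term()
        while self.peek() == "or":
            self.take(); left = (lambda l, r: lambda rec: l(rec) or r(rec))(left, self.term())
        return left
    def term(self):  # 'and' binds tighter than 'or'
        left = self.factor()
        while self.peek() == "and":
            self.take(); left = (lambda l, r: lambda rec: l(rec) and r(rec))(left, self.factor())
        return left
    def factor(self):  # not <factor> | ( <expr> ) | attr <op> value(s)
        tok = self.take()
        if tok == "not":
            inner = self.factor(); return lambda rec: not inner(rec)
        if tok == "(":
            inner = self.expr(); assert self.take() == ")", "unbalanced parenthesis"; return inner
        attr, op = tok, self.take()
        if op == "in":  # attr in (v1, v2, ...): collect tokens up to the closing parenthesis
            assert self.take() == "("
            vals = {v for v in iter(self.take, ")") if v != ","}
            return lambda rec: str(rec.get(attr, "")) in vals
        val = self.take()
        test = {"=": lambda a: a == val, "!=": lambda a: a != val, "contains": lambda a: val in a}[op]
        return lambda rec: test(str(rec.get(attr, "")))
# Rule in the Falco-like field layout SysFlow policies use; the sf.* attribute names are assumed.
RULE = {
    "rule": "Interactive shell in container", "priority": "high", "action": ["alert"],
    "condition": "sf.container.id != host and sf.proc.exe in (/bin/sh, /bin/bash) "
                 "and not sf.pproc.exe contains entrypoint",
    "tags": ["container", "shell"],
}
# Constructed SysFlow-like records (flattened attribute maps), not real telemetry.
RECORDS = [
    {"sf.container.id": "host", "sf.proc.exe": "/bin/bash", "sf.pproc.exe": "/usr/sbin/sshd"},
    {"sf.container.id": "4f3a2b1c", "sf.proc.exe": "/bin/sh", "sf.pproc.exe": "/docker-entrypoint.sh"},
    {"sf.container.id": "4f3a2b1c", "sf.proc.exe": "/bin/bash", "sf.pproc.exe": "/usr/bin/runc"},
]
def evaluate(rule, records):
    """Return one alert dict per record the rule condition matches."""
    match = Cond(rule["condition"]).expr()
    return [dict(rule=rule["rule"], priority=rule["priority"], record=r) for r in records if match(r)]
```

Only the third record raises an alert: the first is host activity, and the second is a shell launched by the image's entrypoint script, which the `not ... contains` clause excludes.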
Getting started
Quick start: https://SysFlow.readthedocs.io/en/latest/quick.html#starting-the-collection-probe
Deploying SysFlow on OpenShift: https://github.com/SysFlow-telemetry/sf-deployments/tree/master/operator
Github: github.com/SysFlow-telemetry
Documentation: SysFlow.readthedocs.io
Docker Hub: hub.docker.com/u/SysFlowtelemetry