Kubernetes Threat Intelligence: Detecting Domain Generation Algorithms

As Kubernetes matures, gone are the days when we can fully compromise a cluster by just taking over a pod and sending commands to the Kubernetes API service. RBAC and other Kubernetes security features force attackers to pivot at least once to find the right vulnerable pod/service account with the right privileges to take over a cluster. The attack surface grows as the cluster gets bigger and more third-party applications are deployed. By understanding the attacker’s workflow and gaining visibility into the relevant connections, we are able to identify our cluster’s weak points and limit the attacker’s reach.

In this webinar, we will:
* Examine some common techniques that an attacker can use to gain intel about your cluster’s setup once they are inside
* Show a demo of an attacker gaining root access by impersonating a sample third-party application after exploiting a vulnerable API call
* Visualize the attack using Calico Enterprise and review mitigation strategies

Learn from an expert. At Tigera, we work with hundreds of Calico and Calico Enterprise customers every year and have learned a very important lesson in the process: Designing networks and troubleshooting a broken network are difficult problems.

As a Kubernetes architect, what you get from the network team is real estate (racks/compute infrastructure) and an underlay network (nodes that can talk to each other). You have to plan, architect, get the buy-in and implement the network for the actual applications (pods) running in the cluster. You can’t design something completely new if you are constrained by ToRs (top of rack switches), core network fabric, or compliance/security requirements.

This session will begin with a high-level overview of pod networking scenarios and packet path. Then we will do a deep-dive into IP address management and BGP routing design, with an example of each. As part of BGP routing, we’ll walk through various network design options. Finally we conclude with a recommended template for on-prem network design

Malicious actors often use Domain Generation Algorithms (DGA) to exploit the DNS protocol and execute command-and-control (C & C) malware attacks. DGAs are very difficult to detect due to their dynamic and unpredictable nature. Traditional approaches to data security cannot contain DGA threats, with the problem exacerbated by the migration to Kubernetes and the cloud.

Join us for this webinar where we share the latest insights into DGAs, the risks they present, along with best practices to speed detection and reduce risk.
In this session, you will learn:

- How the DNS / DGA / APT kill chain makes DGAs so hard to detect
Why effective monitoring and visibility into Kubernetes and the cloud is essential
- How you can detect a compromised workload with Calico Enterprise’s DGA machine learning capability

Companies are leveraging the power of Kubernetes to accelerate the delivery of resilient and scalable applications to meet the pace of business. These applications are highly dynamic, making it operationally challenging to securely connect to databases or other resources protected behind firewalls.

Tigera and Fortinet have joined forces to solve this operational challenge. With the combination of FortiGate firewalls and Calico Enterprise, you gain full visibility into the container environment and can define fine-grained policies to determine which Kubernetes workloads are allowed to talk to the enterprise’s crown jewels running outside the Kubernetes cluster.

In this webinar, you will learn how Calico Enterprise and FortiGate enable you to:
+ Implement network security control requirements in Kubernetes
+ Dynamically populate Kubernetes objects in FortiGate firewalls to enforce security policies
+ Gain deep visibility into network traffic within your Kubernetes clusters.

After this webinar, you’ll also understand why Calico has been chosen as the preferred network security solution by the leading managed Kubernetes services – Amazon EKS, Azure AKS, Google GKE, IBM IKS, and more – as well as powering several of the world’s largest Kubernetes clusters.

No matter where you are in your Kubernetes journey, eventually you’ll have to connect your k8s cluster to external resources like databases, cloud services, and third-party APIs. A majority of existing workloads are non-Kubernetes, and at some point, your Kubernetes applications will need to communicate with them.

Before you can do that, Security teams, as well as database and application owners, will require you to limit access to specific individuals or groups — and nearly every application has dependencies external to Kubernetes that require some level of access control. However, Kubernetes does not natively enable fine-grained egress access controls..

In this webinar, you will learn how to:

+ Securely migrate k8s workloads/applications into production and control access to external resources
+ Limit k8s egress to external end-points on a granular, per-pod basis
+ Simplify this process using Calico Enterprise

The webinar is ideal for Platform Engineers, Cloud Engineers, and anyone else that is responsible for deploying and maintaining a Kubernetes Platform.

As the founders of Project Calico, we work with hundreds of teams every year to help them avoid obstacles and gain the most value from Calico.

We observe a common "Kubernetes Journey" that most infrastructure and platform teams progress through as they deploy Kubernetes to their organizations, and will share that journey in this webinar.

Sometimes we are pulled into projects on fire. Without guidance, many projects run into problems of scale, enterprise integration, and cross-functional alignment that can slow everything to a grinding halt. We've seen all these problems and can help.

That is why we created Calico Essentials - our solution to have you aligned with industry experts throughout your Kubernetes journey.

In this webinar, you'll learn the four ways Calico Essentials can help accelerate your Kubernetes project.

- Training and education for new team members and other stakeholders
- Best practices workshops on network and network security design
- Help you operationalize Calico to work with the rest of your tools, infrastructure, and processes
- Troubleshooting strategies, tips, and tricks

Organizations are rapidly moving more and more mission-critical applications to Kubernetes and the cloud to reduce costs, achieve faster deployment times, and improve operational efficiencies. But security teams are struggling to achieve a strong security posture with Kubernetes and cloud-based resources because of the inability to apply conventional security practices in the cloud environment.

Join Threat Intelligence Research Engineer, Manoj Ahuje, for this webinar where he will cover five different attack scenarios on cloud-based Kubernetes infrastructure, and how to catch these malicious activities at each stage with Calico Enterprise and Global Alerts, a new feature just released.

Don’t miss this technical webinar, register to attend now.

The potential attack on Shopify’s Kubernetes-based infrastructure grabbed headlines last year. This highlights the fact that Kubernetes managed applications require a different approach to network security. The differences between the major cloud providers and the complexity of mixed/hybrid-cloud networks only further complicate the issue and make attack surfaces larger and open to a wider range of attack vectors.

It’s no wonder engineers across various disciplines are hungry to understand how attacks can happen and what they can do to implement security measures to stop them.

Join Garwood Pang, Vulnerability Researcher at Tigera, for this webinar where you will:

- Follow step-by-step as he launches an attack similar to the Shopify vulnerability but adding to it with previously known breaches, bug reports, and blog posts

- See how the same attack can be detected and stopped before the network is compromised

- Learn how a zero-trust security model and a network security solution explicitly made for Kubernetes Infrastructure can limit virtually all attacks, regardless of vector

This webinar is ideal for security engineers, platform engineers, DevOps engineers, network engineers, and any other technical role involved in ensuring the security of a Kubernetes orchestrated infrastructure.

Containers and Kubernetes adoption are gaining incredible momentum in enterprise organizations. Gartner estimates that 75% of organizations will be running containerized applications by 2022.

However, there are many challenges to moving containerized applications to internet-facing environments while maintaining security:

- Firewalls are necessary but cannot protect Kubernetes pods that keep changing IP addresses
- Security processes are designed for and rely on a zone-based architecture, but Kubernetes doesn’t fit in that architecture
- Kubernetes Network Policies are a new concept for network and security teams to learn, but they are stretched too thin and have no time to invest in learning them

These problems would go away if the security team’s existing tools and processes worked for Kubernetes.

Attend this webinar and learn how Tigera is the first and only Kubernetes security solution to integrate with the security team’s firewall manager to implement their security controls in Kubernetes. The presentation will include a live demo using Tigera Secure and the Palo Alto Networks Panorama firewall manager.

Kubernetes is a robust, stable, and reliable environment to run modern applications. But, like all software, issues can arise that require troubleshooting. When problems occur with the containerized microservices, Kubernetes can reschedule workloads or replace entire nodes with ease, but when connectivity issues arise, you need an understanding of how Kubernetes networking works and the right tools to help identify and solve the issue.

Join Karthik Prabhakar, Sr. Director, Solutions Engineering with Tigera, for a live webinar on Thursday, September 12 at 10AM PT, 1PM ET where you will learn how to identify, understand, and solve the most common Kubernetes connectivity issues.

Free and Open Source, Tigera Calico delivers secure networking for the cloud-native era, and 2019 has seen many major enhancements to the most deployed networking and network security solution for Kubernetes.

From version 3.3 released in November of 2018 all the way through to 3.8 released earlier this July, Calico has advanced significantly with features that our community has requested and needed, such as:

+ IP address management (IPAM) features that make it more configurable and with support to assign a given IP pool to one or more Kubernetes namespaces
+ Features that give more control and allow much finer-grained dynamic IP management vs the static allocation of a fixed set of addresses to each node in native Kubernetes
+ Native support for VXLAN encapsulation
+ Optimized denial-of-service protection for host endpoints using XDP
+ Namespaced NetworkSets
+ And more...

Join us for a technical webinar to learn more about these new features, with real-world examples of how, and why, you’d want to use them to improve the network security of your Kubernetes environment.

Since practically the beginning of data networks, Network and Security professionals have gravitated towards, and grown to love, Zone-Based network architectures.

However, with the evolving landscape driven by microservices, containers, and Kubernetes, Zone-Based designs are being challenged to keep networks secure without creating an unreasonable amount of continuous configuration changes to firewalls.

With this challenge, comes the opportunity to rethink how network security can be delivered more effectively and efficiently. The Cloud and Kubernetes offer a ton of flexibility but how do we achieve security, visibility, and compliance in these new areas.

This technical webinar will dive into how Tigera can help us answer these challenges and more in the cloud landscape.

Of course, Tigera's ability to provide Kubernetes pod networking and facilitate service discovery is extremely valuable, but its real superpower is that both Tigera's commercial offerings and open-source Tigera Calico can implement network security policies inside a Kubernetes cluster.

Most external network security operates at the perimeter or at the physical network layer of Kubernetes. Because Tigera runs inside Kubernetes, it can provide policy and security based on Kubernetes structures like namespaces and deployments.

In this webinar, Senior Technical Solutions Engineer with Tigera, Drew Oetzel, will show you examples of implementing these types of policies for several common security and compliance use cases.

He'll also show you why implementing these types of security policies is so important to keeping your ever-expanding Kubernetes workloads secure.

Compliance standards such as PCI DSS have assumed that traditional characteristics and behaviors of the development and delivery model would continue to be constant going forward. With the Container/Kubernetes revolution, that set of assumptions is no longer entirely correct. Attend this webinar and learn about what's changed, how those changes weaken your compliance and control environment, and what you can do to adjust to the new reality.

Security teams use firewalls to secure their production environments, often using a zone-based architecture, and Kubernetes does not deploy well to that architecture. Application teams are launching new business-critical applications on Kubernetes and are aggressively moving to production. A clash is bound to happen.

In this webinar, we will describe an approach to extend firewalls to Kubernetes that will accelerate deployment to production, save time & money, and preserve existing security processes and investments.

Calico was just recently embedded into Google GKE-On prem and we will demonstrate how to implement security controls on GKE. Don’t miss this webinar as we will be sharing some common network security challenges in the Kubrnetes environment. In addition, we will explore enterprise-grade Calico features provided in Tigera Secure which enables enterprises to add network security support in hybrid cloud environments with:

+ Network Flow Logs that record accepted and denied traffic, which policies denied the traffic, and workload context such as Kubernetes namespaces, labels, and metadata. Tigera Secure also provides dynamic graphical visualization of network flows.

+ Tiered policy controls with role-based access controls, to enable multiple teams to independently manage their respective security policies within the governance of the security team.

+ Anomaly Detection capabilities that provide insight into unusual behaviors and sophisticated attacks that compromise the security and performance of Kubernetes environments.

Istio’s traffic management decouples traffic flow and infrastructure scaling allowing you to specify what rules to govern traffic rather than which specific pods should receive traffic.

In this webinar we'll discuss the following traffic management topics:
· Discovery Load Balancing
· Failure Handling
· Fault Injection

Learn how Anomaly Detection supports, what Gartner has termed, a continuous adaptive risk and trust assessment (CARTA) when building a CaaS platform using Kubernetes. Anomaly Detection expands the zero trust network security model and continuously assess the application and network risk that enables adaptive policy adjustments. Anomaly Detection identifies outliers in Kubernetes clusters by building profiles of typical workloads and components to know when they start to deviate from the norm. It also manages network risk by continuously monitoring for activities such as reconnaissance scan, service connections anomaly, service bytes anomaly, and pod outlier activity detection.

Learn how to support a continuous adaptive risk and trust assessment (CARTA) approach leveraging accurate Kubernetes flow logs. 5-tuple logging is commonly used to monitor and detect anomalies and produces unreliable data that cannot accurately identify anomalies nor prove enforcement of security policies. Network flow logs include workload identity and other metadata that help continuously monitor activities within Kubernetes clusters.