
Threat Hunting at Scale: Auditing Thousands of Clusters With Falco + Fluent

2022-05-20

Authors: Furkan Türkal, Emin Aktaş


Summary

The presentation discusses the threats and security pipeline in Kubernetes environments, with a focus on audit logs, runtime security, log processing, and monitoring. The use of open source projects such as Falco and Filebeat is highlighted.
  • Kubernetes audit records actions and provides an audit trail of users and workloads
  • Falco collects logs from the kernel and focuses on threat hunting
  • Filebeat is a general purpose log processor with metrics collection capabilities
  • The data pipeline involves input, parsing, filtering, buffering, and routing
  • Using Filebeat allows for easy modification of events and logs according to business requirements
The speaker explains that, just as our body monitors itself and alerts us to take action when we get sick, we should focus on our defenses to minimize the risk of threats in Kubernetes environments. By defining trust boundaries and creating fine-tuned rules and alert mechanisms, we can protect our environment from actors who may threaten it. Open source projects such as Falco and Filebeat can aid in threat hunting and monitoring.

Abstract

At Trendyol, we are running thousands of production-grade Kubernetes clusters to keep our customers happy. The challenge we have to meet is to track every component, resource, user, and team on a timeline. This is where we have to collect audit events from almost everywhere! Kubernetes audit logs can effectively track the changes made to our clusters. By using Falco, we consume the kernel events and enrich them with information from Kubernetes. Enabling the Kubernetes audit log feature allows us to scan the audit events that are forwarded from Kubernetes. By using Fluent Bit, we collect logs from different sources such as containers and Falco; furthermore, we extend them with filters and send them to multiple destinations. By using Loki, we build a highly available log aggregation system, and we create and manage all of our alerting rules on that log data. In this session, we combine the pieces and introduce a brand new Audit Monitoring System!
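The Falco to Fluent Bit to Loki pipeline the abstract describes, written out as an added Fluent Bit configuration example; it is not part of the original talk or Trendyol's own setup. The event file path, the cluster name, the Loki hostname and the label values are assumptions chosen for illustration.

```ini
# Added example (not from the talk): Fluent Bit classic config that tails
# Falco's JSON event file, keeps only the higher-priority events, tags each
# record with its cluster, and ships the stream to Loki.
# Paths, hostnames and label values are assumed placeholders.

[SERVICE]
    Flush         5
    Log_Level     info
    Parsers_File  parsers.conf

# Input: assumes Falco runs with json_output: true and file_output enabled,
# so every line of the file is one JSON event.
[INPUT]
    Name             tail
    Path             /var/log/falco/events.json
    Parser           json
    Tag              falco.events
    Mem_Buf_Limit    10MB
    Skip_Long_Lines  On

# Filter: keep Emergency..Warning, drop Notice, Informational and Debug.
# Falco's "priority" key is only addressable after the json parser above
# has decoded the line.
[FILTER]
    Name   grep
    Match  falco.*
    Regex  priority ^(Emergency|Alert|Critical|Error|Warning)$

# Filter: stamp every record with its source cluster so Loki alerting rules
# can group and compare across thousands of clusters (value is assumed).
[FILTER]
    Name   modify
    Match  falco.*
    Add    cluster prod-eu-01

# Output: one Loki stream per job/cluster/priority combination.
[OUTPUT]
    Name         loki
    Match        falco.*
    Host         loki.monitoring.svc.cluster.local
    Port         3100
    Labels       job=falco
    Label_Keys   $cluster,$priority
    Line_Format  json
```

The "multiple destinations" the abstract mentions come from adding a second [OUTPUT] section with the same Match pattern; Fluent Bit routes every record that passes the filters to each matching output, so Loki and, for example, a long-term archive receive the same filtered stream.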

Materials:


Related work

Conference: Defcon 31
Authors: STÖK Hacker / Creative - Truesec
2023-08-01


Conference: CloudOpen 2022
Authors: Weain Deng, Kranti Vikram Anugola
2022-06-21


Authors: Savitha Raghunathan, Ian Coldwater, Rey Lejano, Pushkar Joglekar
2021-10-13

Authors: Michelle Nguyen, Hannah Troisi, Clemens Kolbitsch, Vihang Mehta
2023-04-21