mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-15 14:28:39 +00:00
Destroyed Competitive notes (markdown)
Henri DF
@@ -1,59 +0,0 @@
|
||||
# Commercial
|
||||
## Threatstack
|
||||
"Continuous security monitoring for your cloud."
|
||||
|
||||
Threatstack provides a host intrusion detection system that is currently focused on servers running in AWS. They deploy an agent that monitors:
|
||||
- process events (start, stop, network connections) via `auditd`
|
||||
- user events (commands run)
|
||||
- file/directory activity via `inotify` and `fanotify`
|
||||
|
||||
Their support docs explicitly state that they do not install a kernel module.
|
||||
|
||||
It is a rule-based system, with rules like:
|
||||
|
||||
- `(command = "scp" or command = "wget") and type = "start" and syscall = "execve"`
|
||||
- `type="connect" and connection.addr != null and connection.addr != "127.0.0.1"`
|
||||
|
||||
Rules are configured by the user, with a number of pointers [here](https://threatstack.zendesk.com/hc/en-us/articles/203022169-Defensive-Policy-Creation-Use-Cases-and-What-to-Look-For).
|
||||
|
||||
|
||||
Based on [this](https://threatstack.zendesk.com/hc/en-us/articles/205992556-Tabbed-Alert-View-A-New-Way-to-Manage-Alerts) it looks like their system can routinely generate _lots_ of alerts.
|
||||
|
||||
|
||||
Also, based on [this](https://threatstack.zendesk.com/hc/en-us/articles/200635804-How-do-I-Configure-File-Integrity-Monitoring-FIM-Rules-) their FIM feature does not consider which process is accessing/modifying a file.
|
||||
|
||||
|
||||
|
||||
## Twistlock
|
||||
|
||||
Hangout on air, Chenxi Wang (Twistlock, https://www.linkedin.com/in/chenxi-wang-5588874) and Kit Merker (Google PM for Kubernetes).
|
||||
|
||||
Pitch: containers were originally developed for resource isolation, not security isolation. We at Twistlock think that with the right tools, containers can actually make your system *more* secure.
|
||||
|
||||
Challenges today:
|
||||
- Lack of checking process for vulns when building container images.
|
||||
- Lack of visibility and control in runtime
|
||||
- Ops often left out of the look because they can't look inside them. Can't run agents inside them, can't run logging scripts in them.
|
||||
|
||||
Twistlock addresses security for the entire container lifecycle: vulnerability management (look at images statically, production containers, scan for vulns), role-based access control layer for docker and k8s, and "smart runtime defense"
|
||||
|
||||
This talk focused on the first piece (vuln management).
|
||||
### Vulnerability management and image scanning
|
||||
|
||||
It integrates with a registry: download images form registry, decompose image into its layers, scan each layer from base linux distro to app framework to custom code. Results presented in a dashboard and can be sent out via http.
|
||||
|
||||
We use real-time vuln feeds to drive our service.
|
||||
|
||||
### Runtime defense
|
||||
|
||||
Twistlock runs as a privileged container on each host. "Were able to observer execution of containers and detect anomalies, block certain things, kill anomalous containers". Didn't go into any more detail.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Open source
|
||||
## Snort
|
||||
## Suricata
|
||||
## OSSEC
|
||||
Reference in New Issue
Block a user