Automated Cloud-Native Incident Response with Kubernetes and Service Mesh


Conference Link

Recording

Coming soon!

Abstract

Security incident response is a well-understood operation, with established frameworks like MITRE ATT&CK and the Lockheed Martin Kill Chain. Tooling to aid and automate incident response exists, but not all of it is applicable to cloud-native platforms. For example, playbook apps are generally applicable, but the steps to move compromised workloads to an isolated forensics network are platform-specific, and new implementations are needed for the cloud-native world.

In this talk, Matt will:

  • Recap incident response 101
  • Introduce some cloud-native tech including Kubernetes, Istio, and GitOps
  • Show an Operator built by Matt for dynamically adding complex layer-7 traffic rules in response to changes in the environment, which will be used as part of the demo
  • Walk you through a response to a Log4Shell attack against a workload in a k8s cluster: sensor alert, SIEM analysis, IRP automation (honeypots, isolation), building the IoC, and killing the attack.
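As an illustration of the "isolation" step above, here is a constructed example (added here; not the talk's demo code or the Operator it describes) of what quarantining a compromised workload looks like in Kubernetes with Istio: a NetworkPolicy cuts layer 3/4 connectivity and an Istio AuthorizationPolicy rejects layer-7 requests at the sidecar, while a forensics namespace keeps access for evidence collection. The `app` and `forensics` namespaces and the `quarantine: "true"` label are assumptions for the example.

```yaml
# Constructed example: quarantine a compromised pod by label.
# Assumes the responder has labelled the pod `quarantine: "true"` and that a
# `forensics` namespace holds the collection tooling that must still reach it.
---
# Layer 3/4: NetworkPolicy. Only enforced if the cluster CNI supports it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-compromised
  namespace: app
spec:
  podSelector:
    matchLabels:
      quarantine: "true"
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods in the forensics namespace may connect to the quarantined pod.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: forensics
  egress:
    # The pod may only talk back to the forensics namespace; attacker C2,
    # DNS resolution and lateral movement are cut off.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: forensics
---
# Layer 7: Istio AuthorizationPolicy. An ALLOW policy with a single rule means
# every request not matched by that rule is rejected by the sidecar, so the
# quarantined workload accepts only requests originating in `forensics`.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: quarantine-compromised
  namespace: app
spec:
  selector:
    matchLabels:
      quarantine: "true"
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["forensics"]
```

In an automated playbook the alert handler would label the pod and create these objects itself; applied by hand, `kubectl label pod <name> quarantine=true` followed by `kubectl apply -f` on this file has the same effect.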

Slides

Coming soon!

Demo Code

Coming soon!

Reviews

Coming soon!