Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and Evans Ye
Transcript of Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and Evans Ye
Using the SDACK Architecture on Security Event Inspection
Darren Chen, Sr. Software Engineer @ Trend Micro
Evans Ye, Sr. Software Engineer @ Trend Micro
2016 DockerCon | Copyright© 2016 Trend Micro Inc.
About Darren
• Darren Chen (Yu-Lun Chen)
• Sr. Software Engineer @ Trend Micro
• Enthusiast in big data and cloud computing technologies
• Docker experience – 1.5 years
About Evans
• Evans Ye (Yu-Hsin Yeh)
• Sr. Software Engineer @ Trend Micro
• Apache Bigtop PMC member
• Develop big data apps & infra
• Docker experience – 2.5 years
How to make a software product?
How to make a Dockerized software product?
Agenda
• Before: Motivation, What is SDACK
• During: Why Dockerize, Security, Monitor
• After: Lessons Learned, Conclusions, Q&A
Motivation
Target Scenario
Problems
• Too many logs to investigate
• Lack of actionable, prioritized recommendations
[Diagram: log sources – AD, Windows Event, DNS, Proxy, Web server, … – feeding the Threat Analytic System]
But we faced two problems…
How to deal with customers’ private data?
Cloud vs. On Premises
How to deal with big-volume logs? 2,000,000,000 per day
We need to build an On-Premises product which can deal with Big Data
How to deal with Big Data?
SDACK Architecture
Toolbox for building a wide variety of big data products
What is SDACK
Source: http://www.slideshare.net/akirillov/data-processing-platforms-architectures-with-spark-mesos-akka-cassandra-and-kafka
• S – Spark: fast and general engine for large-scale data processing
• D – Docker: deployment and resource management
• A – Akka: toolkit and runtime for building highly concurrent, distributed, and resilient message-driven applications
• C – Cassandra: distributed, highly available database designed to handle large amounts of data across datacenters
• K – Kafka: high-throughput, low-latency distributed pub-sub messaging system for real-time data feeds
[Diagram: SDACK roles – Data Pipeline, Data Preprocessing, Data Analysis, Data Storage, Package]
Threat Analytic System Architecture
[Diagram: Logs flow into the Threat Analytic System, which serves its results through the API Server and Web Server]
• Medium-sized Enterprises
• Large Enterprises
• Fortune 500
With Docker
• Easy to scale
• Test once, run anywhere
• Widely supported by many platforms
Why Dockerize
Dockerize – Benefit
Deploy · Develop · Test · Scale
Dockerize – Benefit 1: Deploy
Challenge
• Setup
• Operate
• Update
Dockerize Software Technologies
Docker Compose for Operation
Docker Compose file from the slide (API Server and Web Server run alongside the data components):

  kafka:
    build: .
    ports:
      - "9092:9092"
  spark:
    image: spark
    ports:
      - "8080:8080"
  ……
Docker Hub for Updating
[Diagram: Docker Hub distributes updated images to the API Server and Web Server]
Dockerize – Benefit 2: Develop
Benefit for Development
• Docker provides two benefits in our Spark job development:
  – Reproducibility
  – Flexibility
Reproducibility in Spark Streaming Job Development
Spark Streaming Job Development
• Dev Cluster: the job consumes live Data Streams
• Local: Data Streams are replayed from a Snapshot Data Set (Date: Jan. 04 ~ Jan. 08), so the same input can be run repeatedly with different settings:
  1. Freq.: 1 min, Batch size: 1000
  2. Freq.: 0.5 min, Batch size: 5000
  3. Freq.: 1 min, Batch size: 50000
Quick Development Iteration: Local, Data Streams from the Snapshot Data Set
Local iteration loop: Deploy Job → Test → Destroy → Modify Job → Deploy again
Flexibility in Hybrid Architecture
Data Research in Dev Cluster
[Diagram: data scientists submit Spark Jobs to the shared Dev Cluster (API, Web) and get a Result; when other members submit Spark Jobs to the same cluster, the data scientists get a Wrong Result]
Hybrid Architecture
[Diagram: a Local Docker environment (API, Web) submits the Spark Job to the Dev Cluster and receives the Result]
What’s More
[Diagram: Web Service Development – the API and Web containers run Locally against the Dev Cluster]
Dockerize – Benefit 3: Test
• Test case 1: sub-test 1a, sub-test 1b
• Test case 2: sub-test 2a, sub-test 2b
• …
• Test case n: sub-test na, sub-test nb
[Diagram: each test case runs against its own fresh API Server + Web Server containers]
Clean & Consistent Environment
Dockerize – Benefit 4: Scale
Distributed Software Components
Akka
• High performance concurrency framework
• Clustering mechanism available
• Leveraging Akka, we built up our Akka cluster system
Our Akka Cluster System
[Diagram: Client → Master → LDAP Service → LDAP Server]
1. Client: Query account information
2. Master: Send the job
3. LDAP Service: Query LDAP Server
4. Return the result
Our Akka Cluster System
[Diagram: the Master dispatches Jobs to the micro-services – LDAP, HostName, DB, DataProcess, Endpoint]
Dockerize for Each Micro-service
[Diagram: one container per micro-service – LDAP, DB, DataProcess, Endpoint, HostName, Master]
Dockerize for Scale Out
[Diagram: DataProcess scaled out to three containers alongside HostName, DB, LDAP, Endpoint]
Security
Docker Vulnerabilities since 1st release
The only high severity vulnerability was fixed within 2 days.
Misconfiguration
Open Docker Registry – open it without ACL?
[Chart: Open Docker Registry w/o Access Control – number of open registries per country (AU BE CA CN DE FI FR GB HK HR IE IR IT JP KR NL PL RU SE SG TW US ZA), y-axis 0–90]
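As an added example, not from the slides, here is a Docker Registry v2 (the `registry:2` image) config.yml that closes the misconfiguration counted in the chart above: an open registry is this file without the `auth` block, so anyone who can reach the port can list, pull and push images; the corrected file adds TLS plus htpasswd authentication. The file paths and the realm name are assumptions.

```yaml
# Added example, not from the talk. Docker Registry v2 config.yml.
# An "open" registry is simply this file without the `auth` block (and
# usually without `tls`): every /v2/ request is then served unauthenticated.
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry      # assumed path
  delete:
    enabled: false                        # no image deletion through the API
http:
  addr: :5000
  # TLS first: basic credentials sent over plain HTTP are readable on the wire.
  tls:
    certificate: /certs/registry.crt      # assumed path
    key: /certs/registry.key              # assumed path
  headers:
    X-Content-Type-Options: [nosniff]
auth:
  htpasswd:
    realm: registry-realm                 # assumed realm name
    # bcrypt entries only, e.g. created with: htpasswd -Bbn user password
    path: /auth/htpasswd                  # assumed path
```

After starting the registry, an unauthenticated `GET /v2/_catalog` should answer 401 with a `WWW-Authenticate: Basic realm=...` header; a 200 means the `auth` block is not in effect.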
Some tools can make your Dockerized product more secure
Docker Bench for Security
• Checks:
  – Host configuration
  – Docker daemon configuration
  – Docker daemon configuration files
  – Container images and build files
  – Container runtime
CoreOS Clair
• Static analysis of vulnerabilities, using:
  – Debian security bug tracker
  – Ubuntu CVE tracker
  – Red Hat security data
Docker Cloud
Monitor
Monitor stack
[Diagram: Monitor stack – container CPU, Memory, Network Metrics plus APP Metrics are collected into InfluxDB and shown in Grafana]
Issue on cAdvisor
• cAdvisor cannot send network usage to InfluxDB correctly
  – when the container uses the host network on a machine with multiple network cards
• Use Telegraf to fix this problem
Lessons Learned
Lessons Learned
• Mount the things you change frequently into your Docker containers
  – For example, on PoC, mount your configuration files into the Docker containers directly
On PoC
[Diagram: Change Settings → Re-build Images → Deploy (API Server, Web Server) versus Mount configuration files]
[Diagram: Kafka Configurations and Spark Configurations live on the Host machine as Conf files and are mounted into the Kafka container and the Spark container]
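The mount in the diagram above, written out as an added example (not the talk’s own file): the Compose snippet shown earlier, with Kafka and Spark configuration bind-mounted read-only from the host, so a settings change becomes a container restart instead of an image rebuild. The ./conf host paths and the in-container config locations are assumptions.

```yaml
# Added example, not from the talk: docker-compose.yml with configuration
# kept on the host and bind-mounted into the containers.
# ./conf/... host paths and the in-container paths are assumptions; point
# them at wherever your Kafka and Spark images actually read their config.
kafka:
  build: .
  ports:
    - "9092:9092"
  volumes:
    # A single file mounted over the image's default. Edit it on the host and
    # `docker-compose restart kafka` picks it up; no image rebuild needed.
    - ./conf/kafka/server.properties:/opt/kafka/config/server.properties:ro
spark:
  image: spark
  ports:
    - "8080:8080"
  volumes:
    # A whole directory mounted, so spark-defaults.conf, spark-env.sh and
    # log4j.properties can all change without touching the image.
    - ./conf/spark:/opt/spark/conf:ro
# `:ro` keeps a misbehaving container from rewriting the host copy; anything
# the process must write (logs, scratch space) belongs on a separate volume.
```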
Conclusions
Summary
Dockerize
• Deploy
• Develop
• Test
• Scale
Security
• Misconfiguration
• Docker Bench
• CoreOS Clair
• Docker Cloud
Monitor
• Visibility
• cAdvisor
• InfluxDB
• Grafana
In the beginning …
We need to build an On-Premises product which can deal with Big Data
We need to build an On-Premises product which can deal with Big Data
Have Now: Build · Ship · Run
Conclusions
Go ahead, Dockerize your product
Thank you!
Q & A