Container Forensics: What to Do When Your Cluster is a Cluster
When responding to an incident in your containers, you dont necessarily have the same tools at your disposal that you do with VMs - and so your incident investigation process and forensics are differ …
Talk Title | Container Forensics: What to Do When Your Cluster is a Cluster |
Speakers | Maya Kaczorowski (Product Manager, Software Supply Chain Security, GitHub), Ann Wallace (Security Lead, Google) |
Conference | KubeCon + CloudNativeCon Europe |
Conf Tag | |
Location | Barcelona, Spain |
Date | May 19-23, 2019 |
URL | Talk Page |
Slides | Talk Slides |
Video | |
When responding to an incident in your containers, you don’t necessarily have the same tools at your disposal that you do with VMs - and so your incident investigation process and forensics are different. In a best case scenario, you have access to application logs, orchestrator logs, node snapshots, and more. In this talk, we’ll go over where to get information about what’s happening in your cluster, including logs and open source tools you can install, and how to tie this information together to get a better idea of what’s happening in your infrastructure. Armed with this info, we’ll review the common mitigation options such as to alert, isolate, pause, restart, or kill a container. For common types of container attacks, we’ll discuss what options are best and why. Lastly, we’ll talk about restoring services after an incident, and the best steps to take to prevent the next one.