blog に戻る

2020年03月30日 Alon Berger

Alcide kAudit Integrates with Sumo Logic

Enabling Easy Kubernetes Audit Logs Monitoring and Investigation

Alcide recently introduced Alcide kAudit, an automatic tool for analyzing Kubernetes Audit logs. This tool focuses on detecting non-compliant and anomalous behavior of users, automated service accounts and suspicious administration operations. Alcide’s recent integration with Sumo Logic enables users to gain full access to insights and real-time alerts from Alcide kAudit. Users are now able to detect Kubernetes’ compliance violations, security incidents, and administration activity anomalies directly from the Sumo Logic platform. They can also correlate and investigate these alerts with data from their other security data sources.

Combining Sumo Logic’s Ops capabilities with Alcide’s security offerings ensures users get full visibility into their Kubernetes clusters for application health, coupled with security insights for deeper investigation. This integration enables DevOps and security teams to focus on compliance violations and active security risks. This also enables users to quickly limit the “blast radius” and fix the causes of such security issues in their Kubernetes clusters.

Real-time Kubernetes Audit Analysis

Alcide kAudit automatically spots security-related issues with Kubernetes' administrative actions in near real-time, and tracks suspicious behaviors that can be identified by observing extended context over multiple activities. It combines a user-configured set of rules that filter any violation of the organization’s compliance policies.

The application will automatically target unique anomalies in the audited activity based on autonomous machine learning patterns.

Further down the pipeline, these findings can be pushed to DevOps teams as security-related alerts or collected for deep investigation and validation by security and audit experts to prove that a non-compliant activity or a security incident has taken place.

A robust logs exploration dashboard for in-depth analysis

Getting Started: Exporting kAudit Findings and Integration

In the integration section, you can configure separate export channels for different alerts. For example, a dedicated channel for detected anomalies and another one for policy-matching audit entries. Each export integration is configured and used independently, so you can mix and match with Sumo Logic endpoints and Slack channels for example.

Configurable filters - Detections and Audit Policies

  • Entity types - select one or more clusters, principals or resources
  • Entity name - set Regex sequences on entities’ names, for which detections will be exported, and same for excluding other specific detections
  • Detection type - Incident or Anomaly
  • Detection confidence values - select one or more of High, Medium or Low confidence
  • Rules names - a regular expression for selection of specific rules in the policy by their name. Only audit events matching these rules will be exported

Log Types

Alcide kAudit uses logs generated by an agent installed on each Kubernetes cluster.

The kAudit input stream consists of two log types:

  • Anomalies and incidents - appear as _sourcecategory="detections", include all anomalies and incidents identified by the kAudit agent.
  • Audit entries - appear as _sourcecategory="selections", include findings related to Kubernetes’ audit logs entries that match one or more of kAudit policies.

Note that you may also set a rate limit on the number of messages sent per minute to the endpoint.

Closely monitor and track all security-related audit entries, documenting relevant activities by users or service components, filtering events indicating policy violations.

Proactively Identify Non-compliant Behavior and Operational Issues

Based on a configured set of rules that faithfully identify all violations of an organization’s policies, with comprehensive trails of non-compliant activity that has taken place. With automated filters, a collection of such alerts is periodically delivered to compliance investigators or any other responsible party for immediate actioning.

Investigate specific operational and security issues, trace back to responsible parties, troubleshoot and identify root cause with ease.

Intercept Anomalous K8s Behaviours Beyond Configuration Rules

Identifying K8s workloads that contain sensitive information such as access to critical databases throughout their lifecycle is a real challenge.

Alcide kAudit identifies irregular behaviors and suspicious activity patterns while observing them with extended contexts, such as:

  • Exploited Vulnerabilities in the Kubernetes API Server
    Authentication, authorization, admission control or validation requests breaches
  • Violated Security Policies
    Which are in conflict with compliance best practices
  • Stolen Credentials
    Can gain access to Kubernetes-based clusters or pods through social engineering
  • Misconfigured RBAC
    Lateral cluster or pod movement, privilege escalation, data access, and data manipulation

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Start free trial

部門

スポットライト

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Alon Berger

Marketing Tech Lead at Alcide

More posts by Alon Berger.

これを読んだ人も楽しんでいます

ブログ

Crossing the machine learning pilot to product chasm through MLOps

Sumo Logic’s MLOps methodology helps accelerate machine learning-based features. Discover how you can adopt this framework for your production-grade features.

ブログ

Splunk second thoughts? It’s time for the cloud-native alternative

Splunk is now a Cisco company. If you have second thoughts about working with them, discover why Sumo Logic is the best Splunk alternative. It’s time to go cloud native.

ブログ

What is AWS CloudTrail?

Learn the basics of AWS CloudTrail, see how to create and enable custom trails, and see where the trail logs are saved.