Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and Evans Ye

Page 1
Using the SDACK Architecture on Security Event Inspection
Darren Chen, Sr. Software Engineer @ Trend Micro
Evans Ye, Sr. Software Engineer @ Trend Micro
2016 DockerCon | Copyright© 2016 Trend Micro Inc.

Page 2
About Darren
• Darren Chen (Yu-Lun Chen)
• Sr. Software Engineer @ Trend Micro
• Enthusiast in big data and cloud computing technologies
• Docker experience – 1.5 years

Page 3
About Evans
• Evans Ye (Yu-Hsin Yeh)
• Sr. Software Engineer @ Trend Micro
• Apache Bigtop PMC member
• Develop big data apps & infra
• Docker experience – 2.5 years

Page 4
How to make a software product?

Page 5
How to make a Dockerized software product?

Page 6
Agenda
Before: Motivation, What is SDACK
During: Why Dockerize, Security, Monitor
After: Lessons Learned, Conclusions, Q&A

Page 7
Motivation

Page 8
Target Scenario

Page 9
Problems
• Too many logs to investigate
• Lack of actionable, prioritized recommendations

Page 10
Log sources: AD, Windows Event, DNS, Proxy, Web server, ….. → Threat Analytic System

Page 11
But we faced two problems…….

Page 12
How to deal with customers’ private data?
Cloud vs. On Premises

Page 13
How to deal with big-volume logs?
2,000,000,000 per day

Page 14
We need to build an on-premises product which can deal with Big Data

Page 15
How to deal with Big Data?

Page 16
SDACK Architecture
Toolbox for building a wide variety of big data products

Page 17
What is SDACK

Page 18
SDACK
Source: http://www.slideshare.net/akirillov/data-processing-platforms-architectures-with-spark-mesos-akka-cassandra-and-kafka
• Spark: fast and general engine for large-scale data processing
• Docker: deployment and resource management
• Akka: toolkit and runtime for building highly concurrent, distributed, and resilient message-driven applications
• Cassandra: distributed, highly available database designed to handle large amounts of data across datacenters
• Kafka: high-throughput, low-latency distributed pub-sub messaging system for real-time data feeds

Page 19
Roles in the stack: Data Storage, Data Analysis, Data Preprocessing, Data Pipeline, Package

Page 20
Threat Analytic System Architecture

Page 21
Diagram: Log → API Server, Web Server

Page 22
Diagram: API Server, Web Server

Page 23
Medium-sized Enterprises

Page 24
Large Enterprises

Page 25
Fortune 500

Page 26
With Docker
• Easy to scale
• Test once, run anywhere
• Widely supported by many platforms

Page 27
Why Dockerize

Page 28
Dockerize – Benefit
Deploy, Develop, Test, Scale

Page 29
Dockerize – Benefit 1: Deploy

Page 30
Challenge (diagram: API, Web)
• Setup
• Operate
• Update

Page 31
Dockerize Software Technologies (diagram: API Server, Web Server)

Page 32
Docker Compose for Operation (diagram: API Server, Web Server → Docker Compose)

```yaml
kafka:
  build: .
  ports:
    - "9092:9092"
spark:
  image: spark
  ports:            # the slide read "port:", a key Compose does not accept
    - "8080:8080"
# ……
```

Page 33
Docker Hub for Updating (diagram: Docker Hub → API Server, Web Server)

Page 34
Dockerize – Benefit 2: Develop

Page 35
Benefit for Development
• Docker provides two benefits in our Spark job development:
  – Reproducibility
  – Flexibility

Page 36
Reproducibility in Spark Streaming Job Development

Page 37
Spark Streaming Job Development: Dev Cluster consumes the live Data Streams

Page 38
Spark Streaming Job Development: Local
Data Streams replaced by a Snapshot Data Set (Date: Jan. 04 ~ Jan. 08)
Freq.: 1 min, Batch size: 1000

Page 39
Spark Streaming Job Development: Local
Snapshot Data Set (Date: Jan. 04 ~ Jan. 08), replayed with different settings:
1. Freq.: 1 min, Batch size: 1000
2. Freq.: 0.5 min, Batch size: 5000
3. Freq.: 1 min, Batch size: 50000

Page 40
Quick Development Iteration (Local, Data Streams from Snapshot Data Set)
Deploy → Test → Destroy → Modify Job → Deploy …

Page 41
Flexibility in Hybrid Architecture

Page 42
Data Research in Dev Cluster (diagram: API, Web)
Data scientists submit Spark jobs to the Dev Cluster

Page 43
Data Research in Dev Cluster
Data scientists submit Spark jobs → Job → Result

Page 44
Data Research in Dev Cluster
Data scientists submit Spark jobs

Page 45
Data Research in Dev Cluster
Other members submit Spark jobs → Job

Page 46
Data Research in Dev Cluster
Other members submit Spark jobs → Job → Wrong Result

Page 47
Hybrid Architecture
Dev Cluster and Local (each with API, Web): submit Spark Job → Job → Result

Page 48
What’s More
Web Service Development in Dev Cluster and Local (each with API, Web)

Page 49
Dockerize – Benefit 3: Test

Page 50
Clean & Consistent Environment: each test case runs against its own API Server + Web Server
• Test case 1: sub-test 1a, sub-test 1b
• Test case 2: sub-test 2a, sub-test 2b
• …
• Test case n: sub-test na, sub-test nb

Page 51
Dockerize – Benefit 4: Scale

Page 52
Distributed Software Components

Page 53
Akka
• High-performance concurrency framework
• Clustering mechanism available
• Leveraging Akka, we build up our Akka cluster system

Page 54
Our Akka Cluster System (Client, Master, LDAP Service, LDAP Server)
1. Client queries account information
2. Master sends the job to the LDAP Service
3. LDAP Service queries the LDAP Server
4. Return the result

Page 55
Our Akka Cluster System: Master dispatches Jobs to the services LDAP, HostName, DB, DataProcess, Endpoint

Page 56
Dockerize for Each Micro-service: LDAP, DB, DataProcess, Endpoint, HostName, Master

Page 57
Dockerize for Scale Out: DataProcess ×3, HostName, DB, LDAP, Endpoint

Page 58
Security

Page 59
Docker Vulnerabilities since 1st release (chart)
The only high severity vulnerability was fixed within 2 days.

Page 60
Misconfiguration
Open it without ACL?

Page 61
Open Docker Registry
[Chart: Open Docker Registry w/o Access Control, count (0 to 90) by country: AU BE CA CN DE FI FR GB HK HR IE IR IT JP KR NL PL RU SE SG TW US ZA]
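The misconfiguration the chart counts is a registry reachable with no authentication. As an added example (not from the talk), this is a Docker Registry v2 `config.yml` that closes it with TLS plus htpasswd authentication; the certificate, key and htpasswd paths are assumptions.

```yaml
# Added example, not from the talk: a Docker Registry v2 config.yml with
# access control. Paths under /certs and /auth are assumptions; bind-mount
# them into the registry container.
version: 0.1
log:
  level: info
storage:
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: false          # keep the DELETE API off unless you need it
http:
  addr: 0.0.0.0:5000
  tls:
    # Serve HTTPS only, so the credentials below never cross the wire in clear
    certificate: /certs/registry.crt
    key: /certs/registry.key
auth:
  # With no auth block, anyone who can reach port 5000 can pull, push and
  # overwrite images (the "open registry" case counted in the chart above).
  htpasswd:
    realm: internal-registry      # assumed realm name
    path: /auth/htpasswd          # bcrypt entries only (htpasswd -B)
```

Create the credential file with `htpasswd -Bbn <user> <password> > auth/htpasswd` (the registry accepts only bcrypt entries), then confirm that an unauthenticated `GET /v2/` on the registry returns 401 rather than 200.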

Page 62
Some tools can make your Dockerized product more secure

Page 63
Docker Bench for Security
• Checks:
  – Host configuration
  – Docker daemon configuration
  – Docker daemon configuration files
  – Container images and build files
  – Container runtime

Page 64
CoreOS Clair
• Static analysis of vulnerabilities, using:
  – Debian security bug tracker
  – Ubuntu CVE tracker
  – Red Hat security data

Page 65
Docker Cloud

Page 66
Monitor

Page 67
Monitor stack: Web Server and API Server → CPU, Memory, Network Metrics → Grafana

Page 68
Monitor stack: Metrics and APP Metrics → Grafana

Page 69
Issue on cAdvisor
• cAdvisor cannot send network usage correctly to InfluxDB
  – when the container uses the host network on a machine with multiple network cards
• Use Telegraf to fix this problem

Page 70
Agenda
Before: Motivation, What is SDACK
During: Why Dockerize, Security, Monitor
After: Lessons Learned, Conclusions, Q&A

Page 71
Lessons Learned

Page 72
Lessons Learned
• Mount the stuff you may change frequently into your Docker containers
  – For example, on PoC, mount your configuration files into Docker containers directly

Page 73
On PoC: Change Settings → Re-build Images → Deploy (API Server, Web Server)

Page 74
Mount configuration files
Host machine: Kafka Configurations (Conf files) → mounted into the Kafka container; Spark Configurations (Conf files) → mounted into the Spark container
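One way to apply this lesson, as an added example and not the authors' own docker-compose.yml: the Kafka and Spark configuration directories stay on the host and are bind-mounted read-only, so a settings change is a file edit plus a restart instead of the rebuild-and-deploy loop on page 73. Image names, the paths inside the containers and the host directories are assumptions.

```yaml
# Added example, not the authors' compose file. Image names, the paths
# inside the containers and the host directories are assumptions.
#
# Before (the PoC loop): configs were baked in with a Dockerfile COPY, so
# every settings change meant "docker-compose build" and a redeploy.
kafka:
  image: example/kafka          # assumed; the talk's snippet used build: .
  ports:
    - "9092:9092"
  volumes:
    # host dir -> container dir, read-only (":ro") so a container cannot
    # rewrite the host copy and every container sees the edited files.
    - ./conf/kafka:/opt/kafka/config:ro

spark:
  image: spark
  ports:
    - "8080:8080"
  links:
    - kafka                     # "kafka" resolves to the broker container
  volumes:
    - ./conf/spark:/opt/spark/conf:ro
```

After editing a file under ./conf on the host, `docker-compose restart kafka` (or `spark`) applies the change; no image rebuild is needed.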

Page 75
Conclusions

Page 76
Summary
Dockerize: • Deploy • Develop • Test • Scale
Security: • Misconfiguration • Docker Bench • CoreOS Clair • Docker Cloud
Monitor: • Visibility • cAdvisor • InfluxDB • Grafana
Diagram: API Server, Web Server, for Security

Page 77
In the beginning …
We need to build an on-premises product which can deal with Big Data

Page 78
Conclusions
We need to build an on-premises product which can deal with Big Data
Have now: Build, Ship, Run

Page 79
Go ahead, Dockerize your product

Page 80
Thank you!

Page 81
Q & A

Page 82
Thank you!