Microsoft Defender for Containers provides security for container workloads running on Kubernetes. It monitors clusters for misconfigurations and vulnerabilities, provides runtime threat detection, and generates alerts. It works across multiple clouds by deploying agents and daemons to collect security signals from the API server, nodes, and images. A demonstration showed Microsoft Defender in action monitoring container workloads.
5. Known Practices
◎ Use of private registry and trusted images
◎ Continuous vulnerability scanning of images (Trivy, Anchore)
◎ Limit container privileges
◎ Use of network segmentation
◎ Implement least privilege access (RBAC)
◎ Logging and Monitoring
◎ Implement runtime security for threat detection
◎ Preventive and detective policies - Kyverno
◎ Security and Compliance Audits
◎ Certificates, securing endpoints
◎ Many More …
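Several of the practices above (trusted images from a private registry, limited container privileges, no sensitive host mounts) can be expressed as detective checks that run against a Pod object before or after admission. The following is an added example, not code from the slides, from Microsoft or from Kyverno; the trusted registry prefix and the list of sensitive host paths are assumptions, and both sample Pods are constructed. Input is the JSON form printed by `kubectl get pod <name> -o json`.

```python
# Added example (not from the slides or from Microsoft/Kyverno): detective
# least-privilege checks over a Pod object in the JSON form printed by
# `kubectl get pod <name> -o json`. Both sample Pods below are constructed.

# Assumptions, not from the page: registry prefixes this organisation trusts,
# and host paths that must never be mounted into a workload.
TRUSTED_REGISTRIES = ("registry.example.internal/",)
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/root", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd")


def is_sensitive_host_path(path):
    """True for '/' itself or anything at or under a listed sensitive path."""
    norm = path.rstrip("/") or "/"
    return norm == "/" or any(norm == p or norm.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS)


def is_pinned_image(image):
    """Pinned means a digest, or an explicit tag other than :latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # drop registry/repository path
    return ":" in last and not last.endswith(":latest")


def check_pod(pod):
    """Return a list of (severity, message) findings for one Pod object."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext") or {}

    # Sharing host namespaces removes the isolation the node provides.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(("high", f"{name}: {field} is enabled"))

    # hostPath volumes expose the node filesystem to the container.
    for vol in spec.get("volumes") or []:
        hp = vol.get("hostPath")
        if hp and is_sensitive_host_path(hp.get("path", "")):
            findings.append(("high", f"{name}: volume {vol['name']} mounts "
                                     f"sensitive host path {hp['path']}"))

    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname, image = c.get("name", "<unnamed>"), c.get("image", "")
        sc = c.get("securityContext") or {}

        # Trusted images: private registry only, pinned to a tag or digest.
        if not image.startswith(TRUSTED_REGISTRIES):
            findings.append(("medium", f"{name}/{cname}: {image} is not from a trusted registry"))
        if not is_pinned_image(image):
            findings.append(("low", f"{name}/{cname}: {image} is not pinned to a tag or digest"))

        # Container privileges: Kubernetes defaults are permissive, so absence counts.
        if sc.get("privileged"):
            findings.append(("critical", f"{name}/{cname}: privileged container"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("medium", f"{name}/{cname}: allowPrivilegeEscalation is not false"))
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(("medium", f"{name}/{cname}: runAsNonRoot is not enforced"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("low", f"{name}/{cname}: root filesystem is writable"))
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(("high", f"{name}/{cname}: adds capabilities {', '.join(added)}"))
    return findings


# Constructed sample: a troubleshooting Pod that violates most of the practices.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug-shell"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{"name": "shell", "image": "docker.io/library/ubuntu:latest",
                        "securityContext": {"privileged": True,
                                            "capabilities": {"add": ["SYS_ADMIN"]}}}],
    },
}

# Constructed sample: the same shape of workload written to pass every check.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{"name": "web", "image": "registry.example.internal/app/web:1.4.2",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True,
                                            "capabilities": {"drop": ["ALL"]}}}],
    },
}

if __name__ == "__main__":
    for pod in (RISKY_POD, HARDENED_POD):
        for severity, message in check_pod(pod) or [("ok", pod["metadata"]["name"] + ": no findings")]:
            print(f"[{severity}] {message}")
```

The checks treat an absent field as a failure because the Kubernetes defaults (privilege escalation allowed, root user allowed, writable root filesystem) are the permissive ones; a preventive policy engine such as Kyverno or Gatekeeper would enforce the same conditions at admission instead of reporting them afterwards.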
6. “93% experienced at least one security incident in their Kubernetes environments in the last 12 months”
- State of Kubernetes security report
* Kubernetes adoption, security, and market trends report 2022
8. Overview of Microsoft Defender for Containers
◎ Cloud-native solution to
○ Improve
○ Monitor
○ Maintain
the security of your clusters, containers, and their applications.
◎ Multi-cloud: supports Kubernetes offerings and registries from different CSPs, such as EKS, GKE and ECR
◎ Kubernetes-native deployment at scale
◎ Provides security alerts and remediation capabilities
[Diagram: Container Security = Environment Hardening (Cluster Configurations) + Vulnerability (Container Image) + Run Time (Threat Detection)]
9. Environment Hardening
◎ Continuous monitoring of your Kubernetes clusters
○ Wherever they're hosted [AWS - EKS, Azure - AKS, GCP - GKE, On-Premise (using Arc)]
○ Continuously assess clusters to provide visibility of misconfigurations
○ Provide guidelines to mitigate the issues
◎ Kubernetes data plane hardening
○ Azure Policy add-on
◉ Extends Gatekeeper v3; required to apply at-scale auditing, enforcements and safeguards on clusters in a centralized, consistent manner.
○ Defender DaemonSet
◉ Deployed to each worker node; collects security-related data and sends it to Defender for analysis. Required for runtime protections and security capabilities.
11. Vulnerability Assessment
◎ Supports Azure ACR and AWS ECR
◎ Triggers
○ On push
○ Recently pulled
○ On import
○ Continuous scan based on an image pull and for running images
◎ View and remediate findings
◎ Disable specific findings, e.g. severity below medium, non-patchable findings
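The two suppression rules named above (severity below medium, non-patchable findings) are the same triage a team applies to scanner output outside the portal, for instance in a CI gate. The following is an added example, not code from the slides or from Microsoft or Trivy: it applies both rules to a report in the JSON shape produced by `trivy image -f json`. The report is constructed and its vulnerability IDs are placeholders in CVE-like form, not real advisories.

```python
# Added example (not from the slides or from Microsoft/Trivy): applying the two
# suppression rules "severity below medium" and "non-patchable" to a
# Trivy-style JSON report, then gating on what remains.
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage(report, min_severity="MEDIUM", patchable_only=True):
    """Split findings into the ones to remediate and the ones suppressed by rule."""
    kept = []
    suppressed = {"below_min_severity": [], "not_patchable": []}
    threshold = SEVERITY_RANK[min_severity]
    for result in report.get("Results") or []:
        # Trivy omits the Vulnerabilities key entirely when a target is clean.
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                suppressed["below_min_severity"].append(v["VulnerabilityID"])
            elif patchable_only and not v.get("FixedVersion"):
                suppressed["not_patchable"].append(v["VulnerabilityID"])
            else:
                kept.append({
                    "id": v["VulnerabilityID"], "severity": v["Severity"],
                    "package": v["PkgName"], "installed": v.get("InstalledVersion"),
                    "fixed": v.get("FixedVersion"), "target": result.get("Target"),
                })
    return kept, suppressed


def should_block(kept, gate_severity="HIGH"):
    """CI gate: True when a remediable finding at or above the gate severity remains."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[gate_severity] for f in kept)


# Constructed report. IDs are placeholders, not real advisories; versions are made up.
SAMPLE_REPORT = {
    "ArtifactName": "registry.example.internal/app/web:1.4.2",
    "Results": [{
        "Target": "registry.example.internal/app/web:1.4.2 (debian 12.5)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libssl3",
             "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.11-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libc-bin",
             "InstalledVersion": "2.36-9", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "tar",
             "InstalledVersion": "1.34+dfsg-1", "FixedVersion": "1.34+dfsg-2", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "curl",
             "InstalledVersion": "7.88.1-10", "FixedVersion": "7.88.1-11", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "perl-base",
             "InstalledVersion": "5.36.0-7", "FixedVersion": "5.36.0-8", "Severity": "UNKNOWN"},
        ],
    }, {
        "Target": "app/package.json", "Class": "lang-pkgs",  # clean target: no key
    }],
}

if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_REPORT)
    print(json.dumps({"remediate": kept, "suppressed": suppressed}, indent=2))
    print("block deployment:", should_block(kept))
```

Suppressing a non-patchable critical finding keeps the backlog actionable, but it does not make the exposure go away; the suppressed list is returned separately so it can still be reported, and re-running with `patchable_only=False` surfaces it again once a fix is published.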
12. Runtime Threat Protection
◎ Provides real-time threat protection
◎ Generates alerts for suspicious activities
◎ Threat protection at the cluster level
○ Provided by the Defender agent and analysis of the Kubernetes audit logs
◎ Threat protection at the host level
◎ Monitors the attack surface of multi-cloud Kubernetes deployments based on the MITRE ATT&CK® matrix for Containers
◎ Examples:
○ Exposed Kubernetes dashboards, high-privileged roles, sensitive mounts
○ Anomalous secret access, detected suspicious file download, possible backdoor detected
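Cluster-level alerts of the kind listed above come from analysis of the Kubernetes audit log. The following is an added example, not code from the slides or from Microsoft: detection logic for two of the alert types, anomalous secret access and assignment of a high-privileged role, run over API server audit events (`audit.k8s.io/v1`, one JSON object per line). The per-namespace baseline of expected secret readers and the sample log lines are constructed, and the role-binding rule assumes the audit policy records the request body (RequestResponse level) for RBAC objects.

```python
# Added example (not from the slides or from Microsoft): cluster-level detection
# over Kubernetes audit log lines for anomalous secret access and binding of a
# high-privileged role. Baseline and sample events are constructed.
import json

# Assumption: per-namespace baseline of principals that legitimately read secrets.
SECRET_READER_BASELINE = {
    "payments": {"system:serviceaccount:payments:api"},
    "kube-system": {"system:kube-controller-manager"},
}
HIGH_PRIVILEGE_ROLES = {"cluster-admin"}


def analyze_event(ev):
    """Return (severity, message) alerts for one audit Event, or an empty list."""
    alerts = []
    user = (ev.get("user") or {}).get("username", "?")
    verb = ev.get("verb", "")
    obj = ev.get("objectRef") or {}
    code = (ev.get("responseStatus") or {}).get("code", 0)
    if code >= 400:  # denied by RBAC; a separate rule would count repeated denials
        return alerts

    # Rule 1: reads of Secrets outside the baseline; a cluster-wide list is worse.
    if obj.get("resource") == "secrets" and verb in ("get", "list", "watch"):
        ns = obj.get("namespace")
        if ns is None:
            alerts.append(("high", f"cluster-wide {verb} of secrets by {user}"))
        elif user not in SECRET_READER_BASELINE.get(ns, set()):
            target = obj.get("name") or "all secrets"
            alerts.append(("medium", f"anomalous secret access: {user} {verb} {target} in {ns}"))

    # Rule 2: binding a high-privileged role (requestObject needs RequestResponse level).
    if obj.get("resource") in ("clusterrolebindings", "rolebindings") \
            and verb in ("create", "update", "patch"):
        req = ev.get("requestObject") or {}
        role = (req.get("roleRef") or {}).get("name")
        if role in HIGH_PRIVILEGE_ROLES:
            subjects = ", ".join(s.get("name", "?") for s in req.get("subjects") or [])
            alerts.append(("high", f"{role} bound to [{subjects}] by {user}"))
    return alerts


def analyze_log(lines):
    """Run the rules over JSON-lines audit output. Malformed lines are skipped,
    and only the ResponseComplete stage is used so each request counts once."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue
        alerts.extend(analyze_event(ev))
    return alerts


def _event(verb, user, resource, ns=None, name=None, code=200,
           stage="ResponseComplete", **extra):
    """Build one constructed audit Event as a JSON line."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
          "verb": verb, "user": {"username": user},
          "objectRef": {"resource": resource}, "responseStatus": {"code": code}}
    if ns:
        ev["objectRef"]["namespace"] = ns
    if name:
        ev["objectRef"]["name"] = name
    ev.update(extra)
    return json.dumps(ev)


# Constructed sample log: one baseline read, then the cases the rules target.
SAMPLE_AUDIT_LINES = [
    _event("get", "system:serviceaccount:payments:api", "secrets", "payments", "db-credentials"),
    _event("get", "system:serviceaccount:payments:api", "secrets", "payments", "db-credentials",
           stage="RequestReceived"),
    _event("list", "dev-jane@example.com", "secrets", "payments"),
    _event("list", "system:serviceaccount:default:default", "secrets"),
    _event("get", "dev-jane@example.com", "secrets", "payments", "api-key", code=403),
    _event("create", "dev-jane@example.com", "clusterrolebindings", name="ops-admin",
           requestObject={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                          "subjects": [{"kind": "ServiceAccount", "name": "default",
                                        "namespace": "default"}]}),
    _event("get", "dev-jane@example.com", "configmaps", "payments", "app-config"),
    "not json at all",
]

if __name__ == "__main__":
    for severity, message in analyze_log(SAMPLE_AUDIT_LINES):
        print(f"[{severity}] {message}")
```

The baseline is what turns a secret read into an "anomalous" one: without it every `get` on Secrets is noise. In practice it is learned from a window of normal traffic per namespace rather than written by hand, and it has to be re-learned when workloads are redeployed with new service accounts.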
14. How it works
◎ Defender for Containers receives and analyzes:
○ Audit logs and security events from the API server
○ Cluster configuration information from the control plane
○ Workload configuration from Azure Policy
○ Security signals and events from the node level
◎ Components deployed
○ Azure Policy add-on
◉ Extends Gatekeeper v3; required to apply at-scale auditing, enforcements and safeguards on clusters in a centralized, consistent manner. [azure-policy, azure-policy-webhook]
○ Defender Profile DaemonSet
◉ Deployed to each node; provides the runtime protections and collects signals from nodes using eBPF technology. [microsoft-defender-collector-ds, microsoft-defender-publisher-ds, microsoft-defender-collector-misc]