Catch Breaches Faster With Automated Kubernetes Audit Log Monitoring

By applying automation to audit log monitoring, security teams and DevSecOps teams can get ahead of the curve in identifying breaches and vulnerabilities

By 2021, 92% of enterprises will take a cloud-native approach to their software, transforming their monolithic applications into microservices-based architectures. These containerized applications are increasingly orchestrated by Kubernetes, with 44% of companies using Kubernetes in production in 2019. The speed, flexibility and scalability that come with Kubernetes are hard to resist, which is why cloud-native is quickly becoming the status quo for DevOps teams. But what happens when something goes wrong?

FinConDX 2021

Imagine a scenario where a malicious actor steals a cloud-native developer’s unlocked account or otherwise gains credentials within the Kubernetes cluster. Using the stolen credentials, the attacker performs actions on the developer’s behalf, potentially disrupting operations across the environment. The attacker can gain access to critical databases and sensitive resources, compromising intellectual property and the security of customer data.

Once the consequences of the attack become clear, the security team scrambles to find the source of the breach and investigate how it propagated through the environment. But given the scale of their clusters, the ephemeral nature of pods and the speed at which the landscape changes, the team is helpless to diagnose the problem until long after the damage is done.

The downstream impact on the company’s reputation from such an attack can be devastating.

Tesla learned this lesson the hard way in 2018 when hackers stole unsecured credentials and gained access to Tesla’s AWS environment. Once inside, they hijacked Tesla’s cloud resources to run cryptocurrency mining malware. What’s more, it’s possible the hackers could have accessed Tesla’s telemetry database, which tracks the movement of Tesla vehicles.

To catch attacks like this as early as possible, cloud-native security teams need a quick way to find out which users and roles illegitimately accessed sensitive resources and when they did it. Fortunately, all these actions are recorded in the Kubernetes audit log, along with all other activities in the cluster. Unfortunately, the sheer volume of data and “noise” in the audit log makes finding the anomalous activity like finding a needle in a haystack.

The notion of investigating audit logs isn’t new; cybersecurity experts have used audit logs to forensically trace breaches and vulnerabilities since long before the cloud-native era. But given the scale of a distributed Kubernetes environment and the ephemeral nature of pods, pinpointing anomalous activity in the audit log can be a daunting task. Not only is it a tedious and time-intensive process, but it requires deep Kubernetes knowledge to differentiate between normal and anomalous activity.

Today, artificial intelligence (AI) and machine learning techniques are uniquely primed for making sense of large volumes of complex data—including Kubernetes audit logs. Rather than having a human decipher what is irregular and what is normal, a machine learning program can be trained on patterns of normal activity within the audit log and flag when users and principals are accessing resources or performing operations they normally wouldn’t.

By applying automation to audit log monitoring, security teams and DevSecOps teams can get ahead of the curve when it comes to identifying breaches and vulnerabilities. Rather than tracing the source of threats after the damage is done, automation can proactively identify potential hacks in real-time, alerting security teams to act before it’s too late. This kind of continuous observability allows security teams to limit damage and detect vulnerabilities faster.

Automated audit log monitoring in Kubernetes can catch a wide range of threats and vulnerabilities. It can catch vulnerabilities in the Kubernetes API server that enable users to access privileged or sensitive resources, bypassing authentication, authorization, admission control or validation of cluster administration requests. Audit log automation can also identify misconfigured rules-based access control (RBAC), enabling lateral cluster or pod movement, privilege escalation and unauthorized data access or manipulation.

AI-driven audit log monitoring is also a priceless tool for companies with shareholders and government regulations to reckon with. In the case of a breach, automation can quickly point investigators to the source of the breach and all the time-sensitive data related to it, aiding in legal inquiries and expediting remediation.

With the industry still catching up to the new security paradigm of Kubernetes and cloud-native, an automated system can allow security professionals of all experience levels to effectively leverage their audit logs to identify threats and vulnerabilities. As security shifts left and applies automation to speed development and deployment, it’s time for security teams and DevSecOps teams to automate their forensic tracing and get proactive in detecting threats to their enterprise.

Amir Ofek

Amir Ofek has over 20 years of experience in the hi-tech industry. Prior to Alcide, Amir was President and CEO at CyberInt, where he led the company’s fast growth in the cybersecurity MDR space. Before, he worked at Amdocs (NASDAQ:DOX), where he served as VP Client Business Executive for the SingTel Group, based in Singapore, and as the Chief of Staff of Amdocs CEO. He was also a board director at Gilat Satellite Networks (NASDAQ:GILT). Amir is a Captain (res.) in the IDF 8200 unit, and holds BSc. in IT Engineering (Cum Laude) from the Technion and an MBA from INSEAD.

Amir Ofek has 2 posts and counting. See all posts by Amir Ofek