Today Alcide, a runtime security vendor for Kubernetes and DevOps, announced the public beta release of kAudit. Alcide kAudit is a forensic tool for Kubernetes audit logs, backed by patent-pending artificial intelligence. kAudit learns the patterns of your audit log over time and then enables security and compliance enforcement in response to anomalies from that pattern.
Alcide CTO Gadi Naor told The New Stack that the audit log remains the most established method in cybersecurity to see whether systems have been compromised. He said they are the best way to peg what “smells like abuse” — incongruent activity or strange user behavior.
However, an audit log is tedious and time-consuming to go through manually: it is simply more data than the human brain can process, especially at the speed necessary to catch a vulnerability.
kAudit Supports SecOps
A security team kicks off using Alcide kAudit by identifying noncompliant behavior through the creation of proactive policies. For example, in a production environment, you may want a policy stating that no one is able to dump compliant data from the log. Anyone working in compliance would want to be alerted about this activity, as it flags a data breach.
As kAudit begins to examine your organization’s audit logs it adapts to your system to enforce compliance rules based on behavior patterns.
Next Alcide kAudit investigates your security issues by running automatic credential tests.
Naor says this encompasses “Everything that involves a data breach that involves privileged access to data servers and perform subsequent access [scans] around this.”
Kubernetes is still not secure enough by default. One such flaw is that until recently Kubernetes actually required privileged access for the API server, which means a compromise gaining access to one cluster could potentially gain access to the entire environment.
“Similarly the audit log isn’t necessarily enabled by default in some Kubernetes managed deployments or at least it’s not something that lands in the users’ laps conveniently,” Naor said.
“The reality in practice is users are left in the dark when a breach occurs. They won’t know until it’s in the news that data was extracted from the cluster.” — Gadi Naor, Alcide.
The AI backbone of kAudit performs ongoing behavioral analysis of how users and automated services interact with the environment. Any deviation is then flagged to SecOps “to provide insights into Kubernetes which in a lot of ways it is a blind spot,” Naor said.
Automated Kubernetes Threat Detection
The amount of audit trail data generated by Kubernetes can be particularly overwhelming, Naor said, which is why you need automatic tools to understand all the concepts.
“Relying on the proactive policy is one thing but this doesn’t actually cover the whole threat spectrum,” he said.
Naor reflected back on the first Kubernetes CVE, discovered by Rancher last year. It was a high-severity CVE related to unauthenticated access to the API server that enabled a Rancher in-house attacker to elevate privileges so they could access the whole cluster. Naor said this was a very severe vulnerability that resulted in a CNCF advisory, with patches released and cloud providers updating their API servers.
Naor describes kAudit’s flagship feature as its patent-pending AI technology, which self-learns how users and automated services access your clusters. That means future CVEs could be discovered by such a system without pen-testing.
kAudit’s Future in AI/ML
As Alcide kAudit achieves greater adoption, Alcide is looking to leverage AI crowd intelligence to uncover common attack patterns across organizations.
For now, from the small user base of the closed beta, they have already discovered some quite serious shared threat patterns.
“Since we started the closed beta cycles, we have seen Kubernetes API server endpoints being actively probed by internet scanners on various locations in the world,” Naor said, most often by attackers in China and Eastern Europe.
“The stuff that we have seen in our systems and customers’ systems during the beta is kind of alarming.” — Gadi Naor, Alcide.
One of the most common vulnerabilities kAudit has detected is credential theft, for example when a teammate’s unlocked laptop is stolen. An attacker can then gain privileged access to a Kubernetes cluster and perform operations on your teammate’s behalf.
Alcide kAudit would be able to detect and flag those actions as they are performed, when they differ markedly from those typically performed by your teammate.
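The two detection modes the article describes, a proactive policy that flags a forbidden action (the production-namespace example above) and a learned per-principal baseline that flags a stolen credential being used in an unfamiliar way, can be illustrated on real kube-apiserver audit output. The script below is an added example written for this page, not Alcide code and not a description of how kAudit works internally. It assumes audit logging is enabled in JSON-lines format (audit.k8s.io/v1 Event records) and it replaces the product's AI with a simple set-membership baseline; the audit events, usernames, IP addresses and policy rules are constructed for the example.

```python
"""Toy Kubernetes audit-log analyzer: proactive policy rules plus a learned baseline.

Records are shaped like kube-apiserver audit.k8s.io/v1 Events, trimmed to the
fields this example reads. All sample data below is constructed, not real.
"""
import json
from collections import defaultdict


def _ev(audit_id, user, verb, resource, namespace, ip, subresource=None, code=200):
    """Build one constructed audit Event record (hypothetical helper for sample data)."""
    ref = {"resource": resource, "namespace": namespace}
    if subresource:
        ref["subresource"] = subresource
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": audit_id,
            "stage": "ResponseComplete", "verb": verb, "user": {"username": user},
            "sourceIPs": [ip], "objectRef": ref, "responseStatus": {"code": code}}


# Learning window: what "alice" and the prod deployer service account normally do.
BASELINE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("b1", "alice", "list", "pods", "dev", "10.0.0.5"),
    _ev("b2", "alice", "get", "pods", "dev", "10.0.0.5"),
    _ev("b3", "alice", "get", "pods", "dev", "10.0.0.5", subresource="log"),
    _ev("b4", "system:serviceaccount:prod:deployer", "patch", "deployments", "prod", "10.0.1.20"),
    _ev("b5", "system:serviceaccount:prod:deployer", "get", "deployments", "prod", "10.0.1.20"),
])

# Observation window: alice's credential is suddenly used from a new address
# to read prod secrets and exec into a prod pod. One malformed line is included
# to show the parser skipping non-Event input.
NEW_LOG = "\n".join(json.dumps(e) for e in [
    _ev("n1", "alice", "get", "pods", "dev", "10.0.0.5"),
    _ev("n2", "alice", "list", "secrets", "prod", "203.0.113.7"),
    _ev("n3", "alice", "create", "pods", "prod", "203.0.113.7", subresource="exec"),
    _ev("n4", "system:serviceaccount:prod:deployer", "patch", "deployments", "prod", "10.0.1.20"),
]) + "\nthis line is not JSON\n"


def parse_events(text):
    """Parse JSON-lines audit output, skipping blank, malformed, or non-Event lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("kind") == "Event" and "auditID" in rec:
            events.append(rec)
    return events


def action_key(e):
    """(verb, resource[/subresource], namespace) identifies what was done."""
    ref = e.get("objectRef") or {}
    resource = ref.get("resource", "")
    if ref.get("subresource"):
        resource += "/" + ref["subresource"]
    return (e.get("verb", ""), resource, ref.get("namespace", ""))


def username(e):
    return (e.get("user") or {}).get("username", "")


# Proactive policies: (name, predicate over verb, resource, namespace). Constructed rules.
POLICIES = [
    ("secrets-read-in-prod", lambda v, r, ns: ns == "prod" and r == "secrets" and v in {"get", "list", "watch"}),
    ("exec-into-prod-pod", lambda v, r, ns: ns == "prod" and r == "pods/exec"),
]


def apply_policies(events):
    """Return (rule name, auditID) for every event matching a proactive policy."""
    return [(name, e["auditID"]) for e in events for name, pred in POLICIES
            if pred(*action_key(e))]


def build_baseline(events):
    """Per-principal profile: the actions and source IPs seen during learning."""
    profile = defaultdict(lambda: {"actions": set(), "ips": set()})
    for e in events:
        p = profile[username(e)]
        p["actions"].add(action_key(e))
        p["ips"].update(e.get("sourceIPs", []))
    return profile


def detect_anomalies(profile, events):
    """Flag events whose principal, action, or source IP was never seen in the baseline."""
    findings = []
    for e in events:
        u = username(e)
        if u not in profile:
            findings.append((e["auditID"], u, "unknown-principal"))
            continue
        if action_key(e) not in profile[u]["actions"]:
            findings.append((e["auditID"], u, "new-action"))
        if set(e.get("sourceIPs", [])) - profile[u]["ips"]:
            findings.append((e["auditID"], u, "new-source-ip"))
    return findings


def analyze(baseline_text, new_text):
    """Learn from the baseline window, then run policies and anomaly checks on new events."""
    profile = build_baseline(parse_events(baseline_text))
    new_events = parse_events(new_text)
    return {"policy_hits": apply_policies(new_events),
            "anomalies": detect_anomalies(profile, new_events)}


if __name__ == "__main__":
    for kind, items in analyze(BASELINE_LOG, NEW_LOG).items():
        print(kind, items)
```

Running the script reports events n2 and n3 twice over: once because they trip a written policy, and once because alice has never listed secrets, exec'd into a pod, or connected from 203.0.113.7 before. Event n1 and the deployer's patch are silent, which is the point of a baseline: routine work by a known principal from a known address produces no alert, while a stolen credential driven by someone else shows up as a cluster of "new-action" and "new-source-ip" findings even if no explicit policy covers what they did.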
This is just one example of where artificial intelligence and machine learning will continue to drive more and more cybersecurity and fraud protection profiling.
This sort of pattern anomaly detection is already happening in general cloud security, but Naor says kAudit is unique in applying these techniques to the Kubernetes space.
Naor says this will only improve as Kubernetes APIs shift toward making the audit data stream easily available as part of the cluster’s APIs, meaning you’ll no longer need complex cloud-based integrations to access it.