In June, Cyble Research Labs conducted a routine threat scan and uncovered more than 900,000 Kubernetes exposures across the internet.
This number, while certainly alarming, isn’t unexpected. Kubernetes is not secure by default, and it’s not uncommon, for example, for developers to spin up a cluster for a task and leave it exposed to the internet once the work is done.
Even though Cyble clarified that its findings didn’t mean every exposed instance was vulnerable to attack, the threat to unsecured Kubernetes clusters is real. Once an attacker gets into a cluster, the damage can be massive, including:
- Compromise of the applications running in the cluster
- Overloading applications so they become unavailable (denial of service)
- Theft of confidential data, such as customers’ personal information and details of business operations
These attacks are not hypothetical. In 2018, electric car manufacturer Tesla suffered a cryptojacking attack after a Kubernetes administrative console was left without password protection. Through that console, the attackers found credentials for the company’s Amazon S3 buckets and installed a cryptomining script in one of the cluster’s pods.
Locking down Kubernetes security
There are a number of steps organizations can take to keep their Kubernetes clusters secure and limit the risk of attacks. These steps include, but are not limited to:
- Keeping Kubernetes updated to the latest supported version
- Removing debugging tools from production containers
- Defining cluster network policies
- Running sensitive workloads on a separate set of nodes
- Continually monitoring audit logs for unusual API requests
- Minimizing administrative access to nodes wherever possible
Each of these steps can be time-consuming and, depending on the talent available within an organization, complex to navigate, especially in a high-speed development environment.
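As an added example of the audit-log step in the checklist above (this is not code from the original article or from any product it mentions), here is a small Python detector that reads Kubernetes audit events in the audit.k8s.io/v1 JSON-lines format and flags the requests a practitioner would want to see first: successful requests from the anonymous user, exec/attach/port-forward into pods, cluster-wide secret listing, and RBAC changes from identities that should not be making them. The sample events, the trusted-identity prefixes and the 10.10.0.0/16 administrator network are constructed for the example.

```python
"""Added example: flag unusual API requests in Kubernetes audit log events (audit.k8s.io/v1, JSON lines)."""
import ipaddress
import json

# Assumptions for this example: control-plane components and kube-system service accounts are
# expected callers, and human administrators only connect from the 10.10.0.0/16 network.
TRUSTED_PREFIXES = ("system:kube-", "system:apiserver", "system:serviceaccount:kube-system:")
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
INTERACTIVE_SUBRESOURCES = {"exec", "attach", "portforward"}
RBAC_RESOURCES = {"clusterrolebindings", "clusterroles", "rolebindings", "roles"}


def is_trusted(username: str) -> bool:
    return username.startswith(TRUSTED_PREFIXES)


def is_human(username: str) -> bool:
    # Service accounts, nodes and components all live under the "system:" prefix.
    return not username.startswith("system:")


def succeeded(event: dict) -> bool:
    code = (event.get("responseStatus") or {}).get("code", 0)
    return 100 <= code < 400  # 101 Switching Protocols is what a successful exec/attach returns


def check_event(event: dict) -> list:
    """Return the names of the rules that fire for one audit event (empty list = nothing unusual)."""
    if event.get("stage") != "ResponseComplete":
        return []  # judge finished requests only; RequestReceived records would double-count
    user = event.get("user") or {}
    username = user.get("username", "")
    groups = set(user.get("groups") or [])
    obj = event.get("objectRef") or {}
    resource, subresource, namespace = obj.get("resource"), obj.get("subresource"), obj.get("namespace")
    verb = event.get("verb", "")
    rules = []

    # 1. Unauthenticated callers must get 401/403; a 2xx means anonymous access is enabled somewhere.
    if (username == "system:anonymous" or "system:unauthenticated" in groups) and succeeded(event):
        rules.append("anonymous-success")

    # 2. exec/attach/port-forward is a shell into a container, so every successful one deserves a look.
    if resource == "pods" and subresource in INTERACTIVE_SUBRESOURCES and verb == "create" and succeeded(event):
        rules.append("interactive-pod-access")

    # 3. Listing secrets across all namespaces, or changing RBAC, from an identity we do not expect to.
    if not is_trusted(username):
        if resource == "secrets" and verb in ("list", "watch") and namespace is None:
            rules.append("cluster-wide-secret-read")
        if resource in RBAC_RESOURCES and verb in ("create", "update", "patch") and succeeded(event):
            rules.append("rbac-change")

    # 4. A person (not a service account) calling the API from outside the administrator network.
    if is_human(username):
        for ip in event.get("sourceIPs") or []:
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if not any(addr in net for net in ADMIN_NETWORKS):
                rules.append("unexpected-source-ip")
                break
    return rules


def scan(lines) -> list:
    """Run check_event over JSON-lines audit output and return one alert per event that fired."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not stop the rest of the scan
        rules = check_event(event)
        if rules:
            alerts.append({"auditID": event.get("auditID"),
                           "user": (event.get("user") or {}).get("username"), "rules": rules})
    return alerts


# Constructed sample events for the example (Metadata-level records, one per line; the last one is truncated).
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/pods","verb":"list","user":{"username":"system:kube-scheduler","groups":["system:authenticated"]},"sourceIPs":["10.10.0.3"],"objectRef":{"resource":"pods","namespace":"kube-system","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/secrets/db-creds","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.7"],"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods/web-0/exec?command=sh","verb":"create","user":{"username":"alice","groups":["system:authenticated","developers"]},"sourceIPs":["10.10.4.20"],"objectRef":{"resource":"pods","namespace":"prod","name":"web-0","subresource":"exec","apiVersion":"v1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a4","stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","verb":"create","user":{"username":"system:serviceaccount:default:web","groups":["system:serviceaccounts"]},"sourceIPs":["10.244.3.4"],"objectRef":{"resource":"clusterrolebindings","name":"web-admin","apiGroup":"rbac.authorization.k8s.io","apiVersion":"v1"},"responseStatus":{"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a5","stage":"ResponseComplete","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"bob","groups":["system:authenticated"]},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a6","stage":"RequestReceived","requestURI":"/api/v1/secrets","verb":"list","user":{"username":"bob","groups":["system:authenticated"]},"sourceIPs":["198.51.100.9"],"objectRef":{"resource":"secrets","apiVersion":"v1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a7","stage":"ResponseComp
'''

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print(alert)
```

Feed it the audit log the API server writes when the audit policy is set to at least the Metadata level; the rules are deliberately simple so they can be tuned to the identities and networks of a real cluster, and the `RequestReceived` filter keeps a single request from being counted twice.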
NeuVector, SUSE’s new open-source security platform, provides end-to-end security across the software supply chain and the runtime of applications. Best of all, it’s Kubernetes-native, offering a particularly strong solution for securing containers through continuous scanning throughout the full lifecycle of a container.
NeuVector is also one of the new tools currently on the market that performs application-level inspection of network traffic. Most products capture traffic and report on it, but they typically can’t tell which applications are sending that traffic. NeuVector does this quickly and, no matter how many containers are running, typically uses only 3-5% of a CPU.
In addition, NeuVector runs directly within the cluster to observe and report on which applications are communicating with each other. With this information, it’s relatively easy to build a baseline of what normal looks like in your environment, so you can detect and investigate anomalies later.
Finally, NeuVector applies machine learning to the behavior it observes in your environments to identify potential issues.
As a result of all these features, SUSE’s tool lets you keep your Kubernetes clusters protected against vulnerabilities and exposures from a single source. Communication between applications is constantly monitored, and you can easily identify which frameworks, libraries, and other components your applications are using, a critical step when relying on open-source components and keeping tabs on your entire software supply chain.
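To show the discover-then-enforce idea behind the baseline paragraph above in working code, here is an added Python example (it is not NeuVector’s code, and not from the original article). It learns which workloads talk to which from constructed flow records, classifies later connections against that baseline, and turns the baseline into the network policies the earlier checklist calls for. It assumes pods carry an `app=<workload>` label; the namespace label it selects on is the one Kubernetes sets on every namespace.

```python
"""Added example: learn a baseline of which workloads talk to which, then flag anything outside it."""
from collections import defaultdict

# Constructed flow records in the shape a CNI or service mesh might export: one observed connection each.
LEARNING_FLOWS = [
    {"src_ns": "shop", "src": "frontend", "dst_ns": "shop", "dst": "cart", "proto": "TCP", "port": 8080},
    {"src_ns": "shop", "src": "frontend", "dst_ns": "shop", "dst": "catalog", "proto": "TCP", "port": 8080},
    {"src_ns": "shop", "src": "cart", "dst_ns": "data", "dst": "db", "proto": "TCP", "port": 5432},
    {"src_ns": "shop", "src": "catalog", "dst_ns": "data", "dst": "db", "proto": "TCP", "port": 5432},
    {"src_ns": "shop", "src": "cart", "dst_ns": "data", "dst": "db", "proto": "TCP", "port": 5432},  # repeat
]


class ConnectionBaseline:
    """Discover mode records every (source, destination, proto, port) seen; monitor mode judges new flows."""

    def __init__(self):
        self._allowed = set()

    @staticmethod
    def _key(flow):
        return (flow["src_ns"], flow["src"], flow["dst_ns"], flow["dst"],
                flow["proto"].upper(), int(flow["port"]))

    def learn(self, flows):
        """Add observed flows to the baseline; returns the number of distinct connections known."""
        for flow in flows:
            self._allowed.add(self._key(flow))
        return len(self._allowed)

    def check(self, flow):
        """'allow' if the flow matches the baseline, otherwise a violation tag saying how it differs."""
        key = self._key(flow)
        if key in self._allowed:
            return "allow"
        if any(k[:4] == key[:4] for k in self._allowed):
            return "violation:new-port"  # known pair, unexpected service (e.g. SSH between app pods)
        return "violation:new-peer"      # a pair that never talked during discovery: lateral movement?

    def to_network_policies(self):
        """Turn the baseline into one NetworkPolicy per destination workload.

        Assumes pods carry an app=<workload> label. Because each policy selects the destination pods,
        any ingress not listed in it is denied by Kubernetes, which gives default-deny for free.
        """
        peers = defaultdict(lambda: defaultdict(set))  # (dst_ns, dst) -> (src_ns, src) -> {(proto, port)}
        for src_ns, src, dst_ns, dst, proto, port in self._allowed:
            peers[(dst_ns, dst)][(src_ns, src)].add((proto, port))
        policies = []
        for (dst_ns, dst), sources in sorted(peers.items()):
            ingress = []
            for (src_ns, src), ports in sorted(sources.items()):
                ingress.append({
                    "from": [{
                        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": src_ns}},
                        "podSelector": {"matchLabels": {"app": src}},
                    }],
                    "ports": [{"protocol": proto, "port": port} for proto, port in sorted(ports)],
                })
            policies.append({
                "apiVersion": "networking.k8s.io/v1",
                "kind": "NetworkPolicy",
                "metadata": {"name": f"allow-to-{dst}", "namespace": dst_ns},
                "spec": {
                    "podSelector": {"matchLabels": {"app": dst}},
                    "policyTypes": ["Ingress"],
                    "ingress": ingress,
                },
            })
        return policies


if __name__ == "__main__":
    import json
    baseline = ConnectionBaseline()
    baseline.learn(LEARNING_FLOWS)
    probe = {"src_ns": "shop", "src": "frontend", "dst_ns": "data", "dst": "db", "proto": "TCP", "port": 5432}
    print(baseline.check(probe))
    print(json.dumps(baseline.to_network_policies(), indent=2))
```

The learning window has to be long enough to see every legitimate path (batch jobs and failover paths are the usual omissions), and the generated policies only take effect with a CNI plugin that enforces NetworkPolicy.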
Getting started with Kubernetes security
At Redapt, we have a team of rigorously trained and certified Kubernetes experts. As a SUSE Platinum Partner, we are intimately familiar with NeuVector and its capabilities and can walk your organization through the process of adopting and implementing the tool in your environments.
To learn more about Kubernetes security and where your organization may be vulnerable to attacks, reach out to one of our experts today.