Hello everyone and thank you very much for joining us today on the CNCF webinar. My name is Gal and I'm a product manager at ARMO, the maintainer of Kubescape. And today we are going to talk about one of our latest releases, the CIS Benchmark framework. This is a feature which is a direct response to requests that we received from Kubescape's community. Kubescape can automatically scan clusters and repositories against the CIS (Center for Internet Security) Benchmark. Kubescape is able to identify compliance gaps and suggest remediations, and we also monitor for any drift. Currently we support the CIS Kubernetes Benchmark version 1.23, and in the next releases we are also going to support CIS for GKE, AKS and EKS.

The CIS Kubernetes Benchmark is one of the leading frameworks used for compliance and probably one of the most comprehensive security frameworks for Kubernetes. And this is why it's the security standard for many organizations and compliance implementations like SOC 2, HIPAA, PCI DSS, SRG and NIST.

Now let's have a quick overview of Kubescape. For those of you who aren't familiar with it yet, Kubescape is a one-of-its-kind end-to-end open source Kubernetes security platform. It offers managed and unmanaged Kubernetes security risk analysis, and it does so by using misconfiguration scanning of your YAML files and your Helm charts, on your local folders, clusters, remote repositories, worker nodes and even your API server. Now Kubescape is also able to detect CVEs in your cluster's workloads or even your remote image registries, and we also offer IDE and third-party app integrations. To top it all, Kubescape also offers an RBAC visualizer to help you understand your RBAC better and take action when needed. It's open source, so everything is transparent, and you can head over to our GitHub page to try it out. You run this one line of command and that's it. It's installed and can be operated with your clusters.
And you can also use the Kubescape operator to have your environments scanned continuously. Kubescape accompanies the software development lifecycle from dev to production and helps you overcome the complexity of Kubernetes security. Kubescape offers built-in frameworks, which are collections of controls that we test against your environment, and we created a new framework containing all the CIS Benchmark related controls, so you can run it easily with a single line of command and don't have to worry about it. It's done automatically. You can even create your own custom frameworks with the controls that you think fit your environment best.

In order to scan your cluster against the CIS Benchmark, I will run the following command, which is Kubescape scan. I will mention the framework, which is CIS, and using the submit flag, I will be able to view my results later in Kubescape Cloud, which we'll see in a minute. You can see that in under a minute, I'm already getting results regarding my cluster's security risks.

Now let's head over to Kubescape Cloud. Before we check the results of our latest scan, I want to show you a little bit of Kubescape. This is the dashboard. You can see your clusters, your trend over time, the top five CVEs and the top five controls that failed across your clusters based on your latest scan. And it's a multi-cluster environment, so you can choose your cluster and where you want to work.

The next thing that I want to show you is image scanning. If you use the Kubescape operator, which is installed in your cluster, we can also scan the images in your workloads and show you the CVEs that are found on those images. This is where we show you the scan and detect different types of vulnerabilities. I can also filter and sort depending on different parameters. Looking here, you can see all the images that Kubescape found in my environment. I can filter based on severity, or on "has a fix" or RCE.
If I drill down into one of those, I see the complete list of all the CVEs that were found on this image. Because we know that this amount of CVEs is not something that is manageable, we allow you to filter for the important ones. Just filter according to what has a fix and what is an RCE, a remote code execution. If it's an RCE, an attacker can exploit it remotely, and this is something very important to deal with first. After filtering, you can see that we are down to seven. Seven CVEs is something that is more manageable, and of course we show you the CVE name, the component it was found on, the version that component had, the severity of course, and again, the important things: whether it has a fix, which version it was fixed in, and whether it is an RCE or not.

Now heading over to repository scanning, Kubescape is designed to help you detect misconfigurations at any stage of the software development lifecycle, and Kubescape can be integrated with various DevOps and CI tools. We can also scan for misconfigurations on remote repositories like GitHub, GitLab and Azure, to show you the misconfigurations while your code is at rest, before deploying to any cluster. If you look right here, I just clicked on one of the repositories that I scanned before. I can see the folders and the file names in this repository, and I also have a link directly to them. I see the file type and, again, the most important thing: the controls that failed on this repository. So I can just click on one of them and get the full results, including history, who made the commit, the hash and everything. And now I have all the information I need to fix this issue. We will be back in this view in just a minute.

Meanwhile, let's talk about registry scanning. Remember that we talked about the image scanning in your cluster?
Image registry scanning allows you to scan the images in your registries, private registries or public registries like docker.io and quay.io, even before the images are deployed on a running cluster. You know the process: you take an image, you add your own dependencies and code, you tag it, you ship it to your image registry. So your image may hold several layers, not all of which are known or visible to you. And Kubescape takes those images, whether located in a private registry or a public registry, and scans the layers that build the complete image you just uploaded. So you have a complete report of the potential vulnerabilities without deploying a single container instance of any image. And again, you can still use the severity, has-fix and RCE filters to get a smaller list, which is more manageable. So you don't have to deploy a workload or even write a single line of YAML in order to get a list of potential vulnerabilities even earlier in the development process. Or you can even assess the potential risk of using public images, preventing the vulnerabilities from reaching your clusters or your deployments, or of course your production environment.

Before I show you the CIS results that we scanned earlier, I want to show the RBAC visualizer. Now, this is an RBAC visualizer of my environment, of my cluster. I can zoom in, zoom out. I can play around with all the nodes in this graph. And I can just ask questions using the built-in queries, like: who are my cluster admins? Or: show me all the unassigned roles, which have probably been wandering around in my system for so long and no one clears them. I can also investigate a specific user; let's take the storage provisioner. So we have a user here, and this is the name of the user, and I can just say: show me all the roles that this user is related to. You know what? Show me also all the resources this user is related to. And let's lay out by type.
Oh, that's very clear right now. This is very easy to read, right? You can see the user, you can see all these cluster roles, and you can see all the resources that this user may take actions on. So this user is actually a cluster admin that can do everything on anything. I can also ask: who can list, get and watch my secrets? And it's that easy. I get the results and I see everyone that can view my secrets.

Now, I did mention the custom frameworks earlier. So if we navigate to the settings page and go to the frameworks section, you can find the pre-made frameworks that we already prepared for you, based on the NSA and MITRE guidelines and also our own best practices. But now we are talking about the CIS Benchmark. If you drill down, you can see all the controls that are related to that framework, the CIS framework in this case. But I can also create my own custom framework. And if I do that, I give it a name, I give it a description, and I just choose which controls I want to have in that framework. And later, I can scan my clusters based on that framework. So you can see right here that I have a new framework called custom. It has six controls in it, and I can just test my environment against it.

Now, let's head over to the configuration scanning page, where we will be able to see the results of the scan that we did earlier. Now, I mentioned before, this is a multi-cluster environment. So you get a full list of your clusters. And again, the trend over time is important: you want to see and understand how your work impacts the risk score for that cluster. So I will drill down into this cluster. This is the one that we scanned before. And you can see that I have all the frameworks that were scanned against this cluster. Now again, we're talking about the CIS. I can jump between frameworks, but right now we're talking about the CIS.
You can see right here that the results are organized in the same subsection order as the CIS Benchmark. So I can drill down into policies, for instance general policies, and just choose one. And now you see the results. You see the namespace that the resource is connected to, and of course the kind and the name. So I can just click on this wrench and see the assisted remediation. Kubescape offers an assisted remediation to help you understand where the issue is, what the issue is, and how to fix it. So if I go to line 41, I just click here. You see that according to the CIS Benchmark, this line should be added to the YAML file. Now I can also share this issue right from here to Jira or Slack. I can just choose the best DevOps team ever, and they get all the information they need in order to fix the issue right in their Slack channel. If we go back to the configuration scanning, I can also share from here the entire list of resources.

And that's what I wanted to show you today. Now there's a lot more to say and show about Kubescape. So I encourage you to try it out. See how easy it is to scan, to fix, to make your environments compliant. You can join our communities on GitHub and on the Discord channels and be part of Kubescape. Thank you very much for listening.
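The RBAC questions the speaker runs in the visualizer ("who can get, list and watch my secrets?", "who are my cluster admins?", "show me the unassigned roles") come down to walking Role/ClusterRole rules through their RoleBindings and ClusterRoleBindings. The script below is an added example written for this page; it is not Kubescape's implementation and makes no claim about how its visualizer works. It assumes objects in the shape of the `items` returned by `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`; the objects in `SAMPLE_OBJECTS` are constructed for illustration, not taken from a real cluster. Two things it gets right that a naive grep for "secrets" gets wrong: a RoleBinding that references a ClusterRole grants that role only inside the binding's namespace, and `*` in `apiGroups`, `resources` or `verbs` has to be treated as a wildcard rather than a literal.

```python
"""Answer RBAC "who can ..." questions from Role/ClusterRole and binding objects.

Example code added to this page; not Kubescape's code. Input format assumed to be
the `items` of `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`.
"""

CLUSTER_WIDE = "cluster-wide"

# Constructed sample objects (not from a real cluster). Deliberately includes:
# a RoleBinding that points at a ClusterRole (namespace-scoped grant), a Role that
# grants only "get" on secrets, and a ClusterRole nobody binds.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "config-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "vault-secret-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "vault-agent", "namespace": "kube-system"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-secrets", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "payments"}]},
    {"kind": "RoleBinding", "metadata": {"name": "cfg", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "config-reader"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]


def _role_key(kind, name, namespace=""):
    # ClusterRoles are not namespaced, so their key ignores the namespace.
    return (kind, namespace if kind == "Role" else "", name)


def index_roles(objects):
    """Map (kind, namespace, name) -> list of PolicyRules for every Role and ClusterRole."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            roles[_role_key(obj["kind"], meta["name"], meta.get("namespace", ""))] = obj.get("rules", [])
    return roles


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, resource, api_group=""):
    """True if one PolicyRule grants `verb` on `resource` in `api_group` ('' is the core group)."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_id(subject):
    """Stable display name: ServiceAccounts are namespaced, Users and Groups are not."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount:{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}:{subject['name']}"


def bindings(objects, roles):
    """Yield (subject_id, scope, rules) for every subject of every binding whose role exists.

    A RoleBinding scopes even a ClusterRole to the binding's namespace; a
    ClusterRoleBinding is cluster-wide. A dangling roleRef grants nothing.
    """
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = obj["roleRef"], obj["metadata"].get("namespace", "")
        scope = ns if obj["kind"] == "RoleBinding" else CLUSTER_WIDE
        rules = roles.get(_role_key(ref["kind"], ref["name"], ns))
        if rules is None:
            continue
        for subject in obj.get("subjects", []):
            yield subject_id(subject), scope, rules


def who_can(objects, verbs, resource, api_group=""):
    """Sorted (subject, scope) pairs for subjects holding *all* of `verbs` on `resource`."""
    roles = index_roles(objects)
    grants = set()
    for subj, scope, rules in bindings(objects, roles):
        if all(any(rule_allows(r, v, resource, api_group) for r in rules) for v in verbs):
            grants.add((subj, scope))
    return sorted(grants)


def cluster_admins(objects):
    """Subjects bound cluster-wide to a role allowing every verb on every resource in every group."""
    return sorted(s for s, scope in who_can(objects, ["*"], "*", "*") if scope == CLUSTER_WIDE)


def unbound_roles(objects):
    """Roles and ClusterRoles that no binding references (the 'unassigned roles' query)."""
    roles = index_roles(objects)
    referenced = {
        _role_key(o["roleRef"]["kind"], o["roleRef"]["name"], o["metadata"].get("namespace", ""))
        for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")
    }
    return sorted(k for k in roles if k not in referenced)


if __name__ == "__main__":
    print("can get/list/watch secrets:", who_can(SAMPLE_OBJECTS, ["get", "list", "watch"], "secrets"))
    print("cluster admins:", cluster_admins(SAMPLE_OBJECTS))
    print("unbound roles:", unbound_roles(SAMPLE_OBJECTS))
```

On the sample data, `bob` shows up for "who can get secrets" but not for "who can get, list and watch secrets", because his Role only grants `get`; the `ci` service account shows up with scope `payments` rather than cluster-wide, because its ClusterRole arrives via a RoleBinding. The script deliberately leaves out ClusterRole aggregation (`aggregationRule`), `nonResourceURLs`, `resourceNames` restrictions and the implicit `system:masters` group, so on a real cluster treat its output as a starting list, not a complete one.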