Hello everyone, hola. My name is Simar, and I'll be talking about how to automate your incident response for cloud-native risks using Postee. I'm joined by my co-host today, Carolina. We work at Aqua Security, a leader in the cloud-native space. So this is the agenda for today. We'll briefly talk about what security implies, what it shouldn't imply, and some of the challenges in the space. We'll go over what SOAR actually means and what we plan to achieve with it. And in the end, we'll go over some demos. So you might have heard that security is a need, not an option. You must bake security into all your products from day one. It cannot be an afterthought. It doesn't work if it's an afterthought. You must shift left. Some of you might not be familiar with this term, but essentially, this is moving security closer to the active development of your software rather than, again, being an afterthought. And we've all heard the famous "patch the servers, patch all the servers, and it has to be ASAP." Hopefully, you never get to see a zero-day, but that's basically what the situation looks like when you have one. So what is security, you might ask. If you were to go and look for the definition, it's essentially the state of being free from danger or threat. Well, this is a general definition of what security could mean. It does, and it should, translate very well to the cloud-native space that we're working in. So you might wonder, how do I get into a state that is free of danger or any threats? Let's take a look at the cloud-native landscape for a minute, and let's see if you're able to figure out how many software projects on this landscape directly or indirectly focus on security, monitoring, observability, and automation. So if you had any guesses, you would find your projects in the highlighted boxes, and that's a lot of them that you see there.
So having said that, maybe we should try to answer this question of what security is by eliminating our options and answering what isn't security. So using more security projects or adding more layers just for the sake of protecting yourself is not security. We've all heard of security by hiding stuff from the audience, from the user: security by obscurity doesn't work. Reducing accessibility for the users to achieve your security also doesn't work. And most importantly, for the purpose of today's talk, it should never mean that a security person at a company is the alert management team; security should never translate to alert management or alert ops for operators working at a company. So while I was preparing this talk, I decided to dive into this topic of what the DevOps realm looks like today around the security space. And I ran into this post on Reddit to highlight. It's a bit shocking and a little sad to see that someone working in the space as a DevOps person is having to deal with such a situation. So let's lay the groundwork that alert fatigue is real. It's a problem. We need to tackle it. The sooner we do, the better it is. Otherwise, you'll see and be very familiar with stuff like this. And yeah, it's not a good place to be. So PagerDuty, the people who would really know about the alerting and monitoring space, have published a series of blog posts on their website that talk about what alert fatigue is, the problems associated with it, and how we actually get there in the first place. So I do encourage you to check that out. It's a great series. The link is on the slides. But the TL;DR is we need to do better. The status quo of security and the endless reports from different scanners is just creating more noise, and more noise does not necessarily equal more security.
So if we talk about alert fatigue and take the alert part of it for a second, a good alert should possess all these qualities. First and foremost, it should be actionable. You do not want to get a page in the middle of the night and not know what to do with it. It should be descriptive enough that all the information you need is self-contained within it, so you know what to do when you get that page. It should also have certain set thresholds. You don't want a page for every tiny little detail on a Friday night while you're enjoying a party with your friends. That stuff, if it's not too important and not going to cause a meltdown, can, or might, or could wait until Monday. And most importantly, it should go to the right people. There's nothing worse than getting a page and then bouncing it off to another team because, quote unquote, you're not the right person for it. But in our definition, an ideal alert should be all of those, plus it should be automated. You should get an alert that something's gone wrong, but you should not need to handle it. It should take care of itself, and the operator is essentially a passenger watching the series of actions and events unfold that are related to the alert. So if you put the two together, what is alert automation? Well, it should be self-healing. I just described that an alert should essentially take care of itself. In other words, we're basically automating the quote unquote playbooks that exist today in the DevOps world, where a series of steps is defined in order to achieve a certain task upon the arrival of an alert. So for today's talk, if we go back to its title, it's SOAR with Postee. And for those of you that might not be familiar with what SOAR is, it's an acronym that stands for Security Orchestration, Automation and Response.
So combining all these things together, a system that works should possess all these qualities to handle your alerts and manage them. I feel the picture explains it a lot better. In this case, you can see you have all your security technologies: your firewalls, your antivirus, your vulnerability scanners. All the outputs from those wonderful tools can go into the SOAR system. What SOAR essentially does is what a team would do manually. So it's not magical. It's nothing new, other than the fact that this is a category that, if defined well, can work wonders in this space. So SOAR will triage and analyze the incidents that are coming in from your security tooling and essentially, as any system would, act on the inputs it receives and interact with external applications. That could be paging you, creating a ticket if it's not too urgent, sending a message in Slack so there is more than one person that can be alerted for something that might get missed, or sending you an email. As vanilla and plain as it may sound, emails work. So without further ado, I would like to introduce Postee. You might ask, what is Postee? It's essentially a combination of what I've talked about today. It's a message routing system: it takes inputs, looks at what to do with them, and sends them out to something else. We have policy-based routing using OPA and the Rego language. So you can essentially define your own policies and tell Postee what you want to do when you receive a certain kind of event. And more importantly, it can also enforce stuff for you based on the alerts that you receive. So that's the third aspect of it, remediation and response. So if you try to fit Postee into the previous diagram, essentially you take in all the inputs from your vulnerability scanners, from your Kubernetes operators like Trivy Operator, from your system-level daemons like Tracee looking for malicious behavior, vulnerabilities, and whatnot, and pipe all of that into Postee.
Postee is going to triage, like I mentioned, and the triage happens using Rego evaluation in OPA; it will categorize the events and essentially act based on the policies you've defined to take certain actions, like creating a ticket, sending an email, or even terminating a malicious process on your host if that's the policy you've defined. So if you've not understood any of that, I have an ELI5 picture for you. You can take in any tool. It will send an alert, create an event. Postee is going to take that and do stuff with it. Simple input, simple output. So how can Postee help? Well, as we've discussed, it can field alerts for you, essentially. Postee is available all day. You can go enjoy a party on Friday night; Postee is going to handle the stuff for you. It can automate those playbooks on your behalf when an alert happens. And the overall picture is to, in general, reduce the operator overload so you can deal with the more important stuff. For the routine stuff, let's say your server crashed because of a hard drive failure. That sends out an alert. Postee takes it and could do a remediation like scheduling another EC2 instance in place of the one that died. Very simple tasks. And you can make it more complex and suited to your needs as you go. So there's talk, and talk is cheap. I think the best way to demo Postee will be with a demo. So I'll introduce Carolina, and she'll go over a demo of Postee with our tools and how you can configure and use it. So, Carolina, over to you.

Well, thank you, Simar. I will continue by showing how you can integrate Postee with security tools. For example, here we have Trivy. As you can see, Trivy can find vulnerabilities in container images, file systems, git repositories, or even can find misconfigurations in Kubernetes and Helm charts. It can analyze CloudFormation and Terraform, and also secrets and licenses. And I will use the results of Trivy to integrate with Postee. For example, I will analyze my Docker image. That is an Alpine image.
And I will run my Trivy in GitHub Actions. It could be any other CI; it could be Jenkins, GitLab. And this result, I send to Postee. Because if I find some critical vulnerabilities, I would like to notify my security team. That's the target. So, here is the project. You can take a look; I put all the steps. And I will run the GitHub Actions. We have this Slack channel. I will only put some mark to notice that I am receiving a new notification. And I will run my workflow with my demo. So, as you can see, you will see here that in one of the steps I am running Trivy. I'm running Trivy using GitHub Actions, the Trivy Action. And after I have the results, I will send them to Postee. Postee can support any event. You could send any event to Postee. And this is sent. And if I go back to my Slack, I receive the notification because in this image, I found some critical vulnerability and I want to notify my security team. I will show here some steps. For example, here is the Postee user interface where I defined my routes. You could define many routes. I have only these two routes because I am doing these two samples. And here is my route. Basically, we're using OPA to define the rules that you want to apply to your input. In this case, the input for Postee was the Trivy results. If I find some critical vulnerabilities, I want to be notified. I want to take actions for my Slack team. It could be any other third party like PagerDuty or Jira that you could set here. And you will be notified after the rule matches. So here is the demo about Trivy with Postee. Any doubt that you have, please ask. The repository will be public. It's public already. So you can ping me if you have any doubt to be cleared up, or any other idea that maybe you are thinking about: how you need the result, or what you need to integrate, or how you are using it in your organizations. Here you have it; yeah, we already saw it. I will go to the next sample, which is Tracee.
So Tracee is another security tool that helps us to detect suspicious behavior at runtime. For example, in the previous demo, we were at the build stage. We are building our image. This image will be published in some Kubernetes cluster. And this image will be a container that is running. And anything could happen when you are in production. So Tracee will help us to protect or detect these kinds of bad behaviors that could happen in our production or in any other environment at runtime. Here also I have this repository with all the steps that you can reproduce. Basically, I will go here to my channel first. I will go to my Tracee channel. And also I will put some mark to notice that a new message is coming. And here I installed, in my environment, a Kubernetes cluster. Basically, I have Tracee and Postee installed. Then I have this pod that is a demo about generating a fileless event. Fileless is a technique to run some process in memory. And when you run it in memory, maybe some antivirus cannot easily detect it. It's an advanced technique. So if some hacker or some malicious actor could run, for example, malware using this fileless technique, it could be very hard for your organization, because there is no track or evidence that you will notice if you don't have a tool prepared for that. OK, I will run here. Basically, I am running... I will run this. I will force generating this event inside of my container. So as you can see, I am basically running Vendate, which was executed. But the mode in which it was executed is fileless mode. So this process was executed in memory. That's the reason that Tracee detects it, using the signature about fileless execution, and detects that someone tried to drop some executable at runtime. This is like a suspicious event. I will show also how the configuration in Postee was in this case. I receive the Tracee event and the rule that is using OPA.
Basically, if I find any signature or security signal that Tracee sends us, I will be notified in my Tracee channel. All the steps are here; if you have more doubts, please contact us. And here is basically what I was explaining: if you have some malicious behavior, Tracee could help us to detect it because it's a runtime tool. And here is all the demo, so it's OK. And here are the projects. If you want to know more, we have also Slack channels, so please go there. If you have also some doubts or any other ideas about how you need to use it in your organizations, please share with us. Thanks so much for watching, for being with us, for your attention. I hope to see you. Thank you also, Simar, and all the CNCF organizations.
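As an added illustration of the triage-and-route idea the talk describes (take a scanner event, apply a per-route policy with a threshold, and send an actionable, self-contained message to the right target), here is a small Python router. It is example code written for this transcript, not code from the talk, from Postee, or from Trivy: Postee evaluates Rego policies in OPA, whereas this example expresses the same kind of rule in plain Python. The `Route` type, `route_event`, `qualifying_findings`, `build_message`, the route names and targets are all assumptions, and the Trivy-style report embedded below is constructed, with placeholder CVE identifiers that are not real vulnerabilities.

```python
import json
from dataclasses import dataclass

# Severity order used for threshold comparison ("at least HIGH", etc.).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Route:
    """One routing rule (hypothetical shape, not Postee's config format).

    `target` is a label for the output (Slack channel, Jira project, pager);
    a real router would map it to an integration.
    """
    name: str
    min_severity: str   # lowest severity that counts toward the threshold
    min_count: int      # how many qualifying findings before the route fires
    target: str


# Constructed Trivy-style JSON report. The CVE identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.local/demo-alpine:latest",
    "Results": [{
        "Target": "example.local/demo-alpine:latest (alpine)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "toolx",
             "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "toolx",
             "InstalledVersion": "2.3.0", "FixedVersion": "2.4.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libz",
             "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
        ],
    }],
})

# Two example routes: any CRITICAL finding goes straight to the security
# channel; HIGH findings only open a ticket once five or more pile up, so a
# couple of HIGHs on a Friday night page nobody.
ROUTES = [
    Route("critical-to-security", "CRITICAL", 1, "slack:#security"),
    Route("high-backlog-to-jira", "HIGH", 5, "jira:SEC"),
]


def qualifying_findings(report: dict, min_severity: str) -> list:
    """Return findings whose severity is at or above `min_severity`."""
    floor = SEVERITY_RANK[min_severity.upper()]
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            rank = SEVERITY_RANK.get(str(vuln.get("Severity", "UNKNOWN")).upper(), 0)
            if rank >= floor:
                found.append(vuln)
    return found


def build_message(report: dict, route: Route, findings: list) -> str:
    """Render an actionable message: what was found, where, and the fix."""
    artifact = report.get("ArtifactName", "<unknown artifact>")
    lines = [f"[{route.name}] {len(findings)} finding(s) >= {route.min_severity} in {artifact}"]
    for v in sorted(findings, key=lambda v: -SEVERITY_RANK[v["Severity"]]):
        fix = f"upgrade to {v['FixedVersion']}" if v.get("FixedVersion") else "no fix available yet"
        lines.append(f"  {v['Severity']:<8} {v['VulnerabilityID']} {v['PkgName']} "
                     f"{v['InstalledVersion']} -> {fix}")
    return "\n".join(lines)


def route_event(report_json: str, routes: list) -> list:
    """Evaluate every route against one scanner event.

    Returns one dispatch record per route that fired (target, finding ids,
    rendered message). Routes whose threshold is not met are dropped
    silently, which is the noise reduction the talk is after.
    """
    report = json.loads(report_json)
    dispatches = []
    for route in routes:
        findings = qualifying_findings(report, route.min_severity)
        if len(findings) >= route.min_count:
            dispatches.append({
                "route": route.name,
                "target": route.target,
                "ids": [v["VulnerabilityID"] for v in findings],
                "message": build_message(report, route, findings),
            })
    return dispatches


if __name__ == "__main__":
    for d in route_event(SAMPLE_REPORT, ROUTES):
        print(f"-> {d['target']}\n{d['message']}\n")
```

On the constructed report only the critical route fires: the two CRITICAL findings produce one message for the security channel, and the four HIGH-or-above findings stay below the Jira route's threshold of five. The message carries the artifact, the package, the installed version and the fixed version, so the person receiving it can act without opening the raw report.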