Hello everyone. Good morning. It's 10 on the dot; that will just give everyone maybe a couple more minutes to join. I pasted a link to the meeting notes, and I noticed quite a few people on the call, so if you want to go down there and put your name down, that'll be great. And thank you, Ash, for volunteering to be the scribe today.

All right, maybe we'll start in just a minute. All right, I think we've got quite a few people on, so why don't we get started? Welcome, everyone. I guess happy new year to kick off the first meeting for 2021. We've got quite a few people on, so that's great. So this is my first time hosting the meeting, you know; it's so much easier to be in the audience than to host it, but bear with me as I walk us through today. Firstly, is there anyone new to our group who'd like to quickly introduce yourselves? Okay, I'll take that as a no. And if not, are there any items that anyone would like to bring up before I go through the roll call and call out if anybody has any updates or items that you'd like to talk about? Okay, in that case I'm going to call on Emily. I know you probably want to ask people to take a look at PRs. Emily, would you like to say a few words on that?
Yes, so just a quick reminder that the tech leads and the co-chairs are not the only people that can look at PRs. We would like everybody that's part of the SIG, and even folks that are looking to join, to go ahead and review the PRs that currently exist. Sometimes it's good to just have a fresh set of eyes go over something that I've been working on, or Brandon, or anybody else has been working on, to get that second opinion and make sure that we're not going down the wrong tunnel. So if everybody could take a look at some of the PRs that we have in there, and if you've looked at it and it looks fine, just drop a comment on the PR letting them know that it looks good to you. Things to pay attention to, if you're new to this, are language, grammar, spelling, making sure that it's in alignment with how we would like to see some of the content laid out, so text wrapping at 80 characters, spelling, those kinds of things. So that's the first thing about PRs. The other piece is that we have a ton of issues.
We have 94 current open, active... well, 94 open issues; a lot of them are inactive. So if you're new to the SIG, or if you've been around for a while and there's something that you want to take a look at, there are quite a few inactive issues that we'd like to drum up attention to, to determine whether or not they're still valid, if there's still interest. I know we have a couple of great projects upcoming that are planned, but some of these issues are relatively small and can be knocked out very easily and help clean up our queue. So if everybody could jump in the repo and take a look at those issues and those PRs, that would be fabulous.

Sorted by oldest first? Preferably, yes.

Yeah, that's a good point. Thanks a lot, Emily. And that's on me as well; I have a couple I'd like to talk about, maybe I'll come back to it. But maybe, I know Brandon has something that you'd like to talk about. Brandon?

Yeah, happy new year. I think the main thing that I wanted to just highlight, so that people know: last year, in December, we mentioned a little bit about the security landscape, and we also discussed that in the new name; maybe that gives the best way to describe it. So we are going to be kicking off that work next week. There is an issue that's open; let me get it here. So I scheduled a kickoff meeting just before our regular weekly meeting. If you're interested in helping to look at the landscape or contributing to it, definitely just leave a comment in that issue and I'll send you an invite to that. Other than that, the security assessment issues are going well. We have a couple of folks there looking into each of them, so hopefully within the next few weeks we can present some of the proposed changes. Yeah.

Great. Thanks, Brandon.
So just to reiterate that, I think, for the purpose of, you know, if you're interested in any issue and if you'd like to partake and contribute, just please call yourselves out on those tickets, and then the respective people will loop you into, I don't know, maybe a private Slack chat or a Slack room or something, and then we can kick those off. And I noticed today that there are no other updates or topics that we want to talk about, so: I had opened two PRs towards the end of last year, and Emily had warned me that I was being very ambitious, and I completely dropped the ball on it. I was exhausted towards the end of the year, but here we are, brand new year; hopefully we can take it off. And the two issues that I had called out, and I think I've gotten some feedback on those PRs (thank you to everyone who responded), are kind of like a webinar, like a round table, to talk about the cloud security white paper. So what I'd like to do, I think, which is in line with what we've been doing, is I'll create a new Slack channel to call out all the people who have expressed an interest, so that we could have some chats around it and figure out how we can make that happen. So that's one, and the goal of that, just real quick, is to amplify the message of the Cloud Native Security White Paper. I think it's a fabulous artifact; there's so much interesting stuff, but we want to make sure that people are aware of it and understand the objectives and the key takeaways. And so the more that we can do to amplify that message, I think, would be great. So I will do that. And the second thing is we also talked about doing some double-click kind of blogs. I know there was one blog that summarized the entire landscape of the security white paper, but then I think there's plenty of opportunity to break it up.
So I created another PR, and I know it's on me to actually provide a little bit more context around that. I'm going to do that, and I have also seen some people express an interest. I believe it's 495 and 496. At the end of the meeting today, maybe I will reference it in our security chat. But those are two things that I will definitely be kicking off, and hopefully we can all collaborate and get that off the ground. So those are the two things that I wanted to talk about. And, I don't know, maybe I got first-time lucky; this might end up being one of our shortest meetings. But is there anything else that anybody would like to talk about?

So can I add a quick question on the two issues that you brought up? Yes. The second part, where we want to do micro blogs: was there an issue about updating the paper with more content as well as version two? Yes. Is that a separate issue from this? Yeah, I believe so. I think that is a separate issue. All right. Got you. Okay. Yeah.

So there's actually a few issues that are open about the white paper. There is the retrospective that Pushkar had opened up on it. There's the micro blogs. There's the webinar, and then there's the breakout topics one, which is 495, and that's the one that you had submitted, and I had tagged and related it back to the retrospective. So there's a few of them that are all in that same realm, and I think it would be good to solidify that group, either through the current white paper channel or anything related to that, or just creating a separate planning channel. And Vinnie, you could probably use the SIG Security events channel for planning that webinar and having that conversation. We currently use it for the security day, but it's not restricted just to security day. So there's also that. I think, Brandon, we already have a label for the white paper, right?
Yeah, we do. Yeah, so we can go through and add those labels to the corresponding issues that are all related. Emily, that's a great point. Does it make sense, at the risk of creating yet another issue, to actually... how do we correlate all these related issues? How do we typically do that? Usually it's through the labeling schema and commenting them together. So I think adding the label to them all will certainly help that way, for anybody that's looking for anything related to that topic; very similar to how we did the assessment process labels. Got it. Yep. No, I will definitely do that. I think right now we have like four or five issues. I will take a stab at that and get that done today. Yeah, and also if you see, organizationally, that it is becoming a little bit dispersed and difficult to manage, we also have a project tag, and we have a project bot that, for bigger efforts involving more people, we use to track. So if that happens, you could create a kind of meta issue, and then we can label that as a project, and then it may be easier to keep track from that. Awesome. Yeah, I like that too, Brandon. Maybe I might need your help on that. Is it just create an issue, and maybe either you or Emily can make it into a project? Is that how that would work? Yeah, so the main idea is, there has to be a definition of what the project is; it has to be like a defined piece of scoped work, with a timeline that we can track off. Okay. Yep. That's a good idea. Thank you. So yeah, that's great. I will definitely go and clean that up, correlated so that everybody has visibility into all the related issues, and we can go from there. So may I have one more time? Sorry?
Yes. I'm going to hold you. So one of the topics I wanted to discuss was, I don't know if you need to create an issue for this, but I came across this MITRE framework for Kubernetes, and how we can expand on that in our white paper in the next version. So do you guys think that'll be helpful? I feel there is a huge gap in the detection side of Kubernetes platforms today, and correlating information from different bits and pieces is really hard. So having that view of what the dark patterns are and what data is required to correlate and script together, to be able to see and tackle in an environment, I think that'll be very helpful from an enterprise perspective.

So the white paper we wanted to remain project- or technology-agnostic, even though Kubernetes is like the thing that everybody is using. But for the Kubernetes detection issues, that might be something that's good to do with the Falco project and the Kubernetes security SIG, just putting together a group to focus on those. There was an article from one of the community members of Falco that talked about Kubernetes detection and runtime security. I'll see if... yeah, that was Kaizhe. So Kaizhe is one of the security researchers at Sysdig.

Yeah, I mean, in terms of the MITRE ATT&CK framework, those are the sweet... So I was part of that, and so, to be with her, we wrote that because of a requirement from an investment bank that wanted to have something mapped to it. I don't know if that could be something that could be more widespread; that's obviously more for the group here to decide if that's the case. But it is an amazing framework to say, here's the logic that could be put here. I just guess I'm trying to understand what the end goal of it is. Is that to be our best practices in the white paper? That's, again, as Emily said, a diagnostic piece there, or what are we trying to do with the MITRE ATT&CK framework, really?
So I probably would be... we were having this discussion a little bit, that there were quite a number of issues that came in and said something like, a best practices, or, he is like, he has a playbook, I'm looking for a playbook for security. And I think the general discussion has always been that it always varies depending on what environment you're in, and also I think that it is difficult for us to maintain that list for a different set of technologies that are very agile and keep changing. I think we can provide a page to reference all this material, but I don't think that it is in scope for us to maintain. And Magno has a good point in the chat here. I mean, if it's not an official framework, I think the tack we should have, and again in my humble opinion, is, like you said, basically to have links to things that could be used. But basically, do we want to advocate a specific one? I don't know if that's something we want to specifically do. Or how about this? I think that's a great point, which is: do we want to consider like a git repo or sub-git repo or something like that, with a whole bunch of collated links that would be helpful in general? There was an issue going back, I think about the microsite, and part of the microsite was this thing about education, and then it had resources, as well as some additional information on how to do certain aspects of security. So maybe if we want to start up the discussion again, we should continue the conversation in the issue. Let me find it and I'll put it in the chat. It's issue number 110. Oh boy. All right, going back 300 issues. So yeah, there is an issue, issue number 110.
It's for a microsite. It's something that we had talked about before, and I believe, Vinnie, I had mentioned it to you as being maybe a good place to do micro blogs for this SIG. Okay, but I'm going to post the link for it in the chat. So this is something that we've been wanting to do for a very long time, and there's a potential for a plethora of content, so I don't want to lose track of this particular discussion. But if folks are interested in the microsite, there's an issue you can sign up for. But I think a collective resource for, not necessarily specifically Kubernetes security, but anything associated with cloud native security documentation, resources and blogs, frameworks as well, that goes just that extra step beyond for somebody that wants a singular repository of where to go to look for things, because I've seen tons of cross-posts in various Slack channels and Slack workspaces about, hey, this is how I collect and manage all of my Kubernetes-related security information or Docker information, and so on.

Right, awesome. Just to weigh in... Yeah, go ahead, Robert. Hey, in answer, I don't know who, I think it was Dan, who asked the question: what is the goal of putting MITRE or any framework, lowercase f, into the white paper? I have used that, not in the specific context of Kubernetes, but in two different clouds, for mapping incident response, both in the preparation for incident response, tabletop exercises for incident response, and then actual incident responses, and of course for risk assessment, so proactively assessing risk and then retroactively, postmortem, assessing risk. So we happen to use the MITRE framework for both Azure and AWS clouds. But lowercase-f framework, any framework, I think, is a useful concept or tool for doing those types of activities. Yeah, so I'm kind of aware. I'm just... one other thought. I'm sorry, I cut you off. Go ahead, Magno. Apologies. Yeah.
No, I just want to add to this. I've seen this Kubernetes MITRE framework for a while now; it was released by Microsoft like April in the last year, right? So it's not, as I said in the chat, it's not an official framework, right? But MITRE has put out a blog post recently asking for help from the community and companies. So we can either reach out to them as the SIG Security group or with your individual companies; that's one of the things that we're doing here. And yeah, they're trying to create either a MITRE framework for containers in general, or having both, one for containers and one specific for Kubernetes. So maybe a cloud native MITRE framework would be a good idea to start. I don't know. So yeah, that's just my thoughts there.

So, just to clarify, my thought was not like, hey, why are we doing it? It's more like, why are we deciding the specifics here? And so that's great. I think it's where the MITRE ATT&CK framework is a great framework; if it's not adopted, like if it doesn't have something specific, as you said, to cloud native, I think that's something that we maybe should somewhat get involved with, but we shouldn't advocate anything specifically unless it's a standard that everyone wants to adopt. I guess it's a very wishy-washy answer there, but I don't know if we want to draw a line in the sand on something that hasn't been advocated out there. So.

Yeah, what I like about the framework is that they focus on real-world scenarios, right?
So they only add stuff that they see in real-life attacks or honeypots and stuff. So that's what they're looking for help with. So, yeah, I think it's a great framework, and if we can provide any guidance or help or any data for them, it would be very helpful for the community as a whole.

I mean, my sense over there is, even looking at that Microsoft blog post, at least the one that I posted there, in this whole space people are still learning, people are still trying to understand it. So it's really good for them to understand all the different threat vectors and then the way the threats progress, and so on. And I understand it's not officially official, but maybe we can make it into some other type of threat framework and not call it a MITRE framework, but just to help educate the community around generic threats for, I don't know, Kubernetes and containers. Maybe that's a thought.

One of the things, I'm sorry to bogart the meeting, but I have one thought here. I'm also in the CNCF Financial Services User Group, and they're looking for a specific set of guidelines from a security perspective. And if security is the one that's the overarching saying, this is the one that we think is, you know, whatever it is, I think we have to basically put our line in the sand at some point and say, yes, we're going to support the MITRE ATT&CK framework, and here are some great concepts that you all want to use out of the box, right?
It's, again, vendor agnostic, because every vendor is going to be able to have MITRE ATT&CK framework discussions; it's up to the end user to choose what those things are. So I think, yeah, at some point we should probably have a working group and figure out, if we haven't already, what it is, what these things are, and standardize on it, and help MITRE if we need to. That's my two cents.

In a way, the framework of choice is going to depend on where people are coming from, how much time they have available and what the scenario is. Someone may opt for, like, oh, we're going to do ssri; we don't need to do full-on MITRE. So it could be, hey, look, these are all the frameworks that are out there; they're great, they're proven to work, here are the considerations of one over the other; apply whichever is applicable, and give an instance. We don't need to get behind a particular one, but I think our goal is to educate and, in turn, say, hey, depending on what your objective is, you may evaluate among these and choose one over the other for your project or for the implementation of that project.

So in the past we've talked about creating threat matrices, or assisting projects in doing a threat matrix for themselves as part of the security assessments. And when we were doing the Cloud Native Security White Paper, we talked a little bit about threat assessments and how much of that content should go into the white paper, and I think that it might be beneficial to have that as one of the breakout topics. That way we can move forward in that space, because I've also seen requests for that same information, and perhaps having it broken out, I think Aradhna had mentioned, at the CaaS and the FaaS level would also be beneficial. So not just orchestration and containers, but also going down to serverless too. Yeah, go ahead, Robert, your hand is raised. Oh, no, that was from before.
I guess I... oh, okay. So I think, no worries, I think maybe this calls for another ticket so that we can collate all our ideas and put them together, because I know these are fantastic ideas, but that's just the best option, where we put down all our ideas, collated, have a separate working group, and then figure out how we can converge and land somewhere that's useful for the community. So I'll create a ticket, Vinnie, since I started the conversation. Yeah, that's great. Well collaborated. Thanks. Sure. Thanks, Aradhna.

Lingering thought, Vinnie: when Justin Cappos did the attack matrices for SPIFFE/SPIRE two, three years ago, the team met every Wednesday, every week throughout a year, and they came up with this exercise that was informed by many methodologies, but everything was just thrown out of the window, and every single person came from a different background and had different opinions. So perhaps we can exemplify that: actually get people who are using different frameworks and are producing or extrapolating from all of it, and coming up with something better ultimately that can be like a basic security approach. Yeah, I like it, Andres. Yeah, that should definitely... please make sure to put that down there. I like it a lot. Aradhna, would you be able to link this SPIFFE/SPIRE assessment as kind of like an example within the issue? I will, sure. Thank you.
Awesome. So it's a bit of a different suggestion here, but maybe we should invite somebody from MITRE to come talk to the group, because... Great idea. My company has an NDA with them, and they've got two divisions: one is to exploit industrialization, commercialization things; the more researchy folks are working on a unified ontology for cybersecurity, which I know is separate from this threat landscape stuff, which tends to be more practical. In our organization the ops people are very focused on the attack surface and reconciling the telemetry from our tooling into the threat, but across information security more broadly, and especially looking at DevSecOps, the threat matrix is not well integrated; the MITRE framework for the attack surfaces isn't quite as well integrated. So what I am trying to say is that other folks at MITRE are interested in broader issues, as we are. So it might be interesting; I could extend an invitation to see if we could get somebody to talk there. They're very cagey; maybe other people on the call have talked to them. They're an FFRDC, but they're reluctant to talk about things that they think are proprietary, even though it's federal dollars often that are just promoting the work that they're doing. So it can be frustrating to talk to them, but there's a lot of interesting work there that they're trying to do, and if you try to do automation of brown security, you're going to find yourself trying to do things with UCO or one of the MITRE taxonomies. So if we're on the forward-looking aspects of the work we do here, it might be at least good to invite them, so they're aware of what we're doing too. Yeah, Mark, that's a great point.
I do have some connections at MITRE as well through NIST, so I'll reach out to them as well and see if they are interested in working with us on this, and then get back to the team and/or include them in the discussion. So, I know Magno made a comment: we can reach out to the MITRE ATT&CK for Containers team lead, who was the one that posted the blog. Do you want to elaborate on that, Magno? Sure. Yeah, there's a link to a blog post that MITRE Engenuity posted on December 17 in the chat there; I can post it again. So Jen Burns is the one that's leading this MITRE ATT&CK for Containers. I've reached out to her already, for us to provide some data and information related to what we've seen out there in the wild. But yeah, I have her email and we can definitely contact her and ask her to join in a next meeting or any other date. Yeah, I think that's a great idea. I mean, the more input that we can get from those folks, to figure out how exactly we can collaborate, and once again, for me, making it really useful for the community to understand this, the better. I think, yeah. And once again, please feel free to put that down in the ticket that Aradhna is going to open on this as well. Sounds like it's lining up as a series of great guest speakers. Speaking of great guest speakers, we actually have a presentation scheduled for our next meeting on software factory from Jonathan Meadows, so I just wanted to let everybody know that. Yep, perfect. Yeah, I think we also have a string of good presentations this month. I think on the 20th we also have the Rekor project, which is on signing transparency, similar to certificate transparency. So it sounds like February is another good month for lots of presentations. Is that the Rekor, Brandon? The Rekor, Rekor, Rekor. Okay. Yeah. Yep, so we've got it lined up for the next couple of weeks. Awesome, guys. That was a great discussion here.
I'm looking forward to what we do with the MITRE framework in the context of containers. And, you know, going around one last time: anything else that you guys would like to talk about? If it's the last option, I just mentioned that we did have our Policy Working Group meeting. We have those at 8 a.m. Pacific every other week on Wednesdays. I think that there's some magic process that occurs, because we use the same Zoom, and I'm not sure how it gets archived, but I think there is some process that can occur to archive those videos. So I'll follow up; Jim usually handles it. I don't think he's on right now, but we'll try to post that, and there's a Google Doc with the agenda notes. Today's talk: we had a presentation about mapping... the Policy Working Group has produced a Kubernetes CRD for policy report output, and the presentation today was about mapping that to OSCAL, and specifically, for those familiar with OSCAL, the SAR, the assessment report or assessment results. So anyone who's interested in that, you can review the recording when it's posted, or just reach out on Slack and we'll try to send it to everyone. Actually, Robert, is there a link that you could provide to your meeting notes document? Yeah. If you could post that in Slack, that'd be fantastic. Yeah, I'll post that in Slack. Okay. I'm on a mobile device, so it's hard to switch windows, but yeah, I'll get that on Slack for everyone. That would be great. Thank you. All right. Well... Another question? Sure. Yeah. There were a couple of issues that were opened, just pulling them up, about the automation of the security assessment process and creating tooling, and I missed the meeting when they were discussed. I just wanted to ask about the differences between them. There was a mini discussion in the GitHub issues about that, but if someone can clarify, because that sounds very interesting and relevant for me.
I just want to understand, if anyone's there. So unless anybody else wants to go, I can take a stab at refreshing everyone on that topic. I think what came about was, in the context of the assessments, how can we evaluate projects and how can we automate a lot of those concepts? So I think there was just a lot of discussion around it, and I don't think we landed anywhere in particular. But once again, that's another one where we weren't quite sure; there were some concerns on cost and operationalizing it and liveliness, and how do you keep all the projects updated, and so on. So that's where we were at. I mean, it was a good topic to talk about, but I think, once again, the devil is in the details, and we really need to understand the scope and converge on that. All right, so maybe a more specific question... Oh, yeah. No, I was going to say, I don't know whether you're thinking about it in terms of the security assessment work group issues that we're looking at, but I think for now, since that's something that we've just started the discussion on, we should not include that in the specific points that we discussed during the work group, just so that we don't grow the scope too much. Okay. Thanks. Okay, thank you. Well, I think I'm going to finally call it, folks. Thank you very much. Happy new year, and I look forward to a great year ahead. Cheers. Vinnie, you did a great job. Yeah, thank you. Thank you so much. Cheers. Thank you, everyone. Bye. Bye. Thank you.