All right. Hey, everyone. I'm Nox from Sysdig, and we're going to be covering troubleshooting and forensics. So normally in these talks, you go into monitoring and security. We want to go a little bit deeper and actually go in and do some forensic analysis today. Before we get started on that, I want to give you a little bit of an overview about who we are at Sysdig and what we do. We were founded by this guy named Loris Degioanni. Probably most of you guys know him from his past tools or are familiar with the tool Wireshark. And a lot of the same approaches that we took to getting visibility into your network, we're now using in similar ways to get visibility into your containers. So we launched our open source project, Sysdig. And from there, we've got millions of different users of the Sysdig open source tool. And that's the base of our instrumentation for all of our commercial products as well. We've got 300-plus enterprise customers using Sysdig for real-time monitoring and security visibility into their systems. And we're part of the Red Hat ecosystem, part of the Container Catalog, and the Open Innovation Labs, all that kind of stuff. So what I wanted to talk about today is how monitoring and security at scale is a different challenge. So first, on the visibility side, containers are really going to break your legacy monitoring and security tools. So how do you get visibility into what's actually running inside those containers? Application metrics, system metrics, any file that's opened, any network connection, those user commands? And then how do you tie that back to your services that are being deployed by OpenShift? So not just protecting a container image, but then going back and scoping policies, looking at intrusions and events at more logical layers like OpenShift deployments or your different namespaces. And then how do you take that data at scale and manage it without having to add tags to all your metrics and running into huge cardinality issues?
So I'm going to talk a little bit about the architecture of our platform. And it comes down to two different main components. The first is container vision, which I'll get into a little bit later. And this gives us visibility into your applications, your networks, the hosts. And then service vision, which is where we're going to take all the metadata and all the labels from OpenShift and your cloud providers and tag any security event or any performance metric that we collect with all the relevant data for your troubleshooting and forensics investigations. This data can be sent to our cloud platform or to an on-prem deployment of the service. So however you want to run it, however you want to consume our services, you can do this. And that single agent and single back end provides full monitoring, security, and deep troubleshooting and forensics capabilities. So now I'm going to talk a little bit about how we actually collect data from your systems. So this is a simplified host. We've got a custom app running in a container, another classic nginx image running here. And you can deploy our agent as a process or a container that's running on the host. From there, we're actually going to instrument the kernel to see all the different system calls that are running, to be able to see any activity inside that container, anything that's happening from those processes, and then send that back to your back end. From there, what you're seeing on the left is what a lot of your applications look like. So OpenShift is scheduling your different pods, your different deployments across a bunch of physical nodes. And what we'll do is integrate directly with the OpenShift APIs to then give you a logical view of how those applications are performing. So you can write a security policy that says this deployment as a whole shouldn't have any outbound connections. And then that policy will scale to the hundreds or thousands of containers that are rolling up into that service.
So this instrumentation is the basis of our open source projects on the top. So Sysdig for real-time troubleshooting, Sysdig Inspect for forensic analysis, and then Sysdig Falco, which is our behavioral activity monitor that's also open source. And then our two commercial products, Sysdig Secure and Sysdig Monitor. So now I'm going to talk a little bit about how that metadata changes troubleshooting and forensics. So if you're looking at something like the HTTP response time of a service, the 99th percentile, it's pretty useful to see. But if that service is made up of a bunch of different containers and pods, you want to know how each one of those individual containers is affecting that service. And that's where the labels and metadata come into play. So what we can see now is how that service is performing based on an individual container and how that rolls up into that aggregate. Another easy example of this is doing something like detecting CrashLoopBackOff events within OpenShift. So here we can look at the specific pod restart counts that are happening within a namespace and then trigger those events before that pod restart starts affecting your service as a whole. From a security perspective, you'll want to do the same type of thing. So with that outbound connection policy that I talked about before, if you go in and apply this to a Redis deployment, it will then go and protect all the images, all the different containers that are rolling up into that deployment. And then you can configure the specific ports that you'd want to whitelist and the standard behavior that you'd expect for that specific deployment. So now let's go a little bit more into troubleshooting and how you figure out the what, the where, the who, the why. How we did this in the past is with tools like Wireshark. But what I'm going to do really quickly today is take you through a forensic investigation within Sysdig Secure. So this might be a little hard to do with one hand.
So I'm going to get Troy. All right, so what we're looking at now is a topology map of my entire infrastructure. So this is a simple three-node OpenShift cluster. We've got a bunch of physical nodes connecting out to remote IP addresses. And here you can see all the different security events that have happened on a per-node basis. But if you're looking at your services and the health of those and the different events that have happened, you're really going to want to enrich this view with that OpenShift metadata. So now I can switch this to look at my certain deployments. And now we're just looking at the specific namespaces. So now I can see each namespace in my environment, drill into a specific namespace where violations have happened, and then drill in further to a deployment to investigate further. So if I click on this WordPress deployment, we've seen an event for a user spawning a shell in a container. So this is kind of your classic container intrusion that should never happen inside production. And if I click on this, I'll get further details about where this actually happened from a physical perspective and a logical perspective. So we're getting all the different OpenShift metadata about the namespace, the deployment, the pod. You don't have to do any additional reverse lookups or log correlation. Every single event is going to automatically be enriched with all of this metadata. So you can know if you have to go change application configuration or go and patch that host. So from here, using our lower-level visibility, I can jump off and see the commands that were executed. So if I click on View Commands, we can see a user spawned a shell. Looks like they curled down a sketchy-looking rootkit. So this is something we're going to definitely want to do further forensic analysis of, and then unzip that rootkit. So by jumping over into our Captures tab, we can open up a capture for further forensics.
And what a capture is is a dump of all the system calls that happen pre and post any security violation in my environment. So this will give me a full snapshot of everything that was going on at that point in time. Let me open one up really quick. All right, trade show Wi-Fi coming through. OK, so the first thing I can do is overlay that point in time when the event occurred. And so you can see I've got all the data from the 15 seconds leading up to that event, and then the 15 seconds afterwards as well. And this is giving me a nice overview of all the different system calls and the activity that was going on. So from here, I can start to overlay file activity, network activity, those executed commands that we saw before, to spot trends across my environment. And then we can use these filters to only show the data that's relevant to the investigation that I'm doing at this point in time. So from here, we can jump into those executed commands again, and then go another layer further to see what actually happened when that rootkit was untarred inside my container. So if I double-click on this tar command, and then, because of all our file activity, switch over to this files view, what we can now see is every single file that was written inside that container at that point in time when that rootkit was unzipped. And then because we're seeing all the system calls, you can actually go another layer and view the content. So if I use our I/O Streams button here and drill in, make this a little bit more readable, now we're actually looking at the individual contents that were written to the container at that point in time. And the nice thing here is you'll have this full audit and forensics log regardless of whether that container is still running, or if it was started and killed right away. It's a full snapshot of every single thing that was happening on your system. You can also use all this data for troubleshooting.
So if you wanted to jump in and look at HTTP requests, see the errors, and all that kind of stuff, you'll get full visibility into really anything that was going on. So hopefully this was a quick overview of how you can use Sysdig data for deeper troubleshooting and forensics. And if you'd like to see more about what we do at the higher levels with monitoring and security, please stop by the booth. And then I'll be here for questions. So thanks for joining today.
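The talk describes three ideas that fit together: syscall-level events collected per container, enrichment of each event with orchestrator metadata (namespace, deployment, pod) so no reverse lookups are needed, and policies scoped to a deployment (no shell in a container, only whitelisted outbound ports) that then apply to every container rolling up into it, plus a capture window of events around a violation. The script below is an added example written for this page; it is not Sysdig's code and does not use Sysdig's event format. The event lines, the container-to-deployment map, the policy table and the rule names are all constructed for illustration, with a deliberately simplified `ts container process event detail` layout.

```python
"""Added example (not Sysdig's code): enrich constructed container events with
orchestrator metadata, evaluate deployment-scoped policies, and pull the
+/- 15 second window of events around each violation."""
from collections import namedtuple

# Constructed, simplified syscall-level events: ts  container_id  process  event_type  detail
RAW_EVENTS = """\
1000 c0ffee01 nginx        execve  /usr/sbin/nginx
1005 c0ffee02 php-fpm      execve  /bin/sh
1007 c0ffee02 sh           execve  /usr/bin/curl
1008 c0ffee02 curl         connect 203.0.113.5:443
1012 c0ffee03 redis-server connect 10.0.0.7:6379
1040 c0ffee03 redis-server connect 198.51.100.9:4444
"""

# Constructed metadata, as an orchestrator API lookup would return it (container -> pod/namespace/deployment)
CONTAINER_METADATA = {
    "c0ffee01": {"pod": "wordpress-7d9-abc", "namespace": "web", "deployment": "wordpress"},
    "c0ffee02": {"pod": "wordpress-7d9-xyz", "namespace": "web", "deployment": "wordpress"},
    "c0ffee03": {"pod": "redis-5f8-qrs", "namespace": "web", "deployment": "redis"},
}

# Constructed per-deployment policies; each applies to every container in that deployment
POLICIES = {
    "wordpress": {"allow_shell": False, "allowed_outbound_ports": {80, 443}},
    "redis": {"allow_shell": False, "allowed_outbound_ports": {6379}},  # replication only
}

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

Event = namedtuple("Event", "ts container process kind detail")
Alert = namedtuple("Alert", "ts rule container pod namespace deployment detail")


def parse_events(text):
    """Parse the constructed event lines; split(None, 4) tolerates aligned whitespace."""
    events = []
    for line in text.strip().splitlines():
        ts, cid, proc, kind, detail = line.split(None, 4)
        events.append(Event(int(ts), cid, proc, kind, detail))
    return events


def evaluate(events, metadata, policies):
    """Enrich each event with its deployment metadata and apply that deployment's policy."""
    alerts = []
    for ev in events:
        meta = metadata.get(ev.container)
        if meta is None:
            continue  # host process or unknown container: no deployment policy applies
        policy = policies.get(meta["deployment"])
        if policy is None:
            continue
        rule = None
        if ev.kind == "execve" and ev.detail in SHELLS and not policy["allow_shell"]:
            rule = "shell_spawned_in_container"
        elif ev.kind == "connect":
            port = int(ev.detail.rsplit(":", 1)[1])  # IPv4 host:port only in this example
            if port not in policy["allowed_outbound_ports"]:
                rule = "unexpected_outbound_connection"
        if rule:
            alerts.append(Alert(ev.ts, rule, ev.container, meta["pod"],
                                meta["namespace"], meta["deployment"], ev.detail))
    return alerts


def capture_window(events, alert, seconds=15):
    """Events within +/- seconds of the alert, like the capture taken around a violation."""
    return [e for e in events if abs(e.ts - alert.ts) <= seconds]


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for alert in evaluate(evs, CONTAINER_METADATA, POLICIES):
        print(alert)
        for e in capture_window(evs, alert):
            print("   ", e)
```

Run as-is, the shell spawned in the `wordpress` pod is reported with its namespace and deployment attached, the curl to port 443 passes the WordPress whitelist, the Redis replication connect on 6379 passes, and the Redis connect to port 4444 is flagged; the window for the shell alert includes the follow-on curl and its connect, which is the context an investigator wants before deciding whether to patch the host or change the application.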