Tarian v0.0.13 releases: Protect your applications running on Kubernetes from malicious attacks
Tarian
Protect your applications running on Kubernetes from malicious attacks by pre-registering your trusted processes and trusted file signatures. Tarian will detect unknown processes and changes to the registered files, then it will send alerts and take automated action. Save your K8s environment from Ransomware!
We want to maintain this as an open-source project to fight against the attacks on our favorite Kubernetes ecosystem. By continuous contribution, we can fight threats together as a community.
How does Tarian work?
Tarian Cluster Agent runs in Kubernetes cluster detecting unknown processes and unknown changes to files, reporting them to Tarian Server, and optionally taking action: delete the violated pod. It leverages Falco with a custom rule for detecting new processes executed. For file change detection, Tarian Cluster Agent injects a sidecar container in your main application’s pod which will check file checksums in the configured path and compare them with the registered checksums in Tarian Server. Tarian will be a part of your Application’s pod from dev to prod environment, hence you can register to your Tarian DB what is supposed to be happening & running in your container + file signatures to be watched + what can be notified + action to take (self destroy the pod) based on changes detected. Shift-left your detection mechanism!
What if an unknown change happens inside the container which is not in Tarian’s registration DB, how does Tarian react to it?
If an unknown change happens, Tarian can simply notify observed analytics to your Security Team. Then your Security Engineers can register that change in Tarian DB whether it’s considered a threat or not. Also, based on their analysis they can configure what action to take when that change happens again.
How does the contribution of the community help to fight against the threats via Tarian?
Any new detection analyzed & marked as a threat by your Security Experts if they choose, can be shared to the open-source Tarian community DB with all the logs, strings to look for, observation, transparency, actions to configure, … Basically anything the Experts want to warn about & share with the community. You can use that information as a Tarian user and configure actions in the Tarian app which is used in your environment. This is basically a mechanism to share info about threats & what to do with them. This helps everyone using Tarian to take action together in their respective K8s environments by sharing their knowledge & experience.
What kind of action(s) would Tarian take based on the known threat(s)?
Tarian would simply self-destroy the pod it’s running on. If the malware/virus spreads to the rest of the environment, well you know what happens. So, Tarian is basically designed to help reduce the risk as much as possible by destroying pods. Provisioning of a new pod will be taken care of by K8s deployment. Tarian will only do destruction of the pods only if you tell Tarian to do so. If you don’t want any actions to happen, you don’t have to configure or trigger any; you can simply tell Tarian to just notify you. Tarian basically does what you want to be done to reduce the risk.
Why another new security tool when there are many tools available already, like Falco, Kube-Hunter, Kube-Bench, Calico Enterprise Security, and many more security tools (open-source & commercial) that can detect & prevent threats at network, infra & application levels? Why Tarian?
The main reason Tarian was born is to fight against threats in Kubernetes together as a community. Another reason was, what if there is still some sophisticated attack that is capable of penetrating every layer of your security, able to reach your runtime app (Remote Code Execution) and your storage volumes, and capable of spreading to damage or lock your infra & data?! What do you want to do about such attacks, especially which turn into ransomware? Tarian is designed to reduce such risks, by taking action(s). We know that Tarian is not the ultimate solution, but we are confident that it can help reduce risks especially when knowledge is shared continuously by the community. From a technical perspective, Tarian can help reduce the risk by destroying the infected resources.
Architecture diagram
Changelog v0.0.13
- f4b3a78 ci: upgrade helm version
Install & Use
Copyright (C) 2022 kube-tarian