SANS SEC 549 2021
Mastering Cloud Security: A Deep Dive into SANS SEC 549 (2021 Edition)
- Why 2021? Kubernetes adoption exploded, but so did attacks such as the cryptojacking of Kubernetes clusters.
- Topics: Admission controllers (OPA/Gatekeeper), container runtime security (Falco), and secure pod security policies (now PSA).
- Lab: Detecting a privilege escalation from a compromised container to the host node using Falco and CloudTrail.
Day 2: Infrastructure as Code (IaC) Security
The SANS SEC 549 2021 course is a valuable resource for cybersecurity professionals who work in industries that rely on industrial control systems. By providing a comprehensive understanding of ICS security, this course can help organizations improve their security posture and protect against emerging threats.
- MTTD, MTTR (days → hours goal).
- Coverage % of endpoints with EDR/visibility.
- False positive rate of top detection rules.
- Hunt-to-detection conversion (hunts that become rules).
- Key Topic: Pod Security Policies (PSP) – though deprecated later, in 2021 they were critical.
- Key Topic: Admission controllers (Kyverno, OPA Gatekeeper) to enforce "no root containers" and "read-only root filesystems."
- Tool Focus: Falco for runtime anomaly detection.
- Lab: Students deployed a malicious pod that attempted to mount the host’s Docker socket and used Falco rules to generate real-time alerts.