Deepfence ThreatStryker

Introduction

Modern applications are highly distributed and dynamic, often running as containerized microservices in public, hybrid or multi cloud deployments. There is a paradigm shift in the way we do infrastructure and applications, but the security apparatus is still old fashioned. A closer look at some of the most high profile breaches of recent times, shows that the conventional security measures are inadequate to protect modern applications, against complex multi-vector and multi-stage attacks.

Deepfence is the last line of defence for modern applications running in public or mixed cloud deployments. Deployed as a microservice, Deepfence provides deterministic application security behind firewalls. Deepfence’s patent pending ‘Semantic Patching’ technology employs Machine Learning and Rules, to protect from complex multi-vector & multi-stage attacks, including zero days. This document provides an overview of all the features and steps to deploy and scale Deepfence.

Product Features

The Deepfence platform enables runtime measurements of attack surface by providing features like vulnerability management, and run-time compliance mis-configurations for hosts and containers. Deepfence employs 65+ runtime signals to detect known and unknown attacks, thereby providing active protection.

_images/entproduct_features.jpg

Deployment Architecture

_images/entdeployment_arch.jpg

The Deepfence deployment consists of two components, the deepfence console, and the deepfence agent. The Deepfence console is the management pane and deepfence agents are deployed as sidecar containers on hosts running containers. The machine assigned to run the deepfence console needs to have port 443 and the port range 8000-8010 open, so that the deepfence agents can share the runtime telemetry with the console. Please note that these ports should not be open to the world.

Management Console - Requirements

System requirements for Deepfence Management Consoles are as below:

CPU: No of containers

8

RAM

16 GB or 32GB

Disk space

At-least 120 GB

Port range to be opened for receiving data from Deepfence agents

8000 - 8010

Port to be opened to view the UI

443

Product Installation

Download and extract the Deepfence Deployment Kit, and make a note of the license key from the license email shared with you. It should be on the following lines.

License key

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Company name

xxxx corp

Number of hosts

10

Admin email

xxxx@xxxx.com

The deployment kit contains documentation and installation scripts for the deepfence console and the deepfence agent components, as a zip file. Please extract the zip file, and copy the contents of the directory installation_scripts/docker_linux/deepfence_console to the VM or host where deepfence console is to be installed. Please copy the contents of the directory installation_scripts/docker_linux/deepfence_agent to Linux VM or host where deepfence agent is to be installed. In the event a Kubernetes cluster is being used, the directory installation_scripts/docker_linux/deepfence_agent is copied to the Kubernetes master node. If the deepfence agent is to be installed on Windows based VM or hosts, please use the script in the directory installation_scripts/docker_windows/deepfence_agent.

Docker

Deepfence Console

The host or VM to be used for the Deepfence management console needs to have the docker runtime installed. In addition, it also needs the binary docker-compose to be installed on it.

  1. Go to the directory installation_scripts/docker_linux/deepfence_console

  2. To authenticate to the docker image repository, run the following command: docker login When prompted, please provide the credentials sent by email.

  3. If docker-compose is not installed, run this command:

    sudo curl -L https://github.com/docker/compose/releases/1.20.1/docker-compose-$(uname-s)-$(uname -m) -o /usr/local/bin/docker-compose && sudo chmod 755/usr/local/bin/docker-compose
    
  4. Run docker-compose file in that directory as follows:

    **docker-compose -f docker-compose-prod.yml up -d**
    

Deepfence Agents (Linux)

The host or VM to be used for the Deepfence agents needs to have the docker runtime installed on it.

  1. Go to the directory installation_scripts/docker_linux/deepfence_agent on the VM or host where the deepfence agent is to be installed.

  2. To authenticate to the docker image repository, run the following command: docker login When prompted, please provide the credentials sent by email.

  3. Run the script in that directory as follows: bash start-agent.sh -r <IP_ADDRESS_OF_UI_MACHINE>

Deepfence Agents (Windows)

Operating system requirements: * Windows Server > 1709 * Virtualization support (Azure VMs with V3 family disks)

Installation Steps

  1. Open PowerShell command prompt

  2. Execute the command Set-ExecutionPolicy ‘unrestricted’

  3. Go to the directory installation_scripts/docker_windows/deepfence_agent

  4. Run the script ./install-deps-all.ps1

  5. The above scripts checks and installs the dependencies, and if required, will restart the server for the new installations to reflect

  6. Now, run the script ./install-deps-post-restart.ps1

  7. The above scripts checks and installs dependencies post restart.

  8. To start the Deepfence agent, if the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, use the following command: /run-deepfence.ps1 -r 192.168.1.10 -cve_scan_dir “C:Program Files”

Start/Stop/Restart Deepfence agent

The run-deepfence.ps1 script stops any existing running Deepfence agent instance before it starts a new instance. This script can be used to restart Deepfence agent in case there is any change in the parameters passed to the agent. To Stop Deepfence Agent, use ./stop-deepfence.ps1

Note

If Docker is already pre-installed, make sure the Docker server’s daemon.json has “experimental” field set to true. daemon.json can be found at its default location “C:ProgramDatadockerconfig”

Proxy Server

If Deepfence management console is configured with proxy server, add proxy server details to docker configuration.

  • Edit file: ~/.docker/config.json (Change proxy server ip address from 111.111.111.111 to your proxy server ip)

    {
        "auths": {
            "https://index.docker.io/v1/": {
                "auth": ""
                }
        },
        "HttpHeaders": {
            "User-Agent": "Docker-Client/19.03.1 (linux)"
        },
        "proxies": {
            "default": {
                "httpProxy": "http://111.111.111.111:8006",
                "httpsProxy": "http://111.111.111.111:8006",
                "noProxy": "localhost,127.0.0.1"
                }
        }
    }
    
  • Restart docker daemon

    sudo systemctl restart docker
    
  • Deepfence agent VM’s does not require any changes for proxy server.

Docker Swarm

In docker swarm, the deepfence agents are deployed as a swarm service in global mode. The Deepfence management console is installed separately outside of the ECS cluster.

Deepfence Console

The Deepfence management console is installed separately outside of the ECS cluster. The host or VM to be used for the Deepfence management console needs to have the docker runtime installed. In addition, it also needs the binary docker-compose to be installed on it.

  1. Go to the directory installation_scripts/docker_linux/deepfence_console.

  2. To authenticate to the docker image repository, run the following command: docker login When prompted, please provide the credentials sent by email.

  3. Run docker-compose file from here docker-compose -f docker-compose-prod.yml up -d

Deepfence Agents

Run the command below in swarm master node. This will deploy deepfence agents in all nodes in the swarm cluster.

docker service create \--mode global \--name deepfence-agent-swarm \--with-registry-auth \--entrypoint /usr/local/bin/start_swarm_agent.sh \--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock \deepfenceio/deepfence_agent:latest -c "N" -r "127.0.0.1"
  • In the command, replace ip address in -r argument to management console ip address

  • “-c” argument is to start (Y)/not start (N) packet capture by default.
    • If it is set as “Y”, packet capture will be started on all network interfaces.

    • Even if it is set as “N”, packet capture can be started at run time using UI / api.

Checking status of deepfence agent service

docker service ps –no-trunc deepfence-agent-swarm

Stopping deepfence agents in Swarm

  1. Delete the swarm service using following command: docker service rm deepfence-agent-swarm

  2. This will only delete the deepfence-agent-swarm starter container and not the deepfence-agent container.

3. To delete deepfence-agent container, run following temporary swarm service

docker service create \--mode global \--with-registry-auth \--name stop-deepfence-agent-swarm \--mount type=bind,source=/var/run/docker.sock,destination=/var/run/docker.sock \deepfenceio/stop_deepfence_agent_swarm:latest
  1. After a few seconds, this will delete deepfence-agent containers and the agent images in all nodes. This service then can be removed docker service rm stop-deepfence-agent-swarm

Amazon ECS

In Amazon ECS, the deepfence agents are deployed as a daemon service using task definition. The Deepfence management console is installed separately outside of the ECS cluster.

Deepfence Console

The Deepfence management console is installed separately outside of the ECS cluster. The host or VM to be used for the Deepfence management console needs to have the docker runtime installed. In addition, it also needs the binary docker-compose to be installed on it.

  1. Go to the directory installation_scripts/docker_linux/deepfence_console.

  2. To authenticate to the docker image repository, run the following command: * docker login * When prompted, please provide the credentials sent by email.

  3. Run docker-compose file from here docker-compose -f docker-compose-prod.yml up -d

Deepfence Agents

  1. Add deepfence docker hub secrets provided to AWS secrets manager by following the steps outlined here .

  2. Give IAM permissions for ECS task execution role to access this secret as outlined here

  3. Create new task definition for deepfence agent and deploy the service by following the steps outlined in “deepfence_deployment_kit/installation_scripts/amazon_ecs/ECS - Deepfence Agent” .

Amazon Fargate

In Amazon fargate, the deepfence agents are deployed as a sidecar container using a task definition. The Deepfence management console is installed separately outside of the fargate and the installation procedure is the same as before.

Deepfence Agents

  1. Setup Amazon ECS by following the steps outlined here .

  2. Give IAM permissions for ECS task execution role to access the required secrets as outlined here and here in detail. First, create an Amazon ECS task execution IAM role. Second, create a secret so that fargate can pull the deepfence agents from docker hub using the username/password provided in the license email and note the created secret name or ARN (you will need to enter them in task definition creation step later). You may need to create other secrets to access your own artifacts. Finally, create policies (either managed or inlined policy) allowing access to your stored secrets and attach the created policies to the task IAM role. You also need to attach the AmazonECSTaskExecutionRolePolicy to the IAM role to run Amazon ECS tasks.

  3. On the AWS ECS home webpage, click on the task definition on the side panel to create a new task definition. Select fargate as launch type and then go to Next step. Use the following steps outlined below in “Fargate Task definition And Deployment” instructions to deploy the fargate agent. You can configure the task definition either through Json or using the Amazon UI.

  4. Deploy your application on your cluster.

Create New Task Definition in Fargate

  1. Click Create new Task Definition and select fargate as launch type and then go to Next step.

    _images/newtask_fargate.jpg
  2. Edit Task Definition Name, Task Role and Task Execution Role etc. as required. For the Task Role and Task Execution Role, you have to use the role created in IAM role creation step earlier. Specify Task memory and Task CPU according to your Requirements.

_images/task_fargate.jpg

Update task definition and create agent container

  1. Click on the Add Container button to create a standard container for deepfence agent. Set image as docker.io/deepfenceio/deepfence_agent:FargateScratch. Check the private repository authentication and add the secret name or ARN from IAM role creation step to access deepfence docker hub. In the environment section, do NOT mark it as essential. You need to note down the name of the agent container (FargateAgentSidecarScratch in our example), which you will have to specify in Volumes From section in application container task definition section later. Finally, click the Add button to create the deepfence agent container.

    _images/editcontainer_fargate.jpg

    Creating Agent Container Inside Task Definition

  2. Click on the Add Container button to create a new container for your application by following the additional steps outlined below. If you have more than one application container, you will have to repeat these steps for each container.

    • Setup the environment variables in application task definitions as shown in the image below. DEEPFENCE_KEY (API key available on the settings →User Management tab on management console UI), DF_BACKEND_IP (IP address of Management Console), and DF_SERVERLESS (should be true for serverless instances) are required environmental variables for the Deepfence agent. You will have to copy the appropriate API key and IP address.

      _images/envvariables_fargate.jpg

      Configuring Environment Variables for Fargate Application Container

      If you are using json to configure your task definitions, you can use the following part in the appropriate container section of task definition json after copying the appropriate IP address and API Key.

       environment": [
          {
              "name": "DEEPFENCE_KEY",
              "value": ""
          },
          {
              "name": "DF_BACKEND_IP",
              "value": "0.0.0.0"
          },
          {
              "name": "DF_CAPTURE_INTF",
              "value": "any"
          },
          {
              "name": "DF_FIM_ON",
              "value": "N"
          },
          {
              "name": "DF_PKT_CAP",
              "value": "Y"
          },
          {
              "name": "DF_PKT_CAPTURE_PERCENTAGE",
              "value": "100"
          },
          {
              "name": "DF_PKT_SNAP_LENGTH",
              "value": "65535"
          },
          {
              "name": "DF_SERVERLESS",
              "value": "true"
          },
          {
              "name": "USER_DEFINED_TAGS",
              "value": ""
          }
      ],
      
    • In the application container, update storage to allow read/write from deepfence agent volume by specifying the agent container name (created in step 5) in volumes from. Leave the Read only button unchecked as shown below.

      _images/configurevolumes_fargate.jpg

      Configuring VolumesFrom setting

      If you are using json to configure your task definitions, you can copy the following settings to the appropriate container section of the json after changing the Container name.

       "volumesFrom": [
          {
              "sourceContainer": "FargateAgentSidecarScratch",
              "readOnly": false
          }
      ],
      

      Finally, click the Create button to create the task definition for the deployment.

  3. Now that deepfence agent is available in the fargate instance, you just need to invoke agent and application entrypoints to start the application with Deepfence enabled. This can be done in two ways. First approach requires that you can change the application container image. Before building your application containers for deployment, add a call to start Deepfence entrypoint at the beginning of application entrypoint (or at any point before starting your application) as shown in the following example script. Note that the fargate instance will stop if any of the essential containers exit, so the user application container has to be written accordingly.

    #!/bin/bash -x
    
    echo "Start Deepfence services... Console is $DF_BACKEND_IP"
    /deepfence/usr/local/bin/deepfence-entry-point-scratch.sh
    
    ############################################################
    # Start the customer application entry point below...
    ############################################################
    
    echo "Starting the customer application entry point below..."
    #cust-entry-point.sh "$@"
    
    echo "Block to avoid customer application container from exiting fargate."
    /deepfence/usr/local/bin/block-scratch.sh
    echo "customer entry-point is exiting...."
    

    Invoking agent by changing the application container

    Second approach does not require any change in the application container. So, you can run the same image seamlessly on a VM, EC2 instance, or a fargate instance. For this, you need to provide the deepfence entrypoint with application entrypoint and their arguments as a comma delimited list in the Entry point field. Alternatively, you can provide the deepfence entrypoint in the Entry point field and the application entrypoint along with their arguments in the Command field as shown below.

    _images/invokingagents_fargate.jpg

    Invoking agent by changing the Entrypoint

    _images/invokingagentscommandfield_fargate.jpg

    Invoking agent by changing the Entrypoint and Command field

    If you are using json to configure your task definitions, then you can specify the entrypoint and/or command as follows using appropriate quoting.

    "entryPoint": [
           "/deepfence/usr/local/bin/deepfence-entry-point-scratch.sh",
           "customer-entry-point.sh.sh",
           "param1",
           "param2"
       ],
    

    Invoking agent by changing the Entrypoint

    "entryPoint": [
           "/deepfence/usr/local/bin/deepfence-entry-point-scratch.sh"
       ],
       "command": [
           "customer-entry-point.sh.sh",
           "param1",
           "param2"
       ],
    

    Invoking agent by changing the Entrypoint and Command field

Deploy Deepfence Agent Service on Fargate

After creating your updated application containers and the task definitions, you can launch your fargate instance in your cluster.

  1. You can launch your fargate instance by clicking Run task in the actions dropdown of the task definition. Otherwise, you can click “Run New Task” button in “Tasks” tab of your cluster.

    _images/clustertest_fargate.jpg

    Deploying fargate instance on your cluster

  2. Select Fargate as the launch type and choose appropriate task definition, cluster, number of tasks, VPC and security groups before launching the task. Fargate agents should be able to access ports 8000–8010 on console, so users need to make sure that security groups allow these outbound connections and other connections as needed.

    _images/runtask_fargate.jpg

    Deploying fargate instance on your cluster

  3. Finally, click the “Run Task” button.

Google Kubernetes Engine

In GKE, the deepfence agents are deployed as a daemonset in the cluster.

Deepfence Console

The Deepfence management console is installed separately outside of the GKE cluster. The host or VM to be used for the Deepfence management console needs to have the docker runtime installed. In addition, it also needs the binary docker-compose to be installed on it.

  1. Go to the directory installation_scripts/docker_linux/deepfence_console.

  2. To authenticate to the docker image repository, run the following command: docker login When prompted, please provide the credentials sent by email.

  3. Run docker-compose file from here docker-compose -f docker-compose-prod.yml up -d

Deepfence Agents

  1. Connect to your GKE cluster using gcloud shell.

    _images/gkecluster.jpg
  2. Upload all files in “deepfence_deployment_kit/installation_scripts/kubernetes_linux/deepfence_agent_yaml ” folder to the cloud shell using the upload button at the top right corner.

    _images/clouddeploy.jpg
  3. Grant permissions for the installation with following command (upto k8s v1.11): kubectl create clusterrolebinding “cluster-admin-$(whoami)” –clusterrole=cluster-admin –user=”$(gcloud config get-value core/account)”

  4. If the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, then edit the kubernete-agent.yml file, and change the value of MGMT_CONSOLE_IP_ADDR (in two places) to 192.168.1.10.

  5. Run this command to start deepfence agent daemonset in all nodes in the cluster: kubectl apply -f kubernete-agent.yml

  6. deepfence-agent-daemon will be visible in Workloads page alongside other workloads in the cluster

    _images/gkecluster_dashboard.jpg

Kubernetes (Self-managed / on-premise)

Deepfence Console

The Deepfence management console is installed separately outside of the Kubernetes cluster. The host or VM to be used for the Deepfence management console needs to have the docker runtime installed. In addition, it also needs the binary docker-compose to be installed on it.

  1. Go to the directory installation_scripts/docker_linux/deepfence_console.

  2. To authenticate to the docker image repository, run the following command: docker login When prompted, please provide the credentials sent by email.

  3. Run docker-compose file from here docker-compose -f docker-compose-prod.yml up -d

Deepfence Agents

In the kubernetes environment, the Deepfence agents are installed on the Kuberentes master and the slave nodes.

We now deploy the Deepfence agent across the desired Kubernetes slave nodes, and the Kubernetes master node. The following steps are to be performed on the Kubernetes master node:

  1. Go to the directory installation_scripts/kubernetes_linux/deepfence_agent_yaml

  2. In master machine run following command to authenticate to the docker image repository: docker login When prompted, please provide the credentials sent by email.

  3. To deploy deepfence agent on kubernetes master machine, if the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, use the following command: bash start-kubernetes-agent-on-master.sh -r 192.168.1.10

  4. If the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, then edit the kubernete-agent.yml file, and change the value of MGMT_CONSOLE_IP_ADDR (in two places) to 192.168.1.10.

  5. Run this command to start deepfence agent daemonset in all nodes in the cluster: kubectl apply -f kubernete-agent.yml

  6. Verify that agents are running: * kubectl get pods -n deepfence * kubectl get daemonset -n deepfence * kubectl describe daemonset deepfence-agent-daemon -n deepfence

Kubernetes - Helm Chart

Deepfence Console

In Kubernetes, currently single node kubernetes cluster is supported for Deepfence management console.

  1. Download latest helm package from here “deepfence_deployment_kit/installation_scripts/kubernetes_linux/deepfence_console_helm/”

  2. Run following command:

    helm v2
    helm install deepfence-console-0.2.2.tgz \
        --name=deepfence-console \
        --set registry.username=<deepfence_username> \
        --set registry.password=<deepfence_password> \
        --set image.tag=latest
    
    helm v3
    helm install deepfence-console deepfence-console-0.2.2.tgz \
        --set registry.username=<deepfence_username> \
        --set registry.password=<deepfence_password> \
        --set image.tag=latest
    

    Docker hub username and password will be sent by email Check README inside the package for detailed setup instructions.

  3. To get the management console ip address, run following command:

kubectl get –namespace default svc deepfence-router -w

  1. To delete deepfence console helm chart, run following command

    helm v2
    helm delete --purge deepfence-console
    helm v3
    helm delete deepfence-console
    

Deepfence Agent

In Kubernetes, Deepfence agents can be installed using a helm chart also.

  1. Download latest helm package from here “deepfence_deployment_kit/installation_scripts/kubernetes_linux/deepfence_agent_helm/”

  2. If the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, use the following command:

    helm v2
    helm install deepfence-agent-0.2.1.tgz \
        --name deepfence-agent \
        --set registry.username=<deepfence_username> \
        --set registry.password=<deepfence_password> \
        --set managementConsoleIp=192.168.1.10 \
        --set image.tag=latest
    
    helm v3
    helm install deepfence-agent deepfence-agent-0.2.1.tgz \
        --set registry.username=<deepfence_username> \
        --set registry.password=<deepfence_password> \
        --set managementConsoleIp=192.168.1.10 \
        --set image.tag=latest
    

    Docker hub username and password will be sent by email Check README inside the package for detailed setup instructions.

  3. To delete deepfence agent helm chart, run following command

    helm v2
    helm delete --purge deepfence-agent
    helm v3
    helm delete deepfence-agent
    

AWS ELB

If the Deepfence management console is placed behind an AWS elastic load balancer, set load balancer protocol as SSL (Secure TCP) instead of HTTPS .

_images/editlisteners.jpg

Troubleshooting

If Deepfence management console VM or host has been reset/rebooted, run following commands on the VM or host that has the Deepfence management console, to restart the services

  • docker-compose -f docker-compose-prod.yml down

  • docker-compose -f docker-compose-prod.yml up -d

If agents need to be stopped:

In a kubernetes environment, execute the following commands on the master node * kubectl delete clusterrolebindings.rbac.authorization.k8s.io

deepfence-agent

  • kubectl delete clusterroles.rbac.authorization.k8s.io deepfence-agent

  • kubectl delete namespace deepfence

Otherwise, for those hosts where we need to stop the deepfence agent, execute the following command on that host * docker rm -f deepfence-agent

CI/CD Integration - CircleCI

User Registration

  1. After the successful completion of docker or kubernetes deployment, if the IP address of the VM or host that has the Deepfence management console is 192.168.1.10, please navigate to http://192.168.1.10, and click on the “Register” link as shown in the image below.

    _images/deepfence_signin.jpg
  2. Complete all the necessary details as shown in the image below.

    _images/deepfence_signup.jpg
  3. Enter license key obtained in the email to activate the account

    _images/deepfence_license.jpg
  4. After successful activation of the account, a visual depiction of the hosts, containers & pods where deepfence agents are deployed are shown, as in the image below.

    _images/deepfence_dashboard.jpg

API Support

Deepfence provides a suite of powerful API’s to control the features, and to extract various reports from the platform. The documentation of the APIs and Clients are available , along with sample programs for Python and GO languages.

Use Case 1 - Runtime Vulnerability Scanning

From topology view, runtime vulnerability scanning for running containers & hosts can be initiated using the console dashboard, or by using the APIs. Here is snapshot of runtime vulnerability scan on a host node.

_images/deepfence_topology.jpg

The vulnerabilities and security advisories for each node, can be viewed by navigating to Vulnerabilities menu as follows:

_images/deepfence_vulnarabilities.jpg

Clicking on an item in the above image gives a detailed view as in the image below

_images/deepfence_vulnarabilitiesview.jpg

Use Case 2 - Runtime Compliance Enablement

From the topology view, runtime compliance scanning for running containers & hosts can be initiated using the console dashboard, or by using APIs. Here is snapshot of runtime compliance scan on a host node.

_images/deepfence_complienceselect.jpg

The compliance status of each node can be viewed by navigating to Compliance menu as follows:

_images/deepfence_compliences.jpg

Clicking on each of the lines in the above image produces the details for each of the items as follows:

_images/deepfence_compliencesview.jpg

Use Case 3 - Runtime Workload Firewall

You can define workload specific whitelists or blacklists per workload at runtime using UI or by using runtime APIs. Deepfence currently supports addition of whitelist and blacklist policies for containers, pods as well as virtual machines.

_images/deepfence_networkpolicy.jpg

The blacklist and whitelist policies added to the system can be visualized and managed by visiting “Policies” menu as follows:

_images/deepfence_networkpolicyview.jpg

Use Case 4 - East-West Traffic Deep Packet Inspection

In addition to workloads specific firewalling and segmentation, Deepfence can also be programmed to perform Deep-Packet Inspection, i.e., DPI of east-west as well as north-south traffic. Deepfence does DPI in a passive manner, without adding any latency to data path. The DPI engine can be tuned to based on your performance and security requirements.

_images/deepfence_packetcapture.jpg

Use Case 5 - Runtime Integrity Monitoring

In addition to network based policies and DPI, Deepfence also performs runtime integrity monitoring for file system, process behavior, system calls and network connections. These features are enabled by default.

Use Case 6 - MultiStage Attack Disruption

Deepfence helps you detect multiple stages of an attack and provides protection policies to disrupt those attacks at various stages.

Quarantine Policies

Quarantine policies enable reset, pause and decommissioning of infected containers, pods or virtual machines as follows:

_images/deepfence_quarentine.jpg

Network Policies

Network policies enable blocking external as well as internal attackers on their tracks.

_images/deepfence_newnetworkpolicy.jpg _images/deepfence_networkpolicypage.jpg

Alert Correlation

Clustering Rules

User can define rules to cluster similar alerts based on their classtypes, frequency and spatial attributes. This helps to reduce potential noise, and view the alerts in a grouped manner.

_images/deepfence_clusteringrules.jpg _images/deepfence_clusteringrulespage.jpg

Intent Detection Rules

Intent detection rules empower users to perform advanced correlation on alerts based on various alert attributes like classtypes, intents, presence of known vulnerabilities and other spatial attributes as follows:

_images/deepfence_intentdetection.jpg _images/deepfence_intentdetectionrules.jpg

Report Generation

Reports can be generated by clicking on the ‘Report Download” link in the UI. A choice of the current day, week, month & year is presented.

_images/deepfence_reportpage.jpg _images/deepfence_reportpagealerts.jpg _images/deepfence_reportpageanamolies.jpg