Sysdig released a blog on Friday. "For runtime detection, one way to go about it is to watch for the loading of the malicious library by SSHD. These shared libraries often include the version in their filename."
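The rule quoted above, worked out as a host-side check: look at what sshd has mapped and flag a liblzma whose filename carries a known-bad version. This is an added example, not the rule from the Sysdig blog; the version set (5.6.0 and 5.6.1, the xz releases tied to CVE-2024-3094 in the linked post) and the /proc/<pid>/maps excerpt are assumptions and constructed data, not taken from the page.

```python
"""Flag an sshd process that has mapped a liblzma with a known-backdoored version.

Added example, not code from the Sysdig blog. BAD_LZMA_VERSIONS is an assumption
(the xz releases associated with CVE-2024-3094); SAMPLE_MAPS is constructed.
"""
from __future__ import annotations

import re
from pathlib import Path

# Assumption: the liblzma versions known to carry the backdoor.
BAD_LZMA_VERSIONS = {"5.6.0", "5.6.1"}

# Matches e.g. /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1 and captures "5.6.1".
LIBLZMA_RE = re.compile(r"/liblzma\.so\.(\d+(?:\.\d+)*)$")


def libraries_from_maps(maps_text: str) -> set[str]:
    """Return the file paths mapped in a /proc/<pid>/maps listing.

    Each line is: address perms offset dev inode [pathname]. Anonymous
    mappings have no pathname and pseudo-paths such as [stack] are skipped.
    """
    libs: set[str] = set()
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) == 6 and parts[5].startswith("/"):
            libs.add(parts[5])
    return libs


def backdoored_lzma(libs: set[str]) -> list[str]:
    """Return the liblzma paths whose filename version is in the bad set."""
    hits = []
    for path in sorted(libs):
        m = LIBLZMA_RE.search(path)
        if m and m.group(1) in BAD_LZMA_VERSIONS:
            hits.append(path)
    return hits


def scan_process(comm: str, maps_text: str) -> list[str]:
    """Apply the rule only to processes named sshd, as the quoted rule does."""
    if comm != "sshd":
        return []
    return backdoored_lzma(libraries_from_maps(maps_text))


def scan_live_host() -> dict[int, list[str]]:
    """Walk /proc on a Linux host; reading other users' maps needs root."""
    findings: dict[int, list[str]] = {}
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            comm = (proc / "comm").read_text().strip()
            maps = (proc / "maps").read_text()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or is not readable; move on
        hits = scan_process(comm, maps)
        if hits:
            findings[int(proc.name)] = hits
    return findings


# Constructed /proc/<pid>/maps excerpt for an sshd process (not from a real host).
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a028000 r--p 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a300000-7f1c2a31a000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/liblzma.so.5.6.1
7f1c2a400000-7f1c2a4c0000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(scan_process("sshd", SAMPLE_MAPS))
```

The check keys on the version in the filename exactly as the quoted rule does, which is also its limit: it only catches a library whose bad version is already known, and a package built with a different soname or a library loaded under another name would pass through it.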
The blog has the actual rule content which I haven't seen from other security vendors
That relies on knowing what to look for. I.e. "the malicious library". The question is whether any of these solutions could catch it without knowing about it beforehand and having a detection rule specifically made for it.
Thanks! That’s a little disappointing since I would have thought that the way it hooked those functions could’ve been caught by a generic heuristic but perhaps that’s more common than I thought.
My experience from working in the security space is that all the tech is pretty un-sexy (with very good sales pitches), and none of it will save you from a nation-state attacker.
I'm pretty surprised to see all this bridge hate. I use the bridge multiple times a week to mountain bike or surf in North Bay. I picked my spot in the city in part because of its proximity to the bridge.
The cloud providers are trying to solve this problem - more and more of our customers are purchasing through the marketplace. It allows them to drive down spend commitments to AWS, GCP, etc - it's a pretty good experience all around and enables usage based pricing + easy collections. Which is something all startups hate dealing with.
Factfulness, one of the best books on Bill Gates' summer reading list, covers "the gap instinct":
Factfulness is . . . recognizing when a story talks about a gap, and remembering that this paints a picture of two separate groups, with a gap in between. The reality is often not polarized at all. Usually the majority is right there in the middle, where the gap is supposed to be.
To control the gap instinct, look for the majority.
Beware comparisons of averages. If you could check the spreads you would probably find they overlap. There is probably no gap at all.
Beware comparisons of extremes. In all groups, of countries or people, there are some at the top and some at the bottom. The difference is sometimes extremely unfair. But even then the majority is usually somewhere in between, right where the gap is supposed to be.
The view from up here. Remember, looking down from above distorts the view. Everything else looks equally short, but it’s not.
I've worked with 200-300 K8s customers and 30-40 openshift customers.
On K8s I typically see somewhere in the low 20s as the number of pods per node.
On OpenShift I'll see high 20s or low 30s as the average number of pods across most OpenShift customers. But we're seeing some crazy numbers for some larger enterprise customers: 100, 400, 2500 pods per node. This seems to be driven by the way OpenShift is licensed.
The latter is an absolute nightmare to support, and they seem to have trouble organizing internally as well.
https://sysdig.com/blog/cve-2024-3094-detecting-the-sshd-bac...