Overview on Observability

Observability plays a role throughout the supply chain for containers by providing visibility, monitoring, and control over the various stages, from acquisition to build to deployment and run. It is crucial for understanding the lifecycle of the containerized application, the various stages of the supply chain it goes through, the components it depends on as well as the actors that participate in its creation. With observability, enterprises can identify gaps in the security of their container supply chain, answer critical questions during incident response and even prevent insecure containers from being deployed in production.

As a critical component of Microsoft's Containers Secure Supply Chain (CSSC) framework, Observability identifies a set of best practices and guidelines for containerized applications. In this article, you will learn about the background, objectives, and goals for the observability of the containers secure supply chain.

Background

In today's enterprise environments, containerized applications are built and deployed using a variety of tools managed by different teams. Observability data from those tools is often siloed and makes it hard to track the lifecycle of a containerized application. This lack of visibility makes it difficult to identify gaps in supply chain security and detect potential security issues.

The Observability component of the CSSC framework recommends a set of best practices and guidelines for capturing essential data from the various stages of the container supply chain. This data can be used to establish the common steps in the lifecycle of a containerized application and detect anomalies that can be indicators of compromise (IoC).

Recommended practices

Microsoft recommends implementing observability in every stage of the container supply chain. Observability data from each stage should be integrated into a single system that provides a holistic view of the supply chain. Artificial intelligence can correlate data from different stages and identify patterns that can be used to detect anomalies and prevent security incidents.

Observability should be augmented with detailed reporting and alerting capabilities. Reporting helps teams understand their current security posture and make improvements while also helping them meet compliance requirements. Timely alerting for suspicious behavior can prevent security incidents and reduce the impact of a breach.

At a minimum, Microsoft recommends capturing the following observability data:

• Sources, versions, and vulnerability posture of external container images that can be used to assess the risk of external dependencies.
• Users' activities for requesting and approval the use of external images that can identify potential internal threats.
• Dates and times of vulnerability and malware scans to ensure that they are performed regularly and avoid outdated data.
• Usage of external images in the build and deployment pipelines to quantify the risk of external dependencies.
• Build details such as the source code location, the build environment, and the build artifacts to ensure that the builds are compliant.
• Deployment details such as the deployment environment, the deployment artifacts, and the deployment configuration to ensure that the deployments are compliant
• Runtime details such as the runtime environment, the runtime artifacts, runtime configuration, and runtime behavior to ensure no deviation from the expected behavior.

The above observability data can be correlated with other data from Security Information and Event Management (SIEM) systems like firewall logs, network traffic, and user activity to detect patterns and identify potential security incidents.

Security goals for observability

Implementing observability within each stage is crucial for identifying gaps and preventing security incidents in the supply chain for containers. The Observability component of the CSSC framework is intended to satisfy the following security goals.

Detect threats and malicious behavior

Attacks on software supply chains are becoming more common and sophisticated. Current monitoring tools are limited to monitoring systems within a single supply chain stage ignoring the overall context of containers lifecycle. Enterprises might rely on periodic or manual checks, which are less effective in identifying ongoing threats or rapidly evolving attack patterns.

Implementing end-to-end observability on the supply chain for containers can help security teams get a holistic view of the supply chain and identify potential threats and malicious behavior.

Simplify compliance

Cloud-native applications are deployed on a global scale and consist of a large number of assets. The limited visibility where containers are deployed, what sources are used and what their security posture is, makes it difficult to meet compliance requirements. The lack of inventory also prevents enterprises to quickly quantify the impact of critical vulnerabilities and take action.

Capturing observability data at each stage of the supply chain for containers can help enterprises build a comprehensive inventory of their container assets and create dependency graphs that can be used to quickly assess risks and deliver compliance reporting.

Assist with incident response

The lack of observability can hinder incident response efforts by delaying detection, limiting visibility, increasing manual workloads, and reducing the efficiency and effectiveness of response measures. Without the complete view of the end-to-end supply chain for containers, incident responders may lack critical information, making it challenging to assess the severity of the incident and formulate an effective response strategy.

Correlating observability data from the various stages of the supply chain for containers can help incident responders make better decisions and respond faster to security incidents.

Recommended tools

Microsoft offers a set of tools and services that can be used to implement observability in the container supply chain.

Azure Container Registry (ACR) Audit and Diagnostics Logs provide a detailed audit and activity trail of all the operations performed on the registry. Logs and moniring data can be analizied and correlated to other observability data in Azure Monitor.

Microsoft Defender for DevOps provides an unified visibility into the DevOps security posture for teams using Azure DevOps and GitHub. Defender for DevOps help you discover deployment misconfigurations, exposed secrets and annotate pull requests in GitHub and Azure DevOps with security information.

Next steps

• Introduction to the Containers secure supply chain framework
• Overview of the Acquire stage
• Overview of the Catalog stage
• Overview of the Build stage
• Overview of the Deploy stage
• Overview of the Run stage