Dashboard Categories
Details on out-of-the-box dashboards categories including: Security, User Tracking, Policies, Operational Flags, Network Info, Monitored Inventory and Kubernetes Assets.
Published: July 20, 2023
If this is your first time in the Spyderbat Dashboard section, please check out our Dashboards section.
The Dashboard section provides a consolidated at-a-glance overview of a variety of operational and security data points captured through asset monitoring with active Spyderbat Nano Agents. This data is presented as a variety of dashboard cards.
All out-of-the-box dashboard cards are grouped into 7 distinct categories based on the type of data as well as specific security and monitoring objectives that these groups of cards could help with. The 7 default dashboard categories include:
Security
User Tracking
Policy
Operations
Network
Inventory
Kubernetes
The dashboard cards in each default category have been carefully selected by Spyderbat analysts based on industry best practices, typical security and operational use cases, and the unique ability of the Spyderbat monitoring platform to surface critical environment information in an easy-to-consume manner.
The dashboard card selection in each category is static and may not be customized. However, users with appropriate permissions can create their own dashboards and group them into custom categories aligned with their company's security and monitoring goals. Check out this tutorial to learn more about creating your own custom dashboards and dashboard cards.
Let’s take a look at each of these distinct categories in detail.
Security Category
The Security Category focuses on surfacing security-related activities that may be deemed malicious, suspicious or interesting, and is targeted at SecOps needs.
The Spyderbat Nano Agent installed on every node in your monitoring scope, combined with a sophisticated analytics engine that uses existing databases of known security detections as well as Spyderbat’s proprietary analytics and rules, makes it possible to capture and deliver a variety of security findings:
Recent Spydertraces with Score >50 and All Recent Spydertraces: a Spydertrace is Spyderbat’s unique living graph of activity inside your monitored node or Kubernetes container. It is brought to your attention because of a combination of security detections associated with processes, connections, user actions and other activities that are tied together by causal dependencies and are all part of the same story. So instead of looking at individual security events and trying to figure out whether any of them are related, you can investigate a complete trace of activity in which all the pieces have been linked together for you by Spyderbat’s analytics engine.
Sensitive Data Found in Environment Variables: Spyderbat will detect leaked credentials, including passwords, tokens or secret keys.
Recently Observed Listening Sockets: Spyderbat will identify all open ports and listening sockets that wait for connections from remote clients, as they could provide a vector for a remote attacker to gain access to the device. These are dangerous when the service listening on the port is misconfigured, unpatched, vulnerable to exploits or has poor network security rules.
Recent (Critical and High Severity) Security Flags: flags are point-in-time security detections of an event, generated using Spyderbat’s database that includes MITRE ATT&CK scenarios, Spyderbat’s own analytics and any third-party imported databases that you may have configured (e.g., Falco).
Processes Executed Out of /tmp: this directory is used to store temporary files, which makes it a target for malware.
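As an added illustration of the kind of checks behind three of the cards above (sensitive environment variables, listening sockets and execution out of /tmp), here is a small, self-contained detector run over constructed process records. This is example code, not Spyderbat's own logic or data format; the record fields, the regex and the temporary-directory list are assumptions chosen for the demonstration.

```python
import re

# Constructed sample process records (not Spyderbat's format). On a live
# Linux host the same facts would come from /proc/<pid>/exe,
# /proc/<pid>/environ and /proc/net/tcp{,6}.
SAMPLE_PROCESSES = [
    {"pid": 101, "exe": "/usr/sbin/sshd",
     "env": {"PATH": "/usr/bin"}, "listen": [("0.0.0.0", 22)]},
    {"pid": 202, "exe": "/tmp/.cache/updater",
     "env": {"PATH": "/usr/bin"}, "listen": []},
    {"pid": 303, "exe": "/usr/bin/python3",
     "env": {"AWS_SECRET_ACCESS_KEY": "constructed-value", "HOME": "/root"},
     "listen": [("0.0.0.0", 8080)]},
]

# Assumed naming convention for credential-bearing variables.
SENSITIVE_ENV_RE = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.IGNORECASE)
# Assumed world-writable temp locations treated like /tmp.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WILDCARD_ADDRS = ("0.0.0.0", "::")


def flags_for(proc):
    """Return a list of (flag_name, detail) tuples for one process record."""
    flags = []
    if proc["exe"].startswith(TEMP_DIRS):
        flags.append(("process_exec_from_tmp", proc["exe"]))
    for name in proc["env"]:
        # Report only the variable name; never copy the secret value into a finding.
        if SENSITIVE_ENV_RE.search(name):
            flags.append(("sensitive_env_var", name))
    for addr, port in proc["listen"]:
        # Sockets bound to a wildcard address accept remote clients.
        if addr in WILDCARD_ADDRS:
            flags.append(("listening_socket", f"{addr}:{port}"))
    return flags


def scan(processes):
    """Map pid -> flags for every process that produced at least one flag."""
    results = {}
    for proc in processes:
        flags = flags_for(proc)
        if flags:
            results[proc["pid"]] = flags
    return results
```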
User Tracking Category
This category focuses on abnormal and potentially suspicious user-initiated activity, such as:
Interactive User Spydertraces: a chain of activity triggered by an interactive process (aka foreground process) launched and controlled by a user through the command line in a terminal session.
Interactive User Sessions: this dashboard card shows interactive processes and the associated effective users that triggered each process.
Interactive User Sessions with Privilege Escalation: a list of interactive processes, the associated effective users that triggered each process, and the user privilege change/escalation event (or multiple events) occurring within the same chain of activity.
Interactive Shell Inside a Container: any interactive user activity inside a container is suspicious, is considered an anti-pattern and may indicate that something malicious is going on. An interactive shell opened inside a container could potentially lead to data exfiltration.
Policy Category
Spyderbat Guardian policies must be configured and applied in order to take full advantage of this dashboard category. If you are not familiar with Spyderbat Guardian, please visit the Guardian Policies section of our documentation portal.
The dashboard cards in this category are specifically tailored to surface the following Guardian findings:
Container Policy Deviation Spydertraces will show a chain of related activity triggered by a policy violation inside your monitored container.
Container Policy Deviation Flags will list all individual point-in-time security detections associated with the policies applied to your containers.
Linux Service Policy Deviation Flags will list all individual point-in-time security detections associated with the policies applied to background services on your Linux VMs.
Operations Category
The Operations category currently offers only one dashboard card. It reveals point-in-time events associated primarily with the management and uptime of the monitored infrastructure and its assets: for example, whether a pod is running or not, whether specific memory management features aimed at preventing memory leaks are enabled or disabled, and whether any conditions or thresholds are exceeded by any of the infrastructure’s critical components.
Network Category
In this category you will gain visibility into a variety of network-related activity in your monitored environment, including connections made in and out of the monitored hosts, the connection methods used, East-West communication between machines, and egress traffic flows.
By default we are offering the following dashboard card options:
Long Lived Egress Connections and Egress Connections with Large Data Transfer will allow you to investigate egress connections that could pose a risk of malicious or accidental insider threat. You will be able to see egress connections that remain active for an unusually long period of time, or look at large data transfers out of your organization.
Cross-Machine Connections will help identify potentially malicious lateral movement within your environment.
Connections to DNS will help you detect unauthorized activities that could lead to network reconnaissance, malware downloads, communication with attackers’ command and control servers, or data transfers out of a network.
Connections Initiated by an SSH Process will allow you to validate whether these connections are legitimate or suspicious. Even though the protocol is inherently secure and one of the most common, it can be a valuable attack vector for attackers who brute-force credentials or abuse SSH keys (the authentication mechanism, client-server configurations and machine identities).
Inventory Category
This category is self-explanatory and will show all recently observed main resource assets within your monitored scope. If you bake the Spyderbat Nano Agent installer into your golden image or Kubernetes automation, then you can be sure that the new machines will be monitored the moment they come up. You can refer to this section, All About Spyderbat Nano Agent, on how to deploy into different types of infrastructure and how to use automation.
Out of the box, Spyderbat will monitor your inventory of Linux systems, Kubernetes clusters, Kubernetes nodes, pods and containers. Besides the list of these assets, you will be able to easily access the associated asset metadata, view each asset's current state, and investigate any activity related to that asset within the desired time frame.
Kubernetes Category
This last category is a more granular version of the Inventory section, focused specifically on the Kubernetes infrastructure assets within your monitoring scope. Besides the main asset types already displayed in the Inventory dashboards, such as clusters, nodes, pods and containers, you will also be able to review your services, deployments, replicasets and daemonsets.
In addition, we provide a full account of kubectl “delete”, “apply” or “create” commands executed on the monitored clusters within the desired observation period. This gives you the opportunity to make sure these major changes are authorized and expected, and to take immediate action to stop potentially damaging behavior in its tracks.