Securing VMs, Hosts, Kubernetes, and Cloud Services

The 48th IT Press Tour had the opportunity to meet with Suresh Vasudevan, CEO of Sysdig. Their mission is to accelerate and secure cloud innovation.

Falco is the open-source standard for cloud-native threat detection. It monitors system events coming from the kernel and supports hosts, containers, and Fargate. Workload security solutions built on Falco include Microsoft Defender for Cloud, StackRox, Sumo Logic, Giant Swarm, and several others.

Sysdig provides deep container forensics and troubleshooting. With Falco, they provide cloud-to-container security from source to run by identifying software vulnerabilities, runtime threats, configuration risks, and compliance gaps.

The Challenges of Security at the Cloud Scale

There are four critical areas of concern and the questions to ask:

1. Vulnerability Management: How to shrink vulnerability backlog and manage risk without overwhelming developers?
2. Identity and Access Management: Who has access to what resources, and what permissions are actually used?
3. Configuration Management: How to inventory cloud resources and ensure configurations are secure and compliant?
4. Threat Detection and Response: What data and context are key to detecting and responding to anomalies and incidents in the cloud?

Supply Chain Security Compliance

Sysdig provides supply chain security compliance from code and is built to run and respond.

They do this via:

• Infrastructure as code validation for drift prevention and to block risky configuration.
• Vulnerability management with CI/CD pipelines, registries, and hosts and prioritization based on in-use vulnerabilities.
• Configuration management for CPSM and cloud misconfiguration, as well as cloud inventory.
• Identity and access management (IAM) for CIEM least privilege and prioritization based on in-use permissions.
• Threat detection for clouds and workload runtime security.
• Incident response to capture a detailed record for forensics and to block malicious containers and processes.

Runtime insights enhance shift-left security enabling remediation at the source prioritized with in-use exposure.

Threat Research

Sysdig applies a multi-layer approach to threat research that includes customer and premium threat intelligence, active scanning of public repositories, vulnerability research, behavior-based detections, and machine learning (ML)-based detections.

They have more than a dozen threat research and ML experts researching bad actors and activities. In addition, they actively scan public repositories for container image registries, GitHub, and the dark web while using sandbox technology powered by Falco.

They have created a multi-cloud, container-native honeypot network for all major cloud vendors, in dozens of regions, for hundreds of exposed applications using automated forensics and big data analysis.

They are continuously researching vulnerabilities to cloud-native technology and providing responsible disclosure. In addition, they protect users once suspicious behavior is identified with out-of-the-box detection rules.

Machine learning is best for addressing domain-specific detections like bitcoin miners. They are currently using machine learning for the early detection of crypto-miners with 99% precision. In addition, the process-activity telemetry provides the level of granularity required for the accurate detection of malicious behavior.

Prioritize With In-Use Risk Exposure

Only 15% of vulnerabilities are in use at runtime. By using an in-use risk exposure filter to monitor vulnerabilities, configurations, permissions, and Kubernetes network connections, users can identify the top risks. Users can save 1.5 hours per vulnerability by not having to investigate when the package is not in use.

The risk spotlight eliminates noise by identifying the few vulnerabilities that pose an actual risk. These are the ones tied to active packages at runtime. This reduces vulnerability noise by up to 95%.

Customer Use Cases

Yahoo Japan has more than 40,000 nodes of Kubernetes. They use Sysdig for vulnerability analysis across their CI/CD pipeline and runtime environments and to detect and prevent drift and track compliance.

A global payment processor uses AWS and GCP clouds. They use Sysdig to provide Kubernetes runtime security and real-time anomaly and threat detection based on user cloud activity logs.

Goldman Sachs has more than 140,000 Kubernetes nodes and thousands of applications. They use Sysdig to provide endpoint detection and response for Linux VMs and containers and extract critical runtime data to feed threat detection and security analytics.

FINRA has more than 3,000 Fargate tasks and EC2 hosts. They use Sysdig for pipeline and runtime image scanning and threat detection and response for Fargate-based applications.