Cloud Native Visibility and Security
Chris Kranz

Transcript of the slide deck (22 pages)

Page 1

Cloud Native Visibility and Security

Chris Kranz

Page 2

| Sysdig Inc. Proprietary Information

Sysdig Secure DevOps for Cloud Native

• Founded by Wireshark co-creator
• Contributed Falco to CNCF
• Supported open-source sysdig (10M+ downloads)
• Customer expansion mirrors cloud-native adoption
• Trusted by the largest enterprises
• Cloud-native security and monitoring
• Provides visibility and control for secure operations

Open by design · Strong momentum · Ecosystem integration

Page 3

Scaling Production Expands DevOps Role

Observability functions
• Monitor availability and performance
• Manage capacity and cost
• Troubleshoot issues

Security and compliance functions
• Scan for vulnerabilities
• Apply runtime policies
• Triage security alerts
• Speed up incident response and forensics

Secure DevOps: maximize application availability

Secure DevOps converges security and observability functions

Page 4

Secure DevOps Examples

"We want to report on all vulnerabilities and compliance violations in running containers in specific Kubernetes namespaces for audit purposes." (Japanese ISP)

"We need to improve our signals into SOC for detection, audit and hunting workflows for containers." (Large US Bank)

"We want to ensure images are free of vulnerabilities and meet best practices before pushing to production." (Global Travel company)

"As containers come and go, we need to discover in real time which service-to-service connections are anomalies." (Major financial institution)

Page 5

Cloud native leaves you blind

Security and operations fail without context

Containers disappear and leave no trail

You can’t secure what you cannot see

Page 6

Legacy and Point Solutions Do Not Work

Legacy tools
• Not container native
• No Kubernetes context
• Not built for DevOps

Point solutions
• Invasive instrumentation
• Limited Kubernetes context
• Lack scale and data depth

Purpose-built: cloud native requires specific tools

Page 7

Embed security · Maximize availability · Validate compliance

Sysdig Secure DevOps Platform

Converging visibility and security for production deployments

Page 8

Sysdig Secure DevOps Platform

Unified Workflow Across the Cloud-Native Lifecycle: Build · Run · Respond

Diagram elements: CI/CD Security; Registry Security; Apps; Context; Infrastructure (master node, node); Alerts; Event Forwarding/Audit/IR; SIEM

Data flows: Security policies, Configuration, Vulnerabilities, Metrics, Events, Audit logs, Alerts, Syscall captures, Events

Deployment options: SaaS, Self-hosted

Page 9

Microservice-Oriented Instrumentation

Host: eBPF program
Container 1: Docker
Container 2: Containerd
Container 3: CRI-O
Sysdig Agent (Docker)

Data collection: Host + network metrics; Prom + Statsd metrics; Security events

Security enforcement

Page 10

Use the Same Data to Monitor and Secure

Example: Investigate compliance violation
• Incident: Privileged container is launched in Kubernetes that violates PCI article 10.2.5
• Application context: Violation occurred in a PCI namespace

Example: Troubleshoot performance issue
• Incident: CPU spike noticed in several nodes in K8s infrastructure
• Application context: Spike occurred in a container within java-app namespace

From macro to micro: What was the problem? Where did it occur? Why did it happen?

Dig down with low-level syscall data (commands, file activity, network connections correlated with Kubernetes activity)

Page 11

Sysdig Secure DevOps Platform

Embed security
• Detect vulnerabilities and misconfigurations with a single workflow
• Block threats without impacting performance
• Conduct forensics even after the container is gone

Validate compliance
• Verify CIS compliance during build
• Use runtime policies to confirm compliance (NIST, PCI)
• Accelerate audit by correlating all cloud-native activity

Maximize availability
• Prevent issues by monitoring performance and capacity
• Accelerate troubleshooting with a single source of truth
• Scale Prometheus monitoring across clusters and clouds

Page 12

Secure DevOps Across Cloud-Native Lifecycle: Build · Run · Respond

Unified platform for security and DevOps use cases

Secure DevOps
• Image Scanning
• Configuration Validation
• Runtime Security
• Vulnerability Reporting
• Incident Response
• Forensics
• Audit

DevOps
• Troubleshooting
• Infrastructure Monitoring
• Application Monitoring

Continuous Compliance (PCI, NIST, CIS, etc.)

Page 13

Enterprise Companies Are Choosing Sysdig

Customer                 Nodes    Why Sysdig
Top 5 Software Company   1,000+   K8s context; open-core; unique forensics and auditing capabilities; scale
Japanese ISP             10K+     K8s context; runtime detection; single platform; scale
Top 5 Public Cloud       1,000+   K8s-native; Prometheus integration; scale
Top 5 Investment Bank    100K+    Automated context; data depth; MITRE runtime rules; scale
Top 10 US Bank           5,000+   Automated context; data depth; MITRE runtime rules; audit; open-core; scale

Build · Run · Respond

Page 14

Platform Built on an Open Foundation

Image scanning: vulnerability feeds
Monitoring: infrastructure and application metrics
Runtime security: detection policies and alerts
Forensics/Troubleshooting: deep visibility into container activity

Sysdig Secure DevOps Platform: adds scale, workflow, K8s, and cloud context

Build · Run · Respond

Page 15

Sysdig Monitor: Kubernetes Monitoring

Scale for production
• Scale Prometheus monitoring across clusters and clouds
• Analyze real time and historical application behavior
• Automatically discover Cloud Native integrations

Speed up troubleshooting
• Isolate problems with dynamic service topology
• Resolve issues faster by correlating metrics and events
• Accelerate troubleshooting with a single source of truth

Maximize availability
• Prevent issues by optimizing performance and capacity
• Isolate monitoring data, dashboards, alerts by roles
• Auto detect incidents using Kubernetes events knowledge to avoid downtime

Page 16

Sysdig Secure: Security for Kubernetes

• Single workflow for detecting vulnerabilities and misconfigurations in containers
• Save time by flagging vulnerabilities and identifying owner
• Validate PCI and NIST compliance pre-deployment
• Automatically remediate by triggering response actions and downstream notifications
• Conduct forensics after the container is gone
• Accelerate audit by correlating all cloud-native activity
• Prevent threats without impacting performance using K8s native controls
• Strengthen security using automated policies
• Extend Falco to save time creating and maintaining runtime policies

Deploy securely · Validate compliance · Block threats at runtime

Page 17

Sysdig Secure 3.0

• Save time by automatically generating Kubernetes policies
• Enforce least privilege with Kubernetes Pod Security Policies
• Stop threats at runtime using K8s controls without impacting performance
• Reconstruct system activities including commands and network connections to speed incident response
• Uncover malicious and misconfiguration issues by mapping activity to users or services
• Comply with any SOC2, PCI, NIST audit
• Validate policies prior to deployment to avoid breaking applications
• Generate fewer false positives by tuning Falco runtime policies

Prevent · Respond · Optimize

Page 18

Prevent: K8s Policy Advisor

Generate: auto-generate policy from pod configuration
• Automate policy creation to save time
• Enforce least privilege using Pod Security Policies

Prevent: leverage K8s controls to handle enforcement
• Strengthen security using PSP enforcement
• Enable prevention without relying on security agents

Validate: validate policy prior to deployment
• Avoid breaking applications
• Tune policies to reduce false positives
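The generate/prevent/validate loop on this slide, as an added example (not Sysdig's Policy Advisor code): derive the tightest policy a pod actually needs from its spec, then check other pods against that policy before they are deployed. The pod specs are constructed, and the policy covers only five PodSecurityPolicy-style fields (privileged, capabilities, runAsUser, hostNetwork, volume types), which is an assumption for brevity.

```python
# Added example, not Sysdig's code: derive a least-privilege policy from a pod
# spec, then validate other pods against it before deployment (constructed data;
# a real PodSecurityPolicy has more fields than the five checked here).
from typing import Any, Dict, List


def generate_policy(pod: Dict[str, Any]) -> Dict[str, Any]:
    """Return the tightest policy that still admits what this pod actually uses."""
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    caps, privileged, run_as_root = set(), False, False
    for c in containers:
        sc = c.get("securityContext", {})
        privileged = privileged or sc.get("privileged", False)
        run_as_root = run_as_root or sc.get("runAsUser", 1000) == 0
        caps.update(sc.get("capabilities", {}).get("add", []))
    return {
        "privileged": privileged,
        "allowedCapabilities": sorted(caps),
        "runAsUser": "RunAsAny" if run_as_root else "MustRunAsNonRoot",
        "hostNetwork": spec.get("hostNetwork", False),
        # volume types in use, e.g. configMap, hostPath (the "name" key is not a type)
        "volumes": sorted({k for v in spec.get("volumes", []) for k in v if k != "name"}),
    }


def violations(pod: Dict[str, Any], policy: Dict[str, Any]) -> List[str]:
    """Reasons the pod would be rejected under the policy (empty list = admitted)."""
    need = generate_policy(pod)  # the pod's own minimal requirements
    found: List[str] = []
    if need["privileged"] and not policy["privileged"]:
        found.append("privileged container not allowed")
    found += [f"capability {c} not allowed" for c in need["allowedCapabilities"]
              if c not in policy["allowedCapabilities"]]
    if need["runAsUser"] == "RunAsAny" and policy["runAsUser"] == "MustRunAsNonRoot":
        found.append("container runs as root")
    if need["hostNetwork"] and not policy["hostNetwork"]:
        found.append("hostNetwork not allowed")
    found += [f"volume type {v} not allowed" for v in need["volumes"]
              if v not in policy["volumes"]]
    return found


# Constructed sample pods: a well-behaved web app and a debug pod asking for more.
WEB_POD = {"spec": {"containers": [{"name": "web", "securityContext": {"runAsUser": 1000}}],
                    "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}}
DEBUG_POD = {"spec": {"hostNetwork": True, "volumes": [{"name": "h", "hostPath": {"path": "/"}}],
                      "containers": [{"name": "dbg", "securityContext": {
                          "privileged": True, "runAsUser": 0,
                          "capabilities": {"add": ["NET_ADMIN"]}}}]}}
```

Running `violations(DEBUG_POD, generate_policy(WEB_POD))` is the "validate prior to deployment" step: a policy generated from the web app rejects the debug pod on all five fields, while each pod is admitted by the policy generated from itself.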

Page 19

Respond: Activity Audit

• Capture system activity and make it searchable and indexable against kubectl activity
• Easily filter through any user or service interaction across the K8s stack
• Comply with SOC2, PCI, ISO, HIPAA, etc. audit

Page 20

Activity Audit Examples

Enriched activity
• Activity: user commands, network connections, kubectl activity
• Context: K8s context (labels/metadata), container and cloud context

Example queries
1. Show all outbound connections from my billing namespace to an unknown IP address
2. Trace a “kubectl exec” user interaction and list all the command and network activity that happened inside the pod
3. Show every tcpdump command execution that has happened in a host or K8s deployment
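The three example queries above, as an added example (not Sysdig's Activity Audit implementation) run over constructed activity records that already carry the K8s context the slide describes. The record shape, the use of an allowlist to define an "unknown" IP, and correlating an exec session by pod and time are assumptions made here.

```python
# Added example, not Sysdig's code: the three Activity Audit queries run over
# constructed, K8s-enriched activity records (kind, namespace, pod, user, timestamp).
from typing import Dict, Iterable, List

Record = Dict[str, object]

# Constructed sample activity, already enriched with namespace/pod/user context.
ACTIVITY: List[Record] = [
    {"ts": 100, "kind": "kubectl", "verb": "exec", "user": "alice", "ns": "billing", "pod": "api-1"},
    {"ts": 101, "kind": "command", "cmd": "bash", "user": "alice", "ns": "billing", "pod": "api-1"},
    {"ts": 102, "kind": "command", "cmd": "tcpdump -i eth0", "user": "alice", "ns": "billing", "pod": "api-1"},
    {"ts": 103, "kind": "connection", "dir": "out", "dst": "203.0.113.9", "ns": "billing", "pod": "api-1"},
    {"ts": 104, "kind": "connection", "dir": "out", "dst": "10.0.0.5", "ns": "billing", "pod": "api-2"},
    {"ts": 105, "kind": "command", "cmd": "curl http://10.0.0.5", "user": "svc", "ns": "web", "pod": "front-1"},
    {"ts": 106, "kind": "command", "cmd": "tcpdump -w /tmp/c.pcap", "user": "bob", "ns": "web", "pod": "front-2"},
]


def outbound_to_unknown(records: Iterable[Record], namespace: str, known_ips: set) -> List[Record]:
    """Query 1: outbound connections from a namespace to IPs not on the known list."""
    return [r for r in records if r["kind"] == "connection" and r["dir"] == "out"
            and r["ns"] == namespace and r["dst"] not in known_ips]


def trace_exec(records: Iterable[Record], user: str, pod: str) -> List[Record]:
    """Query 2: commands and connections in the pod after the user's kubectl exec."""
    records = list(records)
    execs = [r for r in records if r["kind"] == "kubectl" and r["verb"] == "exec"
             and r["user"] == user and r["pod"] == pod]
    if not execs:
        return []
    start = execs[0]["ts"]  # assumption: activity after the exec belongs to the session
    return [r for r in records if r["pod"] == pod and r["ts"] > start
            and r["kind"] in ("command", "connection")]


def command_executions(records: Iterable[Record], program: str) -> List[Record]:
    """Query 3: every execution of a program (matched on argv[0]) across the cluster."""
    return [r for r in records if r["kind"] == "command"
            and str(r["cmd"]).split()[0] == program]
```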

Page 21

Sysdig Secure DevOps Platform

Embed security · Validate compliance · Maximize availability

Converge visibility and security to run cloud native in production

Page 22

Dig deeper