Transcript of the slide deck "Cloud Native Visibility and Security"
Cloud Native Visibility and Security
Chris Kranz
| Sysdig Inc. Proprietary Information2
Sysdig Secure DevOps for Cloud Native
• Founded by Wireshark co-creator
• Contributed Falco to CNCF
• Supported open-source sysdig (10M+ downloads)
• Customer expansion mirrors cloud-native adoption
• Trusted by the largest enterprises
• Cloud-native security and monitoring
• Provides visibility and control for secure operations
Open by design · Strong momentum · Ecosystem integration
Scaling Production Expands DevOps Role
Observability functions:
• Monitor availability and performance
• Manage capacity and cost
• Troubleshoot issues
Security and compliance functions:
• Scan for vulnerabilities
• Apply runtime policies
• Triage security alerts
• Speed up incident response and forensics
Maximize application availability
Secure DevOps converges security and observability functions
Secure DevOps Examples
"We want to report on all vulnerabilities and compliance violations in running containers in specific Kubernetes namespaces for audit purposes." (Japanese ISP)
"We need to improve our signals into SOC for detection, audit and hunting workflows for containers." (Large US Bank)
"We want to ensure images are free of vulnerabilities and meet best practices before pushing to production." (Global Travel company)
"As containers come and go, we need to discover in real time which service-to-service connections are anomalies." (Major financial institution)
Secure DevOps
Cloud native leaves you blind
Security and operations fail without context
Containers disappear and leave no trail
You can’t secure what you cannot see
Legacy and Point Solutions Do Not Work
Legacy tools:
• Not container native
• No Kubernetes context
• Not built for DevOps
Point solutions:
• Invasive instrumentation
• Limited Kubernetes context
• Lack scale and data depth
Cloud native requires specific, purpose-built tools
Sysdig Secure DevOps Platform
Converging visibility and security for production deployments
Embed Security · Maximize availability · Validate compliance
Sysdig Secure DevOps Platform
Unified Workflow Across the Cloud-Native Lifecycle: Build · Run · Respond
Diagram components: CI/CD Security; Registry Security; Apps; Context; Infrastructure (master node, node); Alerts; Event Forwarding/Audit/IR; SIEM
Data flowing through the platform: Security Policies, Configuration, Vulnerabilities, Metrics, Events, Audit logs, Alerts, Syscall captures
Deployment options: SaaS or Self-hosted
Microservice-Oriented Instrumentation
Host: eBPF program instrumenting Container 1 (Docker), Container 2 (Containerd) and Container 3 (CRI-O)
Sysdig Agent (running in Docker) collects: Host + Network Metrics, Prom + Statsd Metrics, Security Events
Functions: Data Collection, Security Enforcement
Use the Same Data to Monitor and Secure
Example: Investigate compliance violation
• What was the problem? (Macro) Incident: Privileged container is launched in Kubernetes that violates PCI article 10.2.5
• Where did it occur? Application context: Violation occurred in a PCI namespace
• Why did it happen? (Micro) Dig down with low-level syscall data (commands, file activity, network connections correlated with Kubernetes activity)
Example: Troubleshoot performance issue
• What was the problem? (Macro) Incident: CPU spike noticed in several nodes in K8s infrastructure
• Where did it occur? Application context: Spike occurred in a container within java-app namespace
• Why did it happen? (Micro) Dig down with low-level syscall data (commands, file activity, network connections correlated with Kubernetes activity)
Sysdig Secure DevOps Platform
Embed security:
• Detect vulnerabilities and misconfigurations with a single workflow
• Block threats without impacting performance
• Conduct forensics even after the container is gone
Validate compliance:
• Verify CIS compliance during build
• Use runtime policies to confirm compliance (NIST, PCI)
• Accelerate audit by correlating all cloud-native activity
Maximize availability:
• Prevent issues by monitoring performance and capacity
• Accelerate troubleshooting with a single source of truth
• Scale Prometheus monitoring across clusters and clouds
Secure DevOps Across Cloud-Native Lifecycle
Unified platform for security and DevOps use cases (Build · Run · Respond)
Secure DevOps:
• Image Scanning
• Configuration Validation
• Runtime Security
• Vulnerability Reporting
• Incident Response
• Forensics
• Audit
• Continuous Compliance (PCI, NIST, CIS, etc.)
DevOps:
• Troubleshooting
• Infrastructure Monitoring
• Application Monitoring
Enterprise Companies Are Choosing Sysdig
Customer | Nodes | Why Sysdig
Top 5 Software Company | 1,000+ | K8s context; open-core; unique forensics and auditing capabilities; scale
Japanese ISP | 10K+ | K8s context; runtime detection; single platform; scale
Top 5 Public Cloud | 1,000+ | K8s-native; Prometheus integration; scale
Top 5 Investment Bank | 100K+ | Automated context; data depth; MITRE runtime rules; scale
Top 10 US Bank | 5,000+ | Automated context; data depth; MITRE runtime rules; audit; open-core; scale
Platform Built on an Open Foundation
• Image scanning: Vulnerability feeds
• Monitoring: Infrastructure and application metrics
• Runtime security: Detection policies and alerts
• Forensics/Troubleshooting: Deep visibility into container activity
Sysdig Secure DevOps Platform adds scale, workflow, K8s, and cloud context
Sysdig Monitor: Kubernetes Monitoring
Scale for production:
• Scale Prometheus monitoring across clusters and clouds
• Analyze real-time and historical application behavior
• Automatically discover Cloud Native integrations
Speed up troubleshooting:
• Isolate problems with dynamic service topology
• Resolve issues faster by correlating metrics and events
• Accelerate troubleshooting with a single source of truth
Maximize availability:
• Prevent issues by optimizing performance and capacity
• Isolate monitoring data, dashboards, alerts by roles
• Auto-detect incidents using Kubernetes events knowledge to avoid downtime
Sysdig Secure: Security for Kubernetes
Deploy securely:
• Single workflow for detecting vulnerabilities and misconfigurations in containers
• Save time by flagging vulnerabilities and identifying owner
• Validate PCI and NIST compliance pre-deployment
Validate compliance:
• Automatically remediate by triggering response actions and downstream notifications
• Conduct forensics after the container is gone
• Accelerate audit by correlating all cloud-native activity
Block threats at runtime:
• Prevent threats without impacting performance using K8s native controls
• Strengthen security using automated policies
• Extend Falco to save time creating and maintaining runtime policies
Sysdig Secure 3.0
Prevent:
• Save time by automatically generating Kubernetes policies
• Enforce least privilege with Kubernetes Pod Security Policies
• Stop threats at runtime using K8s controls without impacting performance
Respond:
• Reconstruct system activities, including commands and network connections, to speed incident response
• Uncover malicious activity and misconfiguration issues by mapping activity to users or services
• Comply with any SOC2, PCI, NIST audit
Optimize:
• Validate policies prior to deployment to avoid breaking applications
• Generate fewer false positives by tuning Falco runtime policies
Prevent: K8s Policy Advisor
Generate: auto-generate policy from pod configuration
• Automate policy creation to save time
• Enforce least privilege using Pod Security Policies
Prevent: leverage K8s controls to handle enforcement
• Strengthen security using PSP enforcement
• Enable prevention without relying on security agents
Validate: validate policy prior to deployment
• Avoid breaking applications
• Tune policies to reduce false positives
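The generate-then-validate flow described above, as an added example in Python that is not Sysdig's Policy Advisor code: a least-privilege PodSecurityPolicy is derived from an observed pod spec, then candidate pods are checked against it before deployment. The pod specs, names and the subset of PSP fields covered are constructed assumptions for illustration.

```python
# Added example, not Sysdig's code: derive a least-privilege PodSecurityPolicy from
# an observed pod spec, then check candidate pods against it before deployment.
# Pod specs are constructed inline using Kubernetes v1 Pod / policy/v1beta1 PSP field names.
from typing import Dict, List

def _volume_type(volume: Dict) -> str:
    return next(k for k in volume if k != "name")  # e.g. configMap, hostPath

def _added_caps(container: Dict) -> set:
    return set(container.get("securityContext", {}).get("capabilities", {}).get("add", []))

def generate_psp(name: str, pod: Dict) -> Dict:
    """Allow exactly the privilege level, capabilities and volume types this pod uses."""
    spec = pod["spec"]
    caps, privileged = set(), False
    for c in spec["containers"]:
        privileged = privileged or c.get("securityContext", {}).get("privileged", False)
        caps |= _added_caps(c)
    return {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
            "metadata": {"name": name},
            "spec": {"privileged": privileged,
                     "hostNetwork": spec.get("hostNetwork", False),
                     "allowedCapabilities": sorted(caps),
                     "volumes": sorted({_volume_type(v) for v in spec.get("volumes", [])})}}

def violations(psp: Dict, pod: Dict) -> List[str]:
    """Reasons the PSP would reject this pod; an empty list means it is admitted."""
    rules, out = psp["spec"], []
    if pod["spec"].get("hostNetwork", False) and not rules["hostNetwork"]:
        out.append("hostNetwork not allowed")
    for c in pod["spec"]["containers"]:
        if c.get("securityContext", {}).get("privileged", False) and not rules["privileged"]:
            out.append(f"{c['name']}: privileged container not allowed")
        extra = _added_caps(c) - set(rules["allowedCapabilities"])
        if extra:
            out.append(f"{c['name']}: capabilities not allowed: {sorted(extra)}")
    for v in pod["spec"].get("volumes", []):
        if _volume_type(v) not in rules["volumes"]:
            out.append(f"volume {v['name']}: type {_volume_type(v)} not allowed")
    return out

# Constructed samples: the web pod observed in production, and a debug pod that over-reaches.
WEB_POD = {"spec": {"containers": [{"name": "web", "image": "nginx",
           "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}],
           "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}]}}
DEBUG_POD = {"spec": {"hostNetwork": True, "containers": [{"name": "dbg", "image": "busybox",
             "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}],
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}
WEB_PSP = generate_psp("web-least-privilege", WEB_POD)
```

Running `violations(WEB_PSP, DEBUG_POD)` reports the hostNetwork, privileged, SYS_ADMIN and hostPath findings, while the original web pod passes cleanly, which is the pre-deployment check the slide calls "validate policy prior to deployment".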
Respond: Activity Audit
• Capture system activity and make it searchable and indexable against kubectl activity
• Easily filter through any user or service interaction across the K8s stack
• Comply with SOC2, PCI, ISO, HIPAA, etc. audit
Activity Audit Examples
Enriched activity:
• Activity: User commands, Network connections, kubectl activity
• Context: K8s context (labels/metadata), Container and cloud context
Example queries:
1. Show all outbound connections from my billing namespace to an unknown IP address
2. Trace a “kubectl exec” user interaction and list all the command and network activity that happened inside the pod
3. Show every tcpdump command execution that has happened in a host or K8s deployment
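The three example queries above, as an added illustration in Python rather than Sysdig's own query interface: constructed activity records enriched with Kubernetes context are filtered for outbound connections to unknown destinations, traced through a kubectl exec session, and searched for tcpdump executions. The record schema, the known-network ranges and the session id that links an exec to later in-pod activity are all assumptions made for this example.

```python
# Added example, not Sysdig's code: the three Activity Audit queries from the slide, run
# over constructed activity records enriched with Kubernetes context. The record schema
# (kind, ns, pod, deployment, host, user, session, ...) is an assumption for illustration.
import ipaddress
from typing import Dict, List, Optional

KNOWN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed cluster/VPC ranges

# Constructed records: a "kubectl exec" opens a session; commands and connections made
# inside the pod afterwards inherit that session id, which is what lets query 2 trace them.
RECORDS: List[Dict] = [
    {"t": 1, "kind": "kubectl", "verb": "exec", "user": "alice", "ns": "billing", "pod": "api-0", "session": "s1"},
    {"t": 2, "kind": "command", "cmd": "bash", "ns": "billing", "pod": "api-0", "deployment": "api",
     "host": "node-1", "session": "s1"},
    {"t": 3, "kind": "command", "cmd": "tcpdump -i eth0", "ns": "billing", "pod": "api-0", "deployment": "api",
     "host": "node-1", "session": "s1"},
    {"t": 4, "kind": "connection", "dir": "out", "dst": "203.0.113.9", "port": 443, "ns": "billing",
     "pod": "api-0", "deployment": "api", "host": "node-1", "session": "s1"},
    {"t": 5, "kind": "connection", "dir": "out", "dst": "10.0.4.2", "port": 5432, "ns": "billing",
     "pod": "api-1", "deployment": "api", "host": "node-2", "session": None},
    {"t": 6, "kind": "command", "cmd": "tcpdump -w /tmp/cap", "ns": None, "pod": None, "deployment": None,
     "host": "node-2", "session": None},
    {"t": 7, "kind": "connection", "dir": "out", "dst": "198.51.100.7", "port": 80, "ns": "web",
     "pod": "front-0", "deployment": "front", "host": "node-2", "session": None},
]

def unknown_outbound(records: List[Dict], ns: str) -> List[Dict]:
    """Query 1: outbound connections from a namespace to an IP outside the known ranges."""
    return [r for r in records if r["kind"] == "connection" and r["dir"] == "out" and r["ns"] == ns
            and not any(ipaddress.ip_address(r["dst"]) in net for net in KNOWN_NETS)]

def trace_exec(records: List[Dict], user: str) -> List[Dict]:
    """Query 2: all command and network activity inside pods during this user's kubectl exec sessions."""
    sessions = {r["session"] for r in records
                if r["kind"] == "kubectl" and r["verb"] == "exec" and r["user"] == user}
    return sorted((r for r in records if r["kind"] != "kubectl" and r["session"] in sessions),
                  key=lambda r: r["t"])

def tcpdump_runs(records: List[Dict], host: Optional[str] = None, deployment: Optional[str] = None) -> List[Dict]:
    """Query 3: every tcpdump execution, optionally narrowed to one host or one K8s deployment."""
    return [r for r in records if r["kind"] == "command" and r["cmd"].split()[0] == "tcpdump"
            and (host is None or r["host"] == host) and (deployment is None or r["deployment"] == deployment)]
```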
Sysdig Secure DevOps Platform
Converge visibility and security to run cloud native in production
Embed security · Validate compliance · Maximize availability
Dig deeper