The Sysdig Threat Research Team (TRT) has been busy recently investigating and analyzing new security threats. Their research has uncovered notable vulnerabilities and attack vectors, which they’ve shared insights about through the Sysdig blog. These blog posts include an in-depth look at RUBYCARP, a long-running botnet, and LLMjacking, a technique that can leverage large language models for malicious purposes.

This month, we also announced our latest initiative, the Runtime Insights Partner Ecosystem. If interested, you can check out our blog post and the official press release.

Sysdig Secure

RBAC Permissions Available in Vulnerability Management

Administrators can now create RBAC roles and define which roles can access the Vulnerability Management, Policy, Reporting, and Risk Acceptance functions. For more information, see Custom Roles.

• Release notes

New Version Releases

Stay up-to-date with the latest releases for our scanning tools. May’s updates bring improved functionality, bug fixes, and security enhancements. 

Sysdig CLI Scanner V1.10.0

• Release notes

Runtime Scanner V1.7.0

• Release notes

Host Scanner V0.10.0

• Release notes

Upgrading is easy, but feel free to reach out if you have any questions.

Sysdig Monitor

Alert Editor

When creating alerts, the Alert Editor automatically displays the optimal time window for your alert rule, and every data point in the alert preview now corresponds with an evaluation of an alert rule. You can also Explore Historical Data for Metric alerts 

• Release notes

Sysdig Agents

13.20.0: Enhanced coverage and visibility

Our latest agent update adds support for Suse Linux and increased visibility into JMX and non-interactive commands.  

• Release notes

Suse Linux Enterprise Server Support

You can now install the Sysdig Agent on SLES 12 and SLES 15.

•  Release notes

Capture Non-Interactive Commands in Activity Audit

Activity audit can now capture and report non-interactive commands.

• Release notes

Support for Adding Labels to JMX Metrics

Sysdig added support for labels on JMX metrics collected by the agent. For more information, see Collect JMX Labels.

• Release notes

Defect Fixes

We have several fixes for our agent that landed in May. The complete list can be seen in the release notes.

SDK, CLI, and Tools

Terraform Provider V1.26.0

• Adds the ability to create, update, and delete posture policies.

For more information, see our Terraform Provider docs.

Sysdig Cloud Connector V0.16.66

• Makes secure_api_token optional in cluster-shield

Admission Controller v3.9.45

This release is available under helm chart 0.16.2.

• Makes secure_api_token optional in cluster-shield

Sysdig Secure Jenkins Plugin v2.3.1 

• Bump embedded scanner to 1.9.2
• Bug fixes:
  • Ensure that all the logs from the embedded scanner have been written to file for proper retrieval by the trailer
  • Increase the waiting time before stopping the logs trailer to 2s
  • Ensure proper management of vuln-list inside result json
  • Use imageTag (if available) when all policy evaluations pass

Prometheus Integration v1.29.0

• APPLY changes over PromQl labels on cluster status dashboards
• ADD restarted pods toplist panel to cluster status dashboard
• New version mysql-exporter fixing HIGH vulnerabilities
• New version php-fpm_exporter fixing HIGH vulnerabilities

Open Source

Falco

Falco 0.37.1 is the latest stable release.

New Website Resources

Blogs 

• Leadership Strategies for Risk Reduction, Transparency, and Speed
• Optimizing Wireshark in Kubernetes
• The Urgency of Securing AI Workloads for CISOs
• Cloud Security and Compliance: A Smarter Approach to Keeping Your Head Above Water
• The Race for Artificial Intelligence Governance
• Accelerating AppSec with Mend.io and Sysdig
• LLMjacking: Stolen Cloud Credentials Used in New AI Attack
• Sysdig Launches Runtime Insights Partner Ecosystem to Combat Active Cloud Risk and Stop Attacks
• Strengthening Cloud Security Together: Meet the Runtime Insights Partner Ecosystem
• Sysdig Launches AI Workload Security to Mitigate Active AI Risk
• How Businesses Can Comply with the EU’s Artificial Intelligence Act

Webinars

• May 28: Webinar | Navigating “Shift-left” in Container Security
• May 29: How to Safeguard GenAI Workloads in Exposed Environments
• June 18: Secure Your AWS Workloads From Code to Cloud
• June 19: Active Cloud Risk. How to Combat the Most Critical Threats
• June 25: Fast-Track True Cloud-Native Investigation: Winning the Race Against Cybercriminals

Sysdig Training

Kraken Discovery Labs

Attacks no longer take days—they take minutes. Cloud security requires a modern detection and response benchmark. The 555 benchmark specifies that you have 5 seconds to detect, 5 minutes to triage, and 5 minutes to respond.

In this 60-minute workshop, you’ll execute actual cloud attacks like SCARLETEEL and then assume the role of the defender, leveraging threat-hunting strategies to detect and respond immediately in the cloud.

You can sign up for this lab on our website.

Instructor Led Training

We have a new Azure-specific Cloud Security Posture Management (CSPM) lab available for ILT (Instructor Led Training) delivery. This ILT content included the concepts of zones and Infrastructure as Code, integrated with source control using GitHub or GitLab.

If you are interested in learning more about how to schedule an ILT workshop, please contact your account team.

The post What’s New in Sysdig – May 2024 appeared first on Sysdig.

The Challenge with Traditional Packet Capturing

The ephemerality of containers is one of the most obvious issues. By the time a security incident is detected and analyzed, the container involved may no longer exist. When a pod dies in Kubernetes, it’s designed to instantly recreate itself again. When this happens, it has new context, such as a new IP address and pod name. As a starting point, we need to look past the static context of legacy systems and try to do forensics based on Kubernetes abstractions such as network namespaces and service names.

It’s worth highlighting that there are some clear contextual limitations of Wireshark in cloud native. Tools like Wireshark are not inherently aware of Kubernetes abstractions. This disconnect makes it hard to relate network traffic directly back to specific pods or services without significant manual configuration and contextual stitching. Thankfully, we know Falco has the context of Kubernetes in the Falco rule detection. Wireshark with Falco bridges the gap between raw network data and the intelligence provided by the Kubernetes audit logs. We now have some associated metadata from the Falco alert for the network capture.

Finally, there’s the challenge of data overload associated with PCAP files. Traditional packet capture strategies, such as those employed by AWS VPC Traffic Mirroring or GCP Traffic Mirroring, often result in vast amounts of data, most of which is irrelevant to the actual security concern, making it harder to isolate important information quickly and efficiently. Comparatively, options like AWS VPC Flow Logs or Azure’s attempt at Virtual network tap, although less complex, still incur significant costs in data transfer/storage. 

When’s the appropriate time to start a capture? How do you know when to end it? Should it be pre-filtered to reduce the file size, or should we capture everything and then filter out noise in the Wireshark GUI? We might have a solution to these concerns that bypasses the complexities and costs of cloud services.

The /555 Guide For Security Practitioners

Meet The Only Benchmark For Cloud Security!

Read The Guide

Introducing a New Approach with Falco Talon

Organizations have long dealt with security blindspots related to Kubernetes alerts. Falco and Falco Talon address these shortcomings through a novel approach that integrates Falco, a cloud-native detection engine, with tshark, the terminal version of Wireshark, for more effective and targeted network traffic analysis in Kubernetes environments.

Falco Talon’s event-driven, API approach to threat response is the best way to deal with initiating captures in real time. It’s also the most stable approach we can see with the existing state-of-the-art in cloud-native security – notably, Falco.

Step-by-Step Workflow:

• Detection: Falco, designed specifically for cloud-native environments like Kubernetes, monitors the environment for suspicious activity and potential threats. It is finely tuned to understand Kubernetes context, making it adept at spotting Indicators of Compromise (IoCs). Let’s say, for example, it triggers a detection for specific anomalous network traffic to a Command and Control (C2) server or botnet endpoints.

• Automating Tshark: Upon detection of an IoC, Falco sends a webhook to the Falco Talon backend. Talon has many no-code response actions, but one of these actions allows users to trigger arbitrary scripts. This trigger can be context-aware from the metadata associated with the Falco alert, allowing for a tshark command to be automatically initiated with metadata context specific to the incident.

• Contextual Packet Capturing: Finally, a PCAP file is generated for a few seconds with more tailored context. In the event of a suspicious TCP traffic alert from Falco, we can filter a tshark command for just TCP activity. In the case of a suspicious botnet endpoint, let’s see all traffic to that botnet endpoint. Falco Talon, in each of these scenarios, initiates a tshark capture tailored to the exact network context of the alert. This means capturing traffic only from the relevant pod, service, or deployment implicated in the security alert.

• Improved Analysis: Finally, the captured data is immediately available for deeper analysis, providing security teams with the precise information needed to respond effectively to the incident. This is valuable for Digital Forensics & Incident Response (DFIR) efforts, but also in maintaining regulatory compliance by logging context specific to security incidents in production.
  

This targeted approach not only reduces the volume of captured data, making analysis faster and more efficient, but also ensures that captures are immediately relevant to the security incidents detected, enhancing response times and effectiveness.

Collaboration and Contribution

We believe this integrated approach marks a significant advancement in Kubernetes security management. If you are interested in contributing to this innovative project or have insights to share, feel free to contribute to the Github project today.

This method aligns with the needs of modern Kubernetes environments, leveraging the strengths of both Falco and Wireshark to provide a nuanced, powerful tool for network security. By adapting packet capture strategies to the specific demands of cloud-native architectures, we can significantly improve our ability to secure and manage dynamic containerized applications.

Open source software (OSS) is the only approach with the agility and broad reach to set up the conditions to meet modern security concerns, well-demonstrated by Wireshark over its 25 years of development. Sysdig believes that collaboration brings together expertise and scrutiny, and a broader range of use cases, which ultimately drives more secure software.

This proof-of-concept involves three OSS technologies (Falco, Falco Talon, and Wireshark). While the scenario was specific to Kubernetes, there is no reason why it cannot be adapted to standalone Linux systems, Information of Things (IoT) devices, and Edge computing in the future.

The post Optimizing Wireshark in Kubernetes appeared first on Sysdig.

March doesn’t just signify the arrival of spring showers and blooming flowers, but also the arrival of Women’s History Month, a time to celebrate and honor the contributions and achievements by women in the United States.

International Women’s Day is also celebrated during March, a day which celebrates the achievements of women from all across the world.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

View Cloud Host Vulnerabilities in Inventory

Inventory now lets you search for vulnerable resources on your AWS and GCP cloud hosts (EC2 Instance, Compute Instance).

Furthermore, each cloud host’s resource-360 drawer includes vulnerability findings through a new tab.
You can also search on Package Name-Version. Note that Azure VM Hosts are out of scope at this time. See Inventory for details.

Inventory UI Updates

You can now search by Host Image ID for AWS EC2 Instance and GCP Compute Instance.

Monitor Objects in S3 Buckets

Agentless AWS Cloud Threat Detection (CDR) coverage is extended to monitor operations performed on objects stored in Simple Storage Service (S3) buckets through S3 notifications.

AWS CloudTrail integration now supports:

• ReadOnly management events (whose verb starts with Get/List/Describe).
• Coverage for S3 notifications to monitor S3 buckets and extend our AWS Agentless CDR coverage.

For details, see the AWS Agentless instructions to connect a cloud account.

Risks Module Released in Technical Preview

We are excited to release Risks in Technical Preview. The Risks feature correlates findings from CSPM, KSPM, cloud log ingestion, CIEM, Vulnerability Management, and Agent-Based Threat Detection. By combining the most critical security issues, we prioritize the biggest risks for security teams to focus on.

For details, see Risks.

Kill Process in Workload

In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.

Improved Azure Cloud Account onboarding

Sysdig has launched an improved onboarding experience for Azure Cloud Accounts. Users can specify their installation preferences regarding desired features. Sysdig then guides them through the installation process step-by-step, ensuring a seamless and personalized experience.

In addition, Sysdig’s Agentless CDR now supports threat detection on Azure. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their Azure accounts effortlessly while benefiting from robust event processing.

For details, see Connect Cloud Account | Azure.

Global Service Accounts

Sysdig has extended the functionality of team-based service accounts with global service accounts. Unlike team-based service accounts, global service accounts can perform actions that require system level permissions. Admins can create a global service account through the API. See Global Service Accounts

CISA KEV

You can now check if a vulnerability, reported by pipeline, registry, or runtime scanning, is registered in the CISA KEV catalog and filter images by CISA KEV. This allows you to view details such as the date added and due date for CISA KEV vulnerabilities. Drill down into scan results to view the CISA KEV information associated with an image. For more information, see Key Vulnerability Management Terminology.

Platform-Based Scanning

Sysdig has extended the Vulnerability Management scanning capabilities to conduct platform scanning by default. The scanning tools analyze images and host filesystems to extract the Software Bill of Materials (SBOM) and send them to the Sysdig backend for evaluation. Vulnerability matching and policy evaluation now occur within the Sysdig platform rather than on the client side.

Platform-based scanning aims to optimize computing resources, conserve data transfer, improve response time by eliminating client-side evaluation of images, and enhance the robust tracking of images across the user environment. For more information, see Platform-Based Scanning.

Improved GCP Cloud Account Onboarding

Sysdig has launched an improved onboarding experience for GCP Cloud Accounts. Users can specify their installation preferences regarding desired features. Sysdig then guides them through the installation process step-by-step, ensuring a seamless and personalized experience.

In addition, Sysdig’s Agentless CDR now supports threat detection on GCP. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their GCP accounts effortlessly while benefiting from robust event processing.

For details, see Connect Cloud Accounts | GCP.

Sysdig Monitor

Global Service Accounts

Sysdig has extended the functionality of team-based service accounts with global service accounts. Unlike team-based service accounts, global service accounts can perform actions that require system-level permissions. Admins can create a global service account through the API. See Global Service Accounts

Deactivate User Option

Sysdig has added the ability to configure a period of inactivity for a user, after which the user is deactivated. This helps large enterprises manage users automatically rather than manually deleting users from Sysdig.

This feature is deactivated by default. Currently, it can be enabled via API only.

For details, access the API documentation under User-Deactivation.

Sysdig Agents

13.0.2 March 20, 2024

This hotfix addresses the following:

• Vulnerability fixes:
  • CVE-2024-24786
  • CVE-2024-27304
• The issue in the legacy_ebpf driver that impacted the RHEL kernel v5.14 with the RHEL subversion 4.10 or higher has been fixed.
• Kernel module build failure on linux kernel 6.8 has been fixed.

13.0.1 March 11, 2024

This hotfix fixed an issue where the Sysdig Agent could retain allocated UDP ports until reaching port saturation, occurring under specific combinations of the driver used and enabled features.

13.0.0 March 06, 2024

We strongly recommend you to skip v13.0.0 and upgrade to Sysdig Agent v13.0.1. See Breaking Changes for more information.

Feature enhancements

Updated Docker Image to UBI9

Sysdig Agent’s Universal Base Image has been upgraded from UBI8 to UBI9.

Added Agent health metrics in secure_light Mode

Added the following health metrics when the agent is running in secure_light mode:

• sysdig_agent_analyzer_num_evts
• sysdig_agent_analyzer_dropped_evts

Support for TLS and basic authentication in Agent Prometheus Exporter

Agent Prometheus Exporter now supports TLS and basic authentications.

Ability to collect subattributes from JMX metrics

Added the ability to collect individual subattributes from CompositeData JMX metrics.

Availability of promscrape in ARM64 in FIPS Mode

Sysdig Agent now includes FIPS-mode promscrape binary previously missing for ARM platforms.

Kill process in Workload

In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.

Breaking changes

As part of Sysdig Agent 13.0.0 release, and as anticipated in the release notes for the 12.20.0, Sysdig dropped the support for:

• logwatcher
• RHEL6 and CentOS6

All Sysdig users affected by these changes have been notified. If you haven’t received any communication from Sysdig, it means there is no impact on your usage.

Defect fixes

Updated ssl_shim configuration

The ssl_shim configuration has been changed to fix an issue where openssl.cnf bundled with the agent expected ssl_shim to select the FIPS or non-FIPS providers at startup time. This configuration broke other programs that are dynamically linked against OpenSSL v3.

Added a openssl_conf configuration flag to allow users to specify a custom openssl.cnf file for use with the agent. To include a custom OpenSSL v3 library, you need to set the custom openssl_conf and your library path. This configuration is required when openssl_lib points the agent to a custom OpenSSL v3.x library. See openssl_lib for more information.

Support for universal eBPF on 1-vcore machines

Universal eBPF is now supported on 1-vcore machines.

Scoping events to containers on specific Kubernetes clusters

The host scope resolution now works correctly when additional scope predicates are specified along with the standard contauner_id="". For example, contauner_id="" and kubernetes.cluster.name=my_cluster.

Fixed misleading collector reconnection attempts logs

Fixed an issue where agents report a large number of logs with “No further retries left for attachment to container.

Sysdig Cluster Shield Release Notes

Here are the most recent release notes for Sysdig Cluster Shield. Review the entries to learn about the latest features, defect fixes, and known issues.

0.7.0 March 18, 2024

Enhancements

• Added new Kubernetes Metadata Collector (Technical Preview).
• Added the ability to run in single process mode.
• Updated configuration for the Container Vulnerability Management feature.
• Enabled Platform Services by default. Added the ability to disable it through an additional helm chart value containing the current on premise version.
• Removed configuration for Offline Analyzer.
• Refactored the configuration for the registry certificate verification.

Defect fixes

Fixed a memory leak issue in the supervisor process.

0.1.0 March 07, 2024

Sysdig Cluster Shield released as controlled availability

Sysdig is delighted to announce the controlled availability of Sysdig Cluster Shield. This solution consolidates multiple agent deployments into a single containerized component, marking a significant advancement in simplifying the deployment, management, and configuration of the Sysdig suite of security and compliance tools at the cluster level. By streamlining operations for Kubernetes environments, Cluster Shield makes it easier than ever to maintain your security and compliance posture.

For more information, see Sysdig Cluster Shield.

Window Agent

Container enrichment

The agent is now capable of gaining visibility into containerized processes, allowing the containerd-based containers to be secured along with the host operating system.

Availability of Docker image for Windows Server v2019 and v2022

The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.

Defect fixes

Vulnerability fixes

• CVE-2023-45853
• CVE-2024-0727
• CVE-2023-5678
• CVE-2023-6237

Ability to handle wide characters from AmsiScanBuffer events

AMSI events carry the buffer parameter that contains the executed payload, such as Powershell cmdlet and loaded .NET assembly. This conveys that the parameter structure is dynamic and will greatly depend on the data source emitting the AMSI telemetry. As a consequence, the event parsing mechanism has been adapted to treat the parameters as dynamic, and thus derive the content of the AMSI buffer as dictated by the application type emitting the event.

SDK, CLI, and Tools

Sysdig CLI

Sysdig CLI Scanner v1.8.6 is out!

• Fixed CVE-2024-26147.
• Now, Sysdig CLI scanner will honor proxy env vars when pulling images! 

Sysdig CLI Scanner v1.9.0 is out.

IAC

• Fixed panic occurring during terraform directories scanning.
• Fixed bug on severity threshold flag.
• Exit code 1 is returned when violations exceed the threshold.
• Use v2 endpoint to get data from transforms.

VM

• Fixed a bug in maven matcher.
• Make policies succeed if, for a vulnerability, the fix version is present while the solution date is not.

Fixed Vulns

• CVE-2024-24786

https://sysdiglabs.github.io/sysdig-platform-cli

Python SDK

The latest version is v0.17.1. See the Sysdig Python SDK GitHub for details.

Terraform Provider

v1.22.0 is the latest version of  the Sysdig Terraform Provider. For more information, see our Terraform Provider docs.

Terraform Modules

• AWS Sysdig Secure for Cloud remains unchanged at  v0.10.9.
• Terraform Google secure v0.1.10
  • feat: Add module outputs for webhook-datasource #17
  • feat: agentless workload controller WIF #20
  • feat: Adding support for WIF based auth to Webhook Datasource module #21
  • feat(vm,cloud-scan): enables organizational use-case #23
  • test: Add validation test coverage #16
  • test(vm, cloud-scan): single-project use-case #18
  • ci: Update CODEOWNERS #19
  • ci: Update CODEOWNERS for workload scanning module#22
• Terraform Azure remains unchanged at v0.2.10.

Falco VSCode Extension

v0.1.0 is still the latest release. 

Sysdig Cloud Connector

The Cloud Connector remains v0.16.61.

Admission Controller

 Admission Controller remains (3.9.37) and helm chart (0.15.0). 

Sysdig Secure Inline Scan Action

The latest release remains unchanged at v3.5.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure

Prometheus Integrations

We have released v1.28.0: https://github.com/draios/prometheus-integrations/releases/tag/v1.28.0

• ADD more scope to the quotas panels
• ADD change for no data description for Keda panel
• ADD rabbitMQ rule drop also by port
• FIX typo in some dashboard descriptions
• ADD Alert for Sysdig Monitor
• Full Changelog: v1.27.0…v1.28.0

Sysdig On-premise

6.9.1 Hotfix Release, March 2024

This hotfix addresses the following:

• Update the rules validator for the policies backend service to allow users to upgrade their default rules to the latest available ruleset.
• The error during the upgrade process, caused by a missing import code for pvStorageSize.cassandra, has been fixed.
• The issue where the installer incorrectly added a \n (line feed) to the context when current-context is used but the context is not specified in the values.yaml, or on the installer command line, has been resolved.
• Cassandra failure during the Zookeeper upgrade process in the installer when override fields are used. To fix the issue, remove the customOverride field:

cassandra:

  jvmOptions: -Xms6G -Xmx8G

   # customOverrides: |

   #   compaction_throughput_mb_per_sec: 300

Upgrade Process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

6.7.1 Hotfix Release, March 2024

This hotfix addresses an issue encountered during the zookeeper upgrade process in the installer, providing improved upgrade efficiency and speed.

Upgrade Process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

6.4.5 Hotfix Release, March 2024

This hotfix fixes an issue with the slowness in the Secure UI.

Upgrade Process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Falco Threat Detection Rules Changelog

Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog

Rule Changes

• Added the following rules:
  • Connection to SMB Server detected
  • Steganography Tool Detected
  • Python HTTP Server Started
  • Execute Process from Masquerade Directory
  • Shared Libraries Reconnaissance Activity Detected
  • EC2 Instance Create User
  • Terminate EC2 Instances
  • Find Authentication Certificates
  • Contact GCP Instance Metadata Service from Host
  • Contact Azure Instance Metadata Service from Host
  • Execution from Temporary Filesystem
• Reduced false positives for the following rules:
  • Write below etc
  • Connection to IPFS Network Detected
  • nsenter Container Escape
  • Execution from Temporary Filesystem
  • Launch Root User Container 
  • Linux Kernel Module Injection Detected
  • Packet socket created in container
  • Container escape via discretionary access control
  • Suspicious Access To Kerberos Secrets
  • Redirect STDOUT/STDIN to Network Connection in Host
  • Suspicious Access To Kerberos Secrets
  • Dump memory for credentials
  • Mount on Container Path Detected
  • Create Symlink Over Sensitive Files
  • Possible Backdoor using BPF
  • eBPF Program Loaded into Kernel
  • Launch Suspicious Network Tool in Container
  • Suspicious Cron Modification
  • Execution from /tmp
  • Launch Sensitive Mount Container
  • Non sudo setuid
  • Suspicious Domain Contacted
  • Launch Suspicious Network Tool in Container
  • Modify Grub Configuration Files
  • Fileless Malware Detected
  • Container escape via discretionary access control
  • Mount on Container Path Detected
  • Find GCP credentials
  • Ransomware Filenames Detected
  • Mount Launched in Privileged Container
  • Modification of pam.d detected
  • Kernel startup modules changed
  • Suspicious RC Script Modification
  • Find Authentication Certificates
  • Redirect STDOUT/STDIN to Network Connection in Container
  • Suspicious Cron Modification
  • eBPF Program Loaded into Kernel
  • Non sudo setuid
  • Suspicious Operations with Firewalls
  • Suspicious RC Script Modification
  • Mount on Container Path Detected
  • Kernel Module Loaded by Unexpected Program
  • Packet socket created in container
  • Dump memory for credentials
  • Mount on Container Path Detected
• Improved output for Discovery Security Service Activity Detected rule.
• Improved output for Reconnaissance attempt to find SUID binaries and Dump memory for credentials rules.
• Reduced false positives for the Linux Kernel Module Injection Detected rule.
• Improved output for AWS rules – Event Summary.
• Added Execute Process from Masqueraded Directory to managed policies.
• Improved output for the Kernel startup modules changed rule.
• Removed the Execute Process from Masqueraded Directory rule from managed policies.
• Improved condition for the following rules:
  • Dump memory for credentials
  • Suspicious Access To Kerberos Secrets
  • Linux Kernel Module Injection Detected
  • Redirect STDOUT/STDIN to Network Connection in Host
  • Suspicious Cron Modification
  • Clear Log Activities
  • Modification of pam.d detected
  • Linux Kernel Module Injection Detected
  • Suspicious Cron Modification
  • Suspicious network tool downloaded and launched in container
  • Launch Suspicious Network Tool on Host
  • Find GCP Credentials
  • Launch Suspicious Network Tool in Container
• Improved description and tags for Change memory swap options rule.
• Improved tags for AWS EC2 ruleset.
• Improved condition for Suspicious Cron Modification rule.
• Improved output for AWS rules – Event Summary.
• Updated Indicators of Compromise rulesets with new findings.
• Improved tags for Suspicious Domain Contacted rule.
• Improved condition for macro network_tool_procs.
• Updated Indicators of Compromise rulesets with new findings.
• Improved condition for the Kernel Module Loaded by Unexpected Program rule.
• Improved tags for Suspicious Domain Contacted rule.
• Improved output for AWS rules – Event Summary.
• Added the Data Split Activity Detected and Contact EC2 Instance Metadata Service From Host rules.
• Improved condition for the Describe Instances rule.
• Improved tags for the GCP Create Cloud Function rule.
• Improved condition for the Kernel Module Loaded by Unexpected Program rule.
• Improved output for the Kernel Module Loaded by Unexpected Program rule.
• Improve output for AWS rules – Event Summary.
• Improve MITRE tags for AWS S3 ruleset.
• Improve condition for the Update Package Repository rule.

Default Policy Changes

Removed 

• Execute Process from Masqueraded Directory rule from managed policies.

Added the following rules:

• Python HTTP Server Started
• Execute Process from Masquerated Directory
• Shared Libraries Reconnaissance Activity Detected
• EC2 Instance Create User
• Terminate EC2 Instances
• Data Split Activity Detected
• Contact EC2 Instance Metadata Service From Host
  • Find Authentication Certificates
  • Contact GCP Instance Metadata Service from Host
  • Contact Azure Instance Metadata Service from Host
  • Execution from Temporary Filesystem
  • Connection to SMB Server detected
  • Steganography Tool Detected

Updated policies for the following rules:

• Mount on Container Path Detected
• Modify Grub Configuration Files rule
• Escape to host via command injection in process
• Discovery Security Service Activity Detected
• Java Process Class File Download rule.

Open Source

Falco

Falco 0.37.1 is the latest stable release.

New Website Resources

Blogs 

Webinars

A practical guide to resource constraints in Kubernetes

SOAR into 2024: Harness the power of your cloud detection and response

Spring Cyber Solutions Fest

https://go.sysdig.com/Deminar-Fortify-Google-Cloud-Security.html

The post What’s New – March 2024 appeared first on Sysdig.

This year started with multiple recognitions for Sysdig. GigaOM named Sysdig a Leader and the only Outperformer in its inaugural Cloud Workload Security Radar report. The report compares major players in the space and highlights the evolution of the cloud security market “driven by the need for robust, feature-rich platforms capable of addressing diverse and complex security needs.”

Sysdig is also honored to receive the DevOps Dozen 2023 award as the 𝗕𝗲𝘀𝘁 𝗖𝗹𝗼𝘂𝗱 𝗡𝗮𝘁𝗶𝘃𝗲 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗦𝗼𝗹𝘂𝘁𝗶𝗼𝗻. 

“Security teams must protect the business without slowing it down. Sysdig continues to be an innovative market leader. We are proud to honor them with this year’s cloud-native security provider award.”

Alan Shimel, Techstrong Group Founder & CEO 

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

Data Types for Events Forwarding

Sysdig’s Events Forwarding feature now supports Activity Audit. Additionally, we have initiated deprecation for the following legacy data types:

• Legacy Runtime policy event format, replaced by the new format
• Legacy Compliance v1 events (Secure events compliance and Benchmark events), part of the Legacy compliance
• Legacy Vulnerability Scanner v1, part of the Legacy scanning engine

Filter for Updated Threat Detection Rules

We have added a new drop-down filter on the Rules Library page to easily review recent changes made to rules and exceptions.

See View Recent Changes to a Rule for details.

Introducing Infrastructure as Code Scanning Integration to Sysdig CLI Scanner

Sysdig is thrilled to announce a major advancement to the sysdig-cli-scanner tool with the integration of Infrastructure as Code (IaC) scanning functionality. This release empowers users to seamlessly scan IaC resources for potential risks and compliance issues, enhancing the security posture of your development workflows. By using the familiar sysdig-cli-scanner interface, you can initiate IaC scans to identify potential risks and compliance issues early in the development lifecycle. The tool continues to support the basic functionality.

Key features:

• A comprehensive exit code system for easy interpretation of scan results
• Role-Based Access Control (RBAC) for precise control over permissions
• Cross-platform compatibility
• Ability to integrate into existing workflows, such as CI/CD pipelines
• Use of API Token for authentication, ensuring consistency with the VM CLI
• Simple command execution

For more information, see Run Sysdig CLI Scanner in IaC Mode.

Inventory (General Availability)

Sysdig is pleased to make our Inventory feature available by default to all Secure SaaS customers with the following capabilities:

• Unified Data: Leveraging our Cloud Attack Graph to combine posture, vulnerability, configuration, and network exposure findings, as well as Runtime Insights on your resources
• “Featured Filters” panel: Improved search experience
• Image as a Resource: Container images are returned as a first-class citizen
• Image and Workload Vulnerabilities: View and search on vulnerability data (CVE, Package, Exploit, Fix, In Use, etc.)
• Network Exposure on Vanilla K8s Workloads, AWS EC2s and S3 buckets, Azure VMs, and Blob Containers: Display and query resources that are directly or ingress-exposed to the internet
• New resource metadata is available:
  • Search for Containers and Image Pullstrings on K8s Workloads
  • Search by Namespace for IaC K8s Workloads
  • Search for cloud resources by ARN for AWS or Resource ID for GCP and Azure
• Unique URL for each resource (in addition to applied search filters) which can be shared with your teammates/colleagues

See Inventory for details.

Improved Jira Integration

Vulnerability Management (VM) has now been fully integrated with Jira. Click on any vulnerability in the VM module to create a fully-fleshed out Jira ticket, which you can assign to a colleague from the comfort of the Sysdig UI. Sysdig will then remember which vulnerabilities have Jira tickets.

See Remediate with Jira for details.

Splunk Integration

Splunk has been integrated with Vulnerability, joining the ranks of Jenkins and ServiceNow. Fetch, triage, and orchestrate Sysdig runtime vulnerabilities in Splunk with a Technical Add-On (TA). The Splunk TA enables the extraction of all Runtime scan results.

Download the Sysdig Vulnerabilities add-on from Splunkbase to get started, as described in Vulnerability Integrations | Splunk.

Non-Kubernetes Container Scanning

Scan Docker and Podman containers for vulnerabilities with Sysdig Secure.

For more information, see Non-Kubernetes Container Scanning.

Agentless Host Scanning (Technical Preview)

On AWS EC2 hosts, you can now perform agentless runtime vulnerability scanning. You can also view all discovered hosts, get real-time status updates, and troubleshoot issues with the Cloud Hosts page in Data Sources.

See AWS Agentless Installation for details.

Risk Spotlight (General Availability)

The Vulnerability Management team is excited to announce the official release of Risk Spotlight (aka EVE or “In Use”). After several iterations of the agent, profiling service, and vulnerability management integration stages to address accuracy and computational requirements, the Risk Spotlight service is officially GA.

With Sysdig agent v12.15+ and runtime vulnerability management scanning, you can identify and prioritize packages that are both vulnerable and actively “In Use” in runtime workloads.

We also enable external integrations with partners that use this data, such as Snyk and Docker.

See Risk Spotlight (In Use) and Risk Spotlight Integrations for details.

Leverage Artificial Intelligence for AWS Console Login Anomaly Detection

With the AWS Machine Learning (ML) policy, you can detect anomalous AWS Console login events in connected AWS cloud accounts.

This policy allows you to understand why an event is considered anomalous compared to the expected behavior. In addition, you get visibility into the most influential contributing factors and the confidence level of the detection accuracy.

For details, see the AWS ML Policy documentation.

Extend Posture to Use Auto-Remediation with AWS Cloud Resources

This feature allows you to automate the process of maintaining and improving the security and compliance posture of your AWS infrastructure, reducing the risk of security breaches and operational disruptions. This extends remediation to AWS Terraform resources.

First, create Terraform configuration files that define the desired state of your AWS resources. Sysdig provides automated remediation for fixing risks by opening a pull request (PR) directly on the IaC code files for your acceptance.

For details, see Compliance – Evaluate and Remediate.

RBAC Permissions in Posture for Accept Risk, Open PR

Administrators can now define granular role permissions to allow risk acceptance and opening pull requests for posture/compliance findings. These permissions have been retroactively added to the existing default roles of Team Manager and Advanced User.

For details, see Detailed Role Permissions.

Runtime Threat Detection Rules

Our Threat Research team has released several versions of the rules in the last month, including 31 brand new rules. Additionally, older rules have been deprecated. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/

Rule Changes

• Added the following rules:
  • Query to Window Management System Detection
  • Suspicious Access To Kerberos Secrets
  • Service Discovery Activity Detected
  • Access to Clipboard Data Detected
  • SES Attach Policy to Identity
  • SES Update Identity Policy
  • SES Delete Identity Policy
  • Task Scheduled with Highest Privileges
  • Password Policy Discovery Activity Detected
  • Hide Process with Mount
  • Modify Grub Configuration Files
  • Simple Email Service (SES) Verify Identity
  • SES Update Account Sending
  • SES Delete Identity
  • SES Create SMTP
  • SNS Delete Subscription
  • SNS Delete Topic
  • SNS Get SMS Sending Information
  • Organization Update Service Control Policy
  • Organization Create Service Control Policy
  • Organization Delete Service Control Policy
  • Repository Fork Set to Public
  • Repository Fork Set to Private
  • Attach SES Policy to User
  • Auditd Logging Commands
  • Repository Fork Set to Public
  • Ransomware Filenames Detected
  • New GitHub Action Workflow Deployed
  • Okta Multiple Application Requests with Invalid Credentials
  • Push on Github Actions Detected
  • Okta MFA Bypass Attempt
• Deprecated the following rules:
  • Malicious process detected
  • Creation attempt Azure Secure Transfer Required Set to Disabled
  • Azure Access Level creation attempt for Blob Container Set to Public
  • Azure Blob Created
  • Azure Blob Deleted
  • Azure Create/Update a Storage Account
  • Azure Delete a Storage Account
  • Azure Delete Function Key
  • Azure Create/Update a Storage Account
  • Azure Create/Update a Storage Account

Default Policy Changes

• Added the following rules:
  • Query to Window Management System Detection
  • Suspicious Access To Kerberos Secrets
  • Service Discovery Activity Detected
  • Access to Clipboard Data Detected
  • Password Policy Discovery Activity Detected
  • Hide Process with Mount
  • Modify Grub Configuration Files
  • Ransomware Filenames Detected
  • New GitHub Action Workflow Deployed
  • Okta Multiple Application Requests with Invalid Credentials
  • Push on Github Actions Detected
  • Okta MFA Bypass Attempt
  • SES Attach Policy to Identity
  • SES Update Identity Policy
  • SES Delete Identity Policy

• Updated the policy for rules:
  • Ransomware Filenames Detected
  • Contact K8S API Server From Container
  • nsenter Container Escape
  • AWS CLI used with endpoint url parameter rule
  • Ransomware Filenames Detected
  • Azure Blob Created, Azure Blob Deleted

Sysdig Monitor

Sysdig Default Pricing for Cost Advisor

Cost Advisor will now use Sysdig Default prices in instances where pricing information is unavailable, such as when viewing on-premises Kubernetes clusters. Additionally, Cost Advisor has been enhanced to help you identify the billing profile associated with a specific Kubernetes cluster.

Embedded Images in Metric Alert Notifications

Alert Notifications sent to Slack, email, and Pagerduty will now include a visual snapshot of the time series data that triggered the alert rule. This means less dashboard hunting at 2AM and the ability to snooze or escalate without opening your laptop.

Group Outlier Alerts

Take advantage of the new Group Outlier alert type to detect anomalous behavior. Utilize Group Outlier alert rules to spot any hosts that are acting differently from the usual group patterns, or to highlight unusual patterns in operational metrics.

Sysdig Agents

12.19.0, December 2023

Feature Enhancements

Changed HTTP Health Endpoint to Bind to Localhost

Changed the HTTP health endpoint to only bind to the localhost interface. If you are using Helm, upgrade to the Sysdig Agent Helm Chart v1.18.2 or higher. For more information, see Agent Health.

Export Additional Agent Health Metrics Using Prometheus Exporter

The Sysdig Agent can now use a Prometheus exporter to expose additional agent health metrics. For more information, see Agent Health.

Due to the sensitive nature of some of these metrics, you may want to ensure that the Prometheus exporter endpoints are not exposed outside of your cluster.

Added Profiling Fingerprint Generation to Secure Light Mode

You can now enable Profiling in secure_light mode by setting the falcobaseline.enabled parameter to true in the dragent.yaml, or by specifying –set agent.sysdig.settings.falcobaseline.enabled=true if you install the agent via Helm chart.

Modified Audit Tap Message Delivery Policy

Audit Tap messages are now delivered even if they contain only file access records.

Defect Fixes

Improved Health Monitoring for Agent Subprocesses

Health monitoring for agent subprocesses now covers all subprocesses spawned.

Added Socket Timeout for the Proxy Connection to the Collector

Sysdig Agent now utilizes a socket timeout when connected to the collector via proxy. This allows the connection to recover faster without an agent restart when an issue occurs.

Reports Correct Values for Container CPU Usage in Kubernetes v1.26

Resolved an issue that impacted the calculation of CPU usage for containers in Kubernetes v1.26.

Detect App Check Metrics

Sysdig Agent now can successfully detect app check metrics. This fix enables SCM_RIGHTS to transfer file descriptors across all types of processes. Previously, if a file descriptor transferred via SCM_RIGHTS was for a socket serving app check metrics, the agent could not detect and query it for app check metrics. This presented missing app check metrics after a process reload.

SDK, CLI, and Tools

Sysdig CLI

v0.8.2 is still the current release. The instructions on how to use the tool are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

Python SDK is still at v0.17.1. More details on leveraging this tool can be found at the following link:

https://github.com/sysdiglabs/sysdig-sdk-python

Terraform Provider

We have just released the 1.20.0 version of Terraform provider. This release includes:

• Add group outlier alert type
• Support sidecar mode for serverless-agent (disabled by default)
• Switch to agent-kilt 0.0.2 for serverless-agent

https://docs.sysdig.com/en/docs/developer-tools/terraform-provider

Terraform Modules

• AWS Sysdig Secure for Cloud remains unchanged at v10.0.9
• GCP Sysdig Secure for Cloud remains unchanged at v0.9.10
• Azure Sysdig Secure for Cloud remains unchanged at v0.9.7
  

Falco VSCode Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

New Cloud Connector changes to (v0.16.59) under helm chart 0.8.8.

Admission Controller

New Admission Controller release (3.9.36) under helm chart 0.14.17.

Sysdig CLI Scanner

Sysdig CLI Scanner latest version is v1.6.3.

https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Sysdig Secure Inline Scan Action

The latest release is v3.6.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Prometheus Integrations has been updated to v1.24.0. This release contains updates to KEDA & OPA integrations.

Open Source

Falco

Falco 0.36.2 is still the latest stable release:

https://github.com/falcosecurity/falco/releases/tag/0.36.2

New Website Resources

Blogs 

How Financial Services Organizations Can Stay Compliant – Without Sacrificing Security

Fuzzing and Bypassing the AWS WAF

Honeypots with vcluster and Falco: Episode II

Sysdig Stands Alone: GigaOm Names Sysdig a Leader and Outperformer for Cloud Workload Security

Webinars

SEC’s Cyber Wake-up Call: The Evolving Role of the CISO

Banking on Security: Defending Against Cyber Threats and Regulatory Demands

Generate This: Bringing AI to Cloud Security

Navigating Cloud Threats: The Art of Swift Detection and Response

Fix-What-Matters-First

Securing Success: Saiyam Pathak’s 2024 Guide to CKA and CKS Certification

How to Stop Cloud Attacks in Real-Time with Runtime Insights

Every Second Counts: Delivering Secure, Compliant Financial Services in the Cloud

Sysdig Education 

Windows Monitoring

Registry Image Scanning

Detecting a Cryptomining Malware Attack with Falco and Prometheus

The post What’s New in Sysdig – January 2024 appeared first on Sysdig.

Building on the positive momentum generated by the array of features unveiled in October as part of our industry-leading Cloud-Native Application Protection Platform (CNAPP), Sysdig released the 5/5/5 Benchmark for Cloud Detection and Response at SANS CyberFest 2023, a new framework that outlines how quickly organizations should detect, triage, and respond to attacks in the cloud.

Operating securely in the cloud requires a mindset shift in regard to time, and with that, cloud security programs need to hold themselves to a modernized benchmark: 

• Five seconds to detect
• Five minutes to correlate insights and understand what’s happening
• Five additional minutes to respond

Download the 5/5/5 Benchmark for Cloud Detection and Response.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

Improved Home Page

Sysdig is pleased to announce a new and improved Home page! The Home page offers a clean, visual representation of the most important issues in your environment and a curated list of the top tasks required. The default tab Home encompasses the Dashboards, and the other tab contains Recommendations.

For the Home page dashboards to display data, you must have completed basic onboarding and at least one data source must be connected. Otherwise, the page will provide prompts for completing those setup tasks.

What is displayed in Dashboards is dependent on what has been installed. To learn more, read the docs.

Star Favorite Compliance Views

You can now select specific Policy + Zone combinations you want to see tracked on the Home page. Details are in the Compliance documentation.

Supported Web Browsers

Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox. Other browsers may also work but are not tested in the same way.

Sysdig Monitor

Supported Web Browsers

The latest versions of Chrome and Firefox are tested, verified, and supported for Sysdig Monitor as well as Secure. However, note that other browsers may also work but are not tested with the same rigor.

Sysdig Serverless Agent

4.3.0 Hotfix Nov. 08, 2023

This hotfix updated the CloudFormation template, orchestrator-agent.yaml, to include default values for autoscaling. When autoscaling is disabled, the autoscaling parameters now default to 0.

For Installation and Upgrade steps, see AWS Fargate Serverless Agents.

SDK, CLI, and Tools

Sysdig CLI

v0.8.2 is still the current release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

The Python SDK remains at  v0.17.1. 

Terraform Provider

We have just released the 1.18.0 version of Terraform provider. This release includes the following features:

• Pass provider alias to cloud account creation call
• Remove quotes for boolean values
• Implement cloud account creation for Azure
• Enable acceptance test for Secure cloud account

https://docs.sysdig.com/en/docs/developer-tools/terraform-provider

Terraform Modules

• AWS Sysdig Secure for Cloud remains unchanged at  v10.0.9
• GCP Sysdig Secure for Cloud remains unchanged at v0.9.10
• Azure Sysdig Secure for Cloud remains unchanged at v0.9.7
  

Falco VSCode Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

New Cloud Connector changes to (v0.16.55) under helm chart 0.8.6.

Admission Controller

New Admission Controller release (3.9.35) under helm chart 0.14.14.

Sysdig CLI Scanner

Sysdig CLI Scanner latest version is v1.6.1.

https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Sysdig Secure Inline Scan Action

The latest release is v3.6.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Prometheus Integrations has been updated to v1.23.2: 

• Change: Replace HelpIcon with QuestionMarkCircleHelpIcon
• Fix: OpenShift/rancher integration labels
  

Sysdig On-Premises

Sysdig On-Premises has been updated to 6.6.0 with the following changes.

Upgrade process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.

Sysdig Secure

Nexus and Google Support for Container Registry Scanning

The Image Registry Scanning functionality in the Sysdig Vulnerability Management engine has been updated to support scanning for the Nexus Repository and the Google Artifact Registry (GAR).

For more information on running the scanner, see the Registry Scanner documentation.

Reporting for Image Pipeline Vulnerability Scanning

The Vulnerability Management engine now supports Reporting for Image Pipeline Scanning. The engine now has reporting for all scanning functionality (Runtime, Registry, Host, and Pipeline). Pipeline reporting mirrors the Runtime and Registry reports, with just a change in the scoping context.

What?

• This feature enables the easy collection and reporting on Pipeline scans over a given time period.

Why?

• With this addition, we have completed normalizing the data output functions across the VM scanning set.

Exception UI improvements for threat detection rules

Sysdig is introducing a new, user-friendly exception builder. The new exception UI, built in to the Rules Editor, helps users create, update, modify, and delete exceptions for threat detection rules.

For more information, see Manage Threat Detection Rules.

Advanced users can apply Tuning suggestions

To simplify identifying and applying exceptions, we are enabling the ability for Advanced Users and Team Managers to see and apply Tuning suggestions from Insights and Event detail pages.

To enable:

1. Log into Sysdig Secure as Admin and go to Settings.
2. Toggle Advanced User Tuner Enablement on.

Sysdig Monitor

Metrics Usage Enhanced with Dashboards and Alerts Usage Metadata

Metrics Usage now displays which Dashboards and Alerts are using a given metric, enabling you to better understand the value a given metric provides to teams.

UX Improvements for PromQL Query Explorer

The PromQL Query Explorer editor has been updated with quality of life improvements for a better user experience while running queries:

• Only relevant labels to the query metrics are now displayed in the autocomplete prompt.
• Labels are automatically selected and displayed in the query results table.

Notification snapshot for Metric Alert notifications

Metric Alert notifications forwarded to Slack or email include a snapshot of the triggering time series data. For the Slack Notification channels, you can toggle the snapshot within the notification channel settings. When the channel is configured to Notify when Resolved, a snapshot of the time series data that resolves the alert is also provided in the notification.

Platform

Settings page refresh

Settings page in Sysdig Secure and Monitor has been enhanced to provide you a superior user experience:

• Improved color scheme for the dark mode.
• Unified layout and components to establish consistency between Sysdig products.
• Better navigation through the new header component.

Defect fixes

• Fixed an issue in the Explore module where promlegacy_* metrics could prevent metric counts from loading.

Falco Threat Detection Rules Changelog

Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/

Rule Changes

• Reduced false positives for the following rules:
  • Modification of pam.d detected
  • Possible Backdoor using BPF
  • Packet socket created in container
  • Dump memory for credentials
  • Launch Remote File Copy Tools in Container
  • Suspicious cron modification
  • Base64-encoded Shell Script Execution
  • Fileless Malware Detected (memfd)
  • eBPF program loaded into Kernel
  • Launch Ingress Remote File Copy Tools in Container
  • Write below etc.
  • Escape to host via command injection in process
  • eBPF program loaded into kernel
  • Non sudo setuid
  • Mount launched in Privileged Container
  • Change thread namespace
  • Set Setuid or Setgid bit
  • Launch Sensitive Mount Container
  • Launch Root User Container
  • Write below root
  • Packet socket created in container
  • Launch privileged container
  • Diamorphine Rootkit Activity
  • Read Environment Variable from /proc files in Container
  • Search Private Keys or Passwords
  • SSH keys added to authorized_keys
  • Change memory swap options
  • Kernel startup modules changed
• Added the following rules:
  • Container image built on host
  • Leave Organization
  • EC2 Add User Data
  • SSM Get Parameter
  • EC2 Get User Data
  • Shutdown or Reboot detected
  • Get Federation Token with Admin Policy
  • Full Visibility on Federated Sessions
  • GCP CloudRun Service Started
  • Create Key Pair
  • Stop EC2 Instances
  • Get Lambda Function
  • Attach IAM Policy to Group
  • Escape to host via command injection in process

• Improved the following conditions
  • System procs network activity
  • Potential UAC bypass using Registry manipulation
  • Dump memory for credentials
  • Execution of binary using ld-linux rule
• Improved the output for the following rules
  • Github Webhook Connected rule
  • Okta ruleset
  • Shutdown or Reboot detected rule
• Updated the IoCs Ruleset with new findings
• Updated description for the Malicious C2 IPs or domains exploiting log4j rule
• Updated theSysdig AWS Notable Events policy
• Improved the Windowssuspicious_network_binaries list
• Improve tags for the AWS RDS Master Password Update
• Improved MITRE tags

Default Policy Changes

• Added the following files:
  • Shutdown or Reboot detected
  • Get Federation Token with Admin Policy
  • Full Visibility on Federated Sessions
  • GCP CloudRun Service Started
  • Create Key Pair
  • Stop EC2 Instances
  • Get Lambda Function
  • Attach IAM Policy to Group
  • Escape to host via command injection in process
• Updated the Remove MFA from user in Okta policy.
• Updated the policy for rules:
  • Change memory swap options
  • EC2 Instance Connect/SSH Public Key Uploaded
  • SSM Get Parameter

Open Source

Falco

Falco 0.36.2 is the latest stable release. 

https://github.com/falcosecurity/falco/releases/tag/0.36.2

New Website Resources

Press Releases

Sysdig Debuts New Benchmark for Cloud Detection and Response

Sysdig Extends the Power of Detection and Response to Include Windows Server and Malware Threat Detection

Blogs 

Securing Servers in the Cloud Requires a Cloud Centric Approach

Why Traditional EDRs Fail at Server D&R in the Cloud

Is Traditional EDR a Risk to Your Cloud Estate?

Webinars

Fix What Matters First: Bridging Code and Cloud Security

Generate This: Bring AI to Cloud Security

Safeguarding Identities

Events

AWS re:Invent 2023 – Cloud Security Powered by Runtime Insights

BlackHat Europe 2023

Sysdig Education 

Sysdig. Secure Every Second: https://www.youtube.com/watch?v=c7mqQOwQv3U 

Unparalleled Cloud Visibility in Action with Sysdig’s Enhanced Searchable Inventory: https://www.youtube.com/watch?v=D6lnQhU0xD0

Rethinking Cloud Security with Sysdig’s CNAPP: https://www.youtube.com/watch?v=19QjEmXbvqY 

Strengthening Your Security with Agentless Vulnerability Management: https://www.youtube.com/watch?v=M0YpW-1WqqU 

Sysdig Attack Path in action: https://www.youtube.com/watch?v=Exiw48ClOYE 

The post What’s New in Sysdig – November 2023 appeared first on Sysdig.

The last few weeks have been really exciting at Sysdig. We unveiled Sysdig’s Industry-Leading Cloud-Native Application Protection Platform (CNAPP), leveraging the Cloud Attack Graph, powered by Runtime Insights to correlate assets, detect risks, and provide real-time insights. You can read more about it in this article or watch this informational video.

Sysdig and Docker also announced a partnership to accelerate and secure Cloud-Native Application Delivery at the 2023 DockerCon. Sysdig’s runtime insights will be integrated into Docker Scout to help developers prioritize risk and move faster. This integration will help customers reduce software supply chain noise, prioritize the insights that matter, and build leaner container images. Sysdig is the first runtime security integration in Docker Scout. You can read more about it in our press release.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

Custom Posture Controls

You can now tune your compliance results by customizing your posture controls. This includes the ability to customize the evaluation parameters and severity. 

This feature requires new Posture Control edit permissions, which are automatically granted to the Team Manager and Advanced User roles. Administrators can manage these privileges for all roles under Settings as follows: 

[Select role] → Policies → Posture Controls

Reporting for Image Pipeline Vulnerability Scanning

The Vulnerability Management team is pleased to announce the release of Reporting for Image Pipeline scanning. The Vulnerability Management engine now has reporting for all scanning functionality (Runtime, Registry, Host, and Pipeline). Pipeline reporting mirrors the Runtime and Registry reports, with just a change in the scoping context.

Admission Controller v0.14.9 Released

Kubernetes audit events are now enriched with container metadata to give additional insight into your infrastructure. With this enhancement, all the pod events now display container.name, pod.name, and pod.namespace labels. You can view these labels on the Secure Event detail panel for events such as Create HostNetwork Pod and Attach/Exec Pod.

Exception UI Improvements for Threat Detection Rules

Sysdig is introducing a new user-friendly exception builder. The new exception UI, built into the Rules Editor, helps users create, update, modify, and delete exceptions for threat detection rules. For more information, see Manage Threat Detection Rules.

Cloud Logs

Sysdig introduces a new product bundle intended for users who are interested in Cloud Detection and Response (CDR) for Cloud Logs but do not want to use Cloud Security Posture Management (CSPM). For more information, see Cloud Logs.

Agent Tags Support through Zone Scopes in Posture

Do you need to scope your Zones using the Agent Tags applied to your hosts and clusters?

You can now add Zone scopes: Kubernetes and Host with Agent Tags attributes. Add Agent Tags Key:Value pairs just as you add Labels. See the Posture Host Analyzer installation for details.

Advanced Users Can Apply Tuning Suggestions (Preview)

To simplify identifying and applying exceptions, we are enabling the ability for Advanced Users and Team Managers to see and apply Tuning suggestions from Insights and Event detail pages.

To enable:

1. Log into Sysdig Secure as Admin and go to Settings
2. Toggle Advanced User Tuner Enablement on

This will become the default behavior starting Oct. 15th.

Support for Rancher Kubernetes Engine (RKE2)

We are happy to announce the support for Rancher Kubernetes Engine (RKE2) which, lacking an official CIS benchmark, is supported by the addition of a new in-house policy.

Sysdig Secure Coverage Improvement for AWS

Sysdig Secure posture control library has been expanded to improve its AWS resources coverage. The control library now includes 26 new controls providing support for 17 new resource types (both deployed and from Terraform code) across the following AWS services:

• Amazon DynamoDB
• Amazon EC2
• Amazon Elastic File System (EFS)
• Amazon Kinesis
• Amazon RDS
• Amazon SageMaker
• Amazon Simple Queue Service (SQS)
• AWS Elastic Beanstalk
• AWS Network Firewall
• AWS Systems Manager (SSM)

OOTB Policy Content Updates

The following policies have gone through updates:

• Sysdig Mirantis Kubernetes Engine (MKE) Benchmark v1.1.0
  In collaboration with Mirantis, we have updated some of the audits in order to provide more accurate results.
• AWS Well Architected Framework
  The Well Architected Framework has been augmented with 26 new controls, providing support for the recently added resource types, as well as for some of the already existing.

As a fundamental part of the support for Rancher Kubernetes Engine, Sysdig now provides the following new policy:

• Sysdig Rancher Kubernetes Engine (RKE2) Benchmark v1.6.0
  The hardening guide provides prescriptive guidance for hardening a production installation of RKE2, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the CIS Kubernetes benchmark. It is to be used by RKE2 operators, security teams, auditors, and decision makers.

Sysdig Monitor

Metrics Usage Enhanced with Dashboards and Alerts Usage Metadata

Metrics Usage now displays which Dashboards and Alerts are using a given metric, enabling you to better understand the value a given metric provides to teams.

Notification Snapshot for Metric Alert Notifications (CA)

Metric Alert notifications forwarded to Slack or Email include a snapshot of the triggering time series data. For the Slack notification channels, you can toggle the snapshot within the notification channel settings. When the channel is configured to Notify when Resolved, a snapshot of the time series data that resolves the alert is also provided in the notification.

This feature is released as controlled availability.

Sysdig Agents

12.17.1 Oct. 24, 2023

This hotfix is applicable only to Sysdig on-prem deployments. It fixes an issue where the agent generates events in large numbers when Legacy Compliance is enabled due to incorrect throttling. 

12.17.0 Oct. 17, 2023

Feature Enhancements

Capability for Malware Detection

Sysdig Agent provides the ability to detect malware and suspicious binary execution by using known bad hashes on hosts and containers.

When a malware control policy is enabled, the agent computes the hash for every binary execution and checks if the hash matches any of the known malicious ones. On match, the agent will prevent the execution and generate an event.

Your environment requires Linux kernel v5.0 or beyond for malware detection to work.

This feature is enabled by default. To disable globally on the agent, add the following to the dragent.yaml file:

malware_control:
  enabled: false

To enable the feature for the underlying host node, add the following to the dragent.yaml file:

protections:
  malware_control:
  enable_for_host: true

Use Protocol Buffer to communicate to Kubernetes API Server

Cointerface uses Google Protocol Buffers as a wire format for communicating with the Kubernetes API server.

Update OpenSSL Library to OpenSSL v3.1 and include a FIPS-Validated Crypto Module

In light of OpenSSL v1.1.1 reaching end-of-life, this release updates its bundled OpenSSL libraries to v3.1.3.

Additionally, this release bundles a FIPS-validated OpenSSL crypto module with the agent. Adding the crypto module removes the requirement for user-provided, FIPS-validated OpenSSL shared libraries when the fips_mode configuration parameter is set to true.

This update breaks the agent’s backward compatibility with OpenSSL v1.1.1. If you have configured the openssl_lib parameter, do one of the following:

• Provide OpenSSL v3.1 shared libraries
• Remove the parameter and rely on the bundled OpenSSL shared libraries

End of Support for OpenShift v3

Sysdig Agent versions beyond 12.17.0 will no longer be supported on OpenShift 3. v12.17.0 will be the last version supporting OpenShift 3.

Defect Fixes

Prevent transition during restarts

The agent will no longer release the Kubernetes delegation lease during teardown to avoid unwanted transitions during restarts.

Policy scoping in Fargate now respects agent labels

Fargate agents will no longer skip agent labels when performing policy scoping.

Display resolved IPs in the Network Security Policy egress

The agent uses improved logic to resolve services and endpoints, and therefore, the network communications in some namespaces will not be dropped as unresolved.

Use get_mm_exe_file()

A safer version of the Linux kernel API call is used where get_mm_exe_file() is available.

Show correct Kubernetes status

Fixed defects in the Kubernetes status reporting. The kube_workload_status_available and kube_workload_status_unavailable metrics should report correct values even when the cluster node count changes, and the Kubernetes status should reflect the state correctly after the cointerface switches run modes.

Prevent unintended agent restart

A defect was fixed where an invalid message from the backend caused an unintended agent restart.

Store device metrics as expected

A defect was fixed where I/O metrics for devices were not stored.

Display Kubernetes cluster association correctly

A defect was fixed which caused incorrect agent association with Kubernetes clusters on the Agents page in the Data Sources UI.

Display correct time series count in Prometheus logs

Filtered timeseries counts in Prometheus statistics logs are now reported correctly.

SDK, CLI, and Tools

Sysdig CLI

v0.8.2 is still the current release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

Python SDK updated to v0.17.1.

Terraform Provider

We have just released the 1.15.0 version of Terraform provider. This release includes:

• Feature: Adding api only secure onboarding support

https://docs.sysdig.com/en/docs/developer-tools/terraform-provider

Terraform Modules

• AWS Sysdig Secure for Cloud remains unchanged at v10.0.9
• GCP Sysdig Secure for Cloud remains unchanged at v0.9.10
• Azure Sysdig Secure for Cloud remains unchanged at v0.9.7

Falco VSCode Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

New Cloud Connector changes to (v0.16.54) under helm chart 0.8.6.

Admission Controller

New Admission Controller release (3.9.34) under helm chart 0.14.12.

Sysdig CLI Scanner

Sysdig CLI Scanner latest version is v1.6.0.

https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Sysdig Secure Inline Scan Action

The latest release remains unchanged at v3.5.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Prometheus Integrations has been updated to v1.23.0:

• Fix legacy Pod Overview Dashboard
• Update OOTB Openshift/Rancher dashboards required metric

Sysdig On-Premises

Sysdig On-Premises has been updated to 6.5.0 with the following changes.

Upgrade process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem installation instructions.

Use of MinIO

Starting from release v6.5.0, MinIO has been added to the on-prem stack, specifically importing the MinIO binary from the upstream, for use in conjunction with Sysdig services.

You can download the MinIO source code in this repository. It is licensed under the AGPL 3.0.

This product includes software developed at MinIO, Inc. Copyright: MinIO Project, (C) 2015-2023 MinIO, Inc.

Sysdig Secure

Vulnerability Management landing page

Sysdig Secure offers a landing page to identify, track, and initiate Vulnerability Management workflows. This is designed to support users looking to see trends, priorities, and top action items on the vulnerability risks in their environment. The landing page covers all the scanning capabilities for images, workloads, and hosts, as collected by the installed scanners: vulnerability CLI, registry, host, and runtime. All widgets on the page enable a workflow to take action or export data to your native information security tool ecosystem.

What?

• Enable Vulnerability Managers to easily identify changes in vulnerability Risk Posture (trends), most pervasive vulnerabilities, newest released vulnerabilities, and infrastructure segments with the most vulnerabilities.
• Enable Program Managers to get easy insight into Policy posture on findings.
• Enable Architects to easily access the data regarding scan counts and adoption rates.

Why?

• Give a Vulnerability Management team an easy place to prioritize and manage vulnerabilities at a program level.

Container Registry Scanning

Image Registry Scanning functionality is available as part of the Sysdig Vulnerability Management suite in on-prem deployments.

This feature provides an added layer of security between the pipeline and runtime stages, allowing you to gain complete visibility into potential vulnerabilities before deploying to production.

The supported vendors are:

• AWS Elastic Container Registry (ECR) – Single Registry and Organizational
• JFrog Artifactory – SaaS and On-Premises
• Azure Container Registry (ACR) – Single Registry
• IBM Container Registry (ICR)
• Quay.io – SaaS
• Harbor

Once the container registry is instrumented and analyzed, you can generate registry reports to extract, forward, and post-process the vulnerability information.

Added Vulnerability Management APIs

The following new API endpoints have been released in Technical Preview to list and filter vulnerability scan results for Pipeline, Registry, and Runtime, as well as to fetch detailed scan results in JSON format:

• Get a list of pipeline scan results: GET /secure/vulnerability/v1beta1/pipeline-results
• Get a list of registry scan results: GET /secure/vulnerability/v1beta1/registry-results
• Get a list of runtime scan results: GET /secure/vulnerability/v1beta1/runtime-results
• Get full scan results: GET /secure/vulnerability/v1beta1/results

These API endpoints are applicable only to the current Vulnerability scanning engine.

New Vulnerability Management engine for airgap environments

The new Vulnerability Management engine, a major upgrade to the vulnerability and image scanning functionality for the Sysdig Secure product, is available in airgapped on-prem deployments. Contact your Sysdig representative for technical support.

Major highlights

• Scanning time has been drastically reduced: 8x faster on average!
• Additional data for vulnerabilities and remediation
  • CVSS scores and metrics: Network Attack Vector, Privileges Required, etc.
  • Flagging of publicly available code exploits
  • Suggested package fix version
• Risk spotlight: Focus on the vulnerabilities that Sysdig detects in active packages at runtime. This is a new filter that only shows CVEs with active packages, to save time browsing infrastructure and to help focus on high-impact CVEs.
• New Vulnerability Reporting module
  • Up to 14 days retention of individual reports
  • Ability to generate a report instantly from the UI
• Flexible policies that can be attached to the different runtime and security contexts

Migrate to the new scanning engine

The new vulnerability management engine uses a different data storage, API, host components, and user interfaces than the legacy scanning.

• Contact your Sysdig representative. They will guide you through the process of migrating your subscription and vulnerability management configuration to the new engine.
• For more information, see Vulnerabilities.

Defect Fixes

• Addressed a number of critical and high vulnerabilities
• Fixed the issue where Compliance v2 reports return 204 status
• Fixed the issue where you are forced to use the email address format for login when LDAP is enabled. You can now log in using your username.
• Post GKE Nodepool upgrade elastic search pods no longer fail to start
• Added support for Linux cgroup v2 to the Sysdig PostgreSQL implementation for memory optimization

Falco Threat Detection Rules Changelog

Our Threat Research team has released several versions of the rules in the last month, including 169 new rules to extend support for Azure. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/

Rule Changes

• Added the following rules:
  • CodeBuild Create Project with Miner
  • CodeBuild Start Build with Miner
  • CodeCommit Create Repository
  • CodeCommit Git Push
  • CodeBuild Create Project
  • CloudFormation Create Stack
  • SSH keys added to authorized_keys
  • SageMaker Create Notebook Instance Lifecycle Configuration
  • Image Builder Create Component
  • Amplify Create App
  • EC2 Create Auto Scaling Group
  • Potential IRC connection detected
  • CodeBuild Start Build
  • ECS Create Cluster
  • EC2 Create Launch Template
  • Change memory swap options
  • GLIBC “Looney Tunables” Local Privilege Escalation (CVE-2023-4911)
• Reduced false positives for the following rules:
  • Mount launched in privileged container
  • Kernel startup modules changed
  • Read SSH information
  • Possible Backdoor using BPF
  • Suspicious Cron Modification
  • Fileless Malware Detected (memfd)
  • eBPF Program Loaded into Kernel
• Updated MITRE tags
• Updated the IoCs Ruleset with new findings
• Improved the sysdig_commercial_images & log_files lists
• Improved host and container tags

Default Policy Changes

• Added the following rules:
  • GLIBC “Looney Tunables” Local Privilege Escalation (CVE-2023-4911)
  • AWS CLI used with endpoint url parameter
  • Hexadecimal string detected
  • Unexpected Unshare event in Container
  • Disallowed SSH Connection Non Standard Port
  • Azure Suspicious IP Inbound Request
  • GCP Change Owner
  • Container escape via discretionary access control
• Updated the policy for:
  • Suspicious device created in container
  • Modification of pam.d detected
• Added SSM rules to awscloudtrail policy
• Added the Sysdig Azure Threat Intelligence policy

Open Source

Falco

Falco 0.36.1 is the latest stable release:

https://github.com/falcosecurity/falco/releases/tag/0.36.1

We suggest reviewing the release notes for 0.36.0 (released late September), which contains a number of major enhancements, as well as some breaking changes:

https://github.com/falcosecurity/falco/releases/tag/0.36.0

New Website Resources

Blogs

When Seconds Count: Expanding Real-Time Capabilities Across CNAPP

CVE-2023-38545: High Severity cURL Vulnerability Detection

How Sysdig can Detect Impersonation Attacks in Okta IdP

Agentless Vulnerability Management: A Complete Guide to Strengthening Your Security

eBPF Offensive Capabilities – Get Ready for Next-gen Malware

Scarleteel 2.0 and the MITRE ATT&CK framework

AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation

Webinars

How to Stop Cloud Attacks in Real-Time with Runtime Insights

Strengthening Cyberattack Preparedness Through Identity Threat Detection and Response (ITDR)

Rethinking Security at Cloud Speed

Combating Critical Cloud Vulnerabilities

Cloud Security Turbocharged: A Wild Ride of Innovation, Threats, and Staying Ahead

Beyond CSPM: Mastering Cloud Defense in the Age of Rapid Attacks

Sysdig Education

Sysdig Sage: https://www.youtube.com/watch?v=LoPaplPV4KA

Intro to Secure (video): https://www.youtube.com/watch?v=jJv4_HTxwVI

Intro to Monitor (video): https://www.youtube.com/watch?v=SyD_4sNadAQ

Vulnerability Management Landing Page (video): https://www.youtube.com/watch?v=1_uPQnVKZAI

Sysdig Live: https://www.youtube.com/watch?v=bo1D-jQssw8

Process Trees: https://www.youtube.com/watch?v=wqf_ZY_cqwQ

The post What’s New in Sysdig – October 2023 appeared first on Sysdig.

Sysdig Announces Revolutionary Generative AI Defense for Cloud Security! Sysdig Sage is a generative AI assistant built on a unique AI architecture specifically designed for cloud security. Sysdig Sage goes beyond typical AI chatbots to employ multi step reasoning and multidomain correlation to quickly discover, prioritize, and remediate risks specific to the cloud. It also leverages the power of Sysdig runtime insights to reveal hidden connections between risks and security events that would otherwise go undetected. You can find more information on this here.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

Agentless Threat Detection for GitHub (CA)

Your GitHub organizations can be now secured with Sysdig agentless CDR, which extends its capabilities adding the first Git provider to the list of supported sources. By installing the Sysdig app on GitHub, it will be possible to enable our Falco-powered threat detection capabilities. Read how to do that in our documentation. You will also find policies and rules provided and maintained constantly by our Threat Research Team, along with the possibility to create your own custom ones.

Agentless Threat Detection for Okta (Preview)

Sysdig agentless CDR extends its coverage by adding support for Okta, the first Identity provider in the list of supported sources. You can now connect Okta organizations to Sysdig and use the power of Falco rules to detect threats in your environment. Along with the customizability of Falco rules, Sysdig provides managed policies and rules that are constantly being updated.

Control Access to Zones and Posture Policies

Sysdig is introducing two new permission items under Sysdig Secure → Policies:

• Zones (Read, Edit)
• Posture Policies (Read, Edit)

These permission items enable administrators to control who can edit access to Zones and Posture Policies, including APIs.

Existing roles are updated with the following permissions:

• Default Roles: Team Manager, Advanced User:
  • Zones → Edit, Posture Policies → Edit
• All Existing Custom Roles and Default Roles: Service Manager, Standard User, View Only:
  • Zones → Read, Posture Policies → Read

Runtime Rule Tuner Updated

When applying exceptions to tune rules and turn down noisy event notifications, the interface has been simplified and improved.

• Exception information now presented in easy-to-understand name/value pairs
• Values can be freely edited
• Explicit “Apply” button added for each exception, making the choices conscious and avoiding security blindspots
• If you are using Terraform to manage exceptions, you can now view the suggested exception as a Terraform snippet and copy/paste it into your Terraform file
• Impacted policies and any already-applied exceptions are displayed to help you make more informed decisions

See how to use the improved feature in the Events feed. You can also access it from Insights.

Sysdig Monitor

Cost Advisor reaches GA, packed with new features

We’re excited to announce a significant milestone in Sysdig’s journey towards helping teams get visibility into, and optimize Kubernetes Costs. Cost Advisor is now generally available and we’ve made significant improvements.

• Private Billing, currently available for AWS, reconciles costs with your specific AWS billing agreements. Usage of reserved and spot instances, as well as savings plans and other discounts will be used to calculate costs. This integration will be useful for customers that want more accurate costs instead of relying on public on-demand pricing.

• We’ve added support for storage, load balancer, and idle costs. This paints a fuller picture of your Kubernetes costs where workloads are leveraging persistent volumes and load balancers, and idle costs gives platform teams insights into the cost of used cluster capacity – a great indicator as to whether a cluster can be reshaped or scaled down.
• Cost Explorer empowers users to explore costs in detail with granular segmentation. This helps users understand, for example, what is the cost of a workload that is running across multiple clusters.
• Cost Reports streamlines cost reporting processes with the ability to set up period report generation that can be exported to 3rd party systems, and Slack and email notifications help create a culture of cost discipline. 

• We’ve made improvements to workload rightsizing to give users more control over the recommendations provided. Depending on whether a workload is production / HA grade, or a staging / dev setup, when rightsizing a workload users can choose between more conservative or aggressive recommendations.

New Alerting Capabilities

Sysdig has recently introduced a new feature that enables users to manually resolve triggering alerts. This enhancement allows users to exercise direct control over the alert resolution process. In addition, Sysdig Monitor now includes the automatic deactivation of orphaned alert occurrences. Orphaned alert occurrences refer to alerts triggered by entities that no longer report data. This automatic deactivation process ensures that alert occurrences originate only from entities that are actively providing data to Sysdig Monitor. For example, it prevents situations where alerts are triggered by a database that was decommissioned months ago, eliminating potential confusion.

Furthermore, Sysdig Monitor now incorporates the Alert Resolution Delay for PromQL Alerts. This feature is designed to curtail noisy alert resolutions by imposing a requirement that an alert condition must remain resolved for a user-defined duration before being marked as officially resolved. This aspect adds a layer of precision to the resolution process, leading to a more efficient alert management workflow.

Metrics Usage

Metrics Usage has been updated with two new features (Total Time Series Count panel, Per-metric Time Series Churn Over Time & Label Exploration).

Monitoring Integrations

• Added support for Istio 1.16.
• Added an option in Windows Installer to change the Prometheus agent port.
• Added time charts for CPU and Memory usage in the Cluster Capacity Planning Dashboard.

Sysdig Agents

12.16.0 August 08, 2023

Feature enhancements

Supports Control Group v2

Control groups v2 (cgroups v2) are now supported in the Sysdig Agent. In particular, the v1 freezer subsystem is not mounted when using cgroups v2, which causes potential compatibility issues.

Collects node labels

Sysdig Agent can by default collect the node-role.kubernetes.io/* labels set on nodes.

Known issues

Container Limits to Drift Control

• For kernel versions below v5.13, Drift Control can monitor up to 128 containers per node.
• For kernel versions v5.13 or above, modify the container limit using one of the following methods:
  • Open the sysctl -n fs.fanotify.max_user_groups file and set the new value by using sysctl -w fs.fanotify.max_user_groups=<new_limit>.
  • Open the cat /proc/sys/fs/fanotify/max_user_groups file and run echo <new_limit> > /proc/sys/fs/fanotify/max_user_groups.
    Replace <new_limit> with your choice of container limit.

Defect fixes

Removed compliance manager support

Compliance manager functionality has been removed from Sysdig Agent. The feature was not supported anymore and yet it appeared in a security audit as having a vulnerability. For these reasons, this functionality has been dismissed.

Ignores non-running pods for scraping

The Prometheus k8s-pods job configuration has been modified to drop scrapes from non-running pods.

Enables FIPS mode

The agent can now enable FIPS-compliant (Federal Information Processing Standards) mode even if the whole system isn’t in FIPS-compliant mode.

Resends unacknowledged policy events

Sysdig Agent attempts at resending unacknowledged policy events when the collector disconnects.

Adds missing health metrics in secure modes

An additional metric is collected in the secure and secure_light modes. The protobuf output for secure and secure_light mode now includes an aggrSamplingRatio aggregation field, weighted to the negotiated metrics interval.

SDK, CLI, and Tools

Sysdig CLI

v0.7.14 is still the latest release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

The Python SDK remains at v0.16.6.

Terraform Provider

We have just released the 1.12.0 version of terraform provider. This release includes:

• Add form based prometheus alert type
• Add change alert type
• Add resource for silence rule
• Add new notification channel types
• Add missing arguments to (legacy) webhook notification channels
• Add missing arguments to monitor slack notification channels
• Allow usage of alerts v2 on IBM
• Hotfix cspm policy creation

https://docs.sysdig.com/en/docs/developer-tools/terraform-provider

Terraform Modules

• AWS Sysdig Secure for Cloud remains unchanged at v10.0.9
• GCP Sysdig Secure for Cloud remains unchanged at v0.9.10
• Azure Sysdig Secure for Cloud changed to v0.9.7
  • Support use of Reader role in Trust Relationship module (#91)
    • feat: Support using Reader CSPM role
  • linting fixes

Falco VSCode Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

New Cloud Connector changes to (v0.16.47) under helm chart 0.8.2:

Admission Controller

New Admission Controller release (3.9.25) under helm chart 0.11.3.

Sysdig CLI Scanner

Sysdig CLI Scanner changed to v1.5.1.

When you run cli-scanner with the --json-scan-result parameter, the severities in JSON keys are not capitalized anymore. For example:

"vulnTotalBySeverity": {

"Critical": 2,

"High": 65,

"Low": 24,

"Medium": 107,

"Negligible": 417

},

…has been changed to:

"vulnTotalBySeverity": {

"critical": 2,

"high": 65,

"low": 24,

"medium": 107,

"negligible": 417

},

This change impacts the following JSON objects:

• vulnTotalBySeverity
• fixableVulnTotalBySeverity

https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Sysdig Secure Inline Scan Action

The latest release remains unchanged at v3.5.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

Prometheus Integrations remains at 1.16.0:

https://github.com/draios/prometheus-integrations/releases/tag/v1.16.0

Integrations:

• Fix: Preserve istio_build and pilot_proxy_convergence_time_bucket metrics on IstioD job
• Feat: Add support for Istio 1.16
• Docs: Fix k8s-PVC integration prerequisites
• Feat: Add in Windows Installer an option to change the Prometheus agent port
• Fix: Some control plane integrations have wrong label used for aggregation
• Feat: Tweak PromQL filters in order to avoid great amount of TS in the subqueries
• Test: Create a test to check the Prometheus jobs files are correct

Sysdig On-premise

On-prem release v6.4 is the latest release!

Upgrade process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix, see the Release Notes. This repository also includes the on-prem Installation instructions.

Platform fixes

• Fixed an issue with fresh installations and upgrades with FIPS mode enabled on backend hosts.
• Fixed an intermittent issue accessing the Sysdig UI when using a newly created team.
• Fixed an init container issue for the sysdigcloud-feeds-db deployment that would use the wrong mount point.

Falco Threat Detection Rules Changelog

Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/

• Reduced false positives for the Launch Root User Container rule.
• Added the following rules:
  • AWS ECS Create Task Definition
  • AWS RDS Master Password Update
  • AWS IAM Credential Report Request
• Updated the IoCs Ruleset with new findings.
• Improved the network_tool_binaries list.
• Added support for accept4 syscall.

Default policy changes

Added the following rules:

• AWS ECS Create Task Definition
• AWS RDS Master Password Update
• AWS IAM Credential Report Request
• Improve condition for Azure RDP Access Is Allowed from The Internet rule
• Improve condition for Azure SSH Access Is Allowed from The Internet rule

Default policy changes

Remove the AWS IAM Credential Report Request rule from policy.

• Reduced false positives for the following rules:
  • Write below root
  • Set Setuid or Setgid bit
  • Possible Backdoor using BPF
  • Non sudo setuid
  • Launch Sensitive Mount Container
• Updated the IoCs Ruleset with new findings
• Improve output for the Fileless Malware Detected (memfd) rule

Default policy changes

Removed Packet socket created in containercode> from the Sysdig Runtime Notable Events policy.

• Reduced false positives for the following rules:
  • Execution from /tmp
  • Launch Privileged Container
  • Packet socket created in container
• Updated the IoCs Ruleset with new findings
• Reduced false positives for the following rules:
  • Packet socket created in container
  • Change thread namespace
  • AWS SSM Agent File Write

Default policy changes

Downgraded AWS rules.

Open Source

Falco

Falco 0.35.1 is now available.

https://github.com/falcosecurity/falco/releases/tag/0.35.1

New Website Resources

Blogs

LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab

Prioritize Vulnerabilities Faster with Checkmarx and Sysdig

Boost Detection and Response with Cybereason and Sysdig

Google’s Vertex AI Platform Gets Freejacked

2023 Global Cloud Threat Report: Cloud Attacks are Lightning Fast

CVSS Version 4.0: What’s New

Webinars

Aug. 7th – Rise Together: Empowering Women at Work

Aug. 17th – Beyond the Neon Lights: Top Takeaways from Black Hat USA

Aug. 25th – Threat Hunting in the Cloud Solutions Forum 2023

Sysdig Education

Sysdig Sage: https://www.youtube.com/watch?v=LoPaplPV4KA

Kraken Discovery Lab: VULNERABILITY MANAGEMENT HANDS-ON WORKSHOP on Aug. 30th!

Intro to Secure (video) – https://www.youtube.com/watch?v=jJv4_HTxwVI

Intro to Monitor (video) – https://www.youtube.com/watch?v=SyD_4sNadAQ

Vulnerability Management Landing Page (video) – https://www.youtube.com/watch?v=1_uPQnVKZAI

Sysdig Live – https://www.youtube.com/watch?v=bo1D-jQssw8

Process Trees – https://www.youtube.com/watch?v=wqf_ZY_cqwQ

The post What’s New in Sysdig – August 2023 appeared first on Sysdig.

This month, Sysdig Secure Live has been enabled for all the users!

Secure Live is a powerful tool that assists in the response and investigation into security events, vulnerabilities, and misconfigurations in your infrastructure under one pane of glass, with a simple way to scope the part of the infrastructure you are investigating.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

Sysdig Secure Live Is Enabled for All Users

Sysdig Secure Live has been enabled for all users. For more information on this feature, see the following:

• Secure Live
• Secure Live – Preview

Policy Scope Deprecation: Kubernetes Workload Labels

Deprecation Notice: To improve agent performance and decrease load on the Kubernetes API, the Kubernetes workload metadata will no longer be a valid scope configuration, starting Oct. 18, 2023.

Why: When a policy with one of these scopes is applied, every agent must request the metadata from the Kubernetes API for all clusters. We have found that most policies are created for namespaces, clusters, or other metadata local to the agent. Many of the policies that used this metadata in the scope were used to make an exception for all rules in that policy. Sysdig supports Falco exceptions that are more targeted to a process, container, image, etc. in a specific rule, making for more targeted security rules that provide better performance and security coverage.

What: The following workload metadata will be deprecated from policy scoping:

• kubernetes.daemonset.name
• kubernetes.deployment.name
• kubernetes.statefulset.name
• kubernetes.replicaset.name
• kubernetes.cronjob.name
• kubernetes.cron.name*

Outcome: Existing policies with these scopes will continue to work but cannot be modified with the same labels. New policies cannot be created with these labels in the scope.

Recommendation: If you have used one of these scopes to apply a rule or set of rules, replace with scope for kubernetes.namespace.name + container.name.

Example: Replacing kubernetes.deployment.name

Old scope:

kubernetes.namespace.name 	= default AND
kubernetes.deployment.name 	= nginx

Supposing a container called nginx exists inside the deployment nginx. Replace it with:

kubernetes.namespace.name 	= default AND
container.name 			= nginx

You can also get more specific by using images:

kubernetes.namespace.name	= default AND
container.name 			= nginx AND
container.image.repo 		= quay.io/nginx

Admission Controller v0.11.3 Released

Admission Controller v0.11.3 is released. This release removes the Kubernetes workload name from legacy scan secure events, allowing those events to be aggregated in the Secure Events Overview dashboard.

Vulnerability Management APIs Added

The following new API endpoints have been released in Technical Preview to list and filter vulnerability scan results for Pipeline, Registry, and Runtime, as well as to fetch detailed scan results in JSON format:

• Get a list of pipeline scan results: GET /secure/vulnerability/v1beta1/pipeline-results
• Get a list of registry scan results: GET /secure/vulnerability/v1beta1/registry-results
• Get a list of runtime scan results: GET /secure/vulnerability/v1beta1/runtime-results
• Get full scan results: GET /secure/vulnerability/v1beta1/results

These API endpoints are applicable only to the current Vulnerability scanning engine.

Sysdig Monitor

OpenID Single Logout Support

Sysdig added support for OpenID Single Logout. Using Single Logout, a user can initiate a logout and terminate all sessions without having to log out from each one individually.

For more information, see Configure OpenID Single Logout.

Enhanced Sysdig Platform Audit

The Sysdig Platform Audit has been enhanced to include username and team name in the audit information in addition to user ID and team ID. The feature is Generally Available.

For more information, see Sysdig Platform Audit.

Support for Inspecting and Initiating Captures

The Captures page has been improved by providing you with the ability to inspect captures as well as initiate captures. Earlier, you could initiate captures only in the old Explore.

For more information, see Captures.

Sysdig Agents

12.15.0 June 28, 2023

Feature enhancements

Process Tree

This version of the Sysdig Agent adds support in Sysdig Secure for the Process Tree visualization which enriches the Events feed for workload-based events. This helps with identifying all the processes that led up to the offending process.

To enable this feature:

1. Modify the agent ConfigMap and set enrich_with_process_lineage=true.
2. Log into Sysdig Secure as administrator and select Settings | Sysdig Labs to toggle the feature on.
   The process tree will be visible in the Events detail pane for the events related to workloads that are triggered from that point on.

Added support for Java 7

In Sysdig Agent versions 12.10.0 to 12.14.1, a Java dependency was upgraded to a version that didn’t support Java 7. As a result, those versions cannot run the Java process which collects JMX metrics on any Java 7 JDKs/JREs. This release downgrades the dependency back to a version that supports Java 7.

Added support for Node Cost Metrics

Sysdig Agent now supports node cost metrics when using the thin cointerface.

Vulnerability fixes

Addressed CVE-2023-0286 by upgrading the OpenSSL version in the agent to 1.1.1t.

Defect fixes

Metrics parity between Secure and Secure Light modes

The Sysdig Agent will now report the same set of metrics in both secure and secure_light modes, which means that the program metrics in secure mode will also be restricted to the dragent process or container.

Enhanced execution time accounting

Fixed system execution time accounting for certain events which would cause incorrect reporting of agent I/O metrics.

Support for s390x for Ubuntu

Recent s390x Linux distributions, including Ubuntu v20.04, require the compiler to support the -march=z13/-mtune=z15 flags when building kernel modules. The gcc version used in agent-kmodule image for the s390x platform has been upgraded to gcc-12, which supports the required flags.

SDK, CLI, and Tools

Sysdig CLI

v0.7.14 is still the latest release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:

https://sysdiglabs.github.io/sysdig-platform-cli/

Python SDK

The Python SDK remains at v0.16.6

Terraform Provider

We have just released the 1.10.0 version of terraform provider. This release includes:

• Ability to manage posture zones
• Ability to fetch posture policies
• Ability to set zones on secure teams

https://docs.sysdig.com/en/docs/developer-tools/terraform-provider

Terraform Modules

• AWS Sysdig Secure for Cloud remains unchanged at v10.0.9.
• GCP Sysdig Secure for Cloud remains unchanged at v0.9.10.
• Azure Sysdig Secure for Cloud remains unchanged at v0.9.5.

Falco VSCode Extension

v0.1.0 is still the latest release.

https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0

Sysdig Cloud Connector

New Cloud Connector release (v0.16.43) under helm chart 0.8.2:

• Fix: add aws-cloudtrail-s3-sns-sqs ingestor type for CIEM
• Fix: FALCO rules error on appending exceptions

Admission Controller

New Admission Controller release (v3.9.24 ) under helm chart 0.11.3.

Sysdig CLI Scanner

Sysdig CLI Scanner remains at v1.5.0.

https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/

Sysdig Secure Inline Scan Action

The latest release remains unchanged at v3.5.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure/

Prometheus Integrations

A new release of Prometheus Integrations is available:

https://github.com/draios/prometheus-integrations/releases/tag/v1.16.0

Integrations:

• Fix: Preserve istio_build and pilot_proxy_convergence_time_bucket metrics on IstioD job
• Feat: Add support for Istio 1.16
• Docs: Fix k8s-PVC integration prerequisites
• Feat: Add in Windows Installer an option to change the Prometheus agent port
• Fix: Some control plane integrations have wrong label used for aggregation
• Feat: Tweak PromQL filters in order to avoid great amount of TS in the subqueries
• Test: Create a test to check the Prometheus jobs files are correct

Sysdig On-premise

On-prem release v6.3 is live since July 11th

• Risk Spotlight feature is now available for on-premise deployments
• Process Tree Visualization in Events Feed as well
• Full release notes and further information

Falco Threat Detection Rules Changelog

Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/

• Reduced false positives for the following rules:
  • AWS SSM Agent File Write
  • Possible Backdoor using BPF
  • Change thread namespace
• Improved performance for the following rules
  • Shell binaries opening connections
  • Drop and execute new binary in container
  • Updated the IoCs Ruleset with new findings

Open Source

Falco

Falco 0.35.1 is now available.

https://github.com/falcosecurity/falco/releases/tag/0.35.1

New Website Resources

Blogs

Architecting Cloud Instrumentation

How to Deal with Hundreds of Fixes? Choosing the Right Vulnerability Management Solution

SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto

Cloud Defense in Depth: Lessons from the Kinsing Malware

Webinars

July 13 – Black hat webinar Unpacking Supply Chain & Cloud Security Risks

July 18 – Spotting Vulnerabilities at Rest and at Runtime

July 27 – OWASP Kubernetes Top 10 Projects: What Risks You Need to Prioritize in 2023

How mx51 manages security and risk without impacting innovation and efficiency

Lessons from the Trenches: Maintaining Effective Security in Cloud

Navigating Cloud and Container Security Risk

Shift Cloud Security Left and Right with CNAPP, Powered by Runtime Insights

Cut Custom Metrics Cost

Sysdig Education

Monitoring Integrations – https://learn.sysdig.com/monitoring-integrations

Windows Monitoring (hands-on lab) – https://learn.sysdig.com/windows-monitoring

Intro to Secure (video) – https://www.youtube.com/watch?v=jJv4_HTxwVI

Intro to Monitor (video) – https://www.youtube.com/watch?v=SyD_4sNadAQ

Vulnerability Management Landing Page (video) – https://www.youtube.com/watch?v=1_uPQnVKZAI

Sysdig Live – https://www.youtube.com/watch?v=bo1D-jQssw8

Process Trees – https://www.youtube.com/watch?v=wqf_ZY_cqwQ

The post What’s New in Sysdig – July 2023 appeared first on Sysdig.