With only 5 minutes to perform cloud investigations and block attacks before they are executed, Sysdig Sage for CDR accelerates analysis and investigation, allowing users to prioritize what matters. With Sysdig Sage, users can focus on attack responses rather than spending time connecting the dots or retrieving key information to understand the attack’s big picture and impact.

What is Sysdig Sage for CDR?

Sysdig Sage is a generative AI cloud security analyst – an expert that empowers users, letting them ask questions about their runtime events in natural language within Sysdig Secure’s Events Feed.

The Events page provides an overview of security events occurring across your infrastructure, allowing you to dive deep into specific details, distinguish false positives, and configure policies – based on open source Falco – to enhance security.

Sysdig Sage elevates these capabilities infusing AI into security analysis operations, delivering:

• Statistics of security events: Review top statistics for runtime security events based on various groupings such as policy name, rule (event type), severity, and more. This will help users streamline the analysis and quickly identify and focus on events that are relevant to the investigation
• Explanation of security events: Sysdig Sage can provide details about runtime events to users and dig deeper into them – for example, to explain the command lines that generated them. 
• Suggested next steps: Sysdig Sage for CDR can get behavioral details from sample runtime events to summarize what happened at a broader level and suggest some next steps to fix and remediate the issues. This will help users move faster and immediately take action.
• Context awareness: Sysdig Sage for CDR provides a fully integrated experience. It understands what users are navigating in the Secure UI and can control it, allowing users to quickly jump to the events and information relevant to their investigation.

See Sysdig Sage in action

As someone working in security operations, you might want to easily navigate, filter, and focus on relevant events. When viewing the Sysdig Events feed, you want to be able to understand the events you need to focus on.

You might filter out low and medium-severity events but still have tons of events to process. This is when Sysdig Sage can speed up your work. You are one click away from asking “Can you summarize these events?” Sysdig Sage will understand that you activated these filters in the UI and only focus on high-severity events that occurred in the last 6 hours:

You can then click on “Link to events” to quickly reach the events you want to analyze in the UI and keep the conversation going with a focus on the event you want to look at more closely:

At this point, you might want to better understand why the user was allowed to perform that action and if it represents a threat:

Now that you connected the dots, you will be able to start crafting your remediation strategy:

And finally: the big picture. Is the threat you analyzed part of a broader security incident? Let’s ask Sysdig Sage!

In just a few questions, you were able to refine your analysis, get all the needed information without leaving Sysdig Secure, and get guidance on what steps to take.

Unlock the power of AI for cloud security

Cloud attacks happen fast. Sysdig Sage for CDR is the ultimate secret weapon to equip security teams to achieve the 555 Benchmark for Cloud Detection and Response, quickly make informed decisions, rapidly respond to threats, and save time on the most complex tasks.

With Sysdig Sage you can:

• Supercharge skills: Whether a novice or expert, Sysdig Sage for CDR will help you understand your runtime events.
• Save time: Focus on outcomes, not the analysis. 
• Get actionable insights: Know where to start and reduce time to respond – from hours to seconds.
• Collaborate better: Level set knowledge across teams. 

By reducing analysis time to just seconds and seamlessly connecting the dots, Sysdig Sage for CDR impacts daily security operations, supercharging CNAPP capabilities with the power of AI.

Come talk to us about Sysdig Sage at our Black Hat booth.

Webinar: Outpacing cloud attackers with GenAI

Join Sysdig CTO, Loris Degioanni, to learn more about advanced AI strategies for rapid threat detection and response.

REGISTER NOW

The post Sysdig Sage™ for CDR: Accelerate analysis, investigation and response appeared first on Sysdig.

To streamline investigation and help teams understand how to respond to fast-moving cloud attacks, AI for cloud security needs specialized, domain-specific programming, contextual awareness, and the ability for teams to have multi-step conversations that transform data into actionable insights.

Navigating cloud complexity

Cloud ecosystems and technology stacks can be incredibly complex. Navigating the intricacies of public and private clouds, containers, and Kubernetes requires domain expertise. Even seasoned professionals can find it challenging to stay ahead of the latest tech as it relates to cloud threats. For this reason, there is a tangible benefit to having an AI analyst that can instantly deliver the collective wisdom of human experts and the continuous learnings of AI models. 

Responding under pressure

Cloud security teams are under tremendous pressure as they race against the clock. When it’s crunch time, insufficient answers from an AI chatbot, or delays as you search for information aren’t just stressful; they can give adversaries the upper hand. During an investigation or incident response, a lot of time can be wasted trying to determine what something is and how to respond. The proper response for a given scenario may be less obvious to less experienced team members. Getting fast, accurate assistance can make a difference between data and workloads being impacted – or not.

Accelerating human response with a purpose-built AI cloud security analyst

When you have only minutes to respond, the ability to have a conversation that helps you quickly understand a cybersecurity event and how to address it is extremely powerful. To provide this level of support requires capabilities beyond just collecting and compiling data from external sources. By employing multi-step reasoning, contextual awareness, and specialized domain-specific programming, AI for cloud security can offer a truly autonomous and comprehensive approach to security analysis.

This is the approach we’ve taken with Sysdig Sage, Sysdig’s AI cloud security analyst. Sysdig Sage interacts with users through human-like conversations, helping to peel back the layers of security events. 

Architecturally, Sysdig Sage uses an autonomous agents approach, leveraging multiple specialized AI agents that work collaboratively with a common goal: to simplify and accelerate security and enable a faster, better-informed human response. This unique architecture uses advanced agent-based reasoning to not only collect data, but also to provide meaningful, context-aware recommendations that are directly useful for security decisions.

Key capabilities of Sysdig Sage

Multi-step reasoning: Sysdig Sage helps security teams peel back the layers of sophisticated cloud threats through in-depth conversations. Start with a simple question and ask follow-up questions to dive deeper, gaining a clearer understanding of runtime events. Straightforward answers and suggested queries enable quick comprehension of security implications and risks in complex cloud estates.

Contextual awareness: Sysdig Sage understands the context of what users are currently observing in the Sysdig UI and provides precise answers based on that context. It helps you navigate the platform UI, directing you to visualizations that provide a deeper understanding of a given event. As a result, team members of all skill levels get the help they need to manage more and escalate less.

Guided response: Beyond summarizing and explaining threats, Sysdig Sage suggests proactive response actions, prevention strategies, and process improvements. It empowers you to take full advantage of the real-time nature of the Sysdig platform, along with insights available from the Sysdig Threat Research team. Considering the speed at which attacks progress in the cloud, fast answers on how to stop threats are key.

Using Sysdig Sage, cloud security teams are equipped to handle complex security tasks:

• Incident investigation: Analyze incidents to determine root cause, including performed activities, cloud context, and responsible identities.
• Prioritization: Prioritize threats based on multiple factors, including severity and potential impact.
• Risk mitigation: Get effective strategies for mitigating identified risks and enhancing security posture and practices.

And, since Sysdig Sage is multilingual – with support for over 80 languages – you can take advantage of its insights in the language of your choice.

Comparing Sysdig Sage with traditional AI assistants

Sysdig Sage is a true AI security analyst. Looking at the landscape of AI assistance currently available, here’s how Sysdig Sage stacks up:

Insight generation vs. data aggregation

• Traditional AI assistants: Focus on collecting and compiling data from various sources.
• Sysdig Sage: Goes beyond aggregation to generate actionable insights through advanced agent-based reasoning.

Contextual awareness

• Traditional AI assistants: Use a separate prompt interface with little or no UI interaction.
• Sysdig Sage: Aware of the data the user is observing as context for queries; links users to directly relevant UI views.

Decision support vs. information presentation

• Traditional AI assistants: Present summarized information for review.
• Sysdig Sage: Provides detailed, step-by-step reasoning to support critical security decisions.

Adaptive problem-solving

• Traditional AI assistants: Focus on specific use cases (i.e. remediation information).
• Sysdig Sage: Tackles unforeseen challenges by combining autonomous agents’ specialized skills. Adaptability ensures AI remains effective in the face of evolving security threats.

Enhanced collaboration

• Traditional AI assistants: Support single tasks.
• Sysdig Sage: Acts as a true AI security analyst, supporting users in a free-flowing, contextual manner. Facilitates collaboration between human analysts and AI assistance.

Conclusion

As cloud security threats rapidly evolve, so too must capabilities for cloud security. AI capabilities built with multi-step reasoning and contextual awareness give defenders a new way to understand events, reduce escalations, and streamline response. If you’re new to cloud security, having an AI companion to offer insights and advice can help quickly build your skills and aid you in making the right call in the face of threats. And, if you’re a security veteran, finding ways to save time is likely at the top of your list – AI can help. 

Sysdig has designed its cloud security analyst, Sysdig Sage, to function like a team of experts by your side – always available to help you stay ahead of adversaries in an increasingly complex cloud landscape. We invite you to read the next blog in our launch series to learn more and see Sysdig Sage in action.

Webinar: Outpacing Cloud Attackers with GenAI

Join Sysdig CTO, Loris Degioanni, to learn more about advanced AI strategies for rapid threat detection and response.

REGISTER NOW

The post Sysdig Sage™: A groundbreaking AI security analyst appeared first on Sysdig.

What’s new: Layered Analysis capabilities

Layered Analysis enhances our container security toolkit by offering a granular view of container images, breaking them down into their composing layers. This capability enables more accurate identification of vulnerabilities and optimized remediation workflows by clearly discerning whether vulnerabilities belong to the base image or the application layers, aiding in proper team assignment and resolution.

Key benefits

• Enhanced accuracy and reduced time to fix: Identify vulnerabilities at each container image layer, pinpointing the specific package and instruction responsible, thereby reducing fix time.

• Facilitate attribution and ownership: Discern whether vulnerabilities belong to the base image or the application layers, aiding in proper team assignment and resolution.

• Actionable insights: Receive practical, contextual recommendations to expedite and prioritize vulnerability resolution.

Detailed insights with Layered Analysis

Container images are constructed in layers, with each change or instruction during the build process creating a new layer. Layered Analysis helps detect and display vulnerabilities and packages associated with each image layer, identifying different remediation actions and ownership depending on the layer introducing the vulnerabilities.

For example, vulnerabilities in the base OS layer, such as an end-of-life (EOL) Alpine version, can be remediated by updating the base image version, a task typically performed by the security team. In contrast, vulnerabilities in the application or non-OS layers, such as outdated Go libraries like Gin or Echo, can be addressed by updating the versions of libraries and dependencies, tasks that fall to the development teams.

How to enable and use Layered Analysis

Layered Analysis is now generally available and requires the following components for full functionality:

• Cluster and Registry Scanners: Automatically supported with platform scanning.
• CLI Version 1.12.0 or Higher: Ensure you are using the latest CLI version.
• CLI Enhancements: Utilize new flags (–separate-by-layer and –separate-by-image) to modify output and view image hierarchy or layer information.
• JSON Outputs: Updated to include new fields for detailed layer information.

Exploring the image hierarchy

Understanding the image hierarchy is key to Layered Analysis, as shown in the screenshot below.

This view shows the difference between base images and application layers, helping you quickly identify where vulnerabilities come from:

• All layers: Shows the total number of vulnerabilities in the final image, including both application and OS layers. If a vulnerability is fixed in an intermediate layer, it won’t be included in the total count.

• Base Images (prefixed with FROM): Display vulnerabilities present in the base image, including those inherited from parent images.

• Application layers: Only show vulnerabilities introduced in the application layers, excluding those from base images.

Actionable recommendations

Layered Analysis doesn’t just identify vulnerabilities; it also provides recommendations to fix them. You’ll receive suggestions to upgrade base images, address the worst vulnerabilities in application layers, and fix problematic packages. 

These actionable insights help streamline the remediation process, ensuring that vulnerabilities are addressed efficiently and effectively.

Full visibility of image history

Layered Analysis also offers full visibility into the history of your container image. You can see packages that existed in previous layers but were removed in subsequent layers. 

While these packages no longer pose a security issue, having this historical view is invaluable for understanding the evolution of your image and ensuring comprehensive security management. 

This helps teams trace back through changes, making it easier to collaborate and maintain a secure container environment.

Investigate single layers

Another powerful feature of Layered Analysis is the ability to investigate single layers of your container image. You can see exactly what packages exist in each layer and identify any vulnerabilities introduced at that specific stage. 

This granular investigation capability allows teams to pinpoint the source of security issues and understand the impact of each layer’s changes. By isolating and analyzing single layers, you can more effectively manage and remediate vulnerabilities.

Leveraging Layered Analysis for better security

Layered Analysis empowers security and development teams by providing a clear and actionable view of container image vulnerabilities. By enhancing the precision of vulnerability identification and optimizing remediation workflows, teams can effectively reduce risks and improve overall security.

With Layered Analysis, teams can pinpoint exactly where a vulnerability was introduced, identifying the specific layer responsible. This capability is particularly useful in large organizations where multiple teams are involved in containerized applications lifecycle, from building images to deploying and monitoring their health — such as infrastructure engineers creating/curating base images, developers packaging applications, and all of them working together to make sure workloads are as secure and vulnerability free as possible and security patches are promptly applied. By tracing vulnerabilities back to their source, teams can determine responsibility and ensure accountability.

By clearly distinguishing between base image and application layer vulnerabilities, Layered Analysis enables more efficient routing of remediation tasks. Security teams can focus on updating base images to mitigate inherited vulnerabilities, while development teams handle issues within the application layers. This structured approach not only streamlines the remediation process but also enhances the overall security posture of containerized environments.

Want to learn more? Reach out to your Sysdig representative, or book a demo here!

The post Introducing Layered Analysis for enhanced container security appeared first on Sysdig.

OpenSSH versions older than 4.4p1 – unless patched for previous CVE-2006-5051 and CVE-2008-4109) – and versions between 8.5p1 and 9.8p1 are impacted. The general guidance is to update the versions. Ubuntu users can download the updated versions. 

According to OpenSSH infosec researchers, this vulnerability may be difficult to exploit. 

Their investigation disclosed that under lab conditions, the attack requires, on average, 6-8 hours of continuous connections until the maximum amount accepted by the server is met.

Why is CVE-2024-6387 significant? 

This vulnerability allows an unauthenticated attacker to gain root level privileges and remotely access your glibc-based Linux systems, where syslog() (a system logging protocol) itself calls async-signal-unsafe functions via the SIGALRM handler. Researchers believe that OpenSSH on OpenBSD, a notable exception, is not vulnerable by design as the SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog(). 

What is the impact?

OpenSSH researchers believe the attacks will improve over time –thanks to the advancements in deep learning – and impact other operating systems, including the non-glibc systems. The net effect of exploiting CVE-2024-6387 is full system compromise and takeover, enabling threat actors to execute arbitrary code with the highest privileges, subvert security mechanisms, data theft, and even maintain persistent access. The team at Qualys have already identified no less than 14 million potentially vulnerable OpenSSH server instances exposed to the internet. 

How to find vulnerable OpenSSH packages with sysdig

You can use your inventory workflows to get visibility into resources and security blindspots across your cloud (GCP, Azure and AWS), Kubernetes, and container images. Besides patching, you should also limit SSH access to your critical assets. 

Here’s how you can look for the vulnerable OpenSSH package within your environment using Sysdig Secure:

• Navigate to the Inventory tab
• In the Search bar, enter the following query: 

Package contains openssh

The results show all the resources across your cloud estate that have the vulnerable package. Sysdig provides an overview of all the blind spots that may have gone unchecked within your environment. You can interact with the filters and further reduce your investigation timelines from within a single unified platform.

The need for stateful detections

Exploitation of regreSSHion involves multiple attempts (thousands, in fact) executed in a fixed period of time. This complexity is what downgrades the CVE from “Critical” classified vulnerability to a “High” risk vulnerability, based mostly on the exploit complexity.

Using Sysdig, we can detect drift from baseline sshd behaviors. In this case, stateful detections would track the number of failed attempts to authenticate with the sshd server. Falco rules alone detect the potential Indicators of Compromise (IoCs). By pulling this into a global state table, Sysdig can better detect the spike of actual, failed authentication attempts for anonymous users, rather than focus on point-in-time alerting. 

At the heart of Sysdig Secure lies Falco’s unified detection engine. This cutting‑edge engine leverages real‑time behavioral insights and threat intelligence to continuously monitor the multi‑layered infrastructure, identifying potential security incidents. 

Whether it’s anomalous container activities, unauthorized access attempts, supply chain vulnerabilities, or identity‑based threats, Sysdig ensures that organizations have a unified and proactive defense against evolving threats.

Reference:

https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html

https://blog.vyos.io/cve-2024-6387-regresshion

https://www.openssh.com/releasenotes.html

https://github.com/acrono/cve-2024-6387-poc

The post CVE-2024-6387 – Shields Up Against RegreSSHion appeared first on Sysdig.

This particular story started when we noticed a change in a customer’s agent usage. The customer in question was a company operating in the financial industry, and their primary use of our product was in Posture Management, Vulnerability Management, and Threat Detection, so this drop in usage was definitely concerning. 

To make sense of what was happening, we had to work closely with our account team and set up a series of meetings with the customer to diagnose the issue. We learned that the company had gone through staffing and management changes, and new people had ownership of our product. To make things more challenging, the management’s project had gone off track, and they were unsure where Sysdig fit in their new setup. 

This was not the first time we encountered this issue. We knew that with organizational transitions, learning a brand-new tool can be hard to prioritize. 

This is where the playbook-throwing part comes in.

The challenge 

Needing to convince a whole new set of stakeholders to fall in love with the product was a daunting prospect. It became clear we would have to go beyond simple feature-listing. Our customers were staffed with security experts, but business operations are rarely linear and never straightforward. This customer needed a true business partner.

From our conversations, the customer identified some product enhancements they needed to support the size and dynamics of their team. To help them accelerate their innovation, the customer asked us to:

• Include the ability to pass a scan policy with the option of separating OS and application packages. 
• Add additional support for the new EKS version posture requirements.

These modifications were necessary to accommodate the customer’s workflow and security needs.

Our account team deals with account logistics such as quoting, selling, and dealing with other administrative and selling tasks.

Customer Success deals with customer adoption activities, such as consulting customers through issues, delivering workshops on features, keeping customers up to date on features, bug fixes, etc.

What we did

We worked directly with the customer’s application teams to customize the product to their requirements.

During our calls together, we discussed their goals for security tooling and showed how Sysdig could help meet them, using live demos and roadmap sessions with our product team. After we zeroed in on the customer’s needs, the rest of the Sysdig team got on board to build the feature enhancements and additional support options.

Eventually, individual contributors also began to reach out with questions about integrating Sysdig into their infrastructure. With each request, we made significant progress toward reestablishing the partnership between our companies by delivering the features they needed. And these contributions were recognized by the management team, which helped us establish trust within the company.

Results

The team members we worked with went back to management to share the results they were able to achieve with Sysdig as a security partner. This opened up conversation with the customer’s leadership team and created a new champion, their director of cloud security architecture, for Sysdig.

With our new champion’s help, we were able to align strategically and truly move the needle for their business.

With the key support of many Sysdiggers, we delivered on all the feature enhancements the customer had requested. Sysdig now includes the option of separating OS and application packages, while still passing scan policy validation. We also offer extra support for customers who need to meet the new EKS version posture requirements.

The feature enhancements as well as the hours of demos, conversations with multiple stakeholders, and additional support helped our customer meet their security goals, while – crucially – staying on track with their broader business priorities.

Security is a team effort 

We know that security is much more than a checkbox. But, what we talk about less is the huge team effort required to keep an application and its users safe. Modern security teams need to reckon with expanding attack surfaces, threat actors moving at the speed of the cloud, artificial intelligence creating more risks, and working with their developer colleagues to ensure security doesn’t slow down innovation.

Security vendors need to join the team. The modern customer-vendor relationship has to go beyond providing a service and transform into a true business partnership.

As customers embrace Sysdig, our Customer Success team remains dedicated to guiding them every step of the way. We maintain an ongoing dialogue to address any hurdles they encounter, fielding spontaneous inquiries from both customers and their peers, and showcasing the latest product capabilities. 

Stay tuned for more stories — and if you want more details on what Sysdig can do for you, request a demo!

Mazen ensures his customers optimize Sysdig for their business needs, aiming to provide them with the best possible experience.

In this story, Mazen actively engaged with the customer, ensuring their needs were met and fostering a positive experience. His quick responses and dedicated support solidified trust throughout their journey with us.

The post Sysdig Customer Care Chronicles – Security Is A Team Sport appeared first on Sysdig.

But organizations and security teams aren’t alone. Threat actors have been readily adapting their craft to take advantage of cloud speed. As a result, cloud attacks happen fast, rapidly weaving through a target’s cloud estate and drawing on extensive capabilities to achieve their goals. 

A prime example is the SCARLETEEL attack, which can infiltrate an organization, execute cryptominers, uncover cloud credentials, pivot to other cloud accounts, and ultimately exfiltrate proprietary data – all in just 220 seconds. Investigating cloud attacks like SCARLETEEL has traditionally been a laborious, error-prone, and manual process. The odds are stacked against defenders, and the reality is that security teams are often unable to investigate threats before the attack completes. 

That’s why the 5/5/5 Benchmark for Cloud Detection and Response – the only industry standard for cloud security – establishes that you have just five minutes to perform cloud investigations to head off attacks before they can be executed.

What’s new: Enhanced investigations capabilities

Today, Sysdig is streamlining cloud detection and response (CDR) use cases by automating the collection and correlation of events, posture, and vulnerabilities to identities. The cloud context these capabilities provide is unparalleled. An interactive visualization of this information helps analysts instantly conceptualize attacks, unlocking five-minute investigations across the most advanced threats. 

The key new capabilities enhancing investigations include:

• Attack chain visualization
• Real-time identity correlation 
• Investigation workflow optimization

Attack chain visualization 

Security teams can leverage any alert or suspicious finding as a starting point to launch an investigation with the Sysdig Cloud Attack Graph. The graph provides attack chain visualization and empowers security analysts to rapidly understand the relationships between resources, and their implications for the attack chain across any cloud environment.

Sysdig’s attack chain visualization accelerates investigations by automatically correlating cloud and workload events to identities. Deep context from command history, as well as network and file activity, is easily gleaned from the overlays. Sysdig’s automated captures enable analysts to dig deeper by automatically tying digital forensic evidence to the events. Real-time context is combined with vulnerabilities and misconfiguration findings to provide a comprehensive and holistic view of a threat. To further simplify workflows, and narrow an investigation window when necessary, all investigations are MITRE-mapped and filterable. 

Real-time identity correlation 

At their core, all cloud attacks revolve around identities. Whether it be human or machine, one or many, analysts need a way to stitch suspicious findings to identities and their associated behaviors. Sysdig’s enhanced investigation capabilities automatically correlate cloud events with enriched identity data. Using attack chain visualization, analysts can rapidly understand suspicious identity behaviors such as unusual logins, impossible travel scenarios, and malicious IP addresses. With this context, teams can rapidly understand the who, what, where, and how of threat actors in their infrastructure.

This visibility also helps teams to rapidly rightsize excessive permissions, such as by configuring them to permissions from before they were compromised by a malicious adversary. 

Investigation workflow optimization 

A single purpose-built platform can break silos and streamline downstream activities. Security becomes a critical and valuable business partner by delivering relevant, high-context guidance across key stakeholders. Rapid investigation findings enable prescriptive guidance for response actions across incident response, platform, developer, and DevSec teams. These accelerated findings allow response teams to initiate a response within five minutes, adhering to the five minute response standard outlined in the 5/5/5 Benchmark. 

Closing the loop, the enhanced incident debrief findings these investigations provide (such as what misconfigurations, permissions, and vulnerabilities were abused to perpetuate the attack) can then be shared to tune and harden preventive controls. This focus on perpetual improvement to preventative controls helps ensure incidents are non-recurring, reducing organizational cloud risk.  

Outpace cloud attacks with Sysdig’s enhanced investigations

The acceleration of cloud detection and response is critical to combat modern attacks. The automation-fueled pace of cloud attacks means that investigations must move even faster. Sydig’s enhanced investigations unlock security teams by increasing efficiency, reducing skill gaps, and empowering security and platform teams to make better-informed decisions, faster. 

Join our upcoming webinar, Cloud Investigations in Just 5 Minutes, for a discussion with security experts on the evolution of cloud detection and response and its impacts. 

The post Introducing New Investigation Features for Sysdig Secure appeared first on Sysdig.

With all this in mind, it’s no surprise that according to Forrester research, “cloud detection and response is the next and most important frontier for security operations teams.”¹ To answer this need, Sysdig’s real-time cloud investigation gives organizations back precious time, reduces skill gaps, and grants security and platform teams the ability to make faster, better-informed decisions. 

Sysdig’s new investigation capabilities enable customers to optimize their cloud detection and response (CDR) use cases with automated collection and correlation of all their cloud data, including events, posture misconfigurations, and exploitable vulnerabilities to identities. 

The improved user interface allows security teams to interact with and instantly decipher the most complex attack chains, unlocking your ability to investigate threats in under 5 minutes, as outlined in the 555 Benchmark. 

The key new capabilities enriching your investigations include:

• Attack chain visualization – Leverage any alert or suspicious findings as the root cause to launch an investigation with the Sysdig Cloud Attack Graph. 
• Real-time identity correlation – Enhanced investigation capabilities automatically correlate cloud events with identity data.
• Investigation workflow optimization – A single purpose-built platform breaks silos and streamlines downstream activities for security personas with diverse skill sets.

See our new investigation features in action

Sysdig’s new investigation flow automatically stitches together context from across the Sysdig platform. It rapidly identifies the root cause of events and contextualizes data to speed up investigations in the cloud.

To demonstrate the power of Sysdig’s new investigation capabilities, we simulated a SCARLETEEL attack that exploits a vulnerable application in a containerized workload. This includes steps to establish a reverse shell, download a cryptominer, elevate privileges to disable S3 bucket policies, and steal customer data.

We begin our investigation with the Events Overview dashboard. Security teams may monitor a similar-looking dashboard across your multi-cloud environment. 

If we set the time frame to six hours using the time picker below, we notice a sudden spike in the volume of high-severity events (see Events By Severity widget) within this short time frame. This is unusual; on most days you do not see this many events, and since you must assume any unusual activity could indicate a breach, this aberration is suspicious and warrants a prompt response. Our goal is to triage and collect as much information as possible to create a deep contextual narrative.

First, let’s dive in and look at the events to uncover answers that explain this unusual spike seen on our dashboard. Filter for high-severity events to quickly intercept any ongoing attacks launched by the threat actors. 

We are redirected to the Events feed, where all cloud events are logged and enriched with details, including the triggered Sysdig rules/policies, timestamps, account IDs, cluster names, user names, and the IP address. 

This enables us to visualize the timeline of events leading up to a cloud attack. It also eliminates the skill gap, allowing analysts to easily ascertain the severity of an attack, the impacted cloud workloads, and the compromised user accounts. The search bar at the top and the filters on the left narrow your scope of events to investigate, thereby improving your internal metrics, such as SLAs (service-level agreements), MTTI (mean time to investigate), and MTTR (mean time to respond). 

Sysdig’s Threat Research Team also curates and maintains an exhaustive library of rules you can use, such as the following example:

ruleName = Netcat Remote Code Execution in Container

To filter relevant events within the defined time frame (six hours in our demo), we would simply type the above string in the Search bar. Alternatively, you could also use the left panel to derive similar results. This helps reduce noise, and scopes out relevant events that could explain the unusual spike detected earlier. 

In this scenario, we filter events where Sysdig has detected a Netcat execution on your cloud workload. Netcat is a common tool used by adversaries to assist in illegal activities, and is flagged and quarantined by many antivirus applications. Let’s dive in and review the factors that triggered the above Sysdig rule, including the captured command line, process tree, user and cloud details, vulnerabilities, and the rule tags.

Sysdig provides you enough context to collaborate with diverse personas, such as vulnerability management, developers, security architects, infrastructure, and more, so you can engage with and address any security gaps with clinical precision.

By now, your curiosity has likely been piqued enough to want to uncover the relationships between the impacted resources and the contributing events. 

Our attack chain visualization provides a single graphical overview of the adversary’s tactics, techniques, and procedures. It consolidates data from multiple sources — including posture misconfigurations, existing vulnerabilities, launched processes, and activity audits — to evaluate the impact of the ongoing threat.

Sysdig correlates events and enriches them with deep runtime insights, enabling analysts to rapidly investigate and pivot across any resource, event, or attribute. Our platform helps trace adversary movements across your cloud environment, and potentially prevent them from further compromising your network.

At a glance, you will gain critical understanding of an event’s context, such as: 

• What was the root cause of the event?
• What other systems has the threat actor accessed that may be at risk?
• What processes and commands were run on the impacted workloads?
• What vulnerabilities or misconfigured permissions are in use?
• What permissions and identities were elevated?

The runtime detections (seen to the left) depict a timeline of activities within the specified cluster. They are color-coded to indicate severities.

The graph also enables you to directly interact with the impacted assets. For example, in our demo, the workload legacy-webapp is the impacted resource. If we were to click on it, a list of interactive options enable you to navigate and review the specific factors that led to this high-severity event.

A drawer opens up to the right that provides under-the-hood configuration details of the workload, including the image, cluster name, namespace, and zones. It also collects data across the posture misconfigurations, in-use exploits, activity audit, and launched processes. For example, if you were to navigate to the Posture tab, you’ll observe all the posture findings on the workload (agentless approach), and the reasons why certain controls failed on the impacted workload. 

This level of context and guided remediation helps eliminate friction points, and enables your security teams to make split-second decisions at crunch time.

Now that we are comfortable handling the UI, let’s pivot to Processes, where all the executed commands on the workload are logged at runtime. This helps you to understand whether this was a lone event or part of a bigger threat activity.

From this view, you can see that the user (assuming root privileges) downloaded a few java files on the workload. You have intel by now from the Vulnerabilities tab that your legacy-webapp has a Spring4Shell Java vulnerability (read here for more context). 

Jump in to review the Process Tree for the curl command and trace the adversary movement within your cloud estate.

The process tree traces out the timeline of executed command lines captured by the agent at runtime. It illustrates the kill chain from user to process, including process lineage, container and host information, malicious user details, and impact. Almost immediately, you’ll see an xmrig, which is a cryptominer, weaponized as a trojan that masquerades as a legitimate program but conceals malicious or unwanted functionality. This xmrig was executed a few seconds after the Java files were downloaded on the workload. This is evidence enough that the workload is infected, and you need to respond promptly to contain the attack. 

Now that you have an idea of the what and the why, let’s dig deeper to uncover the who behind these events. The Identity view expands your investigation to discover whether our adversary compromised any legitimate user accounts to execute their objectives.

Here, the user interface displays the impacted user accounts, correlated at runtime with the high-severity events observed at the start of our investigation. The adjacent world map illustrates the captured regions where these accounts may have launched the SCARLETEEL attack. Since time is of essence here, let’s narrow our investigation window to an hour to confirm the threat actor lurking in your network.

Almost immediately, Sysdig filters an EC2 role and a user account Admin6 within this time window.  It also brings forth relevant events associated with the identities on the left. 

The events shown indicate multiple reconnaissance activities within your cloud environment. Unless there’s a scheduled maintenance activity, you usually shouldn’t see these discovery events across your cloud accounts.

After further investigation, the data reveals that the adversary assumed the EC2 role to create access keys for a user account, Admin6, within your environment.

Admin6 does not conform to normal naming standards, and the data indicates that this particular account has elevated privileges and several unused permissions. 

Our hypothesis is now confirmed, and we know for certain that this user account has been taken over by the adversary. You can now take quick corrective steps and optimize your IAM policies to prevent further adversary movement. 

Expand the time window to review all the interactive commands, established connections, file activities, and executable requests related to Admin6.

Sysdig’s deep runtime insights, coupled with automatic cross-cloud context and correlation, enable security and development teams to understand the who, what, where, when, and why of the cloud investigation in just 5 minutes. 

This feature is purpose-built to alleviate your investigation pain points, and sets you up to achieve the 555 Benchmark faster than with any traditional detection and response tools.

Join our upcoming deminar 5-Minute Cloud Security Investigations in Action, a technical demonstration of how Sysdig accelerates cloud-native investigation.

1. Forrester – The Comprehensive Guide To Cloud Detection and Response; Allie Mellen, Andras Cser, Jeff Pollard; April 23rd, 2024. ↩︎

The post How to Cut Cloud Investigations to 5 Minutes with Sysdig appeared first on Sysdig.

Sysdig’s AI Workload Security for AWS AI services provides the visibility needed to establish data security measures that combat the risk of exposing trade secrets, proprietary information, and customer data through unauthorized access to AI workloads. If you have uncertainty about the protection and compliance of AI in your organization, read on to learn more about the common risks and what you can now do to establish and maintain the security, confidentiality, and integrity of AI for your business.

The Growing Challenge of AI Security

GenAI presents great potential but often contains vast amounts of sensitive training data. Organizations must be prepared for a range of security concerns spanning privacy, cyberattacks, regulatory compliance, and breach of intellectual property.

There are concerns that threat actors can use AI to carry out sophisticated attacks and compromise the integrity of an AI system. Growing regulations surrounding AI services only exacerbate the problem. Mandates from around the globe are putting organizations under pressure to ensure proper governance and supervision of GenAI usage.

AI Workload Security for Amazon Bedrock, Amazon SageMaker, and Amazon Q

AWS AI-related services, such as Amazon Bedrock, Amazon SageMaker, and Amazon Q, facilitate the development of GenAI-based applications. AWS gives you integration flexibility, letting you choose to use industry-leading foundational models (FMs) and have built-in enterprise-level security and privacy controls.

• Amazon Bedrock: A fully managed service that supports foundation models (FMs) from many AI companies, like Anthropic, Cohere, Mistral AI, and Amazon, for building generative AI applications.
• Amazon Q: A GenAI–powered assistant that answers questions, provides summaries, generates content, and completes tasks based on customer data and information.
• Amazon Sagemaker: A fully managed service for high-performance, low-cost machine learning (ML). Provides foundation models used to build, train, and deploy AI models at scale.

Organizations are using these AI tools to build and scale tailored generative AI solutions to meet specific use cases and customer needs.

Bridging the AI Security Gap

The pace and speed of security operations must improve to confront AI risks. Many organizations lack the expertise needed to secure AI workloads and identify associated risks. Just as with any cloud service, it’s crucial to prioritize active risks to AI workloads, such as exposed vulnerabilities in production or attempts to manipulate AI requests and responses. Without comprehensive visibility, organizations may find AI doing more harm than good.

Unified Risk Management and Real-Time Insights

Sysdig understands the importance of speed in security response. We created open source Falco for this purpose. By applying automatic discovery with real-time threat detection, we can increase visibility into applications using AI services. Our goal is to help you manage and control AI usage — both legitimate and malicious. Let’s examine a few of the capabilities now available for AWS users who are building with AWS AI services.

Visibility Into AI Risk

Sysdig’s unified risk findings feature offers a consolidated view of correlated risks and events. For AI users, this will help streamline the workflow for prioritizing, investigating, and mitigating AI risks. Our Cloud Attack Graph integrates Risk Prioritization, Attack Path Analysis, and Inventory to provide a comprehensive view of details surrounding a particular risk. By providing a full view of the context of these risks – from where it’s happening, to corresponding vulnerabilities, and detected active threats – you can take swift action to mitigate security issues surrounding Bedrock, Q, and Sagemaker.

Checking Your AI Inventory

A key concern for many organizations is simply knowing where AI is being deployed and used. Our inventory feature helps you to identify the resources in your cloud environment that either have AI packages running or that are related, such as storage and IAM policies or roles. This visibility helps you check various aspects of security posture related to AI deployments, such as public exposure.

AI Workload Detection and Response

Sysdig’s runtime policy engine enables you to select and apply detection and response rules for your AI workloads. You can apply a range of detections – built on Falco – observing activity using a range of available sources, like syscalls, Kubernetes audit, and AWS CloudTrail. This allows you to identify activity that might put your AI workloads at risk, such as reconnaissance activity attempting to discover and exploit your AI services or data tampering.

When a rule is triggered, Sysdig records and displays all of the context and detail associated with an event. This helps you assess the issue and take further action as needed. Sysdig ships with dozens of managed policies, which our Threat Research and engineering teams frequently update to help stay on top of known adversarial tactics.

Preparing for the Future of AI Security

Understanding and managing AI risks is crucial as organizations race to integrate AI into their software. Together with AWS, Sysdig is enabling customers to securely harness the efficiency and speed that AI offers. AWS provides the key building blocks with solutions like Bedrock, Q, and Sagemaker, while real-time AI Workload Security from Sysdig ensures that organizations can safely capitalize on the benefits of AI with confidence.

AWS and Sysdig are ready to help organizations be better equipped to safeguard AI innovation. Extending Sysdig’s CNAPP solution to AWS AI services provides an additional layer of security to meet the growing demands for AI-related business solutions.

Watch our webinar, How to Safeguard GenAI Workloads in Exposed Environments, to hear more about how Sysdig helps secure your AI workloads.

The post Securing AI in the Cloud: AI Workload Security for AWS appeared first on Sysdig.

]]>