Sysdig | Victor Hernando
https://sysdig.com/blog/author/victor-hernando/
Feed last updated: Fri, 26 Jul 2024 14:04:42 +0000

How to Prioritize Vulnerabilities with Checkmarx and Sysdig Runtime Insights
https://sysdig.com/blog/prioritize-vulnerabilities-with-checkmarx-and-sysdig-runtime-insights/
Fri, 22 Mar 2024 07:33:55 +0000

Back in August 2023, Checkmarx and Sysdig announced a new partnership. This collaboration enables customers of both Checkmarx and Sysdig to leverage the comprehensive visibility offered by Sysdig Runtime Insights to get even more value from the Checkmarx One application security platform.

Nowadays, an increasing number of companies are eager to integrate runtime intelligence into their security tools. This innovative approach yields numerous benefits, such as noise reduction, and provides developers and security teams with the necessary context to focus and address the most critical issues first. Fixing and prioritizing vulnerabilities in the early stages of the software lifecycle has become significantly easier thanks to features like runtime insights.

Checkmarx and Sysdig are working together to make this transition easier. The Checkmarx One AppSec platform now incorporates Runtime Insights from Sysdig's Cloud-Native Application Protection Platform (CNAPP), so application security teams can prioritize and resolve security issues at cloud speed.

Benefits of Using Checkmarx with Sysdig Runtime Insights

Sysdig's Risk Spotlight adds runtime context to each finding, so developers can address the vulnerabilities that pose an immediate risk first.

Let's explore some of the advantages of integrating Sysdig's Risk Spotlight into the Checkmarx One platform.

Minimize the noise

Sysdig's view of how vulnerabilities affect running applications lets joint Checkmarx and Sysdig customers identify the most imminent risks. By feeding runtime intelligence into Checkmarx's Software Composition Analysis (SCA) tool, developers can concentrate on the critical vulnerabilities in packages that are actually in use, which cuts the noise by up to 95%.

Reduce the vulnerability fatigue

Developers are often overwhelmed by the volume of vulnerabilities they encounter every day. The Checkmarx SCA and Sysdig partnership establishes an effective developer feedback loop, offering precise, meaningful, and actionable insights integrated into the software lifecycle. Checkmarx users gain access to runtime data, which lets them make better-informed decisions, reduces their burden, and improves their overall development experience.

Accelerate software delivery

Runtime insights let developers fix the most critical vulnerabilities first and defer those in packages that are not in use at runtime. Deferral is not dismissal: a package that is dormant today may be loaded by a later release, so deferred findings should stay tracked. This approach streamlines software development and delivery, allowing faster iteration cycles from development to deployment. Develop, address, and deliver with greater speed and efficiency.
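The following is an added illustration of the prioritization idea described above, written for this article; it is not Checkmarx or Sysdig code and does not call either product's API. The SCA findings, the set of packages observed loaded at runtime, the identifiers (placeholders, not real CVEs), and the CI gate policy are all constructed assumptions for the example.

```python
"""Rank SCA findings using a runtime "package in use" signal.

Example code written for this article (not Checkmarx or Sysdig code).
The findings, the runtime-loaded set, and the vulnerability identifiers
below are constructed sample data; the identifiers are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str        # placeholder identifier, not a real CVE
    cvss: float
    fix_available: bool


# Constructed SCA output: what an image scanner reports for a container image.
SCA_FINDINGS = [
    Finding("liba", "1.2.0", "EXAMPLE-0001", 9.8, True),
    Finding("libb", "2.0.1", "EXAMPLE-0002", 7.5, False),
    Finding("libc-tool", "0.9.0", "EXAMPLE-0003", 9.1, True),  # never loaded
    Finding("libd", "3.3.3", "EXAMPLE-0004", 5.3, True),
    Finding("libe", "4.0.0", "EXAMPLE-0005", 4.0, True),       # never loaded
]

# Constructed runtime observation: packages whose files were actually opened or
# executed by the running workload (the kind of signal a runtime sensor gives).
RUNTIME_LOADED = {("liba", "1.2.0"), ("libb", "2.0.1"), ("libd", "3.3.3")}


def prioritize(findings, loaded):
    """Sort by (in use at runtime, CVSS, fix available), highest first.

    Findings for packages never loaded are kept at the tail, not dropped:
    they are deferred, which is what "reducing the noise" means here.
    """
    def key(f):
        in_use = (f.package, f.version) in loaded
        return (in_use, f.cvss, f.fix_available)
    return sorted(findings, key=key, reverse=True)


def split(findings, loaded):
    """Return (fix now, deferred) lists in priority order."""
    ranked = prioritize(findings, loaded)
    now = [f for f in ranked if (f.package, f.version) in loaded]
    later = [f for f in ranked if (f.package, f.version) not in loaded]
    return now, later


def noise_reduction(findings, loaded):
    """Fraction of findings deferred because the package is not in use."""
    _, later = split(findings, loaded)
    return len(later) / len(findings) if findings else 0.0


def gate(findings, loaded, threshold=9.0):
    """Assumed CI gate policy: block on in-use findings at or above the
    threshold that already have a fix available (there is no excuse left)."""
    now, _ = split(findings, loaded)
    return [f for f in now if f.cvss >= threshold and f.fix_available]


if __name__ == "__main__":
    now, later = split(SCA_FINDINGS, RUNTIME_LOADED)
    print("Fix first (in use at runtime):")
    for f in now:
        fix = "yes" if f.fix_available else "no"
        print(f"  {f.vuln_id} {f.package}@{f.version} cvss={f.cvss} fix={fix}")
    print("Deferred (not loaded at runtime):")
    for f in later:
        print(f"  {f.vuln_id} {f.package}@{f.version} cvss={f.cvss}")
    print(f"noise reduced: {noise_reduction(SCA_FINDINGS, RUNTIME_LOADED):.0%}")
    print("build blockers:", [f.vuln_id for f in gate(SCA_FINDINGS, RUNTIME_LOADED)])
```

Note that the highest-CVSS finding that is not in use (EXAMPLE-0003) drops below an in-use medium, and the gate only fires on what is both running and fixable; tune the threshold to your own policy.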

How to Enable Runtime Insights Integration Step by Step

Prerequisites

It is assumed that you are familiar with both tools, Sysdig and Checkmarx, and that you have an active user account on each platform. A Sysdig Risk Spotlight API token is required to enable the integration and access runtime insights within Checkmarx; treat it like any other credential and keep it in your CI secret store rather than in the pipeline definition.

Integrating Sysdig runtime insights into the Checkmarx SCA workflow requires running an image scan. Checkmarx has streamlined this into a single command that uses the Checkmarx One CLI and the Checkmarx SCA Resolver; the open source Syft is also used for image scanning in this workflow.

Let’s set up our environment:

  1. Download and configure the Checkmarx One CLI, entering your Checkmarx AST API key when prompted and leaving the remaining fields blank. The download below is pinned to release 2.0.62; prefer a pinned, validated release over a floating "latest" for tooling that handles your source code.

     $ wget https://github.com/Checkmarx/ast-cli/releases/download/2.0.62/ast-cli_2.0.62_linux_x64.tar.gz
     $ tar zxvf ast-cli_2.0.62_linux_x64.tar.gz
     $ cx configure
     Creating directory
     Setup guide: https://checkmarx.com/resource/documents/en/34965-68621-checkmarx-one-cli-quick-start-guide.html
     AST Base URI []:
     AST Base Auth URI (IAM) []:
     AST Tenant []:
     Do you want to use API Key authentication? (Y/N): Y
     AST API Key []: <PASTE_YOUR_API_KEY_HERE>

  2. Download the Checkmarx SCA Resolver tool.

     $ wget https://sca-downloads.s3.amazonaws.com/cli/latest/ScaResolver-linux64.tar.gz
     $ tar zxvf ScaResolver-linux64.tar.gz

  3. Download and install Syft. The installer is fetched over HTTPS and piped straight into a shell; review the script first, or download a specific release instead, if your change-control policy requires it.

     $ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Enable Checkmarx + Sysdig integration

As of March 2024, Checkmarx users who wish to enable the Sysdig integration should contact a Checkmarx representative for assistance with the process.

How to run the Checkmarx scanner

  1. Create a new Checkmarx project.

     $ cx project create --project-name java-demo-app

     Project ID                           Name          Created at Tags Groups
     ----------                           ----          ---------- ---- ------
     cdbabb8f-b984-4984-a47e-e625f39d2828 java-demo-app 11-28-23   []   []

  2. Run a new image scan task. The SCA Resolver scans the container image named in --images and writes its findings to the file given in --containers-result-path; --async returns without waiting for the scan to finish.

     $ cx scan create --project-name java-demo-app -s '/home/victor/cicd-secure-scan/myapp' --branch stam-branch --scan-types sca --debug --async --sca-resolver './ScaResolver' --sca-resolver-params "--log-level Debug --scan-containers true --images quay.io/vhernandomartin/myimage:latest --containers-result-path /home/victor/cicd-secure-scan/myapp/.cxsca-container-results.json"

  3. Check the new scan task in the Checkmarx UI.

Conclusion

This partnership strengthens shift-left security for Checkmarx and Sysdig customers by adding runtime insights to the findings developers already see. Together, Checkmarx and Sysdig offer a distinctive approach to detecting and responding to security threats.

Do you want to learn more? Visit the Checkmarx site on the Sysdig ecosystem portal for further information, or register to watch the below webinar.

The post How to Prioritize Vulnerabilities with Checkmarx and Sysdig Runtime Insights appeared first on Sysdig.


Beat the Clock: Meet the 555 Detection and Response Benchmark With Sysdig and Tines
https://sysdig.com/blog/meet-the-555-benchmark-with-sysdig-and-tines/
Fri, 23 Feb 2024 18:23:38 +0000

10 minutes to pain. When it comes to cloud security, 10 minutes or less is all bad actors need to execute an attack. Does that mean your business is at risk if you fail to detect and respond to an attack in under 10 minutes? Absolutely.

With more and more sophisticated security attacks actively occurring nowadays, security teams need to hold themselves to a modernized benchmark. The 555 Cloud Detection and Response Benchmark, built in partnership with our customers, industry analysts, and the Sysdig Threat Research Team (TRT), sets a new standard for operating securely in the cloud.

Sysdig is collaborating with Tines, one of our Threat Detection and Response (TDR) technology partners, to integrate orchestration and automation features that help security teams tackle the most complex attacks. The Tines workflow platform removes barriers to timely response and reduces the complexity of automating TDR. DevSecOps, operations, and security teams can simplify security workflows, shorten response times, and stay ahead of potentially major security incidents.

Detect, triage, and respond at cloud speed

The 555 Benchmark highlights how quickly attackers cause harm once they exploit a vulnerability, and challenges organizations to respond faster than the attackers do:

  • 5 seconds to detect security threats
  • 5 minutes to triage and correlate
  • 5 minutes to initiate a response

Initiating a quick and effective response can be tricky; human latency alone makes a 5-minute response extremely difficult. One of the most recent examples of a complex, sophisticated attack is Scarleteel, discovered by the Sysdig Threat Research Team in early 2023. The attackers gained access to a system by exploiting a vulnerability, ran cryptominers, and then stole credentials by abusing the cloud metadata API and used them to move laterally. What initially looked like a single-target attack quickly became a far more serious threat spread throughout the cloud infrastructure. Left unchecked, an attack of that magnitude can cause unrecoverable damage.

Adding automated response to the equation with Tines

DevSecOps and security operations teams triage and analyze massive numbers of security findings as they emerge. Live data, where available, together with dumps or captures gathered from containers or cloud services, is fundamental to forensics and incident investigation. But response cannot wait for the investigation to finish. Security Orchestration, Automation and Response (SOAR) tools help tackle critical threats like Scarleteel.

Sysdig partner, Tines, is a next-gen, no-code SOAR tool that empowers security teams to respond automatically to security threats.

The way it works is simple. Users can either choose to use predefined stories (workflows) available in the Tines library, or come up with their own workflow definitions. Workflows are the way data is handled, transformed, and processed towards reaching a desired state.

In order to support workflow creation, Tines comes with tons of out-of-the-box actions for interacting with almost every vendor in the IT landscape. Tines users only need to select the actions they want to use from the library, drag and drop, configure, and connect actions to achieve an outcome.

So far so good. But how can Sysdig and Tines help detect and respond to complex, modern attacks like Scarleteel?

SOAR to overcome security threats

Thanks to the Sysdig and Tines partnership, joint customers can apply SOAR techniques to respond to security threats, expanding their ability to stop attack patterns like Scarleteel. Let's see it in action.

This is how the Scarleteel story built by Sysdig looks in Tines. In short, the data flows as follows:

  1. Initial security events are gathered from the Sysdig API endpoint and triaged by an action in the Tines workflow. Meanwhile, Tines keeps polling for new Sysdig security events, which may add context on what is unfolding in real time.
  2. Tines identifies suspicious events matching common Scarleteel patterns. The data is sorted and deduplicated to avoid unnecessary noise. If reconnaissance-related Scarleteel events are found, Tines immediately sends an alert informing users that a likely Scarleteel attack has just started.
  3. In stage two, Tines continues analyzing events. If invasive Scarleteel events such as stolen credentials or lateral movement are detected, Tines stops the attack automatically by removing permissions in the cloud provider, for example in AWS IAM.

With simple workflows like this one, Sysdig and Tines users can not only detect complex attacks like Scarleteel but also stop them automatically within seconds. Other response actions, such as stepped-up monitoring of suspicious processes or terminating compromised containers, are also possible depending on the organization's risk appetite. Revoking permissions is itself disruptive to the workload, so the invasive-stage trigger should be specific enough that a false positive does not take down production. Thanks to this partnership, exposure, risk, and potential damage are reduced or fully mitigated at cloud speed.
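The two-stage flow described above, as an added example written for this article: it is not a Tines story and not Sysdig's API client. The event shape (rule, host, container, timestamp, principal), the rule-name fragments used to classify events, and the events themselves are constructed assumptions; the response step only records the action it would take instead of calling AWS IAM.

```python
"""Two-stage Scarleteel-style response workflow (stand-alone illustration).

Example code written for this article; not a Tines story and not Sysdig's
API. Rule names, event fields and the patterns below are assumptions, and
the batches are constructed sample data standing in for polled API results.
"""
from enum import IntEnum


class Stage(IntEnum):
    NONE = 0
    RECON = 1      # stage one: notify humans
    INVASIVE = 2   # stage two: automatic containment


# Assumed rule-name fragments for each stage (not Sysdig's actual rule names).
INVASIVE_PATTERNS = ("credential", "cryptomin", "lateral", "stolen")
RECON_PATTERNS = ("metadata endpoint", "enumerat")


def classify(event):
    """Map an event to a workflow stage; invasive patterns win over recon ones."""
    rule = event["rule"].lower()
    if any(p in rule for p in INVASIVE_PATTERNS):
        return Stage.INVASIVE
    if any(p in rule for p in RECON_PATTERNS):
        return Stage.RECON
    return Stage.NONE


class ScarleteelStory:
    """Keeps the state a polling workflow needs between batches."""

    def __init__(self):
        self.seen = set()        # (rule, host, container) already handled
        self.stage = Stage.NONE  # highest stage reached so far
        self.contained = set()   # principals whose permissions were revoked
        self.actions = []        # every (action, detail) emitted, in order

    def ingest(self, batch):
        """Process one polling batch; return the actions emitted for it."""
        emitted = []
        for ev in sorted(batch, key=lambda e: e["ts"]):
            key = (ev["rule"], ev["host"], ev["container"])
            if key in self.seen:          # deduplicate repeated detections
                continue
            self.seen.add(key)
            stage = classify(ev)
            if stage is Stage.NONE:
                continue
            self.stage = max(self.stage, stage)
            emitted.append(("alert", f"{stage.name}: {ev['rule']} on "
                                     f"{ev['host']}/{ev['container']}"))
            if stage is Stage.INVASIVE:
                principal = ev.get("principal")
                # Contain once per principal; a real story would call the
                # cloud provider here (e.g. detach the role's policies).
                if principal and principal not in self.contained:
                    self.contained.add(principal)
                    emitted.append(("revoke_cloud_permissions", principal))
        self.actions.extend(emitted)
        return emitted


# Constructed batches standing in for two consecutive polls of the events API.
BATCH_1 = [
    {"ts": 101, "rule": "Cloud metadata endpoint accessed from container",
     "host": "node-a", "container": "web-1"},
    {"ts": 102, "rule": "Cloud metadata endpoint accessed from container",
     "host": "node-a", "container": "web-1"},                   # duplicate
    {"ts": 103, "rule": "Package management process launched in container",
     "host": "node-a", "container": "web-1"},                   # unrelated
]
BATCH_2 = [
    {"ts": 110, "rule": "Cloud credentials read from metadata response",
     "host": "node-a", "container": "web-1", "principal": "role/web-task"},
    {"ts": 111, "rule": "Cloud API call from new host using stolen credentials",
     "host": "node-b", "container": "", "principal": "role/web-task"},
    {"ts": 112, "rule": "Cryptominer binary launched",
     "host": "node-b", "container": "miner-1"},
]


def run_demo():
    story = ScarleteelStory()
    for batch in (BATCH_1, BATCH_2):
        for action, detail in story.ingest(batch):
            print(f"{action}: {detail}")
    return story


if __name__ == "__main__":
    run_demo()
```

The first batch yields a single reconnaissance alert (the repeat is deduplicated, the unrelated event is ignored); the second escalates to the invasive stage and revokes the compromised principal exactly once, even though it appears in two events.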

There is more, though. Cloud integrations, project management tools like Jira, CRMs like Salesforce, messaging apps like Slack, and much more can be integrated into your Tines workflow. Expand possibilities by adding new actions to your workflows at any time.

Conclusion

When it comes to stopping a critical security incident like Scarleteel, time is gold. A response time of under 5 minutes should be the goal for companies that want to stay safe against bad actors in the cloud.

Sysdig and Tines joined forces in this new partnership to help our joint customers detect, triage, and respond effectively to the most modern and advanced cloud attack techniques. As highlighted in this article, advanced SOAR workflows help with response automation by providing mechanisms to get, correlate, and take action based on real data.

Watch the SOAR Into 2024: Power Your Cloud Detection and Response solution forum presentation to learn more. You’ll hear how to keep your cloud-speed business innovation secure from cloud-speed exploitation.


Dig deeper into GCP with Sysdig integrations

In this new release, Sysdig has prepared a set of new integrations for GCP, from checking the health and performance of your Cloud SQL (MySQL, PostgreSQL, or SQL Server) instances to making sure your Compute Engine instances are behaving properly. A bundle of predefined alerts and out-of-the-box dashboards appears automatically a few minutes after you configure the GCP integration in the Sysdig Monitor portal.

Conclusion

Integrating GCP with Sysdig Monitor is super simple. Thanks to this new integration, you can now store and explore your own GCP service metrics in a few minutes!

The main public cloud providers, AWS, Azure, and GCP, are integrated into the multi-cloud Sysdig Monitor platform. You can monitor and troubleshoot not only your cloud-native workloads but also your cloud provider's own metrics. In Sysdig Monitor everything is close at hand: you have full control of all your cloud environments from a single place.

Sign up here for a free trial of Sysdig Monitor. While you are there be sure to check out our Kubernetes troubleshooting, managed Prometheus, and cost optimization features.

The post Easily Monitor Google Cloud with Sysdig’s Managed Prometheus appeared first on Sysdig.


Prometheus Exporters in Sysdig Monitor
https://sysdig.com/blog/prometheus-exporters/
Thu, 02 Mar 2023 11:02:06 +0000

Nowadays it is common for companies to adopt several monitoring solutions based on Prometheus, but this is not without pain. A huge number of systems, applications, and third-party packages are not instrumented to expose Prometheus metrics natively. This is where Prometheus exporters come into play.

Deploying, configuring, and maintaining dozens, maybe hundreds, of Prometheus exporters can be painful. Have you ever found several different exporters for the same software and not known which one best fits your needs? Has one of your exporters ever stopped reporting metrics for no obvious reason? Are you tired of troubleshooting Prometheus exporter issues? In this article, you'll go through the challenges of running and maintaining Prometheus exporters.

Sysdig Monitor provides tons of integrations out of the box, offering a consolidated observability experience thanks to its automatic integrations and Prometheus exporters wizards. Sysdig offers a smooth experience when integrating third-party software metrics. There’s no need to worry about maintaining Prometheus exporters anymore, Sysdig takes care of that on your behalf.

Do you want to learn more? Keep reading!

What are Prometheus exporters?

A Prometheus exporter is an agent or piece of software that runs on a host or in a container. It communicates with a specific piece of software or application (the target), fetches information from it, and exposes that data on a new metrics endpoint.

In terms of architecture and design, the programming language varies from exporter to exporter. Each exporter has its own mechanism for fetching data from its target, whether through an API, an already-exposed endpoint or service, or some other route. The port on which the /metrics endpoint is exposed and the protocol used for it (http or https) vary as well.

There are tons of Prometheus integrations available and maintained by the community. You’ll find Prometheus exporters for lots of different use cases, like:

  • Kubernetes components
  • Databases
  • Hardware related stats
  • HTTP services
  • Storage
  • Public APIs services

Two of the best-known and most widely adopted Prometheus exporters in Kubernetes are kube-state-metrics and the Prometheus node exporter.

For example, as the following diagram shows, node exporter Pods run on every Kubernetes node. The exporter gathers the required data from the node, such as CPU statistics, filesystem information, and load average, among many others, turns it into metrics, and exposes them on a /metrics endpoint. Prometheus scrapes these and other metrics and stores them in its own TSDB (time series database).

At this point you may be wondering: why should I use Prometheus exporters to get metrics from third-party software? Is there any way to skip this kind of add-on and get metrics directly? The answer is simple: it depends on the software. If it is properly instrumented and exposes its own metrics endpoint, you can scrape it directly; if not, you need to deploy a Prometheus exporter. For example, etcd exposes its own metrics endpoint, so no exporter is needed for etcd monitoring.
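To make the mechanism concrete, here is an added example of a minimal exporter written for this article using only the Python standard library; it is not Sysdig's code nor any community exporter. The "target" is a stand-in collector that reads the first line of /proc/loadavg when it exists and otherwise uses constructed values, and the metric names (demo_load_average, demo_up), the port, and the bind address are assumptions.

```python
"""Minimal Prometheus exporter: fetch from a target, expose on /metrics.

Example code written for this article (standard library only; not Sysdig's
exporter). The collector reads /proc/loadavg on Linux and otherwise falls
back to a constructed sample; metric names and port are assumptions.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def collect(loadavg_text=None):
    """Fetch raw data from the target: the 1/5/15 minute load averages.

    `loadavg_text` lets a caller inject a sample line for offline use;
    when None, the first line of /proc/loadavg is read (Linux only).
    """
    if loadavg_text is None:
        try:
            with open("/proc/loadavg") as fh:
                loadavg_text = fh.readline()
        except OSError:
            loadavg_text = "0.00 0.00 0.00 1/1 1"   # constructed fallback
    one, five, fifteen = (float(x) for x in loadavg_text.split()[:3])
    return {"1m": one, "5m": five, "15m": fifteen}


def render(samples, up=1):
    """Render samples in the Prometheus text exposition format.

    `demo_up` follows the usual exporter convention: the exporter itself
    answers the scrape, and a separate gauge says whether the target was
    reachable, so a dead target shows as up=0 instead of a failed scrape.
    """
    lines = [
        "# HELP demo_load_average System load average over the given window.",
        "# TYPE demo_load_average gauge",
    ]
    for window, value in samples.items():
        lines.append(f'demo_load_average{{window="{window}"}} {value}')
    lines += [
        "# HELP demo_up Whether the last collection from the target succeeded.",
        "# TYPE demo_up gauge",
        f"demo_up {up}",
    ]
    return "\n".join(lines) + "\n"


class MetricsHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/metrics":
            self.send_error(404)
            return
        try:
            body = render(collect())
        except Exception:
            body = render({}, up=0)   # exporter stays up; collection failed
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type",
                         "text/plain; version=0.0.4; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):   # keep the demo quiet
        pass


if __name__ == "__main__":
    # Bind to loopback by default: a /metrics endpoint reveals host details,
    # so expose it to the scraper's network deliberately, not by accident.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9200
    HTTPServer(("127.0.0.1", port), MetricsHandler).serve_forever()
```

Run it and point a scrape job at http://127.0.0.1:9200/metrics; everything a community exporter adds on top of this (authentication to the target, TLS on the endpoint, many more metrics, packaging) is what you end up maintaining when you run dozens of them.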

The Sysdig Promcat team actively contributes to the Prometheus exporter community. One of its missions is to provide open source Prometheus exporters for multiple applications, curated and maintained by the Sysdig engineering team, with the goal of easing exporter adoption while delivering an enterprise-grade user experience.

Challenges and pain points

It’s time to cover some of the challenges and pain points you might encounter when dealing with Prometheus exporters.

  • For a single application you may find several exporters. Which is the best one? Which should you choose? You'll only be able to answer after spending time checking which fits your needs.
  • Quite often you'll find many different images for the same exporter. You'll usually rely on the "latest" tag, but sometimes it is not kept up to date, and the image may have moved away from its original repository. Running an unpinned third-party image in your cluster is also a supply-chain risk in its own right; pinning to a digest is the safer habit. Either way, this can waste a lot of time and effort.
  • Many exporter base images carry a lot of vulnerabilities, exposing you to significant risk.
  • The open source community feeds Prometheus with tons of exporters. There are many owners and maintainers, so every exporter has its own configuration: secrets, variables, ConfigMaps, and so on. There is no common architecture or design, so every exporter is its own adventure.
  • Exporters may be outdated or unmaintained, which can stop you pulling metrics. For example, you may be running a newer version of some software while the exporter was designed for an older one; if the API methods have changed, the exporter can no longer communicate with it.
  • You can end up running and maintaining a huge number of exporters. Every application that is not instrumented and does not expose its own /metrics endpoint needs a dedicated one.
  • A Prometheus scrape configuration is needed every time you add a new custom /metrics endpoint. That is not a big deal in itself, but you may end up configuring and maintaining a large number of jobs.

How Sysdig Monitor integrations work

Sysdig has its own agent to fetch data and pull metrics from your Kubernetes and cloud environments. If you want to learn more about how the Sysdig Agent works behind the scenes, check out this article. You’ll get a better understanding on how metrics are ingested, as well as the benefits of using the Sysdig Agent.

In short, the Sysdig Agent embeds a lightweight Prometheus instance, so it can scrape metrics from Kubernetes or custom endpoints just like a DIY Prometheus. There is no need to deploy your own Prometheus instance in Kubernetes, kube-state-metrics (KSM), or the Prometheus node exporter.

As discussed in that article, Sysdig Monitor detects both Kubernetes components and your own third-party workloads, thanks to the kernel-level insights the agent collects. To see the Prometheus integrations on offer, check the documentation page.

Many of these integrations are enabled by default in Sysdig Monitor: the portal shows your metrics in out-of-the-box dashboards and lets you choose which of the predefined alerts for that service to enable.

Some integrations require manual steps, such as creating a ConfigMap or Secret so the agent can reach the target. In those cases Sysdig Monitor provides configuration wizards that walk you through configuring and deploying the integration in a few guided steps.

Cloud integrations for main Cloud providers are available as well. Just connect Sysdig Monitor with your cloud provider and benefit from a bunch of cloud metrics, along with the out-of-the-box dashboards and alerts for cloud services.

Do you want to practice in a real environment? Register for our free hands-on lab to configure a Prometheus exporter.

Benefits of using Sysdig Monitor with third-party software integrations

As you have seen, Sysdig Monitor provides a smooth experience for third-party application integrations. From the console, you'll find a summary of all integrations, from those already configured to those still pending installation.

Let's enumerate the benefits of Sysdig Monitor integrations versus do-it-yourself Prometheus exporters.

  • Monitoring integrations are available from day 0. Many are already implemented and collecting metrics automatically. Others need extra manual steps, like Secret or ConfigMap creation, but a guided wizard takes you through them.
  • Critical endpoints like the Kubernetes control plane components are monitored from the very beginning. There is no need to deploy any exporter or write any Prometheus configuration.
  • The base images used for Sysdig Monitor exporters are maintained by Sysdig. We manage image version history and correct tagging. UBI-based images are available.
  • Sysdig tracks and remediates vulnerabilities in those exporter images.
  • The monitoring integrations in the Sysdig Monitor portal are maintained, tested, and fully functional, so stability and configuration issues are not your concern. Deploy the integration and you get the metrics and predefined alerts as promised; Sysdig owns the integration lifecycle so that metrics keep flowing.
  • Helm charts are available for deploying Sysdig monitoring integrations, which makes the task easier.
  • The Sysdig Agent is responsible for scraping metrics. You don't need to maintain or configure any prometheus.yaml file at all, which significantly reduces your burden.

Conclusion

Configuring and maintaining Prometheus exporters can be a tough task. While the open source community has created and maintains tons of exporters, you may still struggle to pull data from your Kubernetes environments and cloud-native applications.

Sysdig Monitor offers an enterprise solution. You no longer need to work out which exporter on a huge list is the right one, or go through complex exporter installations. Everything you need is in the Sysdig Monitor portal: enjoy the integrations already provided out of the box, and deploy the others in a few steps with the guided wizards.

If you want to learn more about how Sysdig Monitor can help with third-party software monitoring, and Prometheus exporters, visit the Sysdig Monitor trial page and request a 30-day free account. You will be up and running in minutes!

The post Prometheus Exporters in Sysdig Monitor appeared first on Sysdig.
