Sysdig | Durgesh Shukla https://sysdig.com/blog/author/durgesh-shukla/ Mon, 29 Apr 2024 23:46:12 +0000

Why Sysdig has been recognized as the Google Cloud Technology Partner of the Year 2024 https://sysdig.com/blog/sysdig-wins-google-technology-partner-of-the-year-2024-award/ Tue, 09 Apr 2024 00:15:00 +0000

This article digs deeper into 5 crucial reasons Sysdig was chosen as the Google Cloud Technology Partner of the Year 2024.

The post Why Sysdig has been recognized as the Google Cloud Technology Partner of the Year 2024 appeared first on Sysdig.

Sysdig has been awarded Google Cloud’s 2024 Technology Partner of the Year for Security, excelling in the “Configuration, Vulnerability Management, and GRC (Governance, Risk and Compliance)” segment. This award acknowledges Sysdig’s innovation and commitment to customer success.

What are the Google Cloud Technology Partner awards?

Google Cloud believes in going above and beyond for its customers and extensively leverages its partners as customer champions in this mission. To recognize the standout performance of its partners, Google Cloud hosts the partner awards.

The criteria for receiving the Partner of the Year award in the Technology category are consistently stringent. Previous champions included in this esteemed list are organizations and platforms such as NetApp, GitLab, and MongoDB, in their respective categories.

Criteria for Winning Technology Partner for Security

Beyond the quantitative impact a partner has created for Google Cloud customers, this award segment recognizes one partner that augments Google Cloud’s own security offerings to meet and exceed the following requirements:

  • Visualization and monitoring of their customers’ network and application deployments for vulnerabilities
  • Security and compliance risks management
  • Remediation assistance and customer information protection

Note: Sysdig has won this for the Configuration, Vulnerability Management, and GRC segment.

5 key reasons Sysdig was chosen

1. Benefits to customers when leveraging Sysdig with Google Cloud

Today’s security landscape is defined by multi-cloud environments, dynamic containerized workloads, and evolving threats. Visibility gaps, threat detection complexities, and compliance demands hinder the ability to secure critical applications and infrastructure. In the cloud, every second counts. Sysdig stops attacks in real time by instantly detecting changes in risk with Runtime Insights built on open source Falco.

Sysdig works within the Google Cloud ecosystem and correlates signals across workloads, identities, and services to uncover hidden attack paths and prioritize the risks that matter most. Typical results that customers achieve when using Sysdig and Google Cloud together:

  • Save 1.5 hours per vulnerability and 50% in operational overhead
  • 3:1 tool consolidation with a unified cloud-native app protection platform
  • Up to 95% reduction in vulnerability noise


2. Sysdig provides a unified view of cloud posture

Sysdig correlates assets, activity, and risks across domains, giving real-time visibility into attacks. Customers can visualize exploitable links across resources to uncover attack paths to sensitive data. The Sysdig Cloud Attack Graph is enriched with runtime insights, and real-time detections reveal active lateral movement, helping customers quickly stop attacks.

3. Sysdig’s unique value proposition for prioritizing active cloud risk

Cloud Security Posture Management (CSPM) requirements have shifted as cloud adoption has accelerated. The first wave of cloud adoption required periodic posture assessments to ensure compliance and provide visibility into cloud assets. Today, that is not enough and we believe that organizations need to focus on “Active Cloud Risk.”

Sysdig helps manage active risk in production systems, cutting vulnerability noise and alert fatigue by up to 95%. It surfaces and prioritizes the top risks that are both exploitable and actively running, such as in-use software packages with critical vulnerabilities. Customers can then connect the dots and uncover hidden attack paths enriched with in-use package data and live events.

We like that Sysdig uses knowledge of what is in use during production to help us make better informed posture decisions. It can help filter out 80% or more of the noise. The bottom line is that CSPM is Sysdig’s bread and butter, and that inspires confidence.

Senior Infrastructure Security Engineer at BigCommerce

4. Sysdig’s robust partnership with Google Cloud

Our partnership was formalized more than three years ago and today serves and creates value for more than 75 organizations across the globe. The relationship is based on shared values and alignment on topics like generative AI, and on contributions to CNCF-graduated open source projects such as Falco and Kubernetes. Customers can purchase Sysdig through the Google Cloud Marketplace, and Sysdig’s SaaS platform is hosted natively on Google Cloud.

5. Sysdig integrates seamlessly with the Google Cloud ecosystem

Sysdig’s Cloud-Native Application Protection Platform (CNAPP) helps customers protect their Compute Engine VMs, GKE, Anthos, Cloud Run, Cloud Build, Container-Optimized OS (COS), and Google Cloud container image registries including Artifact Registry.

Further, it integrates with Google Cloud security products such as Google Security Command Center and Google Chronicle SIEM, so that the security data enriched by Sysdig can be used directly by Google Cloud’s own security tooling.

We’re primarily a Google shop. One of the things we really liked was how quick we were able to tie Sysdig into Google Chronicle. The integration was very clean and painless.

Senior Manager of Information Security at Apree Health

Ready to see Sysdig + Google Cloud in action?

Sysdig runs a virtual hands-on workshop on securing Google Cloud infrastructure with Sysdig, and, for a shorter overview, a joint webinar with Google Cloud.

Additional resources:

  1. Sysdig and Google Cloud joint solution brief
  2. Sysdig and Google Cloud partnership page
  3. Sysdig and Google Cloud webinars

Boost Detection and Response with Cybereason and Sysdig https://sysdig.com/blog/boost-detection-and-response-with-cybereason-and-sysdig/ Wed, 09 Aug 2023 13:00:00 +0000

This integration becomes part of Cybereason’s Open XDR initiative to include broader and more diverse sources, as well as Sysdig’s push to provide its runtime insights for cloud and containers to other detection and response partners.

The post Boost Detection and Response with Cybereason and Sysdig appeared first on Sysdig.

Sysdig collaborates with security organizations in the cloud security ecosystem to offer comprehensive security solutions. Cybereason, one of the top XDR (Extended Detection and Response) players in the market, is partnering with Sysdig to integrate with Sysdig’s cloud threat detections to help its customers secure cloud innovation with the power of runtime insights.

Why is traditional EDR not enough?

Gartner’s oft-cited projection (repeated in its 2021 Hype Cycle for Cloud) is that through 2025, 99% of cloud security failures will be the customer’s fault, mostly through misconfiguration. Protecting only traditional endpoints such as servers, laptops, desktop PCs, and mobile devices with EDR (Endpoint Detection and Response) software therefore leaves the cloud control plane and its workloads uncovered.

What are the highlights of the integration?

The integration of Sysdig with Cybereason XDR enables Cybereason customers to tap into a broad and diverse set of threat information and runtime insights for cloud and containers. This partnership deepens Sysdig’s commitment to bring its cloud detection and response (CDR) expertise to complementary solutions within the security ecosystem.

Here are some highlights of the Sysdig + Cybereason integration:

  • Sysdig’s Cloud Detection and Response – powered by Falco open source software – generates alerts and warns about suspicious events. These events, including cloud context metadata, are incorporated as signals within Cybereason’s XDR.
  • Cybereason XDR will further enrich and correlate these signals against endpoint, identity, and network data sources.
  • Sysdig detections contribute to the broader Malicious Operations (MalOps) that Cybereason assembles for joint customers, which come with automatic response recommendations.

What is the focus of this integration?

Cloud and container events identified by Sysdig are pulled into Cybereason XDR and displayed as a part of its “Suspicious Events.” These events can be then correlated with other security events generated from endpoints, networks, and identity data sources within Cybereason.

In the Cybereason UI, high-priority threats, known as Malicious Operations (MalOps), are displayed as visual attack stories, complete with response recommendations and triage from the 24/7 Cybereason Managed Detection and Response team.

Below is an example of a spear-phishing attack visualized within Cybereason with data from Sysdig about compromised AWS accounts. In this scenario, Sysdig alerts Cybereason that AWS users who should not have had that access escalated their privileges. Cybereason can then determine, for instance, whether those users had an anomalous login, which may point to AWS credentials compromised via a spear-phishing message.

What are the benefits of the integration?

Here are some of the expected benefits of this integration for security practitioners:

  1. Increased visibility into security risks from cloud and containers – Cloud native applications’ extra complexity generates blind spots that require specialized insight.
  2. Improved ability to detect and respond to threats – There is projected to be a significant reduction in mean time to detect (MTTD) and mean time to resolve (MTTR) for threats originating in the cloud.
  3. Increased efficiency and productivity.

What does the future of the partnership look like?

By combining the strengths of Sysdig and Cybereason, our goal is to provide a solution to help customers better protect their entire IT environments. As we progress the partnership, we will explore additional opportunities such as incorporating additional security insights, and incorporating the joint solution into Cybereason’s Managed Detection and Response services. Stay tuned!

Reduce resolution time for container vulnerabilities with ServiceNow & Sysdig https://sysdig.com/blog/sysdig-secure-and-servicenow/ Tue, 25 Apr 2023 13:00:00 +0000

Read about our collaboration with ServiceNow to provide a Container Vulnerability Response (CVR) plugin that ingests runtime insights into ServiceNow to help users prioritize the remediation of vulnerabilities that represent real risk.

The post Reduce resolution time for container vulnerabilities with ServiceNow & Sysdig appeared first on Sysdig.

Today, security and development teams are drowning in vulnerabilities. Most security tools identify issues, but don’t provide reliable prioritization or simplify remediation. To help solve these challenges, Sysdig runtime vulnerability management – part of Sysdig’s Cloud Native Application Protection Platform (CNAPP) – provides a runtime image scanner coupled with an eBPF probe to analyze container behavior and identify the vulnerable packages that are in use at runtime. This capability – what we call Runtime Insights – helps users prioritize the remediation of the vulnerabilities that represent real risk.

Sysdig is now bringing this successful vulnerability management philosophy to our partners in the ecosystem to better serve our joint customers. The idea is to integrate with existing customer workflows (e.g., incident response, alert triage, etc.) and provide similar benefits within these much-loved platforms, like ServiceNow.

To quote one of our joint customers: “We are able to autotune Sysdig, which enables us to focus on the most pressing issues, filter our rules, and reduce the burden of alert fatigue. Within the first few weeks, we achieved a 30% reduction in alerts without sacrificing security.”

Sysdig Secure with ServiceNow CVR

Taking the previously mentioned philosophy further, the team at Sysdig wanted to create a direct impact on our customers’ entire vulnerability management lifecycle and go beyond vulnerability detection and prioritization. The ServiceNow Vulnerability Response and Configuration Compliance for Containers application, commonly referred to as ServiceNow Container Vulnerability Response (CVR), offers this exact opportunity as it allows for vulnerability triage, response, and troubleshooting automation.

ServiceNow CVR has a number of capabilities, but a key feature is its ability to receive and process container-related metadata. Since containers are instantiated images, the CVR application allows for container correlation with corresponding base images and registries. It also facilitates the management of components like packages and versions. You can also correlate elements with National Vulnerability Database (NVD) CVEs and other Configuration Management Database (CMDB) assets.

Sysdig has created an official CVR connector app to integrate Sysdig Secure with ServiceNow CVR so that customers can send insights about their container workloads along with granular cloud-native context and in-use packages details to the ServiceNow platform.

Sysdig Secure and ServiceNow CVR

The top 3 benefits of using Sysdig Secure with ServiceNow CVR

Alert triage activities involve evaluating and prioritizing security alerts to determine the severity of threats and whether they should be escalated to incident response. Security engineers and analysts often face a high volume of alerts due to the inclusion of irrelevant threat data and a lack of tools providing context and understanding.

At the crux of this integration, Sysdig’s unique Runtime Insights feature equips ServiceNow CVR users to prioritize the remediation of in-use vulnerable packages actually loaded in memory and therefore exposed to risk at runtime. This results in quicker, more effective prioritization, reducing the number of vulnerabilities to fix by up to 95%.

The key benefits of integrating Sysdig with ServiceNow CVR are:

  • Vulnerability prioritization: Prioritize vulnerability remediation within the ServiceNow platform based on “in-use” security context sent from Sysdig, and combine it with other important vulnerability parameters like exploitability, criticality, and CVE report date.
  • Faster triage and assignment processes: Ingest Sysdig detected container vulnerabilities into the ServiceNow Container Vulnerability data model as CVIs (Container vulnerability items), and automate tasks like triage, contextualization, and assignment.
  • Quicker and more accurate incident response activities: Leverage vulnerability details for asset management, security workflow orchestration, automation, visualization, and response – ultimately reducing your total time to resolve.
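The in-use prioritization that the two passages above describe, as an added example (not Sysdig’s scanner and not the ServiceNow connector): a package counts as in use when a file it owns was executed or mapped by the running container, in-use findings sort ahead of everything else, and exploit availability, severity and whether a fix exists break ties. The package-to-file map, the runtime events and the findings are all constructed inputs, and the CVE IDs are placeholders rather than real vulnerabilities.

```python
"""Filter and rank container CVEs by whether the vulnerable package is used at runtime.

Added example, not Sysdig's code. Constructed inputs stand in for: (1) the
package->files map a scanner builds from the image's package database,
(2) exec/mmap events an eBPF probe observes on the running container,
(3) the scanner's CVE findings. CVE IDs below are placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    package: str
    severity: str                 # CRITICAL / HIGH / MEDIUM / LOW
    exploit_available: bool
    fix_version: Optional[str] = None


SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Only executed or mapped code counts as "in use"; a stat() or a directory
# listing does not. Interpreted runtimes would also need open() events.
USAGE_SYSCALLS = {"execve", "mmap"}

# Constructed: files owned by each installed package (what dpkg -L / rpm -ql would list).
PACKAGE_FILES = {
    "openssl": {"/usr/lib/x86_64-linux-gnu/libssl.so.3", "/usr/bin/openssl"},
    "curl":    {"/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4"},
    "libxml2": {"/usr/lib/x86_64-linux-gnu/libxml2.so.2"},
    "vim":     {"/usr/bin/vim"},
}

# Constructed: (syscall, path) pairs observed by the probe on the live container.
RUNTIME_EVENTS = [
    ("execve", "/usr/bin/curl"),
    ("mmap",   "/usr/lib/x86_64-linux-gnu/libcurl.so.4"),
    ("mmap",   "/usr/lib/x86_64-linux-gnu/libssl.so.3"),
    ("stat",   "/usr/bin/vim"),
]

# Constructed findings with placeholder CVE IDs (not real vulnerabilities).
FINDINGS = [
    Vuln("CVE-0000-0001", "openssl", "HIGH",     exploit_available=True,  fix_version="3.0.7"),
    Vuln("CVE-0000-0002", "libxml2", "CRITICAL", exploit_available=False, fix_version="2.9.14"),
    Vuln("CVE-0000-0003", "vim",     "CRITICAL", exploit_available=False),
    Vuln("CVE-0000-0004", "curl",    "MEDIUM",   exploit_available=False, fix_version="8.4.0"),
]


def observed_paths(events):
    """Paths that were actually executed or mapped into a process."""
    return {path for syscall, path in events if syscall in USAGE_SYSCALLS}


def packages_in_use(package_files, paths):
    """Packages owning at least one file that was executed or mapped at runtime."""
    return {pkg for pkg, files in package_files.items() if files & paths}


def risk_key(v, in_use):
    # Higher tuple sorts first: loaded at runtime beats everything, then a known
    # exploit, then base severity, then whether a fix is available to apply.
    return (v.package in in_use, v.exploit_available,
            SEVERITY_RANK.get(v.severity, 0), v.fix_version is not None)


def prioritize(findings, package_files, events):
    in_use = packages_in_use(package_files, observed_paths(events))
    return sorted(findings, key=lambda v: risk_key(v, in_use), reverse=True)


def in_use_only(findings, package_files, events):
    """The reduced worklist: only findings whose package is loaded at runtime."""
    in_use = packages_in_use(package_files, observed_paths(events))
    return [v for v in findings if v.package in in_use]


def noise_reduction(findings, package_files, events):
    """Fraction of findings dropped by the in-use filter (0.5 for the sample data)."""
    if not findings:
        return 0.0
    return 1 - len(in_use_only(findings, package_files, events)) / len(findings)


if __name__ == "__main__":
    loaded = {v.cve for v in in_use_only(FINDINGS, PACKAGE_FILES, RUNTIME_EVENTS)}
    for v in prioritize(FINDINGS, PACKAGE_FILES, RUNTIME_EVENTS):
        print(v.cve, v.package, v.severity, "in-use" if v.cve in loaded else "not loaded")
    print(f"noise reduction: {noise_reduction(FINDINGS, PACKAGE_FILES, RUNTIME_EVENTS):.0%}")
```

With the sample data the openssl finding leads even though libxml2 and vim carry a higher base severity, because only openssl and curl are loaded; the stat() of vim is deliberately ignored. A real probe would supply the event stream and the package database would come from the image, but the ranking logic is the same.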

A further benefit is that Sysdig-secured assets, such as images and registries, can be mapped in the ServiceNow CMDB for a more complete picture of risk.

Our VP of Technology Alliances at Sysdig, Bryan Smoltz, explains, “Our integration with ServiceNow CVR allows our customers to get detailed information about vulnerabilities directly in their ServiceNow interface. Using Sysdig to help prioritize these vulnerabilities, security and developer teams are able to quickly address real threats and speed up the MTTR.”

How to set up the integration?

To get started, you can refer to the documentation and installation guide on the Sysdig CVR app page. Please note that while the Sysdig integration connector is available at no cost, you must purchase the ServiceNow CVR app. Visit the store or talk to your ServiceNow rep or partner for more details.

Additionally, the ServiceNow NVD integration module is recommended to import CVEs information into ServiceNow so you can better understand your vulnerability exposure.

For details on how to install plugins in ServiceNow, refer to the ServiceNow Plugin Activation Overview. You will need to have an admin user role within your ServiceNow instance to get started.

Vulnerability prioritization and remediation

Runtime vulnerabilities for containers are detected by Sysdig Secure and flagged in the UI if they are “in-use”:

Sysdig Secure/ServiceNow CVR

Through the integration, these vulnerabilities are imported periodically into the ServiceNow platform at an interval of your choice (e.g., daily), and are represented as “Container Vulnerable Items” in ServiceNow.

Sysdig Secure/ServiceNow CVR

ServiceNow users can then take further action, such as kicking off remediation workflows. More importantly, the severity of a Container Vulnerable Item is raised when the vulnerable package is in use. This ensures that the critical vulnerabilities that actually pose runtime risk are prioritized for remediation.

Sysdig Secure/ServiceNow CVR

If you’re a Sysdig Secure and ServiceNow user, we encourage you to try out the integration. We will continue to refine and improve the plugin so we would love your feedback! You can communicate with us from the Sysdig in-app chat, via our support team, or through your customer success rep.

Sysdig Secure and Google Security Command Center Integration – Why, What, How https://sysdig.com/blog/sysdig-secure-and-google-security-command-center-integration-why-what-how/ Wed, 21 Dec 2022 18:00:00 +0000

Sysdig Secure provides an event-forwarding feature that can send security data onward to different security and risk management platforms. For Google’s SCC, Sysdig Secure is able to provide enriched runtime cloud events, giving you added visibility and context.

The post Sysdig Secure and Google Security Command Center Integration – Why, What, How appeared first on Sysdig.

Sysdig Secure and the GCP Ecosystem

Sysdig is a premier Google Cloud Platform (GCP) partner and has been working with Google for the last seven years toward the common goal of supporting our customers and securing their cloud journey. Sysdig is focused on securing and monitoring workloads running on Google Cloud, including Google Kubernetes Engine (GKE), GKE Autopilot, Anthos, and more. Findings about all of these GCP resources can be brought together in Google Security Command Center.

The Sysdig platform provides visibility and security built on Falco, Sysdig OSS, and Open Policy Agent (OPA), which are the open standards for runtime threat detection and policy management. You can spin up a Sysdig account on GCP to quickly get started.

Sysdig integrations with the GCP ecosystem

Sysdig Secure with Google Security Command Center

To better serve our customers, Sysdig has now integrated with Google Security Command Center so that you can send Sysdig-enriched events to Google SCC as part of your incident troubleshooting and remediation workflow.

Google Security Command Center is GCP’s premier security and risk management platform, allowing you to:

  • Gain centralized visibility and control
  • Discover misconfigurations and vulnerabilities
  • Report on and maintain compliance
  • Detect threats targeting your Google Cloud assets

Sysdig Secure provides an event-forwarding feature that can send security data onward to different security and risk management platforms. For Google’s SCC, Sysdig Secure is able to provide enriched runtime cloud events, giving you added visibility and context.

Bryan Smoltz, (VP of Technology Alliances, Sysdig) states: “Our integration with Google’s SCC allows our customers to visualize Sysdig events directly on their SCC portal. Looking at these events, security teams are able to confidently investigate suspicious activity and correlate it with the happenings within the broader GCP ecosystem.”

Speed up your security operations with Sysdig Secure

Alert triage involves gauging an event’s severity and launching an appropriate incident response. Sysdig’s “in-use” feature shows which vulnerabilities in the images deployed to production belong to packages that are actually loaded at runtime, and whether those vulnerabilities have known exploits. Filtering on this reduces the number of vulnerabilities to fix by up to 95%, which makes prioritization much quicker. Using Sysdig Secure as part of your SOC speeds up:

  • Vulnerability prioritization
  • Alert triage processes
  • Incident response activities

How do we set up the integration?

(The following steps showcase how to leverage Sysdig Secure with Google’s SCC. Although working, this integration is in beta and not officially supported by Sysdig yet as we are still carrying out rigorous testing with it.)

We validated a proof of concept for connecting Sysdig Secure with Google SCC. Follow the steps below to integrate the two systems; the Sysdig Secure product documentation also covers the Google SCC event forwarder.

1. Set up Sysdig Secure account

It’s easy to get started with Sysdig Secure: a free 30-day trial is available from the Sysdig website.

2. Access Google’s SCC

You can do this by logging into the GCP console and navigating to the Security Command Center.

3. Prerequisites: IP allowlisting, enabling the SCC API, service account

In the GCP console, enable the Security Command Center API (securitycenter.googleapis.com) and the IAM API (iam.googleapis.com). If you restrict inbound access to endpoints that receive forwarded events, allow the Sysdig Event Forwarder IP addresses in your firewall rules. Create a service account that is allowed to create SCC sources and findings at the organization level (the Security Center Sources Editor and Security Center Findings Editor roles cover this), generate a JSON key for it, and keep the key ready to upload in the Sysdig UI.

4. Set up the Google SCC integration within Sysdig

Within Sysdig Secure, go to “Settings” > “Event Forwarding” and select “Add Integration.” Choose SCC. Enter the integration name, the Google Cloud organization ID that your SCC instance belongs to, and the service account key from the previous step (the “secret key” field). Select runtime events as the data type you wish to forward to Google SCC.

5. Dive into the event details on Google SCC

Now, you can explore and investigate suspicious activity detected by Sysdig Secure within SCC.

Proof of concept: Generate events to be detected by Sysdig & forward to SCC

Once the integration is done, Sysdig Secure will be able to forward any cloud-related event to the Security Command Center.

1. Generate an event in your GCP project

For testing purposes we generated a security event by deleting a GKE cluster via the console UI/CLI. The event, together with its context, is captured and shown in the Sysdig UI under “Insights > Cloud Activity”:

Events in Sysdig Secure

2. View the event on your SCC UI

We can now verify that the same events appear in the Security Command Center UI. To locate them easily, filter on “SOURCE TYPE > Sysdig”.

3. Expand details of the event on your SCC UI

Clicking on any event expands its details within SCC, where the full context of the finding can be reviewed.
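What a forwarded event looks like once it is an SCC finding, as an added example (this is not Sysdig’s forwarder, and the page does not document Sysdig’s real field mapping): a Falco-style JSON event for the GKE cluster deletion above is reshaped into the SCC v1 Finding resource. The Falco output layout (time, rule, priority, source, output, output_fields) and the SCC field names are what the code assumes; the organization ID, source ID and the event itself are constructed placeholders.

```python
"""Shape a Falco cloud event into a Security Command Center (SCC) finding.

Added example: not Sysdig's forwarder code, and the page does not document
Sysdig's actual mapping. Assumed: Falco's JSON output layout and the SCC v1
Finding resource fields. ORG_ID and SOURCE_ID are placeholders.
"""
import hashlib
import json

ORG_ID = "123456789012"   # placeholder Google Cloud organization ID
SOURCE_ID = "4242"        # placeholder ID of the SCC source created for Sysdig

# Falco priority -> SCC severity (assumed mapping).
SEVERITY = {
    "EMERGENCY": "CRITICAL", "ALERT": "CRITICAL", "CRITICAL": "CRITICAL",
    "ERROR": "HIGH", "WARNING": "MEDIUM", "NOTICE": "LOW",
    "INFORMATIONAL": "LOW", "DEBUG": "LOW",
}

# Constructed Falco event for the GKE cluster deletion used in the proof of concept.
FALCO_EVENT = {
    "time": "2022-12-14T10:21:07.412Z",
    "rule": "GKE Cluster Deleted",
    "priority": "WARNING",
    "source": "gcpaudit",
    "output": "GKE cluster deleted (user=alice@example.com "
              "cluster=projects/demo/locations/us-central1/clusters/prod ip=203.0.113.7)",
    "output_fields": {
        "gcp.user": "alice@example.com",
        "gcp.callerIP": "203.0.113.7",
        "gcp.methodName": "google.container.v1.ClusterManager.DeleteCluster",
        "gcp.resourceName": "projects/demo/locations/us-central1/clusters/prod",
    },
}


def finding_id(event):
    """Deterministic 32-char ID: re-forwarding the same event updates the finding
    instead of creating a duplicate (SCC finding IDs are alphanumeric, max 32 chars)."""
    raw = f"{event['time']}|{event['rule']}|{event['output']}".encode()
    return hashlib.sha256(raw).hexdigest()[:32]


def to_scc_finding(event, org_id=ORG_ID, source_id=SOURCE_ID):
    fields = event.get("output_fields", {})
    parent = f"organizations/{org_id}/sources/{source_id}"
    resource = fields.get("gcp.resourceName", "unknown")
    return {
        "name": f"{parent}/findings/{finding_id(event)}",
        "parent": parent,
        # Full resource name of the affected asset, as SCC expects for GKE clusters.
        "resourceName": f"//container.googleapis.com/{resource}",
        "state": "ACTIVE",
        "category": event["rule"].upper().replace(" ", "_"),
        "severity": SEVERITY.get(event["priority"], "MEDIUM"),
        "eventTime": event["time"],
        "findingClass": "THREAT",
        # sourceProperties keys must match [a-zA-Z_][a-zA-Z0-9_]*, so dots are replaced.
        "sourceProperties": {
            "falco_output": event["output"],
            "falco_source": event.get("source", ""),
            **{k.replace(".", "_"): v for k, v in fields.items()},
        },
    }


if __name__ == "__main__":
    print(json.dumps(to_scc_finding(FALCO_EVENT), indent=2))
```

The deterministic finding ID is the detail worth copying: an event forwarder that retries or replays must update the existing finding rather than flood SCC with duplicates, and the original Falco output is preserved in sourceProperties so the analyst can still see exactly what the rule matched.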

Sysdig Secure-Google Chronicle Integration – Why, What and How https://sysdig.com/blog/sysdig-secure-google-chronicle-integration-why-what-and-how/ Wed, 07 Dec 2022 15:53:16 +0000

How Sysdig works with Google Cloud's Chronicle SIEM for investigation and response to cloud security events.

The post Sysdig Secure-Google Chronicle Integration – Why, What and How appeared first on Sysdig.

A case for a winning SIEM and CWPP combination

Cloud adoption and digital transformation have enlarged the attack surface that malicious actors can exploit to harm your organization. Traditional SIEMs and EDRs fall short: they are not cloud-native and are difficult to scale, and any modern threat detection apparatus carries fixed costs that need to be weighed.

A combination of a Cloud Workload Protection Platform (CWPP) and a Security Information and Event Management (SIEM) solution has become critical to give teams clear signals and security intelligence, so that suspicious activity is not missed.

Brief primer on Google’s security stack and Chronicle

Starting in 2022, Google has made heavy investments in, and acquisitions of, cloud security companies. Today this enhanced security stack from Google includes:

  1. Mandiant as the incident response provider and consulting partner
  2. Google Chronicle for SIEM functions
  3. Siemplify for SOAR functions within the Chronicle platform
  4. Google Cloud and VirusTotal for sourcing threat intelligence
  5. EDR integrations to enrich threat intelligence

Google Chronicle is a SIEM built for the cloud that avoids the scaling problems of traditional SIEMs and removes the associated CAPEX investment. It focuses on the following six value drivers:

  1. Speed and data quality of the logs ingested
  2. Driving SOC analyst productivity
  3. Lowering the total cost of ownership vs traditional SIEM setups
  4. Lowering time to extract value
  5. Performance
  6. Threat visibility

Why is it a good idea to use a tool like Google Chronicle?

With Chronicle, you hunt for threats with the speed and scalability of Google Cloud’s technology to get instant analysis and context on any incident.

Its Unified Data Model (UDM) normalizes ingested logs so that suspicious activity can be correlated across sources. Chronicle’s threat hunting and security analytics are amplified by Siemplify’s SOAR capabilities, which streamline SOC operations so that incidents take less time to investigate.

3 ways in which Sysdig Secure adds value with Google Chronicle

Threat detection and incident response for runtime security are necessary capabilities for comprehensive cloud security. Sysdig Secure and Google Chronicle together:

  1. Make SOC teams’ work easier by surfacing evidence and providing clearer, faster answers and remediation for security threats.
  2. Enable customers to extract more value from the data we collect from their cloud workloads in their runtime environments.
  3. Foster cross-functional value with security, compliance, and DevOps teams.

Why should you use Sysdig Secure with Chronicle?

Sysdig has validated its security, monitoring, and compliance capabilities with multiple GCP-related services. Sysdig and GCP have a common goal of helping customers ship cloud apps faster by helping them see more, secure more, and save time in troubleshooting deployed microservices.

Reason 1: Sysdig Secure has powerful threat detection capabilities

Sysdig Secure is built with the Falco rules engine at its core, which makes it simple to detect suspicious activity. Sysdig Secure can then forward enriched events to Google Chronicle SIEM and SOAR.

Reason 2: Sysdig lends deep and contextual visibility to Google Chronicle

Sysdig Secure is able to look into system call-level detail for containers and hosts. It leverages Falco rules to detect activity, such as the spawning of a terminal shell within a container. By monitoring Kubernetes API calls together with system calls, it can detect suspicious activity and then send the details, including Kubernetes context, over to Chronicle. With Sysdig you can go beyond the capabilities of agentless solutions and:

  • Have multiple Falco rules tagged by the relevant best practices/compliance mandates
  • Enhance Google Chronicle’s security capabilities beyond cloud metadata and audit logs
  • Get the full context about activities within container and host workloads at runtime

Reason 3: Chronicle (SIEM and SOAR) allows for extensive forensic activities based on the event data provided by Sysdig Secure

These capabilities can be summarized as follows:

  • Data visualization of threats and suspicious activities on dashboards
  • Correlation with other data points to further investigations
  • Alerting based on advanced forensics

Runtime security: The core of the integration

Sysdig Secure provides an event forwarding feature that sends Runtime Policy Events detected by Falco rules to Google’s SIEM and SOAR platforms. This enables you to view and correlate Sysdig security findings directly in the tools you use for analysis or use these events as triggers within your SOAR playbooks.

Phil Williams (SVP, Partnerships, Sysdig) states: “Security teams can be reassured only when an incident forensic story is fully narrated with its minutest details. With Sysdig integration, security teams will extract even more value from their discoveries using Google Chronicle’s powerful security intelligence features. Combining the workload side of the story with the network and cloud metrics, security teams will now have higher confidence that an event led to a compromise, in addition to the coordinates to mitigate, investigate impact radius, and identify actors and means.”

How to set up the integration?

The following steps showcase how to leverage Sysdig Secure with Google Chronicle. Although working, this integration is in beta and not officially supported by Sysdig yet as we are still carrying out rigorous testing with it.

We validated a proof-of-concept for connecting Sysdig Secure with Google Chronicle. Follow the below-mentioned steps to quickly integrate these two security systems.

Step 1 – Set up the Google Chronicle integration within Sysdig

Within Sysdig Secure, go to “Settings” > “Event Forwarding” and select “Add Integration.” Choose Chronicle. Enter the integration name and the Chronicle API key. Select “Runtime Policy Events” as the type of event data you wish to send to Google Chronicle.

Step 2 – Dive into event details from Sysdig on Google Chronicle

In Google Chronicle, you can dive deeper into any event from the list of Sysdig events and use it for further forensic investigation.
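What a forwarded Runtime Policy Event looks like once it is normalized for Chronicle, and how it can gate a SOAR playbook, as an added example (not Sysdig’s forwarder, and the page does not document Sysdig’s real mapping): a Falco-style “Terminal shell in container” event is reshaped into a Chronicle UDM event, with the container and Kubernetes context carried as principal labels and the rule result as a security_result. The Falco output layout, the UDM field names used, the severity mapping and the playbook threshold are all assumptions; the event is constructed.

```python
"""Normalize a Falco runtime policy event into a Chronicle UDM event and decide
whether it should trigger a SOAR playbook.

Added example: not Sysdig's forwarder code; the page does not document the real
field mapping. Assumed: Falco's JSON output layout and the UDM field names used
here (metadata, principal, security_result). The playbook threshold is an assumption.
"""
import json

# Falco priority -> UDM SecurityResult.severity (assumed mapping).
SEVERITY = {
    "EMERGENCY": "CRITICAL", "ALERT": "CRITICAL", "CRITICAL": "CRITICAL",
    "ERROR": "HIGH", "WARNING": "MEDIUM", "NOTICE": "LOW",
    "INFORMATIONAL": "INFORMATIONAL", "DEBUG": "INFORMATIONAL",
}
SEVERITY_RANK = ["INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Falco evt.type -> UDM metadata.event_type (subset that matters for runtime rules).
EVENT_TYPE = {"execve": "PROCESS_LAUNCH", "openat": "FILE_OPEN", "open": "FILE_OPEN",
              "connect": "NETWORK_CONNECTION"}

# Constructed Falco syscall event with Kubernetes context.
FALCO_EVENT = {
    "time": "2022-12-02T09:15:31.201Z",
    "hostname": "gke-prod-pool-1-7f3a",
    "rule": "Terminal shell in container",
    "priority": "NOTICE",
    "source": "syscall",
    "output": "A shell was spawned in a container with an attached terminal "
              "(user=root shell=bash parent=runc container_id=9a1f3c2e7b44 "
              "image=nginx namespace=web pod=nginx-7d4c6b9f8-x2k9p)",
    "output_fields": {
        "evt.type": "execve",
        "user.name": "root",
        "proc.name": "bash",
        "proc.cmdline": "bash -i",
        "proc.pid": 4213,
        "proc.pname": "runc",
        "container.id": "9a1f3c2e7b44",
        "container.image.repository": "nginx",
        "k8s.ns.name": "web",
        "k8s.pod.name": "nginx-7d4c6b9f8-x2k9p",
    },
}


def to_udm(event):
    f = event.get("output_fields", {})
    return {
        "metadata": {
            "event_timestamp": event["time"],
            "event_type": EVENT_TYPE.get(f.get("evt.type", ""), "GENERIC_EVENT"),
            "vendor_name": "Sysdig",
            "product_name": "Sysdig Secure",
            "product_event_type": event["rule"],
            "description": event["output"],
        },
        "principal": {
            "hostname": event.get("hostname", ""),
            "user": {"userid": f.get("user.name", "")},
            "process": {
                "pid": str(f.get("proc.pid", "")),      # UDM carries pid as a string
                "command_line": f.get("proc.cmdline", ""),
                "parent_process": {"command_line": f.get("proc.pname", "")},
            },
            # Container and Kubernetes context travel as labels so Chronicle can pivot on them.
            "labels": [{"key": k, "value": str(v)} for k, v in f.items()
                       if k.startswith(("container.", "k8s."))],
        },
        "security_result": [{
            "rule_name": event["rule"],
            "summary": event["rule"],
            "severity": SEVERITY.get(event["priority"], "UNKNOWN_SEVERITY"),
            "action": ["ALLOW"],   # Falco observed the activity; it did not block it
        }],
    }


def should_trigger_playbook(udm_event, min_severity="MEDIUM"):
    """SOAR trigger: at or above the threshold, or any interactive shell inside a pod
    (low Falco priority, but high value as a playbook trigger)."""
    result = udm_event["security_result"][0]
    labels = {lbl["key"]: lbl["value"] for lbl in udm_event["principal"]["labels"]}
    sev = result["severity"]
    severe = sev in SEVERITY_RANK and SEVERITY_RANK.index(sev) >= SEVERITY_RANK.index(min_severity)
    shell_in_pod = result["rule_name"] == "Terminal shell in container" and "k8s.pod.name" in labels
    return severe or shell_in_pod


if __name__ == "__main__":
    udm = to_udm(FALCO_EVENT)
    print(json.dumps(udm, indent=2))
    print("trigger playbook:", should_trigger_playbook(udm))
```

The point of the trigger function is that the forwarded event keeps enough structure to be matched on, so a playbook can key on rule name plus Kubernetes labels rather than on Falco’s priority alone, which rates an interactive shell in a container as only NOTICE.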

Step 3 – Set up Google Chronicle visualizations for Sysdig events

Besides forensics, you can also visualize all the Sysdig events with Looker dashboards for Chronicle. These visualizations can then be added to relevant threat investigation dashboards.

Extract maximum value from your Microsoft Sentinel SIEM with Sysdig Secure https://sysdig.com/blog/extract-maximum-value-from-your-microsoft-sentinel-siem-with-sysdig-secure/ Wed, 05 Oct 2022 15:00:32 +0000

Sysdig has validated its security, monitoring, and compliance capabilities with multiple Azure-related services. The latest is Microsoft Sentinel, a SIEM (Security...

The post Extract maximum value from your Microsoft Sentinel SIEM with Sysdig Secure appeared first on Sysdig.

Sysdig has validated its security, monitoring, and compliance capabilities with multiple Azure-related services. The latest is Microsoft Sentinel, a SIEM (Security Information and Event Management) solution on Azure that works well with Sysdig’s cloud workload protection capabilities. Sysdig and Microsoft have a common goal of helping customers ship cloud apps faster by helping them see more, secure more, and save time in troubleshooting deployed microservices.

Prerequisites for a successful SIEM implementation

Prerequisite 1: Source asset identification

A good SIEM strategy includes the identification of critical assets that send key data, plus the context, logs, and events around the data into the SIEM. 

Prerequisite 2: Data quality

Garbage in, garbage out. To get the right type of data fed into your SIEM, you need to get it from the correct sources. 

Prerequisite 3: Logging levels

You also need to ensure that the rules controlling the event stream flowing into the SIEM do not cause too many false positives, but maintain a deep level of visibility.

Thus, the policies, rules, and filters with regard to event streams become critical to your SIEM’s success. You must consider whether you have the right systems in place to send the right event streams to your SIEM. 

Why is Sysdig Secure & Microsoft Sentinel a winning partnership?

Sysdig Secure with Microsoft Sentinel – Block Diagram

Reason 1: Sysdig Secure has powerful threat detection capabilities 

At Sysdig’s core is the open-source Falco rules engine. This makes it easy to look for suspicious activity and then send enriched events from Sysdig onward to your SIEM setup, such as Microsoft Sentinel. 

Reason 2: Sysdig lends deep and contextual visibility to Microsoft Sentinel 

Falco on its own fires on any activity that matches a rule, and some of those matches are legitimate behavior inside a container. Sysdig Secure works at system call granularity and ships rules that isolate the cases worth investigating, such as an interactive shell spawned inside a running container. Beyond system calls, it consumes Kubernetes API calls as a second data source, so a detection can correlate what a process did with what was requested of the API server, and the event sent to Microsoft Sentinel carries that Kubernetes context (namespace, pod, deployment) with it. 

Other rules in Sysdig Secure cover data manipulation, SSH tampering, and drift between the image you deployed and what is actually running in production. In this way Sysdig builds on Falco’s capabilities and is becoming a leading choice for cloud detection and response.
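To make the “shell spawned in a container” case concrete, here is an added example (not Sysdig or Falco code) that re-implements the logic of Falco’s default “Terminal shell in container” rule in Python and runs it over constructed process-spawn events. The field names mirror Falco’s (proc.name, proc.pname, proc.tty, container.id, k8s.ns.name, k8s.pod.name); the sample events, container IDs and pod names are made up for the example.

```python
"""Toy version of the logic behind Falco's default "Terminal shell in container"
rule, run over constructed process-spawn events and enriched with Kubernetes
context. Added example for this post; not Sysdig or Falco code. Event field
names mirror Falco's; the sample events are constructed."""

# Shell binaries Falco's shell_procs macro looks for (subset).
SHELL_PROCS = {"ash", "bash", "csh", "dash", "fish", "ksh", "sh", "tcsh", "zsh"}

# Parent names that mean the shell *is* the container entrypoint or an exec into
# it (kubectl exec / docker exec), as in Falco's container_entrypoint macro.
ENTRYPOINT_PARENTS = {"runc", "runc:[0:PARENT]", "runc:[1:CHILD]",
                      "docker-runc", "docker-runc-cur", "exe"}


def is_terminal_shell_in_container(evt):
    """Mirror of the rule condition: spawned_process and container and
    shell_procs and proc.tty != 0 and container_entrypoint."""
    spawned = evt.get("evt.type") in ("execve", "execveat")
    in_container = evt.get("container.id") not in (None, "", "host")
    is_shell = evt.get("proc.name") in SHELL_PROCS
    has_tty = evt.get("proc.tty", 0) != 0          # 0 means no controlling terminal
    pname = evt.get("proc.pname")
    from_entrypoint = pname is None or pname in ENTRYPOINT_PARENTS
    return spawned and in_container and is_shell and has_tty and from_entrypoint


def to_alert(evt):
    """Shape the finding the way it would be forwarded to a SIEM: rule, priority
    and the Kubernetes context an analyst needs to pivot on."""
    return {
        "rule": "Terminal shell in container",
        "priority": "notice",
        "namespace": evt.get("k8s.ns.name"),
        "pod": evt.get("k8s.pod.name"),
        "container_id": evt.get("container.id"),
        "user": evt.get("user.name"),
        "output": (f"A shell was spawned in a container with an attached terminal "
                   f"(user={evt.get('user.name')} shell={evt.get('proc.name')} "
                   f"parent={evt.get('proc.pname')} cmdline={evt.get('proc.cmdline')} "
                   f"container_id={evt.get('container.id')} "
                   f"k8s.ns={evt.get('k8s.ns.name')} k8s.pod={evt.get('k8s.pod.name')})"),
    }


def detect(events):
    """Run the rule over a batch of events and return the resulting alerts."""
    return [to_alert(e) for e in events if is_terminal_shell_in_container(e)]


# Constructed sample events; comments state what a real Falco rule would do.
SAMPLE_EVENTS = [
    # kubectl exec -it <pod> -- bash: interactive shell, parent is the runtime -> alert
    {"evt.type": "execve", "proc.name": "bash", "proc.pname": "runc", "proc.tty": 34816,
     "proc.cmdline": "bash", "user.name": "root", "container.id": "3f9a1c2e4b7d",
     "k8s.ns.name": "payments", "k8s.pod.name": "api-7c9d8-x2k4q"},
    # entrypoint running a helper shell with no terminal -> legitimate, no alert
    {"evt.type": "execve", "proc.name": "sh", "proc.pname": "runc", "proc.tty": 0,
     "proc.cmdline": "sh -c /app/migrate.sh", "user.name": "app", "container.id": "3f9a1c2e4b7d",
     "k8s.ns.name": "payments", "k8s.pod.name": "api-7c9d8-x2k4q"},
    # shell with a terminal but spawned by the application itself -> not this rule
    {"evt.type": "execve", "proc.name": "bash", "proc.pname": "nginx", "proc.tty": 34817,
     "proc.cmdline": "bash", "user.name": "www-data", "container.id": "9b2e0d7f6a11",
     "k8s.ns.name": "web", "k8s.pod.name": "nginx-5d8f7-q9wz1"},
    # interactive shell on the node itself, outside any container -> out of scope
    {"evt.type": "execve", "proc.name": "bash", "proc.pname": "sshd", "proc.tty": 34818,
     "proc.cmdline": "-bash", "user.name": "ops", "container.id": "host"},
    # interactive exec of a non-shell binary -> not a shell
    {"evt.type": "execve", "proc.name": "python3", "proc.pname": "runc", "proc.tty": 34819,
     "proc.cmdline": "python3", "user.name": "root", "container.id": "9b2e0d7f6a11",
     "k8s.ns.name": "web", "k8s.pod.name": "nginx-5d8f7-q9wz1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["output"])
```

Only the first sample fires. The third sample shows a limit worth knowing: a shell started by the application process with a terminal attached does not match this rule, because the rule keys on the parent being the container runtime (an exec into the container), so coverage for shells spawned by compromised application code comes from other rules, not this one.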

Reason 3: Microsoft Sentinel allows for extensive forensic activities based on the data provided by Sysdig Secure

These capabilities can be summarized as follows:

  • Data visualization on dashboards 
  • Correlation with other data points and further investigations 
  • Alerting based on advanced forensics 

This Microsoft Sentinel partnership is a key part of Sysdig’s broader initiative to enhance cloud security and container security for organizations.

What are the various events/datasets that can be analyzed by Microsoft Sentinel (sent from Sysdig Secure)?

Sysdig Secure provides an event forwarding feature that sends different types of security data to third-party SIEM platforms and logging tools. This enables you to view and correlate Sysdig security findings directly in the tools you use for analysis. The list of events can be enumerated as follows:

  1. Activity Audit: Events recording commands, file activity, network activity, and kubectl activity.
  2. Audit Tap: Events that fingerprint every process connection, giving process-level visibility into the whole environment, including every network connection attempt, successful or not.
  3. Sysdig Platform Audit: Records of actions taken in Sysdig Secure itself, for auditing and reporting on use of the platform.
  4. Benchmark Events: Raised when your infrastructure fails checks from benchmarks such as those of CIS (Center for Internet Security).
  5. Secure Events Compliance: How you are tracking against compliance mandates such as HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and NIST (National Institute of Standards and Technology) controls.
  6. Host and Container Vulnerabilities: Image and host vulnerability information from scans at build time and at runtime.
  7. Runtime Policy Events: Detections of activity that violates configured Falco runtime security rules.

How to set up Sysdig Secure to forward events to Microsoft Sentinel?

We validated a proof-of-concept for connecting Sysdig Secure with Microsoft Sentinel. Follow these steps (and the prerequisites, as required) to integrate the two security systems.

(Prerequisite steps)  

A. Set up Sysdig Secure account 

Sysdig Secure – Overview page

It’s easy to get started with Sysdig Secure: sign up on sysdig.com for a free 30-day trial.

B. Configure the Microsoft Sentinel instance

Microsoft Sentinel – Home

On your Microsoft Azure portal, make sure you have enabled an instance of Microsoft Sentinel. This instance will allow you to perform SIEM-related tasks.

C. Set up a Log Analytics workspace for Microsoft Sentinel 

Azure Log Analytics Workspace

This creates the Azure Monitor Logs (Log Analytics) workspace that Microsoft Sentinel uses for data collection; forwarded Sysdig events are stored and queried there.

D. Note the workspace ID and primary key from your Azure portal​

Azure Workspace & Agents management

Under the workspace’s “Agents management” blade, Azure shows the workspace ID together with a primary and a secondary key. Sysdig Secure uses the workspace ID plus one of these keys to authenticate when it pushes events into the workspace behind Microsoft Sentinel, as any other SaaS source would. Treat the key as a credential: anyone holding it can write arbitrary records into your workspace, so store it only in Sysdig’s integration settings and regenerate it from the same blade if it is ever exposed.

(Main steps)  

Step 1 – Set up the Microsoft Sentinel integration within Sysdig 

Sysdig Secure Integrations Setup

Within Sysdig Secure, go to “Settings” > “Event Forwarding” and select “Add Integration.” Choose Microsoft Sentinel. Then, enter the integration name, the workspace ID, and the secret key. Also, select what type of event data you wish to send to Microsoft Sentinel.

Step 2 – Set up the Microsoft Sentinel query

Microsoft Sentinel – Query Setup

In the Microsoft Sentinel UI, go to “Logs” > “New Query”, select the custom log table the Sysdig integration writes to, and run the query. This lists all Sysdig events, including Falco runtime threat detections.

Step 3 – Dive into event details from Sysdig on Microsoft Sentinel

Microsoft Sentinel – Event Details

In the Microsoft Sentinel UI, you can dive deeper into any event from the list of all Sysdig events, and then use it for further forensic investigations.

Step 4 – Set up Microsoft Sentinel visualizations for Sysdig events

Microsoft Sentinel – Dashboard

Besides forensics, you can also visualize all the Sysdig events within Microsoft Sentinel. These visualizations can then be added to relevant threat investigation dashboards.
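The following is an added example, not Sysdig’s connector or Microsoft’s code, showing what the steps above amount to on the wire. It assumes what prerequisite D implies: that the integration authenticates to the Log Analytics workspace with the workspace ID and primary key using the HTTP Data Collector API’s SharedKey scheme (an HMAC-SHA256 over the request method, content length, content type, date header and path). The Log-Type name “SysdigSecureEvents”, the shape of the events, the workspace ID and the key are all constructed. It also shows the step practitioners usually want in front of the forwarder: dropping low-severity events so the SIEM only ingests and bills for what is worth investigating.

```python
"""Select which Sysdig Secure runtime policy events reach the SIEM, then build the
signed request the Azure Log Analytics HTTP Data Collector API expects.

Added example for this post, not Sysdig's connector code. Assumes the Sentinel
integration authenticates with the Log Analytics workspace ID and shared
(primary) key. Log-Type name, event layout, workspace ID and key are constructed."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from email.utils import format_datetime

# Falco priorities, most severe first (list index = rank).
FALCO_PRIORITIES = ["emergency", "alert", "critical", "error", "warning",
                    "notice", "informational", "debug"]

# Constructed sample of runtime policy events, shaped loosely like forwarded output.
SAMPLE_EVENTS = [
    {"rule": "Terminal shell in container", "priority": "notice",
     "namespace": "payments", "pod": "api-7c9d8-x2k4q"},
    {"rule": "Write below etc", "priority": "error",
     "namespace": "payments", "pod": "api-7c9d8-x2k4q"},
    {"rule": "Read sensitive file untrusted", "priority": "warning",
     "namespace": "web", "pod": "nginx-5d8f7-q9wz1"},
    {"rule": "Container Drift Detected (open+create)", "priority": "error",
     "namespace": "web", "pod": "nginx-5d8f7-q9wz1"},
    {"rule": "Constructed low-value rule", "priority": "debug",
     "namespace": "dev", "pod": "scratch-1"},
]

# Constructed credentials: a zero workspace ID and a base64 key of 32 zero bytes.
FAKE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
FAKE_SHARED_KEY = base64.b64encode(b"\x00" * 32).decode("ascii")


def select_events(events, min_priority="warning"):
    """Keep events at or above min_priority in Falco order; noise below it never
    reaches the SIEM and never counts toward ingestion cost."""
    threshold = FALCO_PRIORITIES.index(min_priority)
    return [e for e in events if FALCO_PRIORITIES.index(e["priority"]) <= threshold]


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Data Collector API signs: method, body length,
    content type, the x-ms-date header and the resource path."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def authorization_header(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """SharedKey scheme: HMAC-SHA256 over string_to_sign, keyed with the
    base64-DECODED shared key, signature re-encoded as base64."""
    key = base64.b64decode(shared_key_b64)
    msg = string_to_sign(content_length, rfc1123_date).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key_b64, events,
                  log_type="SysdigSecureEvents", rfc1123_date=None):
    """Return (url, headers, body) for one POST of a batch of events.
    Records land in the custom table <log_type>_CL in the workspace."""
    body = json.dumps(events, separators=(",", ":"))
    if rfc1123_date is None:
        rfc1123_date = format_datetime(datetime.now(timezone.utc), usegmt=True)
    content_length = len(body.encode("utf-8"))
    headers = {
        "Content-Type": "application/json",
        "Authorization": authorization_header(workspace_id, shared_key_b64,
                                              content_length, rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


if __name__ == "__main__":
    forwarded = select_events(SAMPLE_EVENTS, "warning")
    url, headers, body = build_request(FAKE_WORKSPACE_ID, FAKE_SHARED_KEY, forwarded)
    print(url)
    print(json.dumps(headers, indent=2))
    print(body)
    # Sending is then a plain HTTPS POST, e.g. requests.post(url, headers=headers, data=body)
```

Records posted with Log-Type `SysdigSecureEvents` land in a table named `SysdigSecureEvents_CL`, which is what the Logs query in Step 2 reads. Two caveats: the primary key must be base64-decoded before it is used as the HMAC key (using the raw string is a common mistake and yields a 403), and Microsoft has since deprecated the Data Collector API in favor of the Logs Ingestion API, so a new integration should not be built on it.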

Conclusion

A Microsoft Sentinel SIEM (or any SIEM for that matter) is only as useful as your organization’s efforts to understand and leverage it regularly. Its effectiveness is primarily based on your security team’s ability to see suspicious events tracked by monitoring and logging systems – and also on how these events present and elevate different business risks. Give Sysdig Secure a try with your Microsoft Sentinel setup to fully extract value from your SIEM setup and SecOps teams!

IBM LinuxONE and Sysdig: Building cyber resilient systems in hybrid cloud environments https://sysdig.com/blog/ibm-linuxone-and-sysdig-building-cyber-resilient-systems-in-hybrid-cloud-environments/ Tue, 13 Sep 2022 09:00:41 +0000 https://sysdig.com/?p=53767 On September 13, 2022, IBM announced the latest IBM LinuxONE Emperor 4, a highly secured and sustainable Linux-based enterprise server...

On September 13, 2022, IBM announced the latest IBM LinuxONE Emperor 4, a highly secured and sustainable Linux-based enterprise server designed for companies of all sizes. Sysdig with IBM LinuxONE provides unified visibility across workloads and cloud infrastructure through a single cloud-native monitoring and security platform.

IBM and Sysdig are helping clients, including those in heavily regulated industries such as financial services, to build a modern cyber resilient platform stack designed to improve security, business agility, and sustainability, and also reduce overall costs. Businesses can leverage the next generation of IBM LinuxONE’s highly secure and sustainable platform to deploy critical workloads, OpenShift clusters and others across hybrid cloud environment(s).

Phil Williams, Sysdig’s Senior Vice President of Strategic Alliances, says: “Our relationship with IBM for the IBM LinuxONE and IBM zSystems is a key component of our broader initiative for security that is rooted in open source. Sysdig is positioned as a technology partner to support IBM in the LinuxONE Emperor 4 server launch with its unified security and monitoring solution compatible with these secured and sustainability-oriented machines.”

IBM and Sysdig: Joint value creation

IBM LinuxONE Emperor 4 is designed to help companies of all sizes to build a highly secured, sustainability-focused, scalable, agile infrastructure. With IBM LinuxONE, businesses can:

  • Build a sustainable enterprise by reducing carbon footprint and costs
  • Develop a secure cyber-resilient system with privacy and protection
  • Deliver consistent transactional service levels with a massively scalable system

In synergy with IBM LinuxONE, Sysdig products can help customers build a security‑focused, Kubernetes‑based foundation for developing, deploying, and managing applications in containerized and cloud environments. Together, Sysdig and IBM deliver a cloud‑native monitoring and security platform to help clients confidently run containers, Kubernetes, Red Hat OpenShift, and Linux on the new IBM LinuxONE Emperor 4 servers.

IBM and Sysdig: Key use-cases

Here are a few business use-cases on how Sysdig running on IBM LinuxONE Emperor 4 can help organizations through a unified platform to deliver security, monitoring, and compliance functionality in a container and microservices-friendly architecture:

Security governance for workloads running on IBM LinuxONE servers

Set and enforce policies across containers, Kubernetes, Red Hat OpenShift Container Platform, and Linux hosts to maintain higher levels of security for IBM LinuxONE-based applications.

Image scanning and vulnerability management

Scan and block container vulnerabilities in the CI/CD pipeline and identify vulnerabilities in running images across containers, Kubernetes, Red Hat OpenShift and Linux workloads.

Runtime security for workloads running on Red Hat OpenShift or Kubernetes

Detect anomalous behavior with the Falco engine and respond with Kubernetes-native controls such as Pod Security Policies. Note that Pod Security Policies were deprecated in Kubernetes 1.21 and removed in 1.25; on current clusters the equivalent guardrails come from Pod Security Admission or an admission controller of your choice.

Continuous compliance and benchmarks validation

Help ensure compliance across the container lifecycle for standards like NIST, PCI, GDPR, and HIPAA. Validate that configurations at every logical layer of your infrastructure meet security best practices based on CIS Benchmarks for Kubernetes and Linux.

Prometheus-based monitoring for IBM LinuxONE

Deep visibility for containers and Kubernetes – allowing for troubleshooting and customization of metrics.

Audit and forensics

Reconstruct system activities correlated with Kubernetes application context for forensics and incident response.

Ecosystem Partnership with IBM

Sysdig is excited to be working closely with the IBM ecosystem to bring new innovations to our joint clients. Customers can benefit from open standards and an ecosystem that LinuxONE offers including linux-based applications, modern DevOps and a variety of popular software. This can also help to address operational barriers when customers deploy and manage technologies on cloud-native infrastructure. Check out the following resources to learn more:

Additional resources 

Turbocharge your Azure security and compliance posture with Sysdig https://sysdig.com/blog/turbocharge-your-azure-security-and-compliance-posture-with-sysdig/ Mon, 29 Aug 2022 15:09:08 +0000 https://sysdig.com/?p=52155 This article is intended to summarize the security services and tools provided by Microsoft for Azure cloud. We will also...

This article is intended to summarize the security services and tools provided by Microsoft for Azure cloud. We will also explore the value add Sysdig can provide when used in conjunction with the default Azure services for security.

Sharing the responsibility for Security

Microsoft Azure’s security model for the cloud divides the responsibility between Microsoft and customers based on the following principles:

  • Microsoft protects the underlying infrastructure
  • Customers put the practices, protocols and tooling in place to protect the workloads

The nuances of the shared responsibilities have been illustrated in detail for SaaS, PaaS, IaaS and On-Prem in the below diagram that can be found in this Microsoft article.

CNAPP with Microsoft Azure

The responsibility for securing cloud workloads, applications and services on Microsoft Azure lies with the customer. Microsoft, however, provides a useful set of tools for CNAPP (cloud-native application protection platform) and the related CWPP (cloud workload protection platform) and CSPM (cloud security posture management) use cases that can smooth the journey of cloud adoption and operations.

For a detailed explanation of these terms please read this article. Below is a list of solutions and services that many Microsoft Azure customers commonly leverage as an à la carte collection of monthly subscriptions:

Microsoft Defender for Cloud

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure resources and now is also offering some multi-cloud capabilities dependent on Azure Arc.

Microsoft Defender for Containers

Microsoft Defender for Containers is an agent-based solution for securing your clusters, containers, and the applications running in them. It is a separately priced plan within Defender for Cloud.

Microsoft Defender Advanced Threat Protection

This service helps identify unexpected and potentially unauthorized or malicious activity such as malware, cryptomining or attacks. ATP is both a preventive and a post-detection, investigative response feature of Microsoft Defender; its features are standard in many high-end anti-malware packages.

Microsoft Azure Policy

Azure Policy is used to enforce organizational standards and assess compliance. It is a compliance dashboard that helps evaluate the overall state of the environment. It also helps in the enforcement of remediations.

Microsoft Azure Activity Logs

These allow monitoring deployments in the cloud by getting a history of activity for your account subscription, including API calls, SDKs, the command line tools, and Azure services. Sysdig consumes this service (amongst others) as a part of cloud security and compliance continuous feedback.

Microsoft Azure AD and RBAC

Security in the cloud begins with identity. Azure Active Directory (Azure AD) provides the identities, and Azure role-based access control (RBAC) provides fine-grained authorization over resources.

Microsoft Azure Purview

This provides a unified data governance solution to govern on-premises, multi-cloud, and software-as-a-service (SaaS) data and allows data consumers to access valuable, trustworthy data management. Combined with other tools, it can help to meet regulations like HIPAA, GDPR, etc.

Microsoft Sentinel

Although as a SIEM from Microsoft, Sentinel itself is not a part of CNAPP, it offers a near runtime threat detection capability that works hand in hand with cloud workload protection.

Sysdig’s value add for Microsoft Azure

Depending on the use case, Sysdig has add-on and complementary features to Azure security services, aimed at the overall strengthening of your cloud security posture on Azure. Here are some scenarios where Sysdig is a solution to consider:

Hybrid-cloud or Multi-cloud scenarios:

You can use Azure Arc to extend Microsoft Defender for Cloud’s capabilities to GCP or AWS, but the implementation itself adds complexity. If you want to simplify and standardize operations across your clouds and your on-prem infrastructure, a platform like Sysdig that consolidates them is a strong choice.

Figure 1. Multicloud view of your infrastructure

Reduction of associated latency and storage costs with SIEM:

Sysdig leverages the open source Falco project for runtime threat detection. This not only leads to earlier detection of threats, but also you can configure Falco rules within Sysdig to send only certain suspicious event feeds to the SIEM. This reduces the ingestion and storage costs associated with your SIEM implementation.

Reduction of dependency on custom features:

Microsoft’s security services are best suited for Azure as they have multiple custom features that are built with Azure in mind. Sysdig’s solution has been used and tested by multiple clients across a variety of cloud platforms – and it has features which can work with different cloud platforms as required.

Continuous compliance:

This use case involves following established and industry-led guidelines or specifications. The main service that relates to compliance in Azure is Microsoft Defender for Cloud. But there are other services needed to achieve full compliance in Azure: Azure Policy, Microsoft Azure Purview and so on. By utilizing Sysdig with Azure, you can have all your compliance controls in one place – be it any control framework such as SOC2, PCI, NIST, ISO-27001, HiTrust, HIPAA, FedRAMP, GDPR or any best practices that come from the CIS Benchmarks and suggested by the cloud provider.

Figure 2. Compliance and Benchmark reports provide a continuous picture of the security posture of your cloud infrastructure or workload applications.

Mix of traditional and container-based infrastructure:

While Microsoft Defender for Cloud does a very good job of reporting findings about the configuration of your cloud account and services, it lacks visibility into container workloads; for those you need the separate Microsoft Defender for Containers plan. Sysdig provides an overview of your security posture in both worlds, containers and cloud. Similarly, Advanced Threat Protection combined with Microsoft Sentinel does a good job detecting anomalies involving Azure resources such as identities and access keys, compute instances, blob storage, and AKS resources. However, these are additional subscriptions you have to account for in your cloud budget.

With Sysdig you have all the security use cases with one subscription – leveraging the open-source Falco project for the runtime detection capabilities around workload protection, and cloud security monitoring. Sysdig threat detection capabilities detect not only cloud events, but also those that exist on the container workload side like spawning of a shell in a container, modification within sensitive folders, deletion of bash history, etc.

Figure 3. A threat detection dashboard

Sysdig Secure thus strengthens Microsoft Azure and multi-cloud security with a powerful but simple unified experience and a predictable cost model, covering the use cases summarized below.

Summary table

Below is a summary of the value Sysdig adds alongside each Microsoft Azure tool:

Use case: Configuration and vulnerability scanning for VMs and containers
Category: CWPP, CSPM
Microsoft Azure service(s): Microsoft Defender for Containers; Microsoft Defender for Cloud, which integrates with Rapid7 or Qualys scanners (note: these carry additional licensing requirements from Qualys or Rapid7)
Sysdig’s value add: Extends vulnerability scanning to host instances and images, applying runtime intelligence to prioritize what is actually in use (Risk Spotlight). Extends CSPM and compliance by combining dynamic and static checks in one experience. One subscription covers both VMs and containers, with out-of-the-box multi-cloud support.

Use case: Cloud security monitoring and intelligent threat detection
Category: CWPP, and also CSPM
Microsoft Azure service(s): Advanced Threat Protection; Microsoft Sentinel
Sysdig’s value add: Falco-based runtime detection with a rich out-of-the-box rule set for CWPP and cloud security monitoring, for workloads and cloud alike. Reduces SIEM costs by filtering which events are forwarded to Sentinel.

Use case: Audit logging
Category: Not a core security category, but supplemental
Microsoft Azure service(s): Activity Logs
Sysdig’s value add: Native integration with Activity Logs.

Use case: Compliance and data security; detection, configuration drift and data protection
Category: CSPM, standardization, react/alert
Microsoft Azure service(s): Microsoft Defender for Cloud
Sysdig’s value add: Unifies continuous compliance for cloud and workloads with remediation capabilities. Detects runtime threats and vulnerabilities, leading to reaction, remediation and forensic analysis.

Use case: Monitor sensitive data
Category: Data-related CSPM
Microsoft Azure service(s): Azure Purview
Sysdig’s value add: Reinforces security posture and compliance for data-related frameworks such as GDPR and HITRUST.

Conclusion

The default Azure tools let you check off the basic boxes for cloud and container security; to be wholly protected you also need a platform like Sysdig that can:

  • Help you protect your multi-cloud and hybrid cloud infrastructure
  • Provide runtime threat detection for workloads and go beyond a “static” security mindset
  • Deliver a control plane that helps you establish a comprehensive implementation of best practices and compliance frameworks
  • Enable multiple checkpoints to ensure build-time security and stop vulnerable images from being deployed

Sysdig achieves AWS Security Competency https://sysdig.com/blog/sysdig-achieves-aws-security-competency/ Tue, 26 Jul 2022 15:00:03 +0000 https://sysdig.com/?p=45730 Sysdig is an AWS Security Competency partner, providing expertise for Identity and Access Management, Threat Detection and Response, Compliance and Privacy, and Cloud Security Posture Management (CSPM).

Update to the original blog as of 26 July 2022: As AWS continues to expand its security competencies to cover more, and more complex, use cases, we are pleased to announce that Sysdig has now achieved AWS Security Competency in the following categories:

  • Identity and Access Management category for Cloud Infrastructure Entitlement Management (CIEM)
  • Threat Detection and Response category for Endpoint Detection and Response (EDR)
  • Compliance and Privacy category for Cloud Security Posture Management (CSPM)

Sysdig Secure was re-evaluated for use cases in the above categories by the AWS competencies team.

Original post (25 January 2022) follows:

Sysdig today announced that it has achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes the value the Sysdig Secure DevOps Platform provides to AWS customers in achieving their container and cloud security goals. As a key partner in the ecosystem, Sysdig collaborates closely with AWS and its customers to enhance the protection of cloud infrastructure and applications against continuously evolving security threats.

What is the AWS Competency Program?

AWS started the AWS Competency Program to identify the Technology Partners that follow AWS best practices, in addition to industry benchmarks, in helping its customers. By being one of the few platforms to achieve the Security Competency in the AWS Partner Network (APN), Sysdig has demonstrated its commitment to AWS by building a well-architected and deeply integrated security solution tailored to the interests of AWS customers. Sysdig has previously achieved AWS competency status for DevOps and Containers. Sysdig has proven these competencies by:

  • Working with AWS on rigorous APN competency qualification processes
  • Demonstrating AWS business history
  • Validating multiple customer references

AWS customers of various sizes, from startups to enterprises, have successfully leveraged the Sysdig Secure DevOps Platform for these competencies. To quote Knox Anderson, Vice President of Product at Sysdig: “This validation from AWS recognizes the Sysdig Secure DevOps platform as a value-added security solution that can protect organizations from malicious attacks, detect breaches, and remediate issues on AWS while providing complete visibility across cloud assets.”

What does it mean for customers?

Selecting a cloud security solution means evaluating and balancing multiple decision criteria not limited to the following:
  • Budget and pricing
  • Needs to features fit
  • Time to value
  • Buy-in from various teams including Cloud Infrastructure, Governance and Compliance, Incident response, Applications, and Security
Sysdig, besides being vouched by AWS as a security partner, has got these criteria already figured out for our customers and prospects. The Sysdig Secure DevOps Platform provides security built on an open-source stack that includes Falco and Cloud Custodian, open standards for runtime threat detection, cloud compliance, and response. At Sysdig, we provide deep visibility to run apps confidently on Amazon Web Services, including Amazon EKS, Amazon ECS, and AWS Fargate.

What does it mean for our partner stakeholders at AWS?

If you are an AWS Technical Account Manager (TAM) or other AWS personnel working with your customers to choose a cloud and container security and visibility solution, evaluate the Sysdig Secure DevOps platform for use cases such as:

  • Continuous cloud security posture management
  • Host and image scanning
  • Runtime threat detection
  • Network security
  • Kubernetes & container monitoring
  • Managed enterprise Prometheus monitoring
  • Continuous compliance
  • Incident response & forensics
  • Troubleshooting

The Sysdig platform also has a rich set of AWS integrations for:

  • AWS CloudTrail
  • Amazon EKS
  • AWS Fargate
  • AWS Security Hub
  • Amazon ECS
  • CloudWatch
  • AWS Lambda
  • AWS Outposts
  • Bottlerocket
  • Amazon ECR

We look forward to working with our AWS customers!

Tackle cloud-native adoption and security hurdles with Coforge and Sysdig https://sysdig.com/blog/tackle-cloud-native-adoption-and-security-hurdles-with-coforge-and-sysdig/ Mon, 25 Jul 2022 14:48:10 +0000 https://sysdig.com/?p=52168 This is a guest blog by Ashu Deep Saxena (Senior Practice Lead, Cloud Modernization, Coforge, a Sysdig GSI partner) with...

This is a guest blog by Ashu Deep Saxena (Senior Practice Lead, Cloud Modernization, Coforge, a Sysdig GSI partner) with inputs from Sandeep Kumar (Lead Solution Architect, Sysdig) and Durgesh Shukla (Sr. PMM, Sysdig).


The desire to take advantage of the modern cloud-native paradigm has forced many enterprises to rush to production with Kubernetes and containerized applications. Often, the incorrect expectation with cloud-native adoption is that Ops teams would be able to easily transition their existing security and operational practices, workflows and tooling to these new software development platforms and everything would still work as before.

However, containers and microservices add new abstractions that make it very hard to have visibility of what is going on in your applications. The ephemeral nature of containers combined with the black-box nature of the available tools means that deep data for analyzing security incidents, compliance violations, or performance issues become incredibly hard to obtain.

Older puzzles with newer added complexities

There has been great progress made in the information technology world over the last few years. But with all the technological advancements, threats with regard to cybersecurity and information security have also grown exponentially. They have rightfully become key discussion items for CIOs and IT leaders, and here are some examples of why:

  • With cloud services such as serverless functions and managed container services, there are added instrumentation requirements that arise for customers with regard to monitoring.
  • The underlying constructs of containers and orchestrator-driven microservices differ greatly from VM or server-based applications. In most cases, legacy security and performance management tools cannot provide context to understand systems risk, health, and performance.
  • Being one of the central technologies of cloud-native architectures, Kubernetes is not secure by default, particularly because containers on a node share the host kernel. Misconfigurations, vulnerabilities and exploits have also repeatedly led to privilege escalation and unauthorized intrusion into containers. 

Hence, there is an acute need for better tools that are able to cope with the complexities and risks associated with the changed security, compliance and monitoring requirements of consumers.

Coforge’s experiences in cloud adoption and operations

Coforge (formerly NIIT Technologies) has strong roots in technology education and was in fact founded as an IT Training company in 1981. NIIT Limited expanded its services within a few years to include consulting, software solutions and business process outsourcing. Coforge is uniquely positioned to assist customers adopting cloud and containers:

  • With over 2000+ cloud professionals, Coforge globally supports 250+ customers with a strong focus on the Insurance, Travel, Transportation & Hospitality, Banking and Financial Services industries. The company has recently made forays into the Retail, Public Sector, Healthcare & Life Sciences, Hi-Tech and Manufacturing industries as well to solve complex digitization challenges.
  • There are over 20,000+ Coforge associates spread across 25 delivery centers to provide innovation and speed to market, to achieve modernization, transformation and deliver superior solutions. 

To ensure that customers get the best-of-breed solutions, Coforge evaluates multiple tools and then helps customers with services to adopt and operate these tools. As an example, for cloud security and visibility, it based its tool evaluation on subjective and weighted criteria such as:

  • Intrusion detection capability, recording capability and operational management
  • Simplicity to deploy, run and scale
  • Open-source vs closed-source
  • Incident response and forensics capabilities
  • One-stop solution 

Eventually, after multiple proofs-of-concept studies, Coforge decided to adopt Sysdig to power its container solutions and services, with some of the important reasons highlighted below:

  • Sysdig has consistently shown thought leadership and is driving the standard for cloud and container security.
  • With the Sysdig platform, customers can easily find and focus on issues that leave an organization open to a security incident and indicators of a potential attack.
  • Teams can detect and respond to threats and anomalies, find, prioritize and fix application vulnerabilities and manage cloud configurations, permissions and compliance.
  • The Sysdig platform provides a single view of risk across cloud and container environments with no blind spots. The platform is built on open standards that make it easier to integrate with existing tools.

How customers can benefit from the partnership

Coforge and Sysdig have a strategic partnership rooted in a common value set of enabling customer success in the new cloud-native paradigm. This partnership is designed to help customers easily migrate workflows and transition to applications built on top of container and cloud services.

Coforge’s container services help customers across all the stages of their container adoption journey. This includes adoption strategy & assessment, design & implementation of different container platforms, deployment/migration & management of applications in containers.

With Coforge’s deep domain expertise and capabilities in cloud, infrastructure & application modernization backed by Sysdig’s security and monitoring prowess, customers can rest assured that a best-in-class solution is being tailored to their unique observability, security, and compliance needs. Coforge has further invested to build a team of cloud security experts with a deep understanding of the cloud-native ecosystem and Sysdig platform to help customers.

Some of the best features of the Sysdig platform to reiterate include the ability to:

  • Detect misconfigurations from IaC source files to cloud services with a unified policy.
  • Detect and respond to runtime threats across containers, hosts and cloud.
  • Unify vulnerability management across containers and hosts, and prioritize vulnerabilities based on runtime context and risk.
  • Enforce least-privilege access policies with Cloud Infrastructure Entitlements Management (CIEM) to reduce cloud risks.
  • Achieve compliance by using out-of-the-box checks to meet regulatory standards (CIS benchmarks, NIST 800-53, SOC2, PCI-DSS, etc.) for containers and cloud. Enable File Integrity Monitoring (FIM) for containers and hosts.
  • Monitor containers, Kubernetes, and cloud services: maximize performance and ensure availability of cloud-native applications by monitoring and troubleshooting with granular data enriched with cloud and Kubernetes context.

Together, Sysdig and Coforge enable customers to take advantage of the things the cloud is optimized to do: develop and deliver rapidly, innovate continuously, scale business and technology operations, trade capital expenses for operational ones, and do it all with the security and visibility needed to protect users, data, and resources.

The post Tackle cloud-native adoption and security hurdles with Coforge and Sysdig appeared first on Sysdig.