Sysdig | Knox Anderson

Sysdig and PagerDuty: a Superior Alerting Experience

Knox Anderson — Mon, 18 May 2020 16:00:00 +0000

One of the most common ways that users interact with Sysdig (and all monitoring tools, really) is through alerts. You get a notification that something is wrong – hopefully before you hear about it from your users – and you need to go investigate. We’ve worked hard to make this alert-response experience as smooth and intuitive as possible in Sysdig.

We take pride that our customers report massive improvements in mean time to resolution when they’re troubleshooting (think 10X+). Along these lines, to help teams respond quickly, we’ve integrated with PagerDuty for alert notifications.

Our integration with PagerDuty is one of the most used integrations within the Sysdig platform. By hooking up your Sysdig account to your PagerDuty account, you can automatically route Sysdig-generated notifications directly through PagerDuty. This lets you manage your on-call duty and route all your alerts accordingly, from one central location.

We’ve taken our integration with PagerDuty one step further by linking notification status across the two apps. Now, Sysdig doesn’t just push notifications to PagerDuty, we’ll also automatically keep the status of that notification up to date!

Status of notifications in Sysdig Monitor is tracked in two ways:

First off, if a threshold condition resolves to an acceptable state, then a notification will automatically be moved to an “OK” status. This way you still have a record of the issue, but you know that your system is no longer in an alert-worthy state.
Second, you can manually resolve any notification as well. This way, if you’ve investigated a situation, or are otherwise not concerned for any reason, you can dismiss the notification, and clear up your alert dashboard.

You can of course sort all of your notifications by status within Sysdig Monitor, so that only the most important will filter to the top:

And now, with this feature, if any notification is resolved in Sysdig Monitor, we will automatically push the resolved status of the alert to PagerDuty. This way you can keep your PagerDuty notifications list clean, and not have to interface with the same notification in multiple places.

The design of this feature is based on conversations we’ve had with many current Sysdig Monitor users about their preferred workflows with PagerDuty. We’re always looking to improve though, and will be continuing to add new features based on feedback going forward.

If you’d like to give Sysdig a shot, please don’t hesitate to sign up for a free trial above! If you’re already a PagerDuty user, you’ll hit the ground running.

The post Sysdig and PagerDuty: a Superior Alerting Experience appeared first on Sysdig.

Scanning images in Azure Container Registry

Knox Anderson — Sun, 05 Jan 2020 06:27:15 +0000

Use of container platforms like Azure Kubernetes Service (AKS) is accelerating quickly and driving the need for cloud-native security automation. This includes key workflows like image scanning across CI/CD pipelines and registries. Sysdig Secure integrates with Azure Container Registry (ACR) to provide image scanning for AKS and other container platforms. Sysdig analyzes Common Vulnerabilities and Exposures (CVE) within OS packages as well as 3rd party libraries to help DevOps teams know what to fix. In addition, Sysdig Secure identifies misconfigurations that should be remediated before pushing to production.

In this blog we will dive deeper into how to integrate Sysdig Secure with ACR to scan images for Kubernetes for security and compliance purposes. Sysdig has offered unified visibility and security for container and Kubernetes deployments on Azure for years. Now with native CI/CD and registry integrations, you can shift security visibility earlier into your build pipeline.

About Azure Container Registry

ACR provides a container image registry that allows you to store container images for all types of orchestration platforms including Kubernetes, Docker, and Red Hat OpenShift as well as Azure services such as App Service, Machine Learning, and Batch. ACR handles private Docker container images as well as related content formats, such as Helm charts, OCI artifacts, and images built to the OCI image format specification.

Azure Container Registry Security and Sysdig Secure

Scanning images in Azure Container Registry is the same as scanning from any other Docker v2 compatible registry. Once configured, the entire registry or individual images and tags can be analyzed and then evaluated against a Sysdig Secure Scanning policy.

The first step is to pass the ACR credentials into Sysdig Secure to give access to the registry. Once configured the Sysdig Secure scanning engine can pull any image stored within the registry into the engine for analysis.

When an image is pulled into the scanning engine Sysdig Secure will provide visibility into:

Official OS packages
Unofficial packages
Configuration files
Artifacts such as Javascript NPM modules, Python PiP, Ruby GEM, and Java JAR archives
Secrets, credentials like tokens, certificates and other sensitive data
Known vulnerabilities & available updates

These artifacts are then stored and evaluated against custom scanning policies to spot vulnerabilities, misconfiguration, or compliance issues within your images.

Scanning Container Images in Azure Container Registry

Adding an image to the scanning engine from ACR is as simple as copying the registry URL/image/tag into the Sysdig Secure UI and clicking scan image. This process can also be easily scripted to import all images and to watch repositories for updates.

Once an image has been analyzed a report will be generated that has the outcome of the policy evaluation, all vulnerabilities discovered in OS packages, configuration files, and many other artifacts that are stored for audit and compliance reasons.

This report has details showing knoxsds.azurecr.io/cassandra:latest has passed the policy evaluation, including image metadata, vulnerabilities, and even JAR archives information included in the image.

Conclusion

Hopefully you can see how easy it is to get up and running with both Azure Container Registry and Sysdig Secure. If you’d like to see the integration in action sign up for a trial and follow our blog for more posts about securing containers on Azure.

The post Scanning images in Azure Container Registry appeared first on Sysdig.

Introducing Sysdig Secure 2.2: Kubernetes auditing, compliance, and access control.

Knox Anderson — Tue, 11 Dec 2018 05:01:21 +0000

Over the past four years we’ve helped hundreds of organizations run reliable, secure, and compliant Kubernetes and Openshift clusters. Some of the key themes we’ve seen from organizations that have successfully grown their Kubernetes footprint are: they have immaculate labeling, understand how to leverage internal Kubernetes features to harden their platform, and understand what developers need access to and manage it with RBAC and namespaces. Even though you’ve probably seen all of these as best practices, being diligent that they always happen will take you a long way. In the 2.2 version of Sysdig Secure we’ve released a set of features with bidirectional integrations between your Kubernetes or Openshift cluster and Sysdig Secure. The data from Kubernetes helps the workflows in Sysdig Secure follow the same procedures you’d use within Kubernetes for access control and analysis. While the vulnerability and configuration data from Sysdig Secure allows Kubernetes to become more advanced in the prevention of unwanted images running on the cluster. Let’s dive into some of the new features in 2.2. Sysdig Secure 2.2 is out! Native #Kubernetes and #Openshift #security Click to tweet

Kubernetes audit events

Adds new detections based on audit data from the Kubernetes API

Sysdig is the first cloud-native security provider to tap the recently released Kubernetes Audit Policy, creating an additional feed of events to monitor. Virtually all cluster management tasks are done through the API server; therefore, the audit log contains all changes made to the cluster. By tapping the kube-apiserver, Sysdig can alert administrators of suspicious and notable behavior. These alerts help users quickly identify incidents that could negatively impact the business and lets operators answer who did what, where, and when.


File: Create-Modify-Configmap-With-Private-Credentials.yaml
-----------------------------------------------------------

- macro: contains_private_credentials
  condition: >
    (ka.req.configmap.obj contains "aws_access_key_id" or
     ka.req.configmap.obj contains "aws-access-key-id" or
     ka.req.configmap.obj contains "aws_s3_access_key_id" or
     ka.req.configmap.obj contains "aws-s3-access-key-id" or
     ka.req.configmap.obj contains "password" or
     ka.req.configmap.obj contains "passphrase")
- rule: Create/Modify Configmap With Private Credentials
  desc: >
     Detect creating/modifying a configmap containing a private credential (aws key, password, etc.)
  condition: kevt and configmap and kmodify and contains_private_credentials
  output: K8s configmap with private credential (user=%ka.user.name verb=%ka.verb configmap=%ka.req.configmap.name config=%ka.req.configmap.obj)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

Sysdig teams

Service based access control

Sysdig Secure 2.2 introduces service based access control, providing customized reports and dashboards that give users access to only the information that is pertinent to them. The ability to control team privileges to hosts, namespaces, clusters, and deployments, exposes information only to those who need it, making it easier to respond to incidents and adding another layer of security by limiting exposure to information outside the scope of individual teams. DIG DEEPER

Kubernetes vulnerability management

Admissions controller

Sysdig Secure 2.2 has added ability to natively integrate with Kubernetes admission controllers. Through mutating webhooks, Kubernetes can authenticate with Sysdig Secure to prevent unscanned or vulnerable images from being deployed on a cluster. This non-intrusive approach allows organizations to validate images at the Kubernetes level rather than the container-runtime.

Service oriented compliance

Leveraging Kubernetes labels to improve operations and reporting

With the introduction of Kubernetes resource-specific scheduling of CIS Compliance Benchmarks, Sysdig Secure 2.2 further eases the pain of measuring and enforcing compliance across a distributed environment. Scoping enables users to limit scans to specific Kubernetes resources, which saves time by limiting compliance checks to the logical entities that are important to auditors. Learn more about compliance on implementing container compliance for Docker and Kubernetes with Sysdig Secure.

Security analytics

Integrating metrics for advanced reporting

For users who pair Sysdig Monitor with Sysdig Secure 2.2, they have access to more than 90 new metrics that are sent to the Sysdig platform. By viewing Sysdig Secure metrics with the Sysdig Monitor data on the same dashboards, enterprises gain visibility into the performance, health, compliance, and security posture of their environment on a single dashboard.

Wrapping up

If you’re at KubeCon stop by our booth p14 to learn more about these features and see them in action. If you’re remote and want to follow along online we have two sessions where we’ll be covering the opensource project falco. Introductory Session to Falco https://kccna18.sched.com/event/I1Xv?iframe=no Deep Dive covering integrating Kubernetes Audit events with Falco https://kccna18.sched.com/event/I1p9

The post Introducing Sysdig Secure 2.2: Kubernetes auditing, compliance, and access control. appeared first on Sysdig.

Service based access control with Sysdig Secure Teams.

Knox Anderson — Thu, 06 Dec 2018 11:01:21 +0000

While you’re likely familiar with role-based access control, Sysdig teams introduce the concept of service-based access control. With service-based access control, administrators can define groups of users that have access to policy events, policy configuration, and scanning data limited to a service or set of services, as defined by your orchestration system (think Kubernetes, Mesos, and the like). You might be asking, “Why is this important?” And you should be. Our answer is: Because this is the way your organization wants to work. Service-based access control is ideal to reduce the exposure of data to those who actually need it, and also makes users more productive through focusing them on data that is relevant to them. Your platform team is thinking about how to support these development teams, and enable self-service for them, while at the same time keeping an eye on the entire operation. Your SecOps team is looking to isolate access to data while not impeding developer productivity. That’s a lot of demands, all at once, and service-based access control can address them. Before we describe Teams in more detail, let’s take a look what our beta users did with this functionality.

Security scenarios for Teams: Microservices, Kubernetes, compliance, and more

We’ve been happy to see a large number of potential uses for teams appear as customers tested this new functionality with us. Here’s a quick review of what we’ve heard so far.

The classic “dev vs prod” split: Many organizations prefer to limit the number of people accessing data related to their production services. This is about isolating physical infrastructure and the applications on top.
Microservices where each team needs to only see their own dashboards and field its own alerts: By scoping down the data accessible to individual development teams and their related services, developers can more effectively focus on the information that is relevant to them. This is about building teams based on logical isolation using orchestration or config management metadata.
Platform as a service where ops teams need to see the entire platform: This is somewhat the flip of the previous use case, enabling certain people to see all data for all services as well as the underlying hardware. This is perfect for managed service providers who are managing a multi-tenant environments, or devops teams using a similar model within their own organization.
Restricted environments: An even more specific use case of the microservices example to limit data access for security and compliance: Certain services, such as authentication and billing, may have a very specific set of individuals authorized to access them.
Organizations or environments that need to segment incident response for efficiency: This is a wide ranging use case. We’ve seen very large organizations form teams just to simplify access; smaller organizations create ephemeral teams to troubleshoot a particular issue; or teams formed to optimize QA & support access to system data.

How to set up Sysdig Teams

To set up a team, you really need to just do two things:

Set the scope for a team based on orchestration metadata from Kubernetes, Mesos, and Swarm, as well as other characteristics of your environment.
Assign users to any number of teams based on the services or infrastructure they need access to.

Teams in action

Let’s take a look at how teams will change your experience with different areas of Sysdig Secure.

Vulnerability management & image scanning

The gif below starts off with a view that SecOPs users would use within Sysdig Secure. They can see every image that’s running in the environment and whether or not it’s passed its scanning policy evaluation. By switching to the Example-Java-App team which is scoped to kubernetes.namespace.name = Example-Java-App we can now see the view that developers of that team would experience when logging into Sysdig Secure. They can only see the images that roll up into pods, services, and deployments that are part of that namespace.

Policy creation

Policy creation is also limited to the entities that are within the scope of a team. Users of the Example-Java-App team can only apply policies to entities scoped below the Example-Java-App namespace within kubernetes. This gives App Developers and Service Owners the ability apply policy to the services they have created without impacting anything else in the infrastructure. In the image below we can see the only deployment scoping options available are the deployments within the namespace of the team. Here are some potential use cases app Developers could define for the services running within their namespace:

Defining the images they expect to run within the namespace
Defining the registry location that all images within that namespace should come from
Defining which kubernetes deployments within their team should have inbound/outbound connections
Defining which processes they’d expect to run within the images they have built that are deployed to that namespaces.

Other examples could include scheduling compliance tasks to run daily in some AWS regions and weekly in others, or allowing traditional security teams to write policies that apply to just hosts and not your kubernetes infrastructure.

The post Service based access control with Sysdig Secure Teams. appeared first on Sysdig.

Sysdig Secure 2.0 – adds vulnerability management, 200+ compliance checks, and security analytics.

Knox Anderson — Thu, 14 Jun 2018 07:36:19 +0000

A little over 2 years ago we opensourced Sysdig Falco with the goal of providing a robust detection engine that the community could use to securely run containers in production. Since the launch we expanded the default ruleset and have had 750,000+ downloads of Sysdig Falco. Organizations like cloud.gov and Yahoo have used Falco to detect behavioral anomalies across their containerized infrastructure. We then integrated the falco engine into our Cloud-native intelligence platform and launched Sysdig Secure. Sysdig Secure 1.0 built on top of the deep visibility we had from Sysdig Monitor to provide run-time detection, audit, and forensics capabilities. Sysdig Monitor and Sysdig Secure share a unified agent that instruments the host OS and collects system calls. This single low impact agent provides monitoring, security, troubleshooting, and forensics capabilities without needing to instrument any individual containers or configure exporters. Today with the beta release of Sysdig Secure 2.0 we’ve extended the capabilities of our platform by adding vulnerability management, 200+ container compliance checks, and security analytics. With native CI/CD and registry integrations as part of the Sysdig Cloud-Native intelligence platform we’ve moved our visibility earlier into the software development lifecycle. Let’s take a look at some of the new features of the 2.0 release!

Vulnerability Management

Sysdig Secure’s vulnerability management capabilities help organizations bring application security, compliance, and quality closer to the developer. Through native integrations with common tooling in the software delivery chain Sysdig Secure enables teams to avoid and resolve security issues before a build is completed or a container is ever deployed. Image Analysis – Perform an inspection of an image to generate a detailed report of the contents of the image. Including:

Official OS Packages
Unofficial OS Packages
Configuration Files
Language Modules – NPM, PiP, GEM, and Java Archives
Image metadata & more

We’ll then automatically correlate the contents of the image with our vulnerability feeds to give insight into vulnerable packages, files, etc. CI/CD Security – Easily configure Sysdig Secure to scan images as part of your build process through a native Jenkins plugin or easily through API’s. Fail builds, trigger warnings, and enforce compliance easily by including image scanning every time a container goes through your build process. Container Registry Integrations- Scan images stored in any any Docker V2 compatible registry such as CoreOS Quay, Amazon ECR, Docker Private Registries, Google Container Registry or JFrog Artifactory, Microsoft ACR, SuSE Portus and VMWare Harbor. Policies – Configure policies for your build pipeline or your registries to evaluate images against user defined policies for: vulnerabilities, operating system packages, 3rd party packages, software libraries, Dockerfile checks, file contents, configuration files, and image attributes. Run-time Alerting – Alert if unscanned images are deployed into production environments, if a new vulnerability is discovered in a package of an image that’s running in production, or if the scan status of one your running images changes. Kubernetes Vulnerability Management – tie back information about unscanned images, or scan results to Kubernetes clusters, namespaces, and deployments to categorize risk and prioritize image patching and upgrades. Vulnerability Feeds – Continuously updated vulnerability and package data from OS vendors, package repositories, and the National Vulnerability database.

Compliance

Containers offer an opportunity for better security. They’re lightweight, have a smaller attack surface, and are immutable. However, the rate at which they’re deployed and short lifecycle means that configuration can be missed as time goes on. Sysdig Secure 2.0 eases the pain of measuring and enforcing compliance across a distributed environment through compliance controls, audit checks, policies, and results. Sysdig automatically scans the infrastructure with requirements based on Center for Internet Security (CIS) configurations and hardening benchmarks. Users can scope and schedule Docker and Kubernetes benchmarks to measure and maintain Kubernetes compliance.

Security Analytics

One of the things every security team needs to be able to do is report on the status of their environment and how it’s changed over time. Sysdig Secure 2.0 provides rich metrics about events, compliance, and vulnerabilities enabling deeper analytics and a better understanding of the environment. Security metrics tied back to containers, images, hosts, and Kubernetes entities enable users to easily determine how different organizations, applications, and services are trending in risk and compliance.

What’s next?

If you’re interested in learning more about what Sysdig Secure can do, or want to see any of these features in action, request a trial or demo!

The post Sysdig Secure 2.0 – adds vulnerability management, 200+ compliance checks, and security analytics. appeared first on Sysdig.

Auditing container activity – A real example with wget and curl using Sysdig Secure.

Knox Anderson — Thu, 24 May 2018 06:53:10 +0000

One of the first questions Sysdig Secure and Sysdig Falco users have is how do I audit container activity or detect when X happens inside a container, on a host, or anywhere in my environment. In today’s example we’ll cover detecting curl and the use of other programs that fetch contents from the web. There are illegitimate reasons to execute curl, such as downloading a reverse shell or a rootkit, but there are many legitimate reasons as well. In either case detecting the usage of web fetch programs in general is something many organizations need to do for compliance reasons. If you’re new to the Falco rules syntax I recommend you check out some of these great resources to get up and running:

The Falco wiki – check out the default rules and learn the basics of lists, macros, etc
The Sysdig wik i – learn the filtering syntax that falco rules use to detect unwanted behavior
Blog – Getting started writing falco rules
Blog – Friends don’t let friends curl | bash
A Katacoda scenario that goes through the steps of creating and triggering falco rules.

Name the Web Fetch Programs

First, create a list + macro that names the programs that count as “web fetch programs”. Here’s one possibility. By convention, “binaries” are used to name programs, and “programs” refer to a condition that compares proc.name to a list of binaries. Also note the good practice of parentheses surrounding the condition field of each macro to ensure it is always treated as a single unit.

list: web_fetch_binaries
items: [curl, wget]

macro: web_fetch_programs
condition: (proc.name in (webfetchbinaries))

Capture Spawning a Web Fetch Program

Next, write a macro that captures any exec of a web fetch program. Here’s one way, using the existing spawned_process macro:

macro: spawned_process
condition: evt.type = execve and evt.dir=<

If you have any questions about the filtering syntax on the condition check out some of the available filters documented here Next combine the web_fetch_programs and spawned_process macros, to have a single macro that defines “curl or wget were executed on my system”:

macro: spawn_web_fetcher
condition: (spawned_process and web_fetch_programs)

Add exclusions, define the rule

When creating this rule we’ll want to add a macro that adds the ability to name a set of exceptions and combine that with the macros we created earlier. Note use of the container macro to restricts the rule to containers. To monitor for this behavior on all hosts and inside containers just remove the container macro in the condition below.

macro: allowed_web_fetch_containers
condition: (container.image startswith quay.io/my-company/services)

rule: Run Web Fetch Program in Container desc: Detect any attempt to spawn a web fetch program in a container condition: spawn_web_fetcher and container and not allowed_web_fetch_containers output: Web Fetch Program run in container (user=%user.name command=%proc.cmdline %container.info image=%container.image) priority: INFO tags: [container] Now you’re all set to use this rule in your environment with falco. Next we’ll cover adding this rule to Sysdig Secure so you can have more controls over the scope of where a policy applies, take actions like killing or pausing a container, or record all the system activity before and after this web fetch event for forensic analysis. To add this rule to Sysdig Secure copy the rule and exclusion into the custom rules section, and then save it be able to add the rule Run Web Fetch Program in Container to a policy.

Create Policy Associated With Rule

Now, create a Sysdig Secure policy associated with the rule. This policy can be scoped by container and orchestrator labels so you can apply it to different areas of your infrastructure depending on their security and compliance needs. Actions like killing a container can also be taken. By switching to the falco tab within the policy you can select the new rule Run Web Fetch Program in Container to apply it to the policy you just created.

Verify Policy Is Working

Finally, a command like docker run –rm byrnedo/alpine-curl https://www.google.com should result in a policy event: Within this policy event you’ll get full context of what triggered the event and where it occurred in your physical and logical infrastructure. Hopefully this example provides an easy way to get started writing your first falco rules to audit the activity occurring inside your containers. If you need help contact us on Slack and share any rules you create with the community by submitting a PR to the Sysdig Falco project.

The post Auditing container activity – A real example with wget and curl using Sysdig Secure. appeared first on Sysdig.

Sysdig Secure 1.5 – enhanced kubernetes security & compliance; integrates with Google Cloud.

Knox Anderson — Fri, 27 Apr 2018 22:15:29 +0000

The Sysdig Secure 1.5 release furthers our goal of unifying security, performance monitoring, and forensics. This release includes a new UI and workflows to make security & Kubernetes compliance accessible to application developers as well as security teams. Sysdig Secure 1.5 brings feedback about what AppDev’s, Platform Operators, and Security Operations teams want: An easy way to configure policy, detect events, and mitigate threats as quickly as possible.

Updated Look & Feel of the Sysdig Intelligence Platform

We’ve updated the interface of both Sysdig Monitor and Sysdig Secure to bring a more modern look and feel to our products, while also providing more real estate within the app to what matters most: Your data. Switching between monitor and secure is just a click and any grouping configuration, notification channels, or integration work is automatically shared and can be used across products.

Kubernetes Security for the App Developer

Sysdig Secure allows users to scope policies by any piece of relevant metadata in their environment. If an app developer is responsible for a specific image, or an orchestrated service they can easily apply a single policy to protect all the containers associated with a given label or tab. The same goes for Platform Operators or SecOps teams who need to configure policies to an availability zone or Security group for compliance reasons. In this screenshot you can see the different kubernetes deployment options that can be used to scope policies to help protect containers at scale. Besides being able to scope policies by metadata our customers wanted a simple way to configure policies so that everyone in the organization can understand them. This falls in nicely with the DevSecOps mantra of you build it, you secure it, you run it. Our new enhanced policy rules let you easily whitelist and blacklist processes, container images, files, ports, and more, while still allowing you to cover advanced scenarios with Falco based rules. This screenshots shows all the different policies configured based on scope in your environment. The policy editor shows how users can easily limit inbound/outbound connections or detect unwanted activity on a range of ports.

Default Policies mapped to Compliance Frameworks

Sysdig Secure makes it easier to ensure that your organization is meeting its compliance regulations in many ways. One new method by which we achieve this is by mapping our default policies to common compliance regulations. That means the secops team or a developer can more easily understand why a rule is being applied, and if a violation occurs, what the potential impact of that violation is. Sysdig secure comes with dozens of out-of-the-box policies today, that typically cover 90%+ of an enterprise’s needs. With the new policy editor, creating that last 10% is a simple task for any cybersecurity or devops professional.

Increased Investigation efficiency

If a policy condition is met and an event is triggered a security analyst must quickly understand if the event is malicious activity, if the existing policy must be tuned, or if there is no issue. We’ve expanded our event feed to group related events in the same timeframe as well as provide a robust summary to make the event classification process easier. All events are also enriched with full kubernetes context, meaning no additional manual log correlation is needed to find out all the services a particular image may relate to. Within the details section a user can quickly see full details about why a policy violation occurred and how it can relate to the rest of your environment. Here we can quickly see the connect was attempted on port 81 by the nginx – g daemon off; command.

Sysdig Secure + Cloud Security Command Center

Google’s Cloud Security Command Center helps security teams gather data, identify threats, and act on them before they result in business damage or loss. In this latest release we’ve added an integration between Sysdig Secure and the Cloud Security Command Center. Sysdig events will be correlated to 2 kinds of resources from Google Cloud Platform: compute instances, either launched manually or part of a GKE instance pool, and also container images from the Google Container Registry. Sysdig Secure enriches all events from containers with all the relevant instance, container image, Kubernetes scope, and cloud metadata. To make events more meaningful to Kubernetes Security teams add the different custom Kubernetes properties from Sysdig into the findings table, including cluster id, namespace, deployment or pod. Check out what customers are saying about the integration: “We chose to develop on Google Cloud for its robust, cost-effective platform. Sysdig is the perfect complement because it allows us to effectively secure and monitor our Kubernetes services with a single agent,” said Ashley Penny, VP of infrastructure, Cota Healthcare. “We’re excited to see that Google and Sysdig are deepening their partnership through this product integration.” Sysdig Secure enriches all events from containers with all the relevant instance, container image, Kubernetes scope, and cloud metadata. To make events more meaningful to Kubernetes Security teams add the different custom Kubernetes properties from Sysdig into the findings table, including cluster id, namespace, deployment or pod.

Conclusion

If you want to hear about some of the benefits directly from customers who have unified monitoring and security operations check out these case studies from SunRun and Quby. We’re constantly releasing new features to and resources to help organizations meet compliance and security needs in their new containerized environments.

Container and Kubernetes compliance.
Visit Sysdig Brightalk Channel for sessions on best practices securing containers.

The post Sysdig Secure 1.5 – enhanced kubernetes security & compliance; integrates with Google Cloud. appeared first on Sysdig.

Sysdig Secure February Release

Knox Anderson — Thu, 22 Feb 2018 22:10:07 +0000

We’ve been busy at work over the winter adding new functionality to Sysdig Secure and wanted to round up some of the features we released over the holiday season and in first month of the year. There are three main themes in this February release.

Kubernetes Oriented Security- Security event topologies, default dashboards, & policy management
Improved Policy Management – New default policies & updated falco rule editor
New Enterprise Integrations – Secure authentication & notification channels

Kubernetes Oriented Security

Many of the new policies and pieces of functionality we introduced revolved around tighter integrations with the orchestrator. When customers get their first containerized application into production they often think about what is needed to protect the container, when their real goal is delivering a stable, secure service. To make it easier to view which policies are protecting hosts, containers, services, cloud regions, etc we’ve add the ability to group policies by scope. This shows how policies can be viewed based on the scope to which they apply. Here we can see the specific policies configured to protect containers in my prod kubernetes namespace. Topology Maps We also released Topology maps for event analysis. Topology maps allow Security Analysts to quickly identify where events have happened on a host or service, and escalate to the proper development and operations teams in charge of those services. The maps are also useful to quickly identify any network dependencies between hosts, containers, and services as well as uncover unexpected connections. Depending on the scope, analysts can see all the entities in a grouping hierarchy, the network connections between them and the count of events that have happened during the timeframe. In the example below we show what topology maps look like from both a physical and logical perspective. This map first shows the events in kubernetes cluster from a physical perspective, and the a logical view based on the Kubernetes metadata. Notice how much easier it is to detect what applications have events in the service-oriented view. Overview Dashboard Policy events can also be visualized through the overview dashboard within the events page. The overview dashboard gives analysts and administrators a quick overview of which policies, hosts, containers, and deployments had the most events over the selected timeframe. It’s also a great way to get an at a glance summary of how many hosts the agent is installed on and the severity of the events that have occurred. *The overview dashboard is a good way to bridge the gap between your SecOps team and developers. Quickly identify images and applications that have had incidents to set priority with developers. *

New Kubernetes & AWS Policies

We also added two new default policies to cover Kubernetes & AWS API access. The Kubernetes API has been a popular target for cryptojacking so we added a new policy to detect any connection to the K8s API Server besides those that are explicitly allowed.

- rule: Contact K8S API Server From Container
  desc: Detect attempts to contact the K8S API Server from a container
  condition: outbound and k8sapiserver and container and not k8s_containers
  output: Unexpected connection to K8s API Server from container (command=%proc.cmdline %container.info image=%container.image connection=%fd.name)
  priority: NOTICE
  tags: [network, k8s, container]

We also added another policy around API services where we’ll detect unexpected attempts from containers to communicate with the EC2 Instance Metadata Service.

- rule: Contact EC2 Instance Metadata Service From Container
  desc: Detect attempts to contact the EC2 Instance Metadata Service from a container
  condition: outbound and fd.sip="169.254.169.254" and container and not ec2metadatacontainers
  output: Outbound connection to EC2 instance metadata service (command=%proc.cmdline connection=%fd.name %container.info image=%container.image)
  priority: NOTICE
  tags: [network, aws, container]

New Policy Editor

We’ve made it easier for users to bring their existing falco rules and add new rules to Sysdig Secure by adding a rules editor in the Sysdig Secure interface. Just copy in any custom rule, save it, and it will be added to the default ruleset and available within the policy editor. *Quickly add a new rule to your default falco rule set directly within the UI. *

Enterprise Integrations – SSO authentication & new notification channels

Single Sign On Authentication We wanted to streamline your user experience by releasing Single Sign On (SSO) for Sysdig Secure. Our SSO solution provides support for the most common methods of SSO, across both our cloud offering and our on-premise software offering:

Google Authentication
SAML
OpenID (Cloud)
LDAP (On-premise)

Find more details on how to configure SAML and OpenID. New Notification Channels We’ve also added support for new notification channels as well as webhooks to route any event to a Incident Management ticketing system, or some your SIEM of choosing.

The post Sysdig Secure February Release appeared first on Sysdig.

Sysdig’s Top Viral Blogs of 2017

Knox Anderson — Thu, 18 Jan 2018 20:01:16 +0000

2017 was a big year for Sysdig: New opensource projects, a round of funding, community conferences, and even a new product, Sysdig Secure, to set the foundation for what will be a great 2018. While all of that is awesome, what really brings you to our blog is the content that dives deep into system internals.

Let’s recap 2017 by focusing on the viral blogs that climbed up hackernews and into your twitter feeds. We’re going by the data and looking at the blogs that you, the readers visited most in 2017.

1. Container isolation gone wrong

At it’s peak this blog had 164 users coming to the blog per minute. Containers can have separate quotas for CPU, memory, storage… what could possibly go wrong?

One of the main advantages of embracing containers is “lightweight virtualization”. Since each container is just a thin layer around the containerized processes, The user gains enormous efficiencies, for example by increasing the container density per host, or by spinning containers up and down at a very fast pace.

However, as the troubleshooting story in the article will show, this lightweight virtualization comes at the cost of sharing the underlying kernel among all containers, and in some circumstances this can lead to surprising and undesirable effects that container users typically don’t think about.

This troubleshooting tale is rather involved. I’ve started from the basics and worked up to the more complex material in the hope that readers at all levels can get value out of it. Read More

2. Kubernetes monitoring guide

If 2016 was the year of containers, then 2017 was the year of Kubernetes. This blog kicks off a 4 part series covering Kubernetes monitoring, alerting, troubleshooting, and how customers are actually using kubernetes in production.

With over 21,000 stars on GitHub, over a thousand committers, and an ecosystem that includes Google, RedHat, Intel, and more, Kubernetes has taken the container ecosystem by storm. It’s with good reason too: Kubernetes acts as the brain for your distributed container deployment. It’s designed to manage service-oriented applications using containers distributed across clusters of hosts. Kubernetes provides mechanisms for application deployment, service discovery, scheduling, updating, maintenance, and scaling. But what about monitoring Kubernetes? Read More

3. Docker usage report

As someone who’s attended DockerCon for the last 3 years it’s been pretty impressive to see the community grow around containers. This data driven post looks at how people are using Docker in their application environments right now.

Many Docker usage reports are based on user surveys. These are incredibly useful to understand intent and objectives, but can sometimes be inconsistent with how people are actually adopting Docker within their environments right now. The main question we wanted to answer was, “How are people using Docker in their application environments right now?” As the premier container monitoring solution, Sysdig is in a fantastic position to answer this question with actual Docker usage data across hundreds of customers. Read More The top 5 #sysdig viral container blogs of 2017 Click to tweet

4. Sysdig Inspect

Ok, Ok, I know earlier I said we’d keep release posts out of the list, but Sysdig Inspect was too good. It’s not everyday that someone builds an Opensource GUI for system call analysis.

Sysdig is routinely praised by users for the richness of the data it’s able to capture and for the ability to store system, application and container that data into capture files that can be easily shared with other people.

However, extracting insights from rich data can be hard. Mastering the art of analyzing sysdig capture files requires dedication and skills. This is why we constantly try to improve workflows around sysdig and find ways to get better insights with less effort. Today, we bring these efforts to a new level with the release of Sysdig Inspect.

Sysdig Inspect is a powerful, intuitive tool for sysdig capture analysis that runs natively on your Mac or your Linux PC, with a user interface that has been designed for performance and security investigation. Read More

5a. Top 20 Docker security tools

As more and more companies move into production environments with containers, security becomes ever more important. This post rounds up the container security ecosystem through every layer of your security stack, from scanning down to forensics. We are keeping the number “20” in the title, but the list has 22 items at this moment… and growing.

There are quite a few Docker security tools in the ecosystem, how do they compare? This is a comprehensive list of Docker security tools that can help you implement some of the container security best practices.

Is Docker insecure? Not at all. Actually features like process isolation with user namespaces, resource encapsulation with cgroups, immutable images and shipping the minimal software and dependencies reduce the attack vector providing a great deal of protection. But, is there anything else we can do? There is much more than image vulnerability scanning and these are 20 container and Docker specific security tools that can help. Read More

5b. Docker vulnerabilities and threats

A list of container vulnerabilities is great, but it’s much more useful if it includes proof of concept examples how to address them in your environment. This post has been one of the more consistently visited pages since it’s release.

There are some specific parts of Docker based architectures which are more prone to attacks. In this article we are going to cover 7 fundamental Docker security vulnerabilities and threats.

Each section has been divided into:

Threat description: Attack vector and why it affects containers in particular.
Docker security best practices: What can you do to prevent this kind of security threats.
Proof of Concept Example(s): A simple but easily reproducible exercise to get some first hand practice.

Docker vulnerabilities and threats to battle

Bonus content

We’re stacking the deck in 2018 and have already released two great posts to start of the new year.

Making sense of Meltdown/Spectre

The IT world was put on its heels this past week as two of the most significant hardware exploits were announced for CPUs from Intel, ARM, AMD, IBM, and others. Early estimates state that as many as 3 billion devices have this flaw (don’t worry, your Apple II and C64 is safe). As there often is with a vulnerability of this magnitude, there’s a ton of noise associated with the problem, which makes it difficult for the average IT professional to get to the facts. So let’s step back from the hyperbole, and break down exactly what the problem is, and how it affects the day to day life of the average IT professional.

Fishing for miners – cryptojacking honeypots in Kubernetes

We run Kubernetes honeypots so you don’t have to. What would happen if you put a K8s cluster up on AWS but left the API Server port (8080) generally open to the outside world? Have attackers moved on from EC2 exploits to container-specific and kubernetes-specific exploits? One way to find out!

The post Sysdig’s Top Viral Blogs of 2017 appeared first on Sysdig.

Monitoring Alibaba Container Service

Knox Anderson — Mon, 18 Dec 2017 18:51:54 +0000

99% of the time HackerNews is an awesome time sink, but every once in awhile something there inspires you to try out a new technology, platform, etc. In this case two fresh slices of pizza and the HN post below were the perfect excuse to try a new cloud platform. We’ll dive into spinning up a container cluster and monitoring Alibaba Container Service.

Alibaba Cloud has been around for awhile, but with their new $300 trial credit offer there’s no reason not to spin up some instances to see what it’s about.

Not to be confused with AWS ECS Alibaba refers to their compute service as ECS and like GCP, AWS, and Azure they have many services for Databases, load balancers, etc. There’s a ton of different free options, but naturally the first thing I wanted to check out was their container service.

Setting up Alibaba Container Service

The Alibaba Container Service makes it easy to get a handful of hosts booted up, then to schedule and run containerized applications on them. But before we dive into visibility let’s take a look at the building blocks of the Container Service. The first thing we need to do to get started is boot up a cluster.

When building a cluster just click through the GUI to choose your Region, Number of nodes, security group parameters and you’re all set.

Now that you’ve got a small cluster of nodes, let’s deploy some applications. There are a couple different options baked into the Container Service Console

Docker Images – Choose any image from the docker public repo and with a single click start that container on your service
Orchestration – use docker compose within the console via orchestration templates, or roll your own orchestrator like kubernetes or mesos
Applications – pre-built application stacks, or applications that you’ve uploaded to run in containers on the nodes in your cluster

I chose to boot up one of the gitlab applications as well as the wordpress service into the cluster we have running.

Installing Sysdig Monitor

Installing Sysdig Monitor in your cluster is crazy fast. Just copy the docker run command or use existing orchestrator facilities like daemonset in kubernetes to get our agent installed. The Sysdig Monitor agent runs as a container on each node, and then loads a non block kernel module via DKMS to start collecting all system, application, network, and custom metrics (statsd, jmx, prometheus) from your system.

Monitoring Alibaba Container Service

Monitoring Physical Infrastructure: Hosts & Containers

One of the first things to do when you get Sysdig Monitor installed in any environment is to look at a topology map of the cluster. Here we can see every node in the cluster, the cpu usage of the node, and then all ingress and egress connections to other nodes we’re monitoring or external services.

From here we can drill down even further inside the host and see all the containers, their network connections, and then go another layer deeper by drilling down to the process level or even syscall of what’s running inside the container. This provides huge value into understanding the performance of Alibaba Container Service, most monitoring tools only provide container metrics via the docker stats API so you know “hey, my container is running at 98% CPU” but you don’t know why, or what’s running inside that container.

How to create dynamic topology maps for Alibaba Container Service Click to tweet

Monitoring Applications running on Alibaba Container Service

Next let’s move to the application layer. In the previous gif we had looked at a host and noticed that there was a MySQL process running inside the wordpress container. Sysdig Monitor comes with hundreds of out of the box integrations with popular applications and services. We’ll automatically recognize the process or protocol and then start pulling metrics from that application and tag them with the metadata from your cloud provider and orchestrator. Such as this example of nginx errors segmented by the kubernetes namespace that they’re coming from.

The same applies to any custom metric from statsd, jmx or prometheus. Just install the agent as a container on the node and we’ll discover everything whether it’s running inside a container or on the node. Let’s check out the gif below to see what this looks like for our containerized MySQL application.

Exploring our Container Service Environment

Next let’s flip over to the explore page of Sysdig Monitor to slice and dice our infrastructure to dynamically troubleshoot and visualize services. The explore page works like an interactive top or pivot table so you can set up and hierarchy and change it on the fly depending on what questions you want to answer about services, hosts, or containers. Here we can look at hosts first, and then switch our grouping up to get the performance of images and the containers that are sharing that image regardless of what physical infrastructure they’re running on.

Conclusion

A couple of slices of pizza and some free credits to learn about monitoring Alibaba Container Service were more than enough to keep me entertained while futzing with different applications on this service.

On the Sysdig Monitor side we’ve still barely touched the surface of the insights you can get into Alibaba Container Service. Check out some of these posts to learn more about how we do alerting, kubernetes monitoring, or more about our custom metrics integrations.

If you’re already running on Alibaba Container Service or any other cloud platform then kick off a 15 node free trial of Sysdig Monitor and let us know what you think!

The post Monitoring Alibaba Container Service appeared first on Sysdig.