Cloud Native Visibility and Security Chris Kranz Sysdig Secure - PowerPoint PPT Presentation

Cloud Native Visibility and Security Chris Kranz

Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum • Founded by Wireshark • Cloud-native security • Customer expansion mirrors co-creator and monitoring cloud-native adoption • Contributed Falco to CNCF • Provides visibility and • Trusted by the largest control for secure operations enterprises • Supported open-source sysdig (10M+ downloads) 2 | Sysdig Inc. Proprietary Information

Scaling Production Expands DevOps Role Secure DevOps Security and Observability functions compliance functions • Monitor availability • Scan for vulnerabilities and performance • Apply runtime policies • Manage capacity Maximize application • Triage security alerts and cost availability • Speed up incident • Troubleshoot issues response and forensics Secure DevOps converges security and observability functions 3 | Sysdig Inc. Proprietary Information

Secure DevOps Examples We want to ensure images are free We want report on all vulnerabilities of vulnerabilities and meet best and compliance violations in practices before pushing to running containers in specific Secure production. Kubernetes namespaces for audit DevOps purposes. Global Travel company Japanese ISP As containers come and go, we We need to improve our need to discover in real time which signals into SOC for detection, service- to-service connections audit and hunting workflows are anomalies. for containers. Major financial institution Large US Bank 4 | Sysdig Inc. Proprietary Information

You Cloud native leaves you blind can’t secure what Security and operations fail without context you cannot see Containers disappear and leave no trail 5 | Sysdig Inc. Proprietary Information

Legacy and Point Solutions Do Not Work Point solutions Legacy tools • Not container native • Invasive instrumentation • No Kubernetes context • Limited Kubernetes context • Lack scale and data depth • Not built for DevOps Purpose-built Cloud native requires specific tools 6 | Sysdig Inc. Proprietary Information

Sysdig Secure DevOps Platform Embed Security Maximize availability Validate compliance Converging visibility and security for production deployments 7 | Sysdig Inc. Proprietary Information

Unified Workflow Across the Cloud-Native Lifecycle Build Run Respond CI/CD Security Apps Alerts Context Event Forwarding/Audit/IR Registry Security Infrastructure SIEM master node node Vulnerabilities Configuration Metrics Events Security Policies Alerts Audit logs Events Syscall captures Sysdig Secure DevOps Platform Self-hosted SaaS 8 | Sysdig Inc. Proprietary Information

Microservice-Oriented Instrumentation Data Container 1 Container 2 Container 3 Sysdig Collection Docker Containerd CRI-O Agent Docker Host + Network Prom + Statsd Security Security Metrics Metrics Events Enforcement Host eBPF Program Host 9 | Sysdig Inc. Proprietary Information

Use the Same Data to Monitor and Secure Example: Example: Macro Investigate compliance violation Troubleshoot performance issue What was the Incident: Privileged container is launched in Incident: CPU spike noticed in several problem? Kubernetes that violates PCI article 10.2.5 nodes in K8s infrastructure Where did Application context: Violation Application context: Spike occurred in it occur? occurred in a PCI namespace a container within java-app namespace Why did it Dig down with low-level syscall data happen? (commands, file activity, network connections correlated with Kubernetes activity) Micro 10 | Sysdig Inc. Proprietary Information

Sysdig Secure DevOps Platform Embed security Maximize availability Validate compliance • Detect vulnerabilities and • Prevent issues by monitoring • Verify CIS compliance misconfigurations with a performance and capacity during build single workflow • Accelerate troubleshooting • Use runtime policies to confirm • Block threats without with a single source of truth compliance (NIST, PCI) impacting performance • Scale Prometheus monitoring • Accelerate audit by correlating • Conduct forensics even across clusters and clouds all cloud-native activity after the container is gone 11 | Sysdig Inc. Proprietary Information

Secure DevOps Across Cloud-Native Lifecycle Build Run Respond • Image Scanning • Runtime Security • Incident Response • Vulnerability Reporting • Forensics • Audit • Infrastructure Monitoring • Troubleshooting • Configuration Validation • Application Monitoring Secure DevOps DevOps Continuous Compliance (PCI, NIST, CIS, etc.) Unified platform for security and DevOps use cases 12 | Sysdig Inc. Proprietary Information

Enterprise Companies Are Choosing Sysdig Build Run Respond Nodes Japanese ISP K8s context; runtime detection; single platform; scale 10K+ Top 5 Software Company 1,000+ K8s context; open-core; unique forensics and auditing capabilities, scale Top 5 K8s-native; Prometheus integration, scale Public Cloud 1,000+ Top 5 Automated context; data depth, MITRE runtime Investment Bank 100K+ rules, scale Top 10 US Bank Automated context; data depth; MITRE runtime rules, audit, open-core; scale 5,000+ 13 | Sysdig Inc. Proprietary Information

Platform Built on an Open Foundation Build Run Respond Sysdig Secure DevOps Platform Adds scale, workflow, K8s, and cloud context Image scanning Monitoring Runtime security Forensics/Troubleshooting Vulnerability feeds Infrastructure and Detection policies Deep visibility into application metrics and alerts container activity 14 | Sysdig Inc. Proprietary Information

Sysdig Monitor: Kubernetes Monitoring Scale for production Maximize availability Speed up troubleshooting • Scale Prometheus monitoring • Prevent issues by optimizing • Isolate problems with across clusters and clouds performance and capacity dynamic service topology • Analyze real time and • Isolate monitoring data, • Resolve issues faster by historical application behavior dashboards, alerts by roles correlating metrics and events • Automatically discover Cloud • Auto detect incidents using • Accelerate troubleshooting Native integrations Kubernetes events knowledge with a single source of truth to avoid downtime 16 | Sysdig Inc. Proprietary Information

Sysdig Secure: Security for Kubernetes Deploy securely Block threats at runtime Validate compliance • Single workflow for detecting • Prevent threats without • Automatically remediate by vulnerabilities and miscon- impacting performance triggering response actions figurations in containers using K8s native controls and downstream notifications • Save time by flagging • Strengthen security using • Conduct forensics after the vulnerabilities and automated policies container is gone identifying owner • Extend Falco to save time • Accelerate audit by correlating • Validate PCI and NIST creating and maintaining all cloud-native activity compliance pre-deployment runtime policies 22 | Sysdig Inc. Proprietary Information

Sysdig Secure 3.0 Prevent Optimize Respond • Save time by automatically • Validate policies prior to • Reconstruct system activities generating Kubernetes policies deployment to avoid breaking including commands and network applications connections to speed incident • Enforce least privilege with response Kubernetes Pod Security Policies • Generate fewer false positives by tuning Falco runtime policies • Uncover malicious and miscon- • Stop threats at runtime figuration issues by mapping using K8s controls without activity to users or services impacting performance • Comply with any SOC2, PCI, NIST audit 23 | Sysdig Inc. Proprietary Information

Prevent: K8s Policy Advisor Generate Validate Prevent Auto-generate policy from Validate policy prior to Leverage K8s controls to pod configuration: deployment: handle enforcement: • Automate policy creation to save • Avoid breaking applications • Strengthen security using time PSP enforcement • Tune policies to reduce false • Enforce least privilege using positives • Enable prevention without Pod Security Policies relying on security agents 24 | Sysdig Inc. Proprietary Information

Respond: Activity Audit • Capture system activity and make it searchable and indexable against Kubectl activity • Easily filter through any user or service interaction across the K8s stack • Comply with SOC2, PCI, ISO, HIPAA, etc. audit 25 | Sysdig Inc. Proprietary Information

Activity Audit Examples Enriched activity Example queries Activity 1. Show all outbound connections from my billing namespace to an unknown IP address • User commands 2. Trace a “kubectl exec” user interaction and list • Network connections all the command and network activity that • Kubectl activity happened inside the pod Context 3. Show every tcpdump command execution that has happened in a host or K8s deployment • K8s context (labels/metadata) • Container and cloud context 26 | Sysdig Inc. Proprietary Information

Sysdig Secure DevOps Platform Embed security Maximize availability Validate compliance Converge visibility and security to run cloud native in production 29 | Sysdig Inc. Proprietary Information

Dig deeper 30 | Sysdig Inc. Proprietary Information