Cloud Native Visibility and Security, Chris Kranz, Sysdig Secure (PowerPoint presentation)



SLIDE 1

Cloud Native Visibility and Security

Chris Kranz

SLIDE 2

| Sysdig Inc. Proprietary Information 2

Sysdig Secure DevOps for Cloud Native

Open by design
  • Founded by Wireshark co-creator
  • Contributed Falco to CNCF
  • Supported open-source sysdig (10M+ downloads)

Strong momentum
  • Customer expansion mirrors cloud-native adoption
  • Trusted by the largest enterprises

Ecosystem integration
  • Cloud-native security and monitoring
  • Provides visibility and control for secure operations

SLIDE 3

Scaling Production Expands DevOps Role

Secure DevOps converges security and observability functions to maximize application availability.

Observability functions
  • Monitor availability and performance
  • Manage capacity and cost
  • Troubleshoot issues

Security and compliance functions
  • Scan for vulnerabilities
  • Apply runtime policies
  • Triage security alerts
  • Speed up incident response and forensics

SLIDE 4

Secure DevOps Examples

"We want a report on all vulnerabilities and compliance violations in running containers in specific Kubernetes namespaces for audit purposes."
  Japanese ISP

"We need to improve our signals into SOC for detection, audit and hunting workflows for containers."
  Large US Bank

"We want to ensure images are free of vulnerabilities and meet best practices before pushing to production."
  Global Travel company

"As containers come and go, we need to discover in real time which service-to-service connections are anomalies."
  Major financial institution

SLIDE 5

Cloud native leaves you blind

  • Security and operations fail without context
  • Containers disappear and leave no trail

You can’t secure what you cannot see

SLIDE 6

Legacy and Point Solutions Do Not Work

Legacy tools
  • Not container native
  • No Kubernetes context
  • Not built for DevOps

Point solutions
  • Invasive instrumentation
  • Limited Kubernetes context
  • Lack scale and data depth

Cloud native requires specific, purpose-built tools

SLIDE 7

Sysdig Secure DevOps Platform

Converging visibility and security for production deployments: embed security, maximize availability, validate compliance

SLIDE 8

Sysdig Secure DevOps Platform: Unified Workflow Across the Cloud-Native Lifecycle (Build, Run, Respond)

Diagram labels: CI/CD Security; Registry Security; Apps, Context, Infrastructure (master node, node); Security Policies, Configuration, Vulnerabilities, Metrics, Events, Audit logs, Alerts, Syscall captures, Events; Alerts and Event Forwarding/Audit/IR to SIEM; delivered as SaaS or Self-hosted

SLIDE 9

Microservice-Oriented Instrumentation

Diagram labels (per Host): eBPF Program; Container 1 (Docker), Container 2 (Containerd), Container 3 (CRI-O); Sysdig Agent; Docker Host + Network Metrics; Prom + Statsd Metrics; Security Events; Data Collection; Security Enforcement

SLIDE 10

Use the Same Data to Monitor and Secure

Where did it occur? What was the problem? Why did it happen? (macro to micro)

Example: Investigate compliance violation
  • Incident: Privileged container is launched in Kubernetes that violates PCI article 10.2.5
  • Application context: Violation occurred in a PCI namespace

Example: Troubleshoot performance issue
  • Incident: CPU spike noticed in several nodes in K8s infrastructure
  • Application context: Spike occurred in a container within java-app namespace

Dig down with low-level syscall data (commands, file activity, network connections correlated with Kubernetes activity)

SLIDE 11

Sysdig Secure DevOps Platform

Embed security
  • Detect vulnerabilities and misconfigurations with a single workflow
  • Block threats without impacting performance
  • Conduct forensics even after the container is gone

Validate compliance
  • Verify CIS compliance during build
  • Use runtime policies to confirm compliance (NIST, PCI)
  • Accelerate audit by correlating all cloud-native activity

Maximize availability
  • Prevent issues by monitoring performance and capacity
  • Accelerate troubleshooting with a single source of truth
  • Scale Prometheus monitoring across clusters and clouds

SLIDE 12

Secure DevOps Across Cloud-Native Lifecycle

Unified platform for security and DevOps use cases (Build, Run, Respond)

  • Incident Response
  • Forensics
  • Audit
  • Runtime Security
  • Vulnerability Reporting
  • Troubleshooting
  • Infrastructure Monitoring
  • Application Monitoring
  • Image Scanning
  • Configuration Validation

Continuous Compliance (PCI, NIST, CIS, etc.)
SLIDE 13

Enterprise Companies Are Choosing Sysdig

Customer (nodes): reasons for choosing Sysdig
  • Top 5 Software Company (1,000+ nodes): K8s context; open-core; unique forensics and auditing capabilities; scale
  • Japanese ISP (10K+ nodes): K8s context; runtime detection; single platform; scale
  • Top 5 Public Cloud (1,000+ nodes): K8s-native; Prometheus integration; scale
  • Top 5 Investment Bank (100K+ nodes): automated context; data depth; MITRE runtime rules; scale
  • Top 10 US Bank (5,000+ nodes): automated context; data depth; MITRE runtime rules; audit; open-core; scale

SLIDE 14

Platform Built on an Open Foundation

  • Image scanning: vulnerability feeds
  • Monitoring: infrastructure and application metrics
  • Runtime security: detection policies and alerts
  • Forensics/Troubleshooting: deep visibility into container activity

Sysdig Secure DevOps Platform adds scale, workflow, K8s, and cloud context across Build, Run, Respond

SLIDE 15

Sysdig Monitor: Kubernetes Monitoring

Scale for production
  • Scale Prometheus monitoring across clusters and clouds
  • Analyze real time and historical application behavior
  • Automatically discover Cloud Native integrations

Speed up troubleshooting
  • Isolate problems with dynamic service topology
  • Resolve issues faster by correlating metrics and events
  • Accelerate troubleshooting with a single source of truth

Maximize availability
  • Prevent issues by optimizing performance and capacity
  • Isolate monitoring data, dashboards, alerts by roles
  • Auto detect incidents using Kubernetes events knowledge to avoid downtime

SLIDE 16

Sysdig Secure: Security for Kubernetes

Deploy securely
  • Single workflow for detecting vulnerabilities and misconfigurations in containers
  • Save time by flagging vulnerabilities and identifying owner
  • Validate PCI and NIST compliance pre-deployment

Validate compliance
  • Automatically remediate by triggering response actions and downstream notifications
  • Conduct forensics after the container is gone
  • Accelerate audit by correlating all cloud-native activity

Block threats at runtime
  • Prevent threats without impacting performance using K8s native controls
  • Strengthen security using automated policies
  • Extend Falco to save time creating and maintaining runtime policies

SLIDE 17

Sysdig Secure 3.0

Prevent
  • Save time by automatically generating Kubernetes policies
  • Enforce least privilege with Kubernetes Pod Security Policies
  • Stop threats at runtime using K8s controls without impacting performance

Respond
  • Reconstruct system activities including commands and network connections to speed incident response
  • Uncover malicious and misconfiguration issues by mapping activity to users or services
  • Comply with any SOC2, PCI, NIST audit

Optimize
  • Validate policies prior to deployment to avoid breaking applications
  • Generate fewer false positives by tuning Falco runtime policies

SLIDE 18

Prevent: K8s Policy Advisor

Generate: auto-generate policy from pod configuration
  • Automate policy creation to save time
  • Enforce least privilege using Pod Security Policies

Prevent: leverage K8s controls to handle enforcement
  • Strengthen security using PSP enforcement
  • Enable prevention without relying on security agents

Validate: validate policy prior to deployment
  • Avoid breaking applications
  • Tune policies to reduce false positives
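The Generate / Prevent / Validate flow on this slide, as an added example that is not Sysdig's code: a Python script that derives the tightest PodSecurityPolicy still admitting a set of observed pod specs (a privilege is allowed only if some observed pod needs it), then checks a candidate pod against that policy before deployment so enforcement cannot break the workloads it was generated from. The pod specs, namespace and policy name are constructed; the dict shapes mirror the Kubernetes Pod and PodSecurityPolicy (policy/v1beta1) objects, and the check is a simplified version of PSP admission (MustRunAsNonRoot is evaluated from runAsNonRoot only).

```python
"""Added example (not Sysdig's code): derive a least-privilege
PodSecurityPolicy from observed pod specs, then validate a candidate pod
against it before deployment. Constructed data; nothing talks to a cluster."""
from typing import Dict, Iterable, List

# Constructed pod specs standing in for the observed workloads (hypothetical).
OBSERVED_PODS = [
    {"metadata": {"name": "api", "namespace": "billing"},
     "spec": {
         "volumes": [{"name": "cfg", "configMap": {"name": "api-cfg"}},
                     {"name": "tmp", "emptyDir": {}}],
         "containers": [{"name": "api", "securityContext": {
             "runAsNonRoot": True, "readOnlyRootFilesystem": True,
             "allowPrivilegeEscalation": False,
             "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"name": "worker", "namespace": "billing"},
     "spec": {
         "securityContext": {"runAsNonRoot": True},  # pod-level default
         "volumes": [{"name": "scratch", "emptyDir": {}}],
         "containers": [{"name": "worker", "securityContext": {
             "readOnlyRootFilesystem": True,
             "allowPrivilegeEscalation": False,
             "capabilities": {"drop": ["ALL"]}}}]}},
]

# Constructed candidate pod someone wants to deploy into the same namespace.
CANDIDATE_POD = {
    "metadata": {"name": "debug", "namespace": "billing"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{"name": "debug", "securityContext": {"privileged": True}}]}}


def _containers(pod: Dict) -> List[Dict]:
    spec = pod["spec"]
    return spec.get("initContainers", []) + spec.get("containers", [])


def _non_root(container: Dict, pod_spec: Dict) -> bool:
    # The container-level securityContext overrides the pod-level one.
    sc = container.get("securityContext") or {}
    pod_sc = pod_spec.get("securityContext") or {}
    return bool(sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)))


def generate_psp(pods: Iterable[Dict], name: str) -> Dict:
    """Tightest PSP that still admits every observed pod."""
    needs = {"privileged": False, "allowPrivilegeEscalation": False,
             "hostNetwork": False, "hostPID": False, "hostIPC": False}
    ro_root = non_root = drop_all = True
    caps, vol_types = set(), set()
    for pod in pods:
        spec = pod["spec"]
        for flag in ("hostNetwork", "hostPID", "hostIPC"):
            needs[flag] |= bool(spec.get(flag, False))
        for vol in spec.get("volumes", []):
            vol_types.update(k for k in vol if k != "name")  # e.g. configMap, emptyDir
        for c in _containers(pod):
            sc = c.get("securityContext") or {}
            needs["privileged"] |= bool(sc.get("privileged", False))
            # Kubernetes defaults allowPrivilegeEscalation to true when unset.
            needs["allowPrivilegeEscalation"] |= bool(sc.get("allowPrivilegeEscalation", True))
            ro_root &= bool(sc.get("readOnlyRootFilesystem", False))
            non_root &= _non_root(c, spec)
            capabilities = sc.get("capabilities") or {}
            caps.update(capabilities.get("add", []))
            drop_all &= "ALL" in capabilities.get("drop", [])
    return {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
            "metadata": {"name": name},
            "spec": {**needs,
                     "readOnlyRootFilesystem": ro_root,
                     "runAsUser": {"rule": "MustRunAsNonRoot" if non_root else "RunAsAny"},
                     "seLinux": {"rule": "RunAsAny"},
                     "supplementalGroups": {"rule": "RunAsAny"},
                     "fsGroup": {"rule": "RunAsAny"},
                     "allowedCapabilities": sorted(caps),
                     "requiredDropCapabilities": ["ALL"] if drop_all else [],
                     "volumes": sorted(vol_types)}}


def validate_pod(pod: Dict, psp: Dict) -> List[str]:
    """Reasons PSP admission would reject the pod; an empty list means admitted."""
    p, spec = psp["spec"], pod["spec"]
    problems: List[str] = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag, False) and not p[flag]:
            problems.append(f"{flag} is not allowed")
    for vol in spec.get("volumes", []):
        for vtype in (k for k in vol if k != "name"):
            if vtype not in p["volumes"]:
                problems.append(f"volume '{vol['name']}': type {vtype} is not allowed")
    for c in _containers(pod):
        sc = c.get("securityContext") or {}
        name = c["name"]
        if sc.get("privileged", False) and not p["privileged"]:
            problems.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True) and not p["allowPrivilegeEscalation"]:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if p["readOnlyRootFilesystem"] and not sc.get("readOnlyRootFilesystem", False):
            problems.append(f"{name}: readOnlyRootFilesystem must be true")
        if p["runAsUser"]["rule"] == "MustRunAsNonRoot" and not _non_root(c, spec):
            problems.append(f"{name}: must run as non-root")
        capabilities = sc.get("capabilities") or {}
        for cap in capabilities.get("add", []):
            if cap not in p["allowedCapabilities"]:
                problems.append(f"{name}: capability {cap} is not allowed")
        if "ALL" in p["requiredDropCapabilities"] and "ALL" not in capabilities.get("drop", []):
            problems.append(f"{name}: must drop ALL capabilities")
    return problems


if __name__ == "__main__":
    policy = generate_psp(OBSERVED_PODS, "billing-restricted")
    print(policy["spec"])
    for pod in OBSERVED_PODS + [CANDIDATE_POD]:
        print(pod["metadata"]["name"], validate_pod(pod, policy) or "admitted")
```

Running it prints the generated policy spec, shows both observed pods admitted, and lists every reason the constructed privileged debug pod would be rejected. Tuning to reduce false positives then means widening a specific allow set (for example adding a volume type the application really needs) rather than switching enforcement off.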

SLIDE 19

Respond: Activity Audit

  • Capture system activity and make it searchable and indexable against kubectl activity
  • Easily filter through any user or service interaction across the K8s stack
  • Comply with SOC2, PCI, ISO, HIPAA, etc. audit

SLIDE 20

Activity Audit Examples

Enriched activity

Activity
  • User commands
  • Network connections
  • Kubectl activity

Context
  • K8s context (labels/metadata)
  • Container and cloud context

Example queries
  1. Show all outbound connections from my billing namespace to an unknown IP address
  2. Trace a “kubectl exec” user interaction and list all the command and network activity that happened inside the pod
  3. Show every tcpdump command execution that has happened in a host or K8s deployment
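The three example queries above, as an added example that is not Sysdig's code: a Python script that parses constructed enriched activity records (JSON lines, one per user command, network connection or kubectl action, each carrying hypothetical namespace, pod, deployment, host and user fields) and answers each query over them: connections from the billing namespace to destinations outside a constructed list of known networks, the commands and connections inside a pod correlated to a user's kubectl exec session by pod and time window, and every tcpdump execution matched on the executable's basename, optionally narrowed to a host or deployment.

```python
"""Added example (not Sysdig's code): the three activity-audit queries run
over constructed, enriched activity records. All names and addresses are
hypothetical."""
import ipaddress
import json
import os
import shlex
from datetime import datetime
from typing import Dict, List, Optional

# Constructed JSON-lines activity records, one event per line.
RAW_EVENTS = """
{"ts": "2020-03-01T10:00:00Z", "type": "kubectl", "verb": "exec", "user": "alice", "ns": "billing", "pod": "billing-api-7d9f", "deployment": "billing-api", "host": "node-1", "end_ts": "2020-03-01T10:03:00Z"}
{"ts": "2020-03-01T10:00:05Z", "type": "exec", "ns": "billing", "pod": "billing-api-7d9f", "deployment": "billing-api", "host": "node-1", "cmdline": "bash"}
{"ts": "2020-03-01T10:00:30Z", "type": "exec", "ns": "billing", "pod": "billing-api-7d9f", "deployment": "billing-api", "host": "node-1", "cmdline": "/usr/sbin/tcpdump -i eth0 -w /tmp/cap.pcap"}
{"ts": "2020-03-01T10:01:00Z", "type": "connect", "ns": "billing", "pod": "billing-api-7d9f", "deployment": "billing-api", "host": "node-1", "dst_ip": "203.0.113.42", "dst_port": 443}
{"ts": "2020-03-01T10:05:00Z", "type": "connect", "ns": "billing", "pod": "billing-db-0", "deployment": "billing-db", "host": "node-2", "dst_ip": "10.42.3.7", "dst_port": 5432}
{"ts": "2020-03-01T10:06:00Z", "type": "exec", "ns": "monitoring", "pod": "netprobe-x1", "deployment": "netprobe", "host": "node-2", "cmdline": "tcpdump -c 100 -i any"}
{"ts": "2020-03-01T10:07:00Z", "type": "connect", "ns": "shop", "pod": "web-1", "deployment": "web", "host": "node-1", "dst_ip": "198.51.100.9", "dst_port": 443}
"""

# Constructed: the cluster's pod/service range plus a known partner range.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("198.51.100.0/24")]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_events(raw: str) -> List[Dict]:
    """Parse JSON lines into event dicts with real timestamps, oldest first."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = _ts(ev["ts"])
        if "end_ts" in ev:
            ev["end_ts"] = _ts(ev["end_ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def outbound_to_unknown(events: List[Dict], namespace: str,
                        known_networks: List[ipaddress.IPv4Network]) -> List[Dict]:
    """Query 1: connections from a namespace to IPs outside every known network."""
    hits = []
    for ev in events:
        if ev["type"] != "connect" or ev["ns"] != namespace:
            continue
        ip = ipaddress.ip_address(ev["dst_ip"])
        if not any(ip in net for net in known_networks):
            hits.append(ev)
    return hits


def trace_kubectl_exec(events: List[Dict], user: str, pod: str) -> List[Dict]:
    """Query 2: commands and connections inside the pod while the user's
    kubectl exec session was open (correlated by pod and time window)."""
    session: Optional[Dict] = None
    for ev in events:
        if (ev["type"] == "kubectl" and ev["verb"] == "exec"
                and ev["user"] == user and ev["pod"] == pod):
            session = ev
            break
    if session is None:
        return []
    return [ev for ev in events
            if ev["type"] in ("exec", "connect") and ev["pod"] == pod
            and session["ts"] <= ev["ts"] <= session["end_ts"]]


def tcpdump_executions(events: List[Dict], host: Optional[str] = None,
                       deployment: Optional[str] = None) -> List[Dict]:
    """Query 3: every tcpdump execution, optionally narrowed to a host or
    deployment. Matching on the basename catches both absolute and bare paths."""
    hits = []
    for ev in events:
        if ev["type"] != "exec":
            continue
        argv = shlex.split(ev["cmdline"])
        if not argv or os.path.basename(argv[0]) != "tcpdump":
            continue
        if host is not None and ev["host"] != host:
            continue
        if deployment is not None and ev["deployment"] != deployment:
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for ev in outbound_to_unknown(evs, "billing", KNOWN_NETWORKS):
        print("unknown destination:", ev["pod"], "->", ev["dst_ip"], ev["dst_port"])
    for ev in trace_kubectl_exec(evs, "alice", "billing-api-7d9f"):
        print("in exec session:", ev["ts"].time(), ev["type"], ev.get("cmdline", ev.get("dst_ip")))
    for ev in tcpdump_executions(evs, host="node-2"):
        print("tcpdump on node-2:", ev["ns"], ev["pod"], ev["cmdline"])
```

The point of the enrichment is visible in the second query: without the namespace, pod and user fields attached to each syscall-level event, the bash and tcpdump commands and the outbound connection could not be tied back to a single operator's kubectl exec session after the pod is gone.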

SLIDE 21

Sysdig Secure DevOps Platform

Embed security, validate compliance, maximize availability: converge visibility and security to run cloud native in production

SLIDE 22

Dig deeper