The sixth annual
Sysdig 2023 Cloud-Native Security and Usage Report
Dig into this report to get real-world customer data and insights on cloud and container security and usage for environments. We looked at data from companies around the world, from a broad range of industries.
Based on data from billions of containers!
This year’s report has new data on cloud security, container vulnerabilities, and Kubernetes capacity planning. Read on to see how you stack up then download the full report for more insights!
Choose your interest:
container usage
Key findings:
Kubernetes Costs
Resource Usage
Container Lifespans
Kubernetes Costs
Resource Usage
Container Lifespans
CLOUD-NATIVE SECURITY
Key findings:
User permissions
Vulnerable images
Threat detection
User permissions
Vulnerable images
Threat detection
Container Usage
How much money are organizations wasting on Kubernetes? How many clusters are organizations operating? How much capacity does a cluster use?
We looked at a range of details about what organizations are doing with containers and Kubernetes. Here are three of the many details about container usage you can find in the report. Click the arrow to view the preview.
Kubernetes Spending
$10M
in wasted
spending
spending
Customers running over 1000 nodes could save over 10 million dollars per year on average.
MORE
CPU resources are the most costly part of a cloud instance. Organizations with around 150 Kubernetes nodes could be spending up to $980,000 per year more than they need to due to underutilized CPU resources. The biggest organizations with more than 1000 nodes could reduce their wasted spending up to $10,800,000 per year
Unused Resources
69%
unused CPU resources
On average, 69% of CPU cores in Kubernetes clusters were unused.
MORE
Of those clusters that had CPU limits defined, an average of 69% of CPU cores were unused. Without knowing the utilization of their clusters, organizations could be wasting money due to overallocation. Organizations need active utilization and cost monitoring in order to optimize Kubernetes costs.
Container Lifespan
72%
of containers live fewer than five minutes
Containers are increasingly short lived with 72% of them living fewer than five minutes.
MORE
The ephemeral nature of containers remains one of the technology’s unique advantages, in that things are designed to change as needed. However, it also presents issues to consider for monitoring, security, and compliance because many monitoring and security tools can’t report on entities that no longer exist.
Best Practices to Optimize Costs and Improve Reliability
Rightsize requests and focus on efficiency
1
Start utilizing robust cost monitoring tools that can identify cloud cost overruns automatically to avoid overspending and increase awareness across the organization.
2
Consider costs in relation to utilization in order to make confident rightsizing decisions that don’t impact performance.
3
Because containers are so short-lived, organizations should pay close attention to solving errors like crashloopbackoff that can affect both workload performance and resource utilization.
Cloud-Native Security
How many images are running with vulnerabilities? How many granted permissions are unused? What are organizations doing to detect security threats?
We looked at a range of details regarding cloud security risks. Here are three of the many details about cloud-native security you can find in the report. Click the arrow to view the preview.
Vulnerable images
87%
of images have a critical or high vulnerability
Organizations are struggling to prioritize and fix running vulnerabilities.
MORE
A shocking 87% of images running in production include a high or critical severity vulnerability, up from the 75% we reported last year, and 71% of image vulnerabilities have an unapplied fix. Over the past year, high-profile vulnerabilities and exploits and increased cybersecurity guidance from government organizations have caused many security teams to heighten their focus on application security testing. However, there is little evidence of real progress in addressing this risk.
User permissions
90%
of accounts have excessive permissions
Non-admin users only utilized 10% of granted permissions over a 90-day window.
MORE
Misconfigurations are still the biggest player in security incidents and should be a top concern in organizations. DevOps teams tend to grant more permissions than needed so functionality works as expected and security is in the background. Enforcing least privilege will help reduce attack opportunities.
Threat Detection
Organizations are proactively testing and assessing their security posture
Unpatched vulnerabilities and excess permissions reinforce the need for continuous threat detection and monitoring.
MORE
By analyzing Falco rules against the MITRE ATT&CK® Framework, we saw rules labeled for privilege escalation and defense evasion are most often triggered. We determined most events were attributed to customers using proactive threat analysis to implement security guardrails, rather than malicious attacks.
While our customers’ detection alerts indicate they are focused on defending against defense evasion and privilege escalation tactics, we also see poor security practices driving up alerts.
While our customers’ detection alerts indicate they are focused on defending against defense evasion and privilege escalation tactics, we also see poor security practices driving up alerts.
Best Practices to Focus on What Truly Matters
Reduce granted permissions and prioritize runtime vulnerabilities.
1
Minimize supply chain risk and save time by prioritizing the endless list of vulnerabilities. Put vulnerabilities that are in use at runtime at the top of your list, and also tackle image bloat.
2
Put in the extra effort to manage permissions. Only grant permissions that are needed and remove both permissions and users not being used to reduce an attacker’s options for initial access, credential access, and privilege escalation.
3
Privilege escalation, defense evasion, and persistence tactics are priorities for our customers. To stay ahead of the quickly evolving threat landscape, we suggest regularly tuning your detection rules based upon threat intelligence and your own actions that may cause false positive alerts.
