Secure Google Cloud with Sysdig’s CNAPP Powered By Runtime Insights

By Eric Carter - JUNE 28, 2023


Google Cloud is helping businesses build and deploy apps faster than ever before, but at the same time, cloud teams must consider how to implement secure DevOps practices to avoid risk. We’re partnering with Google Cloud to give cloud teams security solutions that simplify safeguarding cloud services and containers.

Video: Securing Google Cloud Platform with Sysdig

Back in September 2021, we announced our expanded collaboration with Google Cloud. In the last two years, we’ve introduced a number of new cloud security and compliance controls, as well as our software-as-a-service (SaaS) platform that runs on Google Cloud. This article will provide details on how you can take advantage of Sysdig capabilities to tackle the challenges of security for containers, Kubernetes, and cloud services on Google Cloud.

Cloud Security Powered By Runtime Insights

Sysdig provides real-time cloud-native security for Google Cloud Run, Google Cloud Build, GCR, GKE, Autopilot, and Anthos, and integrates with Google Chronicle and Security Command Center, to help customers modernize their workloads on Google Cloud. Powered by Runtime Insights, Sysdig’s Cloud Native Application Protection Platform (CNAPP) stops threats in real time, reduces the vulnerabilities you need to act on by up to 95%, and helps you prioritize and remediate security posture risks.

Preparing for cloud and container threats

Protecting your cloud infrastructure and workloads from mishaps and attacks is not a one-size-fits-all proposition. There is a wide range of tactics and techniques employed today by threat actors. Beyond malicious activity, you can also face risk from the actions of well-meaning employees who simply aren’t aware of the best practices they should follow.

Your best defence is to ensure you’ve buttoned down your detection and security practices from development through production. By working with Google Cloud, Sysdig is helping security teams, incident response teams, compliance professionals, and DevOps teams follow cloud security best practices to meet their organizational goals.

Unifying configuration management and threat detection for Google Cloud and containers

Threat detection for Google Cloud requires visibility into all of your cloud services, GKE, Anthos, containers and more. There is a lot to secure! App delivery requires a number of elements, including hosts, virtual machines, containers, clusters, stored information, and input/output data streams. How can you ensure you are properly securing it all?

The good news is that, under the shared responsibility model, Google Cloud takes responsibility for the security and maintenance of the underlying infrastructure and the cloud services themselves. This goes a long way to ensuring you can operate confidently in the cloud. However, the reality is that you, as the customer, remain responsible for what you configure and run on top of it: IAM policies, network and firewall rules, workload images, and the data you store.

By pairing the Sysdig cloud security capabilities announced today with our container security features, you’ll be able to more effectively follow security best practices for your Google Cloud accounts, apps, and services.

Cloud security posture management and compliance

To help you keep up with your use of Google Cloud services, Sysdig Secure allows you to perform static configuration analysis of your cloud infrastructure based on benchmarks like CIS. This helps you see where things are misconfigured. Plus, we provide guided remediation steps within the user interface to help you take action to achieve compliance.

CIS Critical Security Controls Checks

By checking the configuration of your environment, you will know whether your IAM policies follow least privilege, see which cloud storage buckets in your account are exposed to the public, and understand things like which VPC firewall rules allow ingress traffic from the internet.
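The two checks just named (public buckets and internet-open ingress rules) can be expressed as simple static analysis over exported configuration. The following is an added example written for this article, not Sysdig's own posture engine. It assumes input in the JSON shapes returned by `gcloud storage buckets get-iam-policy --format=json` and `gcloud compute firewall-rules list --format=json`; the bucket names, rule names, and principals in the sample data are constructed and hypothetical.

```python
"""Static posture checks over exported Google Cloud configuration.

Added example, not Sysdig code. Inputs follow the JSON shapes of
`gcloud storage buckets get-iam-policy` and `gcloud compute firewall-rules list`;
all names and principals below are constructed for the example.
"""

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
ANY_IPV4 = "0.0.0.0/0"


def public_bucket_bindings(bucket_name, iam_policy):
    """Return (bucket, role, member) for every role granted to a public principal."""
    findings = []
    for binding in iam_policy.get("bindings", []):
        for member in sorted(PUBLIC_MEMBERS.intersection(binding.get("members", []))):
            findings.append((bucket_name, binding["role"], member))
    return findings


def open_ingress_rules(firewall_rules):
    """Return (rule, protocol, ports) for enabled INGRESS rules reachable from the internet."""
    findings = []
    for rule in firewall_rules:
        # A rule with no explicit direction is INGRESS; disabled rules do not apply.
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
            continue
        if ANY_IPV4 not in rule.get("sourceRanges", []):
            continue
        for allowed in rule.get("allowed", []):
            ports = ",".join(allowed.get("ports", [])) or "all"
            findings.append((rule["name"], allowed["IPProtocol"], ports))
    return findings


# Constructed sample data (hypothetical bucket names, principals and rules).
BUCKET_POLICIES = {
    "public-assets": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:alice@example.com"]},
    ]},
    "customer-exports": {"bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:etl@demo-proj.iam.gserviceaccount.com"]},
    ]},
}

FIREWALL_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal", "direction": "INGRESS", "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "legacy-open-rdp", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}], "disabled": True},
    {"name": "deny-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]


def posture_report(bucket_policies=BUCKET_POLICIES, firewall_rules=FIREWALL_RULES):
    """Run both checks and return the findings as a flat list of strings."""
    report = []
    for bucket, policy in bucket_policies.items():
        for _, role, member in public_bucket_bindings(bucket, policy):
            report.append(f"PUBLIC BUCKET gs://{bucket}: {member} has {role}")
    for name, proto, ports in open_ingress_rules(firewall_rules):
        report.append(f"OPEN INGRESS {name}: {proto}/{ports} from {ANY_IPV4}")
    return report


if __name__ == "__main__":
    for line in posture_report():
        print(line)
```

The disabled RDP rule and the EGRESS rule are deliberately in the sample set: a check that keys only on `sourceRanges` would flag the first and crash on the second, which is why the direction and `disabled` fields are tested before the ranges.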

Cloud threat detection using Cloud Audit Logs

As your use of Google Cloud services grows, the amount of activity can reach a point where manual analysis isn’t manageable. Failure to react to a threat in a short time can have major consequences.

Cloud Audit Logs provide an always-on audit trail for Google Cloud. Admin Activity audit logs record administrative changes and are always written; Data Access audit logs record user access to your cloud data and, with the exception of BigQuery, must be explicitly enabled for each service, so check that they are turned on before relying on detections that depend on them. Sysdig performs threat detection for Google Cloud by analyzing this log data against a rich set of security rules based on open source Falco. This provides real-time analysis of activity so you can respond to threats faster.

Sysdig provides out-of-the-box rules to help you secure your environment. This includes, for example, the following detections:

  • Command Executed on Unused Region
  • Operation by a Non-Corporate Account
  • Invitation Sent to Non-Corporate Account
  • Super Admin Executing Command
  • Suspected Disable of OS Login in a VM Instance
  • Shield Disabled for a VM Instance
  • Create or Delete Bucket
  • Create Cloud Function Not Using Latest Runtime
  • Create or Patch DNS Zone without DNSSEC
  • Disable the Requirement for All Incoming Connections to Use SSL for a Cloud SQL Instance
  • Disable Automatic Backups for a Cloud SQL Instance
  • Disable Subnet Flow Logs
  • Update, Disable, or Delete Sink
  • Enable Project-wide SSH keys for a VM Instance
  • Enable Connecting to Serial Ports for a VM Instance
  • Monitoring Alert Deleted
Real-Time Google Cloud Activity
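To make the detections in the list above concrete, here is an added example of rule-based detection over Cloud Audit Log entries, written for this article; it is not Sysdig's or Falco's implementation. It assumes the standard LogEntry shape (`protoPayload.serviceName`, `methodName`, `authenticationInfo.principalEmail`, `request`, and `resource.labels`), and the corporate domains, expected regions, project, principals, and resource names in it are constructed assumptions.

```python
"""Rule-based detection over Google Cloud Audit Log entries.

Added example, not Sysdig or Falco code. Entries follow the Cloud Audit Logs
LogEntry shape; project, principals and resource names are constructed.
"""

# Assumptions for this example: the identity domains your users belong to
# and the regions you actually deploy into.
CORPORATE_DOMAINS = {"example.com"}
EXPECTED_REGIONS = {"us-central1", "europe-west1"}


def _payload(entry):
    return entry.get("protoPayload", {})


def _method(entry):
    return _payload(entry).get("methodName", "")


def _principal(entry):
    return _payload(entry).get("authenticationInfo", {}).get("principalEmail", "")


def _region(entry):
    # GCE entries carry resource.labels.zone (e.g. "asia-east1-b"); most others
    # carry resource.labels.location. Reduce both to a region name.
    labels = entry.get("resource", {}).get("labels", {})
    loc = labels.get("location") or labels.get("zone") or ""
    parts = loc.split("-")
    return "-".join(parts[:2]) if len(parts) >= 2 else loc


def _metadata_items(entry):
    # compute.instances.setMetadata requests carry metadata.items key/value pairs.
    items = _payload(entry).get("request", {}).get("metadata", {}).get("items", [])
    return {i.get("key", ""): str(i.get("value", "")).lower() for i in items}


def _is_set_metadata(entry):
    return _method(entry).endswith("compute.instances.setMetadata")


def non_corporate_account(e):
    p = _principal(e)
    return bool(p) and not p.endswith(".gserviceaccount.com") \
        and p.rpartition("@")[2] not in CORPORATE_DOMAINS


def unused_region(e):
    r = _region(e)
    return bool(r) and r not in EXPECTED_REGIONS


def bucket_create_or_delete(e):
    return _method(e) in {"storage.buckets.create", "storage.buckets.delete"}


def sink_update_or_delete(e):
    return _payload(e).get("serviceName") == "logging.googleapis.com" \
        and _method(e).endswith(("UpdateSink", "DeleteSink"))


def os_login_disabled(e):
    return _is_set_metadata(e) and _metadata_items(e).get("enable-oslogin") == "false"


def project_ssh_keys_enabled(e):
    return _is_set_metadata(e) and _metadata_items(e).get("block-project-ssh-keys") == "false"


def serial_port_enabled(e):
    return _is_set_metadata(e) and _metadata_items(e).get("serial-port-enable") in {"1", "true"}


RULES = [
    ("Operation by a Non-Corporate Account", non_corporate_account),
    ("Command Executed on Unused Region", unused_region),
    ("Create or Delete Bucket", bucket_create_or_delete),
    ("Update, Disable, or Delete Sink", sink_update_or_delete),
    ("Suspected Disable of OS Login in a VM Instance", os_login_disabled),
    ("Enable Project-wide SSH keys for a VM Instance", project_ssh_keys_enabled),
    ("Enable Connecting to Serial Ports for a VM Instance", serial_port_enabled),
]


def detect(entries):
    """Return (rule, methodName, principal) for every rule each entry matches."""
    return [(name, _method(e), _principal(e))
            for e in entries for name, pred in RULES if pred(e)]


# Constructed sample entries (hypothetical project, principals and resources).
SAMPLE_ENTRIES = [
    {"protoPayload": {"serviceName": "logging.googleapis.com",
                      "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
                      "authenticationInfo": {"principalEmail": "mallory@gmail.com"},
                      "resourceName": "projects/demo-proj/sinks/siem-export"},
     "resource": {"type": "logging_sink", "labels": {"project_id": "demo-proj"}}},
    {"protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.setMetadata",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "request": {"metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}}},
     "resource": {"type": "gce_instance", "labels": {"zone": "asia-east1-b"}}},
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.buckets.create",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}},
     "resource": {"type": "gcs_bucket", "labels": {"location": "us-central1"}}},
    {"protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.buckets.get",
                      "authenticationInfo": {"principalEmail": "deploy@demo-proj.iam.gserviceaccount.com"}},
     "resource": {"type": "gcs_bucket", "labels": {"location": "us-central1"}}},
]

if __name__ == "__main__":
    for rule, method, who in detect(SAMPLE_ENTRIES):
        print(f"{rule}: {method} by {who}")
```

Two points worth noting from the sample: the sink deletion by an external Gmail account trips two rules at once (the kind of stacking that should raise priority, since deleting a log sink is a classic defence-evasion step), and the OS Login change is caught by inspecting the `request` body rather than the method name alone, because `setMetadata` is also used for entirely benign changes.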

Enabling advanced threat hunting with Google Cloud’s Chronicle

Sysdig supports sending different types of security data to third-party SIEM platforms and logging tools. We’ve previously extended this capability to deliver events to Google Cloud’s security and risk management platform, Security Command Center. Now, you also can leverage this event forwarding capability to send Sysdig-detected security events directly to Google Cloud’s Chronicle security analytics platform.

The Chronicle cloud service enables you to privately retain, analyze, and search massive amounts of security and network telemetry data. Chronicle normalizes, indexes, correlates, and analyzes data to provide instant analysis and context on risky activity.

With this integration, you can extend Chronicle’s capabilities with the unique data available from Sysdig. This includes Kubernetes security, container, and process-level events. Incorporating this event information helps you perform advanced threat hunting and security analytics to reduce mean time to detect (MTTD) and accelerate response for your cloud-native workloads.

Sysdig event forwarding to Google Cloud's Chronicle

Sysdig SaaS on Google Cloud

To meet the demands of dynamic cloud-native environments, visibility and security solutions are increasingly moving to the cloud. Cloud-based software-as-a-service (SaaS) enables enterprises to break free from hardware dependency and instantiate services wherever required. Now that Sysdig SaaS is available on Google Cloud, customers who prefer Google Cloud can get started quickly and grow without worrying about backend data management.

Sysdig SaaS has many benefits:

  • Fast startup: Get up and running in minutes and plug into your DevOps tools (e.g., embed scanning in CI/CD pipelines).
  • Easy-to-scale: Monitor and secure a few images or cloud services, and scale up as your footprint grows without worrying about backend data management.
  • No infrastructure costs: Avoid buying in-house hardware and perpetual software licenses just to run security and monitoring.
  • Simple maintenance: Remove the overhead of maintenance and support. Sysdig handles rollouts of new SaaS feature updates and patches without disruption.

With this launch, the Sysdig Secure DevOps Platform is also now available on Google Cloud Marketplace. This means you can purchase and get started right from Google Cloud.

Free Trial for Google Cloud Security

There is a free Sysdig trial available for Google Cloud that you can use to start managing your cloud security at no cost. You can get the free tier from the Google Cloud Marketplace, or start directly from the Sysdig free trial page.


We’re excited to partner with Google Cloud in helping our joint users more effectively secure their cloud services and containers.

The new cloud security capabilities highlighted here build on our previous work to enable visibility, security, and compliance for Google Cloud container services. This includes image scanning, runtime security, compliance, and forensics for GKE, Anthos, Cloud Run, Cloud Build, Google Container Registry, and Artifact Registry.

Having a single view across cloud, workloads, and containers will help you speed the time it takes to detect and respond to attacks. For a deeper look at best practices for Google Cloud security, check out the blog GCP Security Best Practices to Adopt in Production.
