Today, we are excited to announce the launch of Sysdig Secure 2.4! With this release, Sysdig adds runtime profiling to enhance anomaly detection and introduces brand new interfaces that improve runtime security policy creation and vulnerability reporting. These features are focused on upgrading the experience of creating your security policy to detect security threats and attacks to your infrastructure and apps. Back in April, we announced the industry’s first unified Cloud-Native Visibility and Security Platform, which provides both monitoring (via Sysdig Monitor) and security (via Sysdig Secure) at massive enterprise scale, across both multi and hybrid cloud environments. Alright, let’s dig deeper into Sysdig Secure 2.4, which focuses on runtime detection and vulnerability management!
Sysdig Secure 2.4 released! Focuses on #Kubernetes #security with runtime profiling + Falco library and rule builderClick to tweet
I. Runtime profilingSysdig’s approach to runtime defense in large-scale environments is to automatically model runtime behavior by analyzing the activity inside the containers. Analyzing syscalls, traversing the kernel leveraging eBPF technology and enriching them with various metadata including Kubernetes and Cloud provider labels, allows Sysdig to create a truly comprehensive container runtime profile. This reduces the effort required to manually create and update profiles. Sysdig uses its syscall-level understanding to gain deep insights into container runtime behavior such as:
- Spawned process – which process and binaries are running?
- Network traffic – what TCP/UDP ports does this application communicate on?
- File system activity – what files are being read? And written?
- System calls – what system calls are executed?
II. Falco Rule BuilderOur goal with this release is to** ease the burden on security teams to create their container security policy**. In addition to auto generating runtime profiles, creating, editing and managing your Kubernetes security policy is now much easier.
Create and customize advanced security policiesSysdig Secure also provides the simplicity and flexibility to create custom runtime rules based on open-source Falco. The new security policies contain a mix and match of runtime profiles, UI built rules and advanced Falco rules. Sysdig Secure has developed a new interface called *Falco Rule Builder *that lets you visually interact with the Falco engine under the hood and create powerful rules via a flexible UI. Runtime rules can be scoped and filtered to any aspect of your environment (such as a particular Kubernetes namespace, deployment, pod, etc.) and managed at scale across multiple clusters, cloud providers and data centers. Users can also create new policies without needing to know in-depth Falco expressions and filtering commands. Although Sysdig Secure focuses on containers, these custom rules can be applied to bare metal and virtual instance hosts as well.
Leveraging community and framework-driven policies via Rules LibraryTaking it a step further, users can easily leverage existing security compliance frameworks such as MITRE ATT&CK, and utilize container runtime security rules that adhere to eight key MITRE categories. Now, they can be easily implemented via the Rules Library to be part of the container security profile. Because of the open source contribution, a wide variety of community sourced rules are available to enhance the rules repository and allow other users to benefit from a community-driven security approach. For example, FIM rules can be easily leveraged via the Rules Library in the Sysdig Secure platform. Security ops teams can apply these community or framework driven policies from the Rules Library and have more assurance in their container runtime security posture. Read more about the new Sysdig Secure policy editor.
III. Sysdig Secure vulnerability reportingSysdig Secure now provides a unified console for easy vulnerability management including reporting and advanced querying. Sysdig connects the dots between your image scanning vulnerabilities database and what’s currently running on your platform so each person can focus on the relevant information for them and build complex queries to understand what was the status at any point in time. Let’s illustrate this with an example, imagine a query like: Show me all the vulnerabilities in prod namespace where the severity is greater than high, the CVE > 30 days old, and a fix is available. This question is now easily answered with Sysdig. With the new vulnerability reporting capabilities, DevOps and security teams can easily query across a catalog of images, packages, CVEs, as well as check for advanced conditions like CVE age, fix available, software version etc. Finally, these reports can be downloaded and shared (PDF/CSV) with vulnerability management teams, CISO’s, etc.
New advanced alert configurationWe also added a new advanced alert configuration to notify changes in images, policies or CVE exposures via Slack, PagerDuty, email, etc. This is important because your vulnerability management teams can be alerted if:
- A new image tag is pushed to a registry
- A specific policy change was triggered (pass or fail)
- A change in CVE information for a specific image (example nginx:latest)
Improved scan results UIThis feature** **provides the ability to view a summary of all policies an image was evaluated against, understand what exactly failed (and passed), any vulnerabilities including specific OS and non-OS package checks, and image contents. With the new scan results UI teams have:
- Interactive and sortable scan results, including filtering by CVE’s (critical, high, medium, etc).
- An understanding of how an image has performed against the different audit policies that have been put in place.