Welcome to our December edition of the “What’s New in Sysdig” blog series. We decided to do a year in review for this monthly recap as we wanted to focus on a few key highlights the company went through the past 12 months. As we look at the past year, the landscape of cloud security has seen its challenges and evolution. More and more enterprises are becoming more cloud-mature and taking advantage of more cloud-native services, which in turn puts a strain on different lines of business to manage, maintain and secure the entire cloud environment. Not only have enterprises leveraged more cloud-native functions, so have attackers. Attacks in the cloud are different and what many realized in 2023 is that traditional security tools aren’t enough to harden/prevent and detect/respond. As we dive into the year in review for Sysdig and cloud security, we will focus on some pivotal moments like:
- Key insights made by our threat research team about the speed of attacks in the cloud
- A new cloud security benchmark that highlights the need for immediate security in the cloud
- The importance Cloud Detection and Response can play in bridging the gap between security and dev
- Combining the ability to prevent and harden in the cloud with real-time detection and response
In the Cloud, you have 10 Minutes from Recon to Attack
In August, the Sysdig Threat Research Team released the 2023 Global Cloud Threat Report which sheds light on an alarming truth: Attacks in the cloud are lightning-fast, with minutes determining the line between detection and severe damage. It’s clear that cloud attackers are taking advantage of the same things that lure companies to the cloud. While defenders need to protect their entire software lifecycle, attackers only have to be right one time, and automation is making it even easier for them.
- Cloud automation weaponized. Cloud attacks happen fast. Recon and discovery are even faster. Automating these techniques allows an attacker to act immediately upon finding a gap in the target system. A recon alert is the first indication that something is awry; a discovery alert means that the blue team is too late.
- 10 minutes to pain. Cloud attackers are quick and opportunistic, spending only 10 minutes to initiate an attack. According to Mandiant, the median dwell time on premise is 16 days, underlining the speed of the cloud.
- A 90% safe supply chain isn’t safe enough. 10% of advanced supply chain threats are invisible to standard tools. Evasive techniques enable attackers to hide malicious code until the image is deployed. Identifying this type of malware requires runtime analysis.
- 65% of cloud attacks target telcos and fintech. Telecommunication and finance companies are ripe with valuable information and offer an opportunity to make quick money. Both industries are attractive targets for fraud schemes.
Sysdig Debuts New Benchmark for Cloud Detection and Response
The 5/5/5 Benchmark for Cloud Detection and Response is a new framework that outlines how quickly organizations should detect, triage, and respond to attacks in the cloud. Operating securely in the cloud requires a mindset shift in regard to time, and with that, cloud security programs need to hold themselves to a modernized benchmark: five seconds to detect, five minutes to correlate insights and understand what’s happening, and five additional minutes to respond.
Cloud attacks are swift and sophisticated, requiring robust threat detection and response programs that move at the speed of the cloud. On-premise attacks take 16 days on average and antiquated frameworks challenge security teams to respond to a breach within 60 minutes, which is simply insufficient for the cloud. Bad actors are exploiting the automation and scale of the cloud, along with new techniques, to accelerate all stages of an attack and inflict damage within minutes. The 5/5/5 Benchmark guides organizations to detect and respond to cloud attacks faster than adversaries can complete them.
- Detect threats within five seconds. Organizations should be able to gather detection signals from their cloud security tools in real time to ensure visibility into ephemeral assets.
- Correlate and triage within five minutes. Teams should be able to gather full context for all correlated signals within five minutes of receiving the first relevant alert.
- Initiate a response within five minutes. Organizations should be able to initiate a tactical response within five minutes of confirming that an attack is in progress.
There’s No CNAPP, Without CDR
In June, Sysdig became the first vendor to deliver the consolidation of Cloud Detection and Response (CDR) and Cloud-Native Application Protection Platform (CNAPP). This approach enables Sysdig to detect threats instantly anywhere in the cloud with 360-degree visibility and correlation across workloads, identities, cloud services, and third-party applications.
As we tee’d up the challenges enterprises faced in 2023, it’s no surprise that as organizations build out their cloud environments, they face sprawl, with hundreds of unchecked and potentially vulnerable applications, services, and identities. Most cloud security tools are slow to identify suspicious behavior, and once alerted organizations can spend hours, if not days, combing through snapshots trying to piecemeal together what happened. It is a best-case scenario for bad actors, giving them hours or even days to inflict maximum damage – and the organization might never know what happened. Below are key features that were released in June to help embed CDR in our overall CNAPP offering.
Stop Breaches Instantly with End-to-End Threat Detection
- Agentless cloud detection based on Falco: Created by Sysdig, Falco is a widely adopted open source solution for cloud threat detection, now under the stewardship of the Cloud Native Computing Foundation. Previously, to leverage the power of Falco within Sysdig, organizations had to deploy Falco on their infrastructure. With this release, customers can access an agentless deployment of Falco when processing cloud logs, which are used to detect threats across cloud, identity, and the software supply chain, along with other sources.
- Identity threat detection: With new Sysdig Okta detections, security teams can protect against identity attacks, such as multi factor authentication fatigue caused by spamming and account takeover. Sysdig details the entire attack from user to impact by stitching Okta events with real-time cloud and container activity.
- Software supply chain detection: Extend threat detection into the software supply chain with new Sysdig GitHub detections. Developers and security teams can be alerted in real time of critical events, such as when a secret is pushed into a repository.
- Enhanced Drift Control: Prevent common runtime attacks by dynamically blocking executables that were not in the original container.
Accelerate Cloud Investigations and Incident Response in Real Time
- Live mapping: Sysdig brings an endpoint detection and response (EDR)-like approach of assembling all relevant real-time events into one view when a breach occurs. With Kubernetes Live, teams can dynamically see their live infrastructure and workloads, as well as the relationships between them, to speed incident response.
- Attack lineage with context: Sysdig Process Tree enables the rapid identification and eradication of threats by unveiling the attack journey from user to process, including process lineage, container and host information, malicious user details, and impact.
- Curated threat dashboards: Dashboards provide a centralized view of critical security issues, spotlighting events across clouds, containers, Kubernetes, and hosts to enable threat prioritization in real time. Sysdig also provides dynamic mapping against the MITRE framework for cloud-native environments, so security teams know exactly what is happening at any given moment.
Sysdig Adds Real-Time Cloud Attack Graph
In September, Sysdig launched a new Cloud Attack Graph which provides real-time attack path analysis and live risk prioritization. In the cloud, every second counts. Environments have grown more complex, and attacks happen at warp speed. Whereas on-premise attacks are measured in weeks, cloud attacks can happen in mere minutes. Attackers exploit the complexity and automation of the cloud to move laterally, elevate privileges, and maximize blast radiuses. Knowing what’s happening in the moment, customers can make better-informed decisions from prevention to defense. Some of the key features that allow organizations to combine hardening and prevention with detection and response are:
New Capabilities Focused on What Matters Now
Cloud Attack Graph functions as the neural center of the Sysdig CNAPP, applying multidomain correlation across assets, users, activity, and risk to identify threats in real time. By layering on instant detections, in-use vulnerabilities, and in-use permissions, Sysdig connects the dots across environments so customers can diffuse threats before they escalate.
Risk Prioritization is a stack-ranked list of risks to help prioritize the order in which they should be addressed across an entire cloud-native environment. The list is uniquely generated from runtime insights, layered with real-time detection of events, vulnerabilities tied to in-use packages, and in-use permissions to draw attention to the most imminent attacks happening at any given moment.
Attack Path Analysis is a visual representation of the exploitable dependencies across resources, which can help reveal potential attack paths. Unlike other solutions, Sysdig layers on real-time detections to reveal active attack behavior such as lateral movement, helping stop attackers in their tracks.
Inventory, powered by runtime insights, is a complete, searchable list of all of the resources in a cloud environment across users, workloads, hosts, and infrastructure-as-code. Dynamic filtering provides immediate access to the most relevant information across cloud environments for use in various ways.
Complete Agentless Scanning rounds out Sysdig’s agent and agentless solution. Sysdig has expanded agentless capabilities to include host scanning, extending its existing agentless scanning for misconfigurations and threat detection.
Farewell to 2023
As we close out the year and look back at the journey, it’s evident that the past year has been a pivotal chapter in the ongoing journey that is cloud security. From grappling with the increase in cloud maturity and the use of more cloud native services to the global shift toward remote work to organizations leaning in on innovation first and foremost and to the increase of sophistication of cloud attacks, the evolution of cloud security has been steady. As we step into next year, that pace will only quicken and it’s important to remember that in the cloud, every second counts.