“What’s New in Sysdig” is back with the November 2023 edition! My name is Dimitris Vassilopoulos, based in London, United Kingdom, and I’m excited to share our latest feature releases with you!
Building on the positive momentum generated by the array of features unveiled in October as part of our industry-leading Cloud-Native Application Protection Platform (CNAPP), Sysdig released the 5/5/5 Benchmark for Cloud Detection and Response at SANS CyberFest 2023, a new framework that outlines how quickly organizations should detect, triage, and respond to attacks in the cloud.
Operating securely in the cloud requires a mindset shift in regard to time, and with that, cloud security programs need to hold themselves to a modernized benchmark:
- Five seconds to detect
- Five minutes to correlate insights and understand what’s happening
- Five additional minutes to respond
Download the 5/5/5 Benchmark for Cloud Detection and Response.
Stay tuned for more updates from Sysdig, and let’s get started!
Sysdig Secure
Improved Home Page
Sysdig is pleased to announce a new and improved Home page! The Home page offers a clean, visual representation of the most important issues in your environment and a curated list of the top tasks required. The default tab Home encompasses the Dashboards, and the other tab contains Recommendations.
For the Home page dashboards to display data, you must have completed basic onboarding and at least one data source must be connected. Otherwise, the page will provide prompts for completing those setup tasks.
What is displayed in Dashboards is dependent on what has been installed. To learn more, read the docs.
Star Favorite Compliance Views
You can now select specific Policy + Zone combinations you want to see tracked on the Home page. Details are in the Compliance documentation.
Supported Web Browsers
Sysdig supports, tests, and verifies the latest versions of Chrome and Firefox. Other browsers may also work but are not tested in the same way.
Sysdig Monitor
Supported Web Browsers
The latest versions of Chrome and Firefox are tested, verified, and supported for Sysdig Monitor as well as Secure. However, note that other browsers may also work but are not tested with the same rigor.
Sysdig Serverless Agent
4.3.0 Hotfix Nov. 08, 2023
This hotfix updated the CloudFormation template, orchestrator-agent.yaml, to include default values for autoscaling. When autoscaling is disabled, the autoscaling parameters now default to 0.
For Installation and Upgrade steps, see AWS Fargate Serverless Agents.
SDK, CLI, and Tools
Sysdig CLI
v0.8.2 is still the current release. The instructions on how to use the tool and the release notes from previous versions are available at the following link:
https://sysdiglabs.github.io/sysdig-platform-cli/
Python SDK
The Python SDK remains at v0.17.1.
Terraform Provider
We have just released the 1.18.0 version of Terraform provider. This release includes the following features:
- Pass provider alias to cloud account creation call
- Remove quotes for boolean values
- Implement cloud account creation for Azure
- Enable acceptance test for Secure cloud account
https://docs.sysdig.com/en/docs/developer-tools/terraform-provider
Terraform Modules
- AWS Sysdig Secure for Cloud remains unchanged at v10.0.9
- GCP Sysdig Secure for Cloud remains unchanged at v0.9.10
- Azure Sysdig Secure for Cloud remains unchanged at v0.9.7
Falco VSCode Extension
v0.1.0 is still the latest release.
https://github.com/sysdiglabs/vscode-falco/releases/tag/v0.1.0
Sysdig Cloud Connector
New Cloud Connector changes to (v0.16.55) under helm chart 0.8.6.
Admission Controller
New Admission Controller release (3.9.35) under helm chart 0.14.14.
Sysdig CLI Scanner
Sysdig CLI Scanner latest version is v1.6.1.
https://docs.sysdig.com/en/docs/sysdig-secure/vulnerabilities/pipeline/
Sysdig Secure Inline Scan Action
The latest release is v3.6.0.
https://github.com/marketplace/actions/sysdig-secure-inline-scan
Sysdig Secure Jenkins Plugin
The Sysdig Secure Jenkins Plugin remains at version v2.3.0.
https://plugins.jenkins.io/sysdig-secure/
Prometheus Integrations
Prometheus Integrations has been updated to v1.23.2:
- Change: Replace HelpIcon with QuestionMarkCircleHelpIcon
- Fix: OpenShift/rancher integration labels
Sysdig On-Premises
Sysdig On-Premises has been updated to 6.6.0 with the following changes.
Upgrade process
Supported upgrades from: 5.0.x, 5.1.x, 6.x
For the full supportability matrix, see the On-Premises Install Documentation. This repository also includes the on-premises Installation documentation.
Sysdig Secure
Nexus and Google Support for Container Registry Scanning
The Image Registry Scanning functionality in the Sysdig Vulnerability Management engine has been updated to support scanning for the Nexus Repository and the Google Artifact Registry (GAR).
For more information on running the scanner, see the Registry Scanner documentation.
Reporting for Image Pipeline Vulnerability Scanning
The Vulnerability Management engine now supports Reporting for Image Pipeline Scanning. The engine now has reporting for all scanning functionality (Runtime, Registry, Host, and Pipeline). Pipeline reporting mirrors the Runtime and Registry reports, with just a change in the scoping context.
What?
- This feature enables the easy collection and reporting on Pipeline scans over a given time period.
Why?
- With this addition, we have completed normalizing the data output functions across the VM scanning set.
Exception UI improvements for threat detection rules
Sysdig is introducing a new, user-friendly exception builder. The new exception UI, built in to the Rules Editor, helps users create, update, modify, and delete exceptions for threat detection rules.
For more information, see Manage Threat Detection Rules.
Advanced users can apply Tuning suggestions
To simplify identifying and applying exceptions, we are enabling the ability for Advanced Users and Team Managers to see and apply Tuning suggestions from Insights and Event detail pages.
To enable:
- Log into Sysdig Secure as Admin and go to Settings.
- Toggle Advanced User Tuner Enablement on.
Sysdig Monitor
Metrics Usage Enhanced with Dashboards and Alerts Usage Metadata
Metrics Usage now displays which Dashboards and Alerts are using a given metric, enabling you to better understand the value a given metric provides to teams.
UX Improvements for PromQL Query Explorer
The PromQL Query Explorer editor has been updated with quality of life improvements for a better user experience while running queries:
- Only relevant labels to the query metrics are now displayed in the autocomplete prompt.
- Labels are automatically selected and displayed in the query results table.
Notification snapshot for Metric Alert notifications
Metric Alert notifications forwarded to Slack or email include a snapshot of the triggering time series data. For the Slack Notification channels, you can toggle the snapshot within the notification channel settings. When the channel is configured to Notify when Resolved, a snapshot of the time series data that resolves the alert is also provided in the notification.
Platform
Settings page refresh
Settings page in Sysdig Secure and Monitor has been enhanced to provide you a superior user experience:
- Improved color scheme for the dark mode.
- Unified layout and components to establish consistency between Sysdig products.
- Better navigation through the new header component.
Defect fixes
- Fixed an issue in the Explore module where promlegacy_* metrics could prevent metric counts from loading.
Falco Threat Detection Rules Changelog
Several versions of the rules have been released in the last months. Below are the release notes for the most recent rules changes.
https://docs.sysdig.com/en/docs/release-notes/falco-rules-changelog/
Rule Changes
- Reduced false positives for the following rules:
- Modification of pam.d detected
- Possible Backdoor using BPF
- Packet socket created in container
- Dump memory for credentials
- Launch Remote File Copy Tools in Container
- Suspicious cron modification
- Base64-encoded Shell Script Execution
- Fileless Malware Detected (memfd)
- eBPF program loaded into Kernel
- Launch Ingress Remote File Copy Tools in Container
- Write below etc.
- Escape to host via command injection in process
- eBPF program loaded into kernel
- Non sudo setuid
- Mount launched in Privileged Container
- Change thread namespace
- Set Setuid or Setgid bit
- Launch Sensitive Mount Container
- Launch Root User Container
- Write below root
- Packet socket created in container
- Launch privileged container
- Diamorphine Rootkit Activity
- Read Environment Variable from /proc files in Container
- Search Private Keys or Passwords
- SSH keys added to authorized_keys
- Change memory swap options
- Kernel startup modules changed
- Added the following rules:
- Container image built on host
- Leave Organization
- EC2 Add User Data
- SSM Get Parameter
- EC2 Get User Data
- Shutdown or Reboot detected
- Get Federation Token with Admin Policy
- Full Visibility on Federated Sessions
- GCP CloudRun Service Started
- Create Key Pair
- Stop EC2 Instances
- Get Lambda Function
- Attach IAM Policy to Group
- Escape to host via command injection in process
- Improved the following conditions
- System procs network activity
- Potential UAC bypass using Registry manipulation
- Dump memory for credentials
- Execution of binary using ld-linux rule
- Improved the output for the following rules
- Github Webhook Connected rule
- Okta ruleset
- Shutdown or Reboot detected rule
- Updated the IoCs Ruleset with new findings
- Updated description for the Malicious C2 IPs or domains exploiting log4j rule
- Updated theSysdig AWS Notable Events policy
- Improved the Windowssuspicious_network_binaries list
- Improve tags for the AWS RDS Master Password Update
- Improved MITRE tags
Default Policy Changes
- Added the following files:
- Shutdown or Reboot detected
- Get Federation Token with Admin Policy
- Full Visibility on Federated Sessions
- GCP CloudRun Service Started
- Create Key Pair
- Stop EC2 Instances
- Get Lambda Function
- Attach IAM Policy to Group
- Escape to host via command injection in process
- Updated the Remove MFA from user in Okta policy.
- Updated the policy for rules:
- Change memory swap options
- EC2 Instance Connect/SSH Public Key Uploaded
- SSM Get Parameter
Open Source
Falco
Falco 0.36.2 is the latest stable release.
https://github.com/falcosecurity/falco/releases/tag/0.36.2
New Website Resources
Press Releases
Sysdig Debuts New Benchmark for Cloud Detection and Response
Blogs
Securing Servers in the Cloud Requires a Cloud Centric Approach
Why Traditional EDRs Fail at Server D&R in the Cloud
Is Traditional EDR a Risk to Your Cloud Estate?
Webinars
Fix What Matters First: Bridging Code and Cloud Security
Generate This: Bring AI to Cloud Security
Events
AWS re:Invent 2023 – Cloud Security Powered by Runtime Insights
Sysdig Education
Sysdig. Secure Every Second: https://www.youtube.com/watch?v=c7mqQOwQv3U
Unparalleled Cloud Visibility in Action with Sysdig’s Enhanced Searchable Inventory: https://www.youtube.com/watch?v=D6lnQhU0xD0
Rethinking Cloud Security with Sysdig’s CNAPP: https://www.youtube.com/watch?v=19QjEmXbvqY
Strengthening Your Security with Agentless Vulnerability Management: https://www.youtube.com/watch?v=M0YpW-1WqqU
Sysdig Attack Path in action: https://www.youtube.com/watch?v=Exiw48ClOYE