Sysdig

BlaBlaCar Security Team of Four Empowers Developers to Manage Security Risk With Sysdig

200: Developers empowered to own applications throughout the lifecycle
Overhead: Efficient, secure DevOps model reduces overhead

Business Impact

  • Enables rapid identification of suspicious activity and misconfigurations
  • Secure DevOps model reduces overhead and empowers security team of 4 to operate more efficiently
  • Achieve workload security to minimize risk
“Having a technology as complex as Falco packaged together with professional support and a SaaS infrastructure allows us to focus on the integration instead of spending time on setup and maintenance.”
Jeremy Courtial, Security Engineer, BlaBlaCar

Company Overview

BlaBlaCar is the world’s leading community-based travel network enabling over 100 million members to share a ride across 22 markets. BlaBlaCar leverages technology to fill empty seats on the road, connecting members looking to carpool or to travel by bus, and making travel more affordable, sociable, and convenient. BlaBlaCar’s environmentally and human-friendly mobility network saves 1.6M tons of CO2 and enables 80M human connections every year.

Business Need

  • Reduce risk by detecting suspicious activity and misconfigurations
  • Automate alerts and streamline incident response
  • Secure containers without adding operations management overhead
  • Flexibility to fine-tune security to its needs

Infrastructure: Google Cloud Platform (GCP), Yandex Managed Service for Kubernetes

Orchestration: Google Kubernetes Engine (GKE), Yandex.Cloud

Solution: Sysdig Secure

Challenges

After deciding to add more than 120 nodes to Google Cloud Platform (GCP) and Google Kubernetes Engine (GKE), the BlaBlaCar security team of four was looking for a security solution. Supporting a development team of more than 200, the security team needed a way to empower developers to build and run applications in production, and to ensure security throughout the container lifecycle.

According to Jeremy Courtial, Security Engineer at BlaBlaCar, “We run what many would consider ‘DevOps’. The developers are responsible for everything, including security. It’s not just an Ops team that gets the application, then deploys and monitors it in production. It’s also the developers that are doing all of the work from beginning to end. The Ops team is mainly there to set up the infrastructure and provide the right tool for the developer to monitor and deploy the applications. The security team is there to empower them.”

When working through the selection of possible tools to use, the security team narrowed their consideration to five solutions to be tested against specific criteria. According to Courtial, “Some of the things we compared included the ability to detect misconfigurations in the Kubernetes workload and suspicious activity. For example, would it detect if someone downloaded a binary, started it, and then it started a connection to something else on the internet? We also had some image scanning benchmarks, like how many vulnerabilities were detected? We wanted to see how they are displayed in the solution, including the level of detail or lack thereof.”


Solutions

Why BlaBlaCar Chose Sysdig

After comparing the five solutions, BlaBlaCar selected Sysdig. As Courtial explains it, “One of the most important tests for us was the ability to detect both suspicious activity and misconfigurations, and Sysdig did so the best. We also wanted to avoid having a whole platform deployed inside our production, so we preferred a SaaS solution. Lastly, we were also looking for something that we could really fine tune, not only the rules, but also the way we receive these alerts and the ability to export them. Sysdig’s forensics capabilities were really impressive. Price played a role as well.”

Knowing the solution they picked would run on GKE also factored into the decision making. According to Courtial, “Sysdig’s eBPF instrumentation and the work the Falco community and Sysdig have done with Google gave us confidence that Sysdig would run on GKE – we saw that first hand during the evaluation stages. There was one tool in particular that we evaluated that had issues with GKE.”

Evaluating Sysdig and Falco

Sysdig is built on Falco, along with several other open source tools, including open source Sysdig, Sysdig Inspect, Prometheus, Anchore Engine, and Cloud Custodian. Falco, a cloud-native runtime security project created by Sysdig and contributed to the CNCF, is considered the de facto Kubernetes threat detection engine. Sysdig and Falco were evaluated separately during the POV process.

Walking through the decision of selecting Sysdig over Falco, Courtial said, “We considered Falco alone, but we went with Sysdig in the end because we are a small team. We have four security people and not everyone is working on the platform. Having a technology as complex as Falco packaged together with professional support and a SaaS infrastructure allows us to focus on the integration instead of spending time on setup and maintenance. We also wanted some container scanning features, which would have meant we needed to find, deploy, and maintain an additional tool. With Sysdig, we get an all-in-one package.”

Going into further detail, Courtial explained, “Sysdig customers benefit from community contributions, just as Falco users benefit from Sysdig’s contributions to Falco. The fact that Sysdig extends Falco was really enticing to us. With Sysdig, we knew we were getting the best tool integrated with Falco. Finally, because Sysdig uses Falco rules, we knew that if Sysdig didn’t fit our needs in the end, we could still migrate to Falco without having to start from scratch.”

Equipping Developers With Secure DevOps

Sysdig provides deep data insights and problem isolation across the entire cloud-native environment to help monitor and troubleshoot health and performance. This visibility and alerting empowers the hundreds of developers at BlaBlaCar to take control of their security risk.

Explaining how Sysdig is used at BlaBlaCar, Courtial said, “We use Sysdig to identify and alert us to suspicious activity and misconfigurations, and more generally, workloads that may cause security risk. We set up Sysdig to monitor specific rules. In the event that one is triggered, the developer gets an alert from Sysdig via PagerDuty that includes documentation for the specific alert, such as how to whitelist the behavior by adding a line to the Falco rule. Developers receive the alerts, evaluate them, and then come to us if they have questions. We want to empower them to investigate the alerts themselves.”
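As an added example (not rules from the page, from BlaBlaCar or from Sysdig), the Falco rules file below shows what the workflow Courtial describes looks like in rule terms: the evaluation scenario from earlier on the page (a binary is dropped into a writable directory, launched, and then opens a connection to the internet) is covered by two rules, and each rule carries an `exceptions` block that a developer extends by adding one line when the alert fires on legitimate behaviour, instead of disabling the rule. Rule names, the `example.registry/...` image names, the directory list and the network ranges are all assumptions made for the example.

```yaml
# Added example: not BlaBlaCar's or Sysdig's own rules. Rule names, image names,
# directories and network ranges are constructed for illustration.

# Address ranges treated as internal; anything else counts as "the internet".
- list: internal_networks
  items: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

# Directories from which a freshly downloaded binary is typically launched.
- list: writable_exec_dirs
  items: [/tmp, /var/tmp, /dev/shm]

# A process inside a container was started from one of the writable directories.
- macro: exec_from_writable_dir
  condition: >
    evt.type in (execve, execveat) and evt.dir = < and
    container.id != host and
    proc.exepath pmatch (writable_exec_dirs)

# A TCP/IP connect() to an address outside the internal ranges.
- macro: outbound_to_internet
  condition: >
    evt.type = connect and evt.dir = < and
    (fd.typechar = 4 or fd.typechar = 6) and
    fd.sip != "0.0.0.0" and
    not fd.snet in (internal_networks)

- rule: Binary Launched From Writable Directory
  desc: A process was executed from a temporary or world-writable directory inside a container
  condition: exec_from_writable_dir
  output: >
    Binary launched from writable directory
    (user=%user.name command=%proc.cmdline exe=%proc.exepath
    container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [container, process, constructed_example]
  # Allowlist: a team whose build image legitimately unpacks and runs tooling
  # under /tmp adds one line under "values" rather than silencing the rule.
  exceptions:
    - name: known_build_images
      fields: [container.image.repository]
      comps: [=]
      values:
        - [example.registry/ci-runner]            # constructed entry

- rule: Outbound Connection From Writable Directory Binary
  desc: A process running from a writable directory opened a connection to a non-internal address
  condition: >
    outbound_to_internet and container.id != host and
    proc.exepath pmatch (writable_exec_dirs)
  output: >
    Outbound connection from binary in writable directory
    (user=%user.name command=%proc.cmdline exe=%proc.exepath
    connection=%fd.name container=%container.name
    image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: CRITICAL
  tags: [network, container, constructed_example]
  # Allowlist keyed on image AND process name, so the exception stays narrow.
  exceptions:
    - name: known_package_fetchers
      fields: [container.image.repository, proc.name]
      comps: [=, =]
      values:
        - [example.registry/package-builder, pip]  # constructed entry
```

The alert text a developer receives (through PagerDuty in BlaBlaCar's setup) is whatever the `output` line renders, so the fields chosen there decide whether the alert is actionable: image, pod and namespace tell the developer which workload it is, and `exe` plus `connection` tell them what to look at. Keying the exception on both image and process name keeps a whitelist entry from silently covering every process in that image. The file can be checked with `falco -V <file>` before it is loaded, either with `-r` on a self-managed Falco or through the custom rules mechanism of the commercial product.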

Expanding on the process, Courtial said, “The end goal is for it to be self-service for the developers. It is less efficient for the security team to do everything ourselves. Rather, we are here to support and help them if they get stuck, but we don’t fix issues or check every alert ourselves. Generally, we expect the developers to maintain the security of their workload as they do with any other metrics, such as performance or reliability.”

Easy To Deploy, Easy To Maintain, and a True Partner

Being a small group, BlaBlaCar’s security team needed an easy-to-maintain solution. According to Courtial, “Being a SaaS solution, Sysdig was very easy to set up and to maintain. We just deployed the agent. Sysdig did all of the hard work. The ease of use with the tool has been great, and since day one, the Sysdig support team has been very responsive. Several of the features requested were implemented in the product.”

Relationships are important to BlaBlaCar and a key reason it selected Google as its cloud provider. As Courtial explains, “We saw that we could have a good partnership with Google. They provided support that we didn’t feel we could get with the other cloud providers. Sysdig has been, similarly, just as responsive when we reach out.”

Advice for Peers Getting Started With Container Security

Asked what advice he has for companies moving to containers, Courtial recommended two things: “First, you need to work to get every stakeholder on board from the beginning. We worked with the Ops team so they knew what we were expecting. We had discussions from the very beginning. That helped both of our teams to understand the requirements, specificities, needs, and constraints.”

Courtial’s second piece of advice outlines how to make the developers and operations teams more efficient. “After you have buy-in, you need to consider some type of security monitoring and you should make sure the alerts are actionable. We used another security tool first and we didn’t do the same work to make the alerts actionable like we have with Sysdig, so when our developers and the operations teams received alerts, they didn’t really know what to do with them. The idea is for the developers and operations team to make sure they have all the information they need to understand an alert so they can take action. It’s really important to explain what is wrong and why, and what they can do to fix it rather than just saying something is wrong. DevOps has empowered our developers to be more efficient, but it’s up to the security team to put the right tools in place.”

Learn more about BlaBlaCar at blablacar.co.uk.

Sysdig Benefits

  • Deep visibility to detect suspicious activity and misconfigurations
  • An easy-to-deploy and maintain SaaS-first solution
  • The power of open source Falco with an enterprise experience
  • Forensics capabilities
