Container Forensics

Incident response and container forensics for Kubernetes


Conduct forensics and incident response for containers and Kubernetes to understand security breaches, meet compliance requirements and recover quickly. Sysdig Secure is your source of truth for all activity in the container ecosystem before, during and after an incident.


Understand and contain the impact of any security breach

Leverage the depth of data Sysdig Secure collects, presented in a detailed forensics report, to quickly answer the “when”, “what”, “who” and “why” of an incident.


Respond faster to incidents and recover with a tailored workflow

Streamline incident response and quickly determine what happened with a detailed activity record. Fine-grained policies leverage the Falco rules library to analyze and audit runtime policy violations.


Conduct post mortem analysis on a container outside production

Analyze forensic captures and recreate all system activity, even for long-gone containers.

Understand and Contain the Impact of Any Security Breach

The granular data collection of Sysdig Secure, based on capturing system calls, is your source of truth for container forensics and incident response (IR). You gain deep insight into process, disk and network activity before, during and after an incident.


Conduct Kubernetes incident response using tight integration with Kubernetes and container orchestration tools. Sysdig Secure correlates syscall data with container, cloud and Kubernetes metadata to help you quickly zoom in on the malicious event.

Answering the “why” questions with container and Kubernetes incident response is particularly tricky in distributed, dynamic environments, especially with the ephemeral nature of containers. Sysdig Secure lets you define highly granular rules (leveraging Falco) to check for unexpected activities. You can use a flexible syntax to identify what happened (e.g., cryptojacking, sensitive information leak) and recognize root cause information (e.g., user compromise, vulnerability).


Respond Faster to Security Incidents and Recover with a Tailored Workflow


When unusual activity is detected, the out-of-the-box Sysdig policies, based on Falco or your custom runtime policies, can trigger a security event automatically. When you see an incident, you can immediately zoom in and isolate it to a specific part of the Kubernetes infrastructure.

Sysdig Secure lets you filter by any field to view the real-time stream of user and system activity. These activities are correlated with metrics across the stack (Kubernetes, container, host, network and files) to identify the root cause faster. Sysdig Secure gives you the ability to trace a kube-exec through to the user and network activity that followed it.

Go deep and see what the malicious actor did. In this example they executed bash, then ran curl to download a file from the Internet, decompressed it and shredded the bash history.
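The Falco rules mentioned above are how such a sequence becomes a security event. The rule below is an added example, not a Sysdig rule and not part of the upstream Falco rule set: it flags the final step of that sequence, a shell history file being shredded, truncated, renamed or removed inside a container, and attaches the Kubernetes metadata an investigator would pivot on. The macro and rule names are chosen here; the filter fields are standard Falco/sysdig fields.

```yaml
# Added example rule (not Sysdig's or upstream Falco's).
# Only events from containers, never the host itself.
- macro: in_container
  condition: (container.id != host)

# The path argument differs by syscall: unlink uses "path", unlinkat uses
# "name", rename/renameat/renameat2 use "oldpath". A missing argument
# simply evaluates to false, so all three are checked together.
- macro: history_path_arg
  condition: >
    (evt.arg.name endswith ".bash_history" or evt.arg.name endswith ".zsh_history" or
     evt.arg.path endswith ".bash_history" or evt.arg.path endswith ".zsh_history" or
     evt.arg.oldpath endswith ".bash_history" or evt.arg.oldpath endswith ".zsh_history")

# Deletion or renaming of the history file (e.g. rm, mv, shred -u).
- macro: history_file_removed
  condition: >
    (evt.type in (unlink, unlinkat, rename, renameat, renameat2) and history_path_arg)

# Overwriting or truncating the history file. shred opens the file for
# writing without O_TRUNC and overwrites it in place, so the process name
# is checked as well as the truncate flag.
- macro: history_file_overwritten
  condition: >
    (evt.type in (open, openat, openat2) and evt.is_open_write=true and
     (fd.name endswith ".bash_history" or fd.name endswith ".zsh_history") and
     (evt.arg.flags contains "O_TRUNC" or proc.name = shred))

- rule: Shell History Tampered In Container
  desc: >
    A process inside a container removed, renamed, truncated or overwrote a
    shell history file, a common anti-forensics step after an interactive
    session such as a kubectl exec.
  condition: >
    in_container and (history_file_removed or history_file_overwritten)
  output: >
    Shell history tampered in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname evt=%evt.type
     file=%fd.name container=%container.id image=%container.image.repository
     ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, k8s, mitre_defense_evasion, T1070.003]
```

The parent process and Kubernetes namespace/pod in the output are what let you walk the event back to the originating kube-exec in the activity record.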


Conduct a Post Mortem Analysis of the Container


Containers often terminate long before container incident response and forensics begin, so Sysdig Secure saves forensic data while containers are still active. Container forensic captures, stored as scap files, let you investigate, analyze and recreate the activity associated with a security event before, during and after the incident.

You can correlate system, user and container activity over time as part of a container forensics workflow. Sysdig Secure gives you an interactive timeline of events and actions even after the container is no longer in production.


Maintain a record for incident response. Sysdig Secure displays all activity (commands, file activity, network connections, etc.) before and after the event for a full forensic analysis. In the event of a malicious incident, even file contents can be recreated.

“We used Sysdig Secure to improve our signals that go into the SOC and speed detection and audit workflows in containers.”

Large US Bank Sysdig Customer


Sign up for a free 30-day trial of Sysdig Platform, Sysdig Secure or Sysdig Monitor; no credit card required.