Incident response and container forensics for Kubernetes
Conduct forensics and incident response for containers and Kubernetes to understand security breaches, meet compliance requirements and recover quickly. Sysdig Secure is your source of truth for all activity in the container ecosystem before, during and after an incident.
Understand and contain the impact of any security breach
Leverage the Sysdig Secure depth of data within a detailed forensics report to quickly answer the questions of “when”, “what”, “who” and “why” for your incidents.
Respond faster to incidents and recover with a tailored workflow
Streamline incident response and quickly determine what happened with a detailed activity record. Fine-grained policies leverage the Falco rules library to analyze and audit runtime policy violations.
Conduct post mortem analysis on a container outside production
Analyze forensic captures and recreate all system activity, even for long-gone containers.
Understand and Contain the Impact of Any Security Breach
Answering the “why” questions with container and Kubernetes incident response is particularly tricky in distributed, dynamic environments, especially with the ephemeral nature of containers. Sysdig Secure lets you define highly granular rules (leveraging Falco) to check for unexpected activities. You can use a flexible syntax to identify what happened (e.g., cryptojacking, sensitive information leak) and recognize root cause information (e.g., user compromise, vulnerability).
Respond Faster to Security Incidents and Recover with a Tailored Workflow
Sysdig Secure lets you filter by any field to view the real-time stream of user and system activities. These activities are correlated with metrics across the stack to identify the root cause faster (Kubernetes, container, host, network, and files). Sysdig Secure gives you the ability to trace a kube-exec through to user and network activity.
Go deep and see what the malicious actor did. This example shows they executed bash, then curl commands, to download a file from the Internet, decompress and shred the bash history.
Conduct a Post Mortem Analysis of the Container
Containers terminate long before container incident response and forensics begin, so Sysdig Secure saves forensics data while containers are still active. Via a scap file, container forensic captures provide the ability to investigate, analyze and recreate activity associated with security events before, during and after the incident.
“Because we’re immediately notified whenever an unauthorized access incident occurs, we can take swift action to address the problem. And because developer operation logs are recorded and presented in a user-friendly way, we can easily check what happened should an incident occur, which is very reassuring.”Hiroki Suezawa, Security Engineering Team, Mercari