Container Security with Sysdig Secure

Security and compliance embedded into DevOps

Close the container security and visibility gap

Image Scanning

Automate scanning locally in your CI/CD tools and flag new vulnerabilities at runtime

Continuous Compliance

Validate compliance against standards like PCI, NIST, and SOC2 across the lifecycle of containers and Kubernetes

Runtime Security

Detect threats across containers, Kubernetes, and AWS infrastructure with out-of-the-box Falco rules based on syscalls, K8s audit logs, and AWS CloudTrail

Incident Response and Forensics

Conduct investigations with low-level syscall data, even after the container is gone

Container Security with Sysdig Secure

Sysdig Secure embeds security and compliance across every stage of the container lifecycle.

Image Scanning

Since software today is assembled and not built from scratch, your developers pull open-source base images and third-party libraries to build and scale containerized applications. Dig deeper into 12 image scanning best practices you can adopt in production.

Sysdig Secure prevents known vulnerabilities early by integrating scanning into the CI/CD pipelines and registries. It also flags newly identified vulnerabilities at runtime, maps them back to specific applications, and identifies the team that needs to fix them. Use Sysdig’s out-of-the-box Docker security scanning rules that save time by finding high severity OS and non-OS vulnerabilities, misconfigurations, and security bad practices.

Runtime Security

Another critical container security requirement is the ability to detect and alert on malicious activity at runtime, including:

  • Exploits of unpatched or new zero-day vulnerabilities
  • Insecure configurations
  • Leaked or weak credentials
  • Insider threats

With open-source Falco, you can create flexible detection rules that define unexpected behavior inside containers. These rules can be enriched with context from the cloud provider and Kubernetes environments. Your teams can leverage rich community-sourced detections instead of creating policies from scratch. Then, you can alert by plugging Falco into your current security response workflows and processes.

Sysdig Secure extends the open-source Falco engine and saves time creating and maintaining runtime detection policies. It uses machine learning to automatically profile container images so you can avoid writing rules from scratch.
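As an added example of such a rule (not Sysdig's own policies or Falco's shipped ruleset), the following Falco rule in the open-source YAML syntax flags an interactive shell spawned inside a container in an assumed Kubernetes namespace named prod; the k8s.* and container.* fields are the metadata enrichment described above.

```yaml
# Added example (not part of Sysdig's or Falco's shipped rules): alert when an
# interactive shell starts inside a container running in a Kubernetes
# namespace named "prod" (the namespace name is an assumption).

# Macros written in the style of Falco's default ruleset, defined here so
# that this file loads on its own.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: container
  condition: container.id != host

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

- rule: Shell Spawned in Production Container
  desc: >
    An interactive shell was started inside a container in the prod
    namespace. Legitimate during a debugging session, but also a common
    first step after a workload has been compromised, so it is worth an
    alert that the response team can triage.
  condition: >
    spawned_process and container
    and proc.name in (shell_binaries)
    and k8s.ns.name = "prod"
  output: >
    Shell spawned in production container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
    container=%container.name image=%container.image.repository
    pod=%k8s.pod.name namespace=%k8s.ns.name)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Loading this file alongside Falco's default rules would redefine the two macros identically; in that case drop the macro definitions and keep only the list and the rule.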

Continuous Compliance

Container compliance is a key requirement to check off before deploying to production. The most common challenges we hear from DevOps teams in validating container compliance are:

  • Inability to map compliance standards to specific controls in cloud environments
  • Not understanding their compliance progress or whether they would pass an audit
  • Not knowing which teams are responsible for which compliance controls
  • No ability to show proof of compliance within the container environments

All of these compliance tasks take up time and resources, and ultimately slow down application deployment. Sysdig Secure maps compliance standards (e.g., PCI, NIST, SOC2) to specific controls for container and Kubernetes environments. On-demand assessments, dashboards, and reports make it easier to pass third-party audits. Learn more about how to continuously validate container compliance against standards like PCI, NIST, and SOC2 across the lifecycle of containers and Kubernetes.

Incident Response

When conducting incident response, answering the “why” questions is particularly tricky because of the distributed and dynamic nature of container and Kubernetes environments. Your teams need to strike a balance between defining precise runtime policies and not drowning in a sea of alerts.

Recognizing the root cause of a malicious event inside a container requires your container security tool to provide detailed evidence. Sysdig provides comprehensive forensics data by tapping into Linux syscalls that are essential for a full post-mortem analysis, even after the container is gone. This low-level data allows you to answer the tough questions around what files were touched, commands run, connections made, and more. Learn how to record a snapshot of pre- and post-attack activity inside containers, and conduct deep incident response and forensics.

Integrated into your DevOps Workflow

Sysdig is an open-source-based, SaaS-first platform that integrates with your existing DevOps stack.

Build: Vulnerabilities, Configuration
CI/CD Tools

Sysdig Secure image scanning integrates directly into your CI/CD pipeline and prevents images with vulnerabilities or misconfigurations from being shipped.

Registry

Sysdig Secure container image scanning supports all Docker v2 compatible registries. It ensures an up-to-date risk posture and identifies images that need to be rebuilt if new vulnerabilities are introduced.

Run: Metrics, Events, Security Policies

Applications

Sysdig provides runtime security, infrastructure and application monitoring to help you ship cloud applications faster to production.

Cloud

Sysdig secures and monitors containers on multiple cloud platforms.

Sysdig ServiceVision enriches container data with the metadata from the cloud providers.

Orchestrator

Sysdig supports any orchestrator, multiple Kubernetes distributions, as well as managed platforms.

Sysdig ServiceVision enriches container data with the metadata from Kubernetes/orchestrators. Sysdig uses the native facilities of Kubernetes for policy enforcement and threat prevention.

Infrastructure

Sysdig ContainerVision provides deep visibility into all container activity via a lightweight instrumentation model that collects low level system call data.

Respond: Alerts, Audit Logs, Events, Syscall Captures

Alerts

Configure flexible alerts on image scanning failures, anomalous runtime activity, troubleshooting issues, etc., through channels you already use (e.g., Slack, PagerDuty, SNS).

SIEM and SOAR Integrations

Sysdig automatically forwards events to your SIEM tool, giving SOC analysts deep visibility into container and Kubernetes incidents. It also integrates with SOAR platforms (Demisto, Phantom) as part of automated security playbooks.

Sysdig Secure DevOps Platform

Confidently run cloud-native workloads in production using the Sysdig Secure DevOps Platform. With Sysdig, you can embed security, validate compliance and maximize performance and availability. The Sysdig platform is open by design, with the scale, performance and usability enterprises demand.

Frequently Asked Questions

Q: What is container security?

A: Container security is the process of implementing security and compliance across all stages of the container lifecycle. This includes scanning container images in the CI/CD pipelines and registries, as well as ensuring runtime security for containers and hosts. Incident response with full forensics data that captures all activity inside the container is a key requirement as well. Compliance controls should allow teams to pass an audit at any time.

Q: How do I secure Kubernetes?

A: Protecting workloads in Kubernetes involves securing multiple components of the cluster. Vulnerabilities in your base OS or in the non-OS packages that developers use to build applications can be exploited. This requires image scanning and integration via admission controllers to prevent risky image deployments. Another component to secure is your Kubernetes control plane (e.g., controller manager, etcd), which can be accessed via the Kubernetes API and requires security monitoring and auditing of all activity happening at the API server level. To learn additional details about securing Kubernetes, download our Kubernetes security checklist.

Q: How do I secure the host?

A: Even when you run containers, you want to make sure your host configuration is secure (restricted and authenticated access, encrypted communication, etc.). We recommend using the Docker bench audit tool to check configuration best practices. You should also keep your base system updated and use minimal, container-centric host systems to reduce your attack surface. Read more here: 7 Docker Security Vulnerabilities

Q: How do I implement container security on AWS (ECS, EKS, Fargate)?

A: AWS container security requires implementation of security across all stages of the container lifecycle. This includes automating image scanning at the registry level with Amazon ECR, but also for CI/CD pipelines with tools such as AWS CodeBuild and CodePipeline. Runtime security in production with EKS and ECS detects and blocks zero-day vulnerabilities and threats such as privilege escalation attempts. Implementing threat detection using AWS CloudTrail and Falco helps to alert on suspicious changes in AWS user permissions, S3 buckets, access keys, etc. Compliance checks across your AWS infrastructure and application lifecycle are key to meeting regulatory compliance standards. And finally, recording container activity at a detailed level will help you understand events and conduct forensics even after containers are gone.

Q: How do I implement container security on Red Hat OpenShift?

A: OpenShift provides a secure, enterprise-class container platform. Sysdig augments OpenShift’s built-in container security controls with extended image scanning, runtime security and container forensics to reduce risk for mission-critical container deployments at scale.

Q: How do I implement container security on Google Cloud?

A: Securing containers on Google Cloud running on solutions like GKE and Cloud Run requires protection across all stages of the container lifecycle. This includes automating image scanning at the registry level with GCR, but also for CI/CD pipelines with tools such as Google Cloud Build. Runtime security in production with GKE and Cloud Run detects and blocks zero-day vulnerabilities and threats such as privilege escalation attempts. Compliance checks across your Google Cloud infrastructure and application lifecycle are key to meeting regulatory compliance standards. And finally, recording container activity at a detailed level will help you understand events and conduct forensics even after containers are gone.

“We have a small team and a true DevOps model where we wear multiple hats. With Sysdig, it has been really easy because there hasn’t been a tradeoff between speed or security.”

VP of Engineering at Stella Connect