Sysdig Introduces Runtime Profiling and Anomaly Detection with Machine Learning to Secure Kubernetes Environments at Scale

New Sysdig Secure features provide a deeper understanding of container data and offer pinpointed anomaly detection

New Falco Rule Builder makes it easier for enterprises to utilize hardened open source rules

LAS VEGAS, Black Hat USA — August 6, 2019 — Sysdig, Inc., the cloud native visibility and security company, today announced new features for Sysdig Secure, including runtime profiling and anomaly detection with machine learning capabilities. The company also announced Falco Rule Builder, a new flexible user interface (UI) to create and customize runtime security policies within Sysdig Secure. Sysdig Secure is part of the Sysdig Cloud Native Visibility and Security Platform (VSP), the first and only unified view of the risk, health, and performance of Kubernetes environments. The new features give Sysdig customers the ability to define Kubernetes runtime security policies faster and with very little effort, making cloud environments more secure and enterprise scaling a reality.

Blog Post: Sysdig Secure 2.4 introduces runtime profiling for anomaly detection and new policy editor for enhanced security

The Global 2000 recognize the advantages that come with cloud native and are rapidly making the move to containers, Kubernetes, and microservices. Gartner Distinguished Vice President (VP) Analyst Arun Chandrasekaran predicts, “By 2022, more than 75% of global organizations will be running containerized applications in production, which is a significant increase from fewer than 30% today.” Yet, DevOps and security teams tasked with translating cloud-native architectures into operational reality struggle with ensuring reliable, secure, performant applications, especially at scale.

As enterprises move applications into production, the scale, complexity, and elasticity of these modern environments make it impossible to manually configure every security feature, especially in real time as containers and vulnerabilities change. Human error when configuring hundreds or thousands of containers is inevitable. According to Gartner Distinguished VP Analyst Neil MacDonald, “Most successful security breaches and operational outages have a root cause of misadministration, mismanagement, and mistakes.”

“With the latest enhancements to Sysdig Secure, we continue to make the transition to a Kubernetes environment as seamless, secure, and easy as possible for enterprise customers,” said Loris Degioanni, chief technology officer and founder of Sysdig. “Sysdig is the only platform that addresses key challenges associated with building and maintaining a robust security runtime policy at scale. With machine learning, Sysdig understands all of the container and environment data, can learn the behavior, and generate a runtime profile that can be adapted based on the container and environment, with the end result being detection and response to anomalies in real time.”

Runtime profiling with machine learning
The latest updates to Sysdig Secure uses Sysdig’s syscall-level integration to gain deep insights into container runtime activity. Within 24 hours of the container being profiled, enterprises have a learned container profile and insight into all process and file system activity, networking behavior, and system calls. After the model is built, DevOps and security teams can use the learned profile snapshot to create a policy set that can be applied to containers automatically, providing a scalable runtime defense for large-scale environments. Sysdig has given security and DevOps teams their time back by eliminating the time spent with other tools manually creating and managing multiple profiles, especially when containers change or are hacked, both of which could take a security professional hours, if not days to update affected policies. With machine learning-based profiling, environments are less susceptible to human error and enterprises are left with a more complete view of the environment.

Sysdig Secure now includes confidence levels – low, medium, and high – auto-generated from the runtime profiling, giving security teams transparency and assurance into the container behavior opposed to blindly applying black box auto-generated profiles. Enterprise teams are left with a better understanding of what has been learned, how it is being learned, and how accurate that baseline was.

Falco Rule Builder and the rules library = collaboration + flexibility
The Falco Rule Builder — a new flexible Falco UI within Sysdig Secure — enables enterprises to visually interact with the Falco engine in the Sysdig agent to create new customized policies. These policies can be applied to both hosts and containers based on their security and governance requirements without requiring users to have deep technical understanding of Falco expressions and filtering syntax. Runtime rules can be scoped and filtered to any aspect of the environment, such as Kubernetes namespaces, deployments, podd, or containers, and managed at scale.

The Falco rules library enables enterprises to adopt rules created by open source community members. As a Cloud Native Computing Foundation® Sandbox project, Falco has attracted a wide community that has created and compiled rules. Sysdig’s open source team regularly hardens community rules to ensure all rules meet enterprise-grade standards. With the Falco rules library, policies can be easily adopted by enterprises without having to spend time building the rules themselves.

Additional container vulnerability management features available today in Sysdig Secure:

  • Sysdig vulnerability reporter:
    • Ability to create custom vulnerability queries across all images, packages, and common vulnerability and exposures (CVE), as well as advanced conditions, including CVE age, fix, package version, and more from the Sysdig container image scanning inventory database.
    • Reporting in both PDF/CSV formats.
  • New alert mechanism to notify changes in images, policies or CVE exposures via Slack, PagerDuty, email, and more.
  • New scan results UI:
    • Interactive and sortable scan results, including sorting by vulnerability risk level.
    • Ability to view a summary of all policies an image was compared against, understand failures and vulnerabilities, including specific OS and non-OS package checks, and image contents.

Sysdig is the first step in evaluating Docker images for security, compliance, and reliability before deploying images to production. Sysdig Secure integrates with the CI/CD pipeline, including Jenkins, making it easier for organizations to adopt continuous delivery processes by enabling security teams to proactively address risk in applications before they are deployed in production, or even pushed into a registry. To learn more about the new features, visit the Sysdig blog.

Availability

The new Sysdig Secure features will be available later this month to all current Sysdig Secure and Sysdig Cloud Native Visibility and Security Platform customers.

See Sysdig Secure 2.4 in action 

Stop by Black Hat USA booth 2517 between now and August 9 to learn more about Sysdig.

About Sysdig

Sysdig is the cloud-native visibility and security company. Our data platform gives enterprises insight and control as they transition to dynamic modern architectures, allowing them to see the benefits of cloud-native faster, with less risk. Our open source technologies have attracted a community of millions of developers, administrators, and other IT professionals. The Sysdig Cloud-Native Visibility and Security Platform allows DevOps, security professionals, and service owners to get context-rich information to dig deeper into their containerized environments and reliably build, run, and respond to issues in millions of containers across hundreds of enterprises, including Fortune 500 companies, government agencies, and web-scale properties. Learn more at www.sysdig.com.