Can You Stop Cloud Breaches in Real Time?
Sysdig, the cloud native security company, is using open source Falco, as the foundation for its new end-to-end cloud detection and response service: Cloud Native Application Protection Platforms (CNAPP).
You’ve heard that phrase before. A CNAPP is a security and compliance service that teams can use to build, deploy, and run comprehensive cloud native security services. It combines “shift left” and “shield right” security concepts to provide a comprehensive and robust security strategy throughout the application lifecycle.
Merger of CDR and CNAPP
This latest move, Sysdig claims, marks the first merger of cloud detection and response (CDR) and CNAPP in one cohesive platform. The result? Sysdig states it’s the only CNAPP platform capable of instant threat detection across cloud environments, ensuring comprehensive visibility and correlation across workloads, identities, cloud services, and third-party applications. The key to this integration is Falco and its underlying eBPF Linux kernel dynamic programming.
Falco is an open source runtime security tool. Created by Sysdig, it’s now a Cloud Native Computing Foundation (CNCF) project. Falco uses system calls to secure and monitor a system by parsing Linux kernel system calls at runtime, asserting the system call stream against a powerful rules engine, and alerting users when a rule is violated.
Underneath Falco is eBPF. This revolutionary Linux programming tool can run sandboxed programs in a privileged context, such as the operating system kernel. It’s used to safely and efficiently extend the capabilities of the kernel without changing the kernel source code or loading kernel modules.
This software stack runs quickly because all its components run at such a low level. Therefore, Sysdig asserts that while conventional cloud security tools often lag in identifying suspicious behavior, CNAPP promises an immediate, in-depth understanding of potential problems across the entire cloud environment.
Key features of the new Sysdig CNAPP include:
- Agentless Falco cloud problem detection: This enables organizations to detect threats across the cloud, identity, and software supply chain efficiency by eliminating the need to install Falco on their infrastructure.
- Identity threat detection: Thanks to the new Sysdig Okta Security Assertion Markup Language (SAML) authentication functionality, it’s easier to guard against identity-based attacks such as multifactor authentication fatigue and account takeover.
- Software supply chain detection: Threat detection is extended into the software supply chain with Sysdig GitHub detections. These enable you to scan images in your GitHub Actions pipelines to detect and block container vulnerabilities in preproduction.
- Enhanced Drift Control: The dynamic blocking of unauthorized executables not included in the original container aids in preventing common runtime attacks.
Alongside these detection enhancements, Sysdig also improves incident response and cloud investigations through:
- Live mapping: Sysdig’s Kubernetes Live provides a real-time, comprehensive view of infrastructure and workloads, facilitating rapid response to incidents.
- Attack lineage with context: Sysdig Process Tree helps quickly identify and eradicate threats by revealing the entire attack journey, from user to process.
- Curated threat dashboards: These provide a centralized view of critical security issues and real-time threat prioritization, along with dynamic mapping against the MITRE framework for cloud native environments.
Like What You See?
Beta customers like what’ve they seen so far. Pierre Brunelle, Noteable CEO, said, “Sysdig is the best at cloud detection and response. They are the only vendor that provides a complete platform with multiple defense layers to detect abnormal activity in real-time and surface appropriate context.”
Echoing these sentiments, Karl Maire, Platform Tech Team Lead at Fuel50, added, “Sysdig enables us to quickly detect and respond to cloud attacks at cloud speed by knowing what is happening, the exact container or location in the cloud, and what is causing it.”