The latest release by cloud native security company Sysdig is an effort to wrangle the complexity of modern distributed software architecture.
Version 2.4 of Sysdig Secure, part of the company’s Visibility and Security Platform (VSP), includes runtime profiling and anomaly detection. This builds on previous updates to VSP announced earlier this year, which provided visibility improvements based on the “context-rich and deep performance and security data from hosts, containers, orchestrators, network, process, and files” that the platform collects through its use of the extended Berkeley Packet Filter (eBPF). The machine learning and anomaly detection added with this release were built on that same data.
Sysdig calls VSP “the first and only unified view of the risk, health, and performance of Kubernetes environments.”
With containerized applications using microservices, which can consist of thousands of continuously changing pieces, errors in human-made configuration can become “inevitable,” the company writes in a statement.
“We audit all spawned and running processes, file system, network activity, and every single system call. When it comes to file systems, we audit every read and write activity, including files and directories, along with other Linux things like pipes. For network activity, we are auditing TCP/UDP ports and both incoming and outgoing connections. It ends up being an abundance of data that is then used to analyze runtime behavior and create a profile that whitelists expected activity,” explained Knox Anderson, director of product management at Sysdig, in an email interview. “Using auto-generated profiles, users can easily create a policy of what’s a safe and expected behavior of every container. If the container follows a different pattern, Sysdig will identify that as anomalous activity.”
Sysdig now uses machine learning to profile runtimes and “create a policy set that can be applied to container images automatically, providing a scalable runtime defense for large-scale environments,” according to a company statement. Alongside these policies, Sysdig also auto-generates confidence levels that it says provide “transparency and assurance into the container behavior as opposed to blindly applying black box auto-generated profiles.”
In addition to these machine learning features, Sysdig also released the Falco Rule Builder this week, a new user interface that expands upon the Falco Container Runtime Monitor, which the company donated to the Cloud Native Computing Foundation last year. The Falco Rule Builder simplifies the creation of rules by allowing users to “visually interact with the Falco engine to create new customized policies that can be applied to both hosts and containers based on their security and governance requirements without having to have deep technical knowledge of Falco expressions and filtering commands,” according to the statement.
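For a sense of what the Rule Builder abstracts away, here is a hand-written Falco rule, added as an illustration and not taken from Sysdig’s announcement or the Falco rule library: it whitelists the outbound TCP ports a hypothetical web container image (the image name and ports are assumed placeholders) is expected to use and alerts on any other connection, the same whitelist-then-flag-deviation idea behind the auto-generated profiles.

```yaml
# Added illustration, not from Sysdig's announcement or the Falco rule library.
# The image name and ports are assumed placeholders for a hypothetical web
# service whose learned profile only ever reaches HTTPS backends and PostgreSQL.

# The part an auto-generated profile would populate from observed activity.
- list: web_expected_remote_ports
  items: [443, 5432]

# A completed outbound TCP connect() syscall (evt.dir = < is the exit event).
- macro: outbound_connect
  condition: evt.type = connect and evt.dir = < and fd.l4proto = tcp

# Only events from containers running the placeholder image, never the host.
- macro: web_container
  condition: container.id != host and container.image.repository = "example/web"

- rule: Unexpected outbound connection from web container
  desc: >
    Alert when the web container opens a TCP connection to a remote port that
    is not in its whitelist of expected activity.
  condition: outbound_connect and web_container and not fd.rport in (web_expected_remote_ports)
  output: >
    Unexpected outbound connection from web container
    (user=%user.name command=%proc.cmdline connection=%fd.name
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [network, container, profile]
```

Falco loads this as a rules file alongside its default rules; in a profiled deployment the list above is what the learned profile would fill in rather than a human.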
Beyond simplifying rule creation with the Falco Rule Builder, Sysdig wants to make it easier for users to find and adopt rules by hosting the Falco Rule Library, where users can share rules with each other. Anderson writes that new rules will ship with every new Sysdig version, including rules curated and supported by the Sysdig team as well as rules contributed by the Falco community itself.
As for what’s next with Sysdig, Anderson says the company plans to continue building on these features, with an eye on Kubernetes for the fall.
“The rules library is something that we’ll expand with every release as new detections are contributed to the open source Sysdig project. On the profiling side, we’ll make it easier to extend profiling to Kubernetes services and not just container images,” wrote Anderson. “As everyone knows, KubeCon is coming up in November, so look forward to some new Kubernetes features at the conference.”
The Cloud Native Computing Foundation and KubeCon+CloudNativeCon are sponsors of The New Stack.