Sysdig adds cloud security to container observability mix
Some IT experts believe Sysdig could appeal to enterprises by combining cloud and application security data in one interface, within a broader DevOps observability tool set.
Sysdig has expanded its DevOps platform to ingest cloud security data and correlate it with container security issues in the vendor's latest move beyond its initial focus on observability.
Sysdig was among the earliest DevOps monitoring vendors -- now often described as observability vendors -- to expand into container security when it released Sysdig Secure in October 2017. It's a trend that has since caught on among competitors such as Dynatrace, Datadog and Cisco's AppDynamics, which each added security monitoring over the last year.
As of this week, the Sysdig tool now ingests AWS logs via the open source Cloud Custodian tool and Google Cloud Platform (GCP) audit logs. It then correlates that data with the security information that it already collects on container workloads.
"The advantage that Sysdig has here with their existing customer base ... as [it] moves into the security realm, [is that] it starts to create a holistic IT operations and security operations offering," said Sandy Carielli, analyst at Forrester Research. "It makes sense to be able to bring that together with cloud infrastructure."
Anticipating a cloud lateral movement threat
Sysdig Secure DevOps now displays cloud security data through a new set of features that include a cloud security posture management (CSPM) tool for AWS and GCP; threat detection and security policy management for AWS and GCP based on Sysdig's open source Falco project; and Cloud Risk Insights, a dashboard and alerting mechanism that correlates container security issues with cloud infrastructure components in AWS and GCP. Future releases will add support for more public cloud vendors, including Azure, Sysdig officials said.
Sysdig's product expansion was prompted, in part, by security research at Sysdig that found a growing risk of lateral movement attacks, in which an attacker gains access to a container and then uses that to pivot into the broader cloud infrastructure, said Omer Azaria, the company's VP of engineering.
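The correlation the two paragraphs above describe, a container runtime alert tied to subsequent cloud control-plane activity by the same identity, can be sketched in a few lines. The following is an added illustration, not Sysdig's, Falco's or Cloud Custodian's code; it assumes a simplified event shape in which container alerts carry the IAM principal the pod runs as and cloud audit events carry the same principal name, and all sample records are constructed.

```python
"""Toy correlation of container runtime alerts with cloud audit-log events.

Added example, not code from Sysdig or the Falco project. Assumptions:
- container alerts (Falco-style) include the IAM principal of the workload
- cloud audit events (CloudTrail-style) name the same principal
Both record sets below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed container runtime alerts, simplified Falco-style output.
CONTAINER_ALERTS = [
    {"ts": "2021-06-01T12:00:10Z", "rule": "Read sensitive file in container",
     "pod": "web-7c9d", "principal": "role/web-task"},
    {"ts": "2021-06-01T12:30:00Z", "rule": "Terminal shell in container",
     "pod": "batch-1a2b", "principal": "role/batch-task"},
]

# Constructed cloud audit-log events, simplified CloudTrail-style output.
CLOUD_EVENTS = [
    {"ts": "2021-06-01T12:03:40Z", "principal": "role/web-task",
     "action": "s3:ListBuckets", "source_ip": "10.0.1.5"},
    {"ts": "2021-06-01T12:04:05Z", "principal": "role/web-task",
     "action": "iam:ListRoles", "source_ip": "10.0.1.5"},
    {"ts": "2021-06-01T13:45:00Z", "principal": "role/batch-task",
     "action": "s3:GetObject", "source_ip": "10.0.2.9"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, events, window_minutes=15):
    """Return (alert, related_events) pairs.

    An alert is correlated with every cloud audit event whose principal
    matches and whose timestamp falls within window_minutes after the alert.
    The function is pure, so it can be re-run as late-arriving audit events
    show up; cloud logs are typically delivered minutes after the fact.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    for alert in alerts:
        start = parse_ts(alert["ts"])
        related = [
            event for event in events
            if event["principal"] == alert["principal"]
            and start <= parse_ts(event["ts"]) <= start + window
        ]
        if related:
            findings.append((alert, related))
    return findings


def summarize(findings):
    """Flatten findings into one dict per correlated alert for a dashboard."""
    return [
        {"pod": alert["pod"], "rule": alert["rule"],
         "principal": alert["principal"],
         "cloud_actions": [e["action"] for e in events]}
        for alert, events in findings
    ]


if __name__ == "__main__":
    for row in summarize(correlate(CONTAINER_ALERTS, CLOUD_EVENTS)):
        print(row)
```

With the sample data, only the `web-7c9d` alert correlates: the same role enumerates S3 buckets and IAM roles within four minutes of the in-container file read, which is the container-to-cloud pivot pattern worth surfacing. The `batch-task` access comes 75 minutes after its alert and falls outside the window. Because audit logs arrive late, a real pipeline has to keep recent alerts in a buffer at least as long as the log delivery delay plus the correlation window, and re-evaluate when new events land.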
"We anticipate [this method] will be used more as more valuable data is moved to the cloud," he said. "We've seen it happen in our honeypots, as well as in several well-publicized attacks in recent years."
These include a 2019 Capital One data breach in which attackers were able to move from a misconfigured web application firewall (WAF) to other internal AWS resources, Azaria said.
However, lateral movement attacks are still more prevalent in traditional networks, according to other security researchers.
Misconfiguration by cloud users can expose parts of their infrastructure to attackers, but generally, web-scale public cloud infrastructure isn't as easy for attackers to access as on-premises data center networks, said Adrian Sanabria, senior research engineer at CyberRisk Alliance in Knoxville, Tenn.
"The bigger concern for people I talk to is the trustworthiness of the code running in the container and other systems," Sanabria said. "People aren't quite as aware as they should be how easy it is to compromise any number of commonly used open source libraries."
At the same time, there's no need to wait until attackers get to lateral movement attacks in public clouds, Sanabria added.
Sysdig stokes competition with cloud security specialists
CSPM, like much of the rest of the cybersecurity market, is undergoing explosive growth, with new startups emerging with fresh tools, and container security vendors such as Aqua Security expanding data collection coverage to include cloud hosts and CSPM in recent years.
Such specialist products often use real-time data collection methods that may be faster than the poll-based logging services offered by public cloud providers, on which Sysdig's cloud security tools rely in some cases.
For example, Cloud Custodian, which underpins Sysdig CSPM, integrates with AWS CloudWatch logs, which are collected with a minimum five-minute delay at the basic level and one minute for detailed monitoring. However, Sysdig's Falco provides real-time threat detection data for AWS and GCP with this release. Sysdig CSPM also adds missing data to CloudWatch logs such as user and IP address information.
Moreover, Cloud Custodian has transparency advantages over proprietary tools, according to Sysdig's Azaria.
"Our offering is based on an open source foundation [and customers] can understand exactly how the rules operate," he said. "By offering a combined CSPM and [cloud workload protection platform product], we provide a balance between data completeness, speed and ease of use."
Public clouds offer built-in security features that don't necessarily require a third-party tool like Sysdig's to operate, but it may take advanced skills for IT teams to use those built-in features most effectively, Sanabria said. Sysdig's tool could offer a shortcut by managing multiple clouds and shortening that learning curve.
"Nobody's using cloud to have a long deep think -- they're all in the cloud to move as fast as possible," Sanabria said. "A lot of cloud security vendors do get traction with folks that want to move as fast as possible and want help to do it safely."
Another potential advantage for Sysdig may lie in its Falco security policy project, which includes compliance and configuration enforcement features in addition to cloud security monitoring data. Open source Falco has caught on among some large enterprise early adopters of Kubernetes, including Shopify.
Sysdig Secure DevOps Platform adds to Falco with enriched context around events, and builds in a set of curated Falco policies for PCI DSS, HIPAA and the Mitre ATT&CK framework, with support for other compliance and security workflow frameworks to follow, Sysdig CMO Janet Matsuda said.
"Bringing these things together is becoming an important challenge for customers when they need to piece together a timeline of alerts from multiple tools," Matsuda said.