Sysdig Adds Unified Threat Detection Across Containers and Cloud to Combat Lateral Movement Attacks
March 30, 2021
Sysdig, Inc. announced the addition of unified cloud and container security with the launch of continuous cloud security posture management (CSPM). Threat research conducted by Sysdig shows that having a single view across cloud, workloads, and containers speeds the time to both detect and respond to lateral movement attacks, a common technique used in the majority of cybersecurity breaches. By pairing the Sysdig cloud security capabilities announced today with its container security features, teams can identify the entire attack chain and respond to threats faster. Introduced as a free tier, Sysdig CSPM capabilities are indefinitely free for one cloud account.
Attackers Have an Easy Path from Containers to Cloud
Identified in the MITRE framework, lateral movement is estimated to be involved in 70 percent of cyberattacks. This attack pattern occurs when a bad actor pivots through multiple systems and accounts to gain access to the objective target. Attackers involved in the 2019 Capital One breach utilized a similar movement pattern.
Illustrative of a typical lateral movement attack, the Sysdig Threat Research Team found that by exploiting an Apache vulnerability in a container, an attacker can secretly move into the cloud environment, expanding the attack surface. In this instance, the attacker can then execute arbitrary code on the machine and open a reverse shell within the system. After escalating privileges, they use pod access to find exposed cloud credentials and eventually gain access to the broader cloud environment. At this point, they are in a position to steal sensitive data.
The Power of Combined Cloud and Container Security
Using different cloud and container security tools requires a manual correlation of logs to catch the breach and uncover the systems impacted. By unifying the incident timeline and adding risk-based insights, Sysdig reduces the time to detect threats across clouds and containers from weeks to hours. Cloud development teams can see exactly where the attacker started and each step they took as they moved through the environment. Read “Cloud lateral movement: Breaking in through a vulnerable container” for more on the steps involved in this type of lateral cloud movement attack.
New Continuous CSPM From Sysdig
- Cloud Security Posture Management for AWS Based on Cloud Custodian: Sysdig adds cloud asset discovery, cloud services posture assessment, and compliance validation. Cloud security teams can manage their security posture by automatically discovering all cloud services, as well as flagging misconfigurations and violations of compliance and regulatory requirements. These new features are based on Cloud Custodian, an open source tool for securing cloud infrastructure.
- Multi-Cloud Threat Detection for AWS and GCP Based on Falco: Sysdig adds support for cloud threat detection via GCP audit logs, in addition to the AWS CloudTrail integration announced last year. Security teams can continuously detect suspicious activity or configuration changes across their infrastructure without relying on a periodic configuration check. Sophisticated attackers can take advantage of exposed configurations to access the cloud, then revert the change immediately once inside. A static check could miss these changes, leaving openings for attackers, and also overlook indicators that an attacker has breached the environment.
Sysdig uses open source Falco, the Cloud Native Computing Foundation's de facto runtime security project, and alerts based on continuously inspecting cloud audit logs. It performs the analysis within the user's cloud account, which protects sensitive data and eliminates costs tied to exporting logs. Currently, there are more than 200 out-of-the-box CloudTrail rules, and the database continues to grow as Sysdig and the community contribute at a rate of 20-50 new rules per month.
All Sysdig events, including CSPM, compliance, container runtime, and AWS CloudTrail events, can be sent to AWS Security Hub to allow security teams to respond to threats faster.
- Cloud Risk Insights: Sysdig provides new visual insights across interconnected cloud and container security incidents, prioritized by risk levels. Sysdig reduces alert noise and provides instant visibility to see the entire cloud attack chain, from a hacker exploiting a container vulnerability and accessing the cloud, to elevating privileges and performing catastrophic actions, such as cryptomining on a Kubernetes cluster. Classifying incidents based on severity levels allows teams to prioritize what to investigate and respond to first. Teams can then investigate all suspicious activity performed by a user to see the breadth of impact and quickly begin incident response activities.
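As an added illustration of the expose-then-revert point above (example code written here, not Sysdig's or Falco's): a Python check over constructed CloudTrail-style records that flags a resource opened to the internet and closed again within minutes, and shows what a point-in-time posture snapshot taken later would have reported. Field names follow CloudTrail's schema, but the records, resource ids and account id are made up, and the pair of expose/revert API names is a small illustrative subset.

```python
from datetime import datetime, timedelta

# Which API call exposes a resource and which call undoes it (illustrative subset).
EXPOSE_TO_REVERT = {
    "AuthorizeSecurityGroupIngress": "RevokeSecurityGroupIngress",
    "DeletePublicAccessBlock": "PutPublicAccessBlock",
}
REVERT_TO_EXPOSE = {v: k for k, v in EXPOSE_TO_REVERT.items()}

# Constructed CloudTrail-style events (not real logs); account id and ids are fake.
SAMPLE_EVENTS = [
    {"eventTime": "2021-03-30T10:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-svc"},
     "requestParameters": {"groupId": "sg-0abc", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2021-03-30T10:04:00Z", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-svc"},
     "requestParameters": {"groupId": "sg-0abc", "cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventTime": "2021-03-30T11:00:00Z", "eventName": "DeletePublicAccessBlock",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops"},
     "requestParameters": {"bucketName": "billing-exports"}},
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def resource_id(ev):
    p = ev.get("requestParameters") or {}
    return p.get("groupId") or p.get("bucketName")

def find_expose_then_revert(events, window=timedelta(minutes=15)):
    """Stream events in time order; report an exposing call undone within `window`."""
    pending = {}   # resource id -> exposing event that has not been reverted yet
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, rid = ev["eventName"], resource_id(ev)
        if name in EXPOSE_TO_REVERT:
            pending[rid] = ev
        elif name in REVERT_TO_EXPOSE and rid in pending:
            opened = pending.pop(rid)
            gap = parse_time(ev["eventTime"]) - parse_time(opened["eventTime"])
            if gap <= window:
                findings.append({"resource": rid, "user": ev["userIdentity"]["arn"],
                                 "opened": opened["eventTime"], "closed": ev["eventTime"],
                                 "seconds_open": int(gap.total_seconds())})
    return findings

def exposed_at(events, when):
    """What a point-in-time posture check run at `when` would see as exposed."""
    open_ids = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if parse_time(ev["eventTime"]) > when:
            break
        name, rid = ev["eventName"], resource_id(ev)
        if name in EXPOSE_TO_REVERT:
            open_ids.add(rid)
        elif name in REVERT_TO_EXPOSE:
            open_ids.discard(rid)
    return open_ids
```

With the sample data, the streaming check reports the security group that was open for four minutes, while a snapshot at noon shows only the bucket and never sees the security group change.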
Free Tier for Cloud Security
Sysdig is offering continuous cloud security for free, forever, for a single account. With easy onboarding, developers can begin to manage cloud posture within minutes. The free tier includes a daily check against CIS benchmarks and continuous threat detection to ensure cloud environments remain in a secure, compliant, and hardened state at all times. It also includes inline scanning for Fargate and ECR images, up to 250 images a month.
Open-Standards Approach to Cloud Security
Sysdig believes the future of security is open. Open source security delivers better security through faster innovation. Organizations can be confident they are adopting an accepted standard that will last. With this in mind, Sysdig chose to build its CSPM capabilities on top of Falco and Cloud Custodian. Sysdig selected the Cloud Custodian open source project because it has strong momentum in adoption, a rapidly growing database of rules, auto-remediation capabilities, and multi-cloud support.
Availability
Sysdig CSPM is available now, including the free tier. Sysdig is also launching a new game, Cloud Chaos, to introduce it.