Sysdig meets the SOC 2 standards for security and availability

Sysdig announced it has achieved Service Organization Control (SOC) 2 Type II compliance for the Sysdig Secure DevOps Platform. The audit, conducted by Coalfire, found that Sysdig meets the SOC 2 standards for security and availability. The SOC 2 reports demonstrate the company’s ability to implement critical security policies and prove compliance over extended periods of time. “As a SaaS-first company that delivers a security and visibility platform for many of the largest organizations, Sysdig … More

The post Sysdig meets the SOC 2 standards for security and availability appeared first on Help Net Security.

Sysdig Secure integrates with IBM Cloud to provide end-to-end monitoring and security capabilities

Sysdig announced the global availability of Sysdig Secure embedded within IBM Cloud. IBM Cloud Monitoring with Sysdig, which uses Sysdig Monitor, is already the default monitoring solution used by IBM and offered to IBM Cloud customers when onboarding.

With this addition of Sysdig Secure, the Sysdig Secure DevOps Platform is tightly integrated with IBM Cloud to provide customers end-to-end monitoring and security capabilities.

The expansion of Sysdig Secure in IBM Cloud builds on the container, Kubernetes, and cloud monitoring capabilities of IBM Cloud Monitoring with Sysdig. Sysdig Secure adds image scanning, runtime security, compliance, incident response, and forensics.

Now, when operating in IBM Cloud, DevOps, cloud, and security teams can secure the build pipeline, detect and respond to runtime threats, and validate compliance using Sysdig Secure.

The Sysdig Secure DevOps Platform, which includes Sysdig Secure and Sysdig Monitor, closes the security and visibility gap for containers and Kubernetes.

With Sysdig, cloud teams can embed security, validate compliance, and scale monitoring to manage security risk and improve application availability. Granular data enriched with cloud and Kubernetes context gives teams the visibility they need to confidently run applications in production.

“Since announcing the IBM Cloud Monitoring with Sysdig initiative in 2018, we have gone through extensive testing with IBM and proved our ability to deliver security, compliance, and monitoring at scale,” said Knox Anderson, vice president of product at Sysdig.

“We deliver IBM Cloud Monitoring in six regions globally and adding Sysdig Secure to those regions will enable our joint customers to embed security, compliance, and performance into their DevOps workflow in just a few clicks.”

New capabilities added to IBM Cloud Monitoring with Sysdig

  • Image scanning: Automate scanning within CI/CD pipelines and registries and implement registry scanning inline. Block vulnerabilities pre-production and monitor for new CVEs at runtime. Map a critical vulnerability back to an application and development team.
  • Runtime security: Protects containers, Kubernetes, hosts, and IBM infrastructure with out-of-the-box policies based on open source Falco. Automatically trigger response actions and notify the right teams immediately.
  • Compliance: Ensure regulatory compliance standards are met, such as PCI-DSS, GDPR, NIST 800-190, with compliance checks and file integrity monitoring (FIM). Continuously validate cloud compliance for environments built on containers and Kubernetes across the entire application lifecycle.
  • Incident response and forensics: Conduct forensics and incident response for containers and Kubernetes to understand security breaches, meet compliance requirements, and recover quickly. Sysdig provides a single source of truth for all activity in the container ecosystem before, during, and after an incident.

The challenge of securing containers and Kubernetes

Containers are black boxes that hide their internal activity, making it difficult to gain the visibility required to manage security risk. They are normally deployed using microservices, numbering in the tens of thousands, which dynamically connect to form applications.

Managing this complex environment requires visibility into container activity, context to understand how the microservices interact, and a detailed audit record for investigating incidents and alerts.

The Sysdig platform provides granular visibility enriched with Kubernetes and cloud context, along with a detailed audit trail, that allows teams to confidently run applications in production.

Sysdig launches zero trust network security for Kubernetes to cut microsegmentation time

Sysdig announced the launch of zero trust network security for Kubernetes. This launch expands Sysdig’s runtime security to add network visibility and segmentation. With total network visibility and automated rule creation, Sysdig reduces the time to implement network security from weeks to hours.

Sysdig also announced the expansion of IBM Cloud Monitoring with Sysdig to include Sysdig Secure.

The best strategy for network security is to use native controls, such as Kubernetes network policies, to enforce zero trust network segmentation. With this approach, DevOps teams have confidence that their policies are being implemented accurately. The modern software development stack is moving to open standards and security is no exception.

New zero trust network security with Sysdig

Quickly understand network communications with new topology maps: DevOps teams are often blind to how containerized apps are communicating. This understanding is critical in creating effective policies.

Sysdig adds dynamic network topology maps to visualize all communication into and out of a particular pod, service, and application. This detailed visibility allows DevOps teams to spot malicious attempts that take advantage of permissive network policies before it’s too late.

Save time with low-touch Kubernetes-native network segmentation: Kubernetes network policies are hard for teams to implement. A lot of time is wasted going back-and-forth between developers and DevOps teams to agree on the right network policy. With this announcement, Sysdig saves time by automating least privilege policies based on observed traffic enriched with application and Kubernetes metadata.

Teams can easily implement accurate network policies that are not too permissive, but also do not break application functionality. It also helps organizations meet compliance requirements, such as NIST and PCI, which require network segmentation.
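The segmentation approach described above, which derives least-privilege Kubernetes network policies from observed traffic, can be illustrated in code. The following Python example is added here as an illustration and is not Sysdig's code; it assumes pods carry an `app` label, that the observed flows below (constructed sample data, not real telemetry) are already enriched with the source and destination pod's label, and that a default-deny ingress policy is applied alongside the generated allow-lists.

```python
import json
from collections import defaultdict

# Constructed sample of observed, accepted pod-to-pod connections (not real
# telemetry). The label key "app" used to identify workloads is an assumption.
OBSERVED_FLOWS = [
    {"namespace": "shop", "src_app": "frontend", "dst_app": "cart", "port": 8080, "protocol": "TCP"},
    {"namespace": "shop", "src_app": "frontend", "dst_app": "cart", "port": 8080, "protocol": "TCP"},
    {"namespace": "shop", "src_app": "cart", "dst_app": "redis", "port": 6379, "protocol": "TCP"},
]


def default_deny_ingress(namespace):
    """Baseline policy: select every pod in the namespace and allow no ingress.
    Without this, pods not selected by any policy accept all traffic."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def least_privilege_policies(flows):
    """One NetworkPolicy per destination app, allowing only the
    (source app, port, protocol) tuples that were actually observed.
    Duplicate flows collapse into a single rule."""
    grouped = defaultdict(lambda: defaultdict(set))
    for f in flows:
        grouped[(f["namespace"], f["dst_app"])][f["src_app"]].add((f["port"], f["protocol"]))
    policies = []
    for (ns, dst), sources in sorted(grouped.items()):
        ingress = [
            {
                "from": [{"podSelector": {"matchLabels": {"app": src}}}],
                "ports": [{"port": port, "protocol": proto} for port, proto in sorted(ports)],
            }
            for src, ports in sorted(sources.items())
        ]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-{dst}-ingress", "namespace": ns},
            "spec": {
                "podSelector": {"matchLabels": {"app": dst}},
                "policyTypes": ["Ingress"],
                "ingress": ingress,
            },
        })
    return policies


def is_allowed(policies, namespace, src_app, dst_app, port, protocol):
    """Evaluate a candidate connection against the generated allow-list.
    Kubernetes policy rules are additive, so with default-deny in place a
    connection is permitted only if some rule explicitly matches it."""
    for pol in policies:
        if pol["metadata"]["namespace"] != namespace:
            continue
        if pol["spec"]["podSelector"].get("matchLabels", {}).get("app") != dst_app:
            continue
        for rule in pol["spec"].get("ingress", []):
            src_ok = any(
                peer.get("podSelector", {}).get("matchLabels", {}).get("app") == src_app
                for peer in rule["from"]
            )
            port_ok = any(p["port"] == port and p["protocol"] == protocol for p in rule["ports"])
            if src_ok and port_ok:
                return True
    return False


def render_manifests(namespace, flows):
    """Emit a v1 List of manifests as JSON, which kubectl apply -f accepts;
    this avoids a YAML library dependency."""
    items = [default_deny_ingress(namespace)] + [
        p for p in least_privilege_policies(flows) if p["metadata"]["namespace"] == namespace
    ]
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    print(render_manifests("shop", OBSERVED_FLOWS))
    pols = least_privilege_policies(OBSERVED_FLOWS)
    # An unobserved path stays blocked even though both endpoints exist.
    print("frontend -> redis:6379 allowed?", is_allowed(pols, "shop", "frontend", "redis", 6379, "TCP"))
```

Two caveats apply when using this pattern in practice: the generated policies encode only what was seen during the observation window, so a path exercised rarely (a nightly job, a failover) must be reviewed and added deliberately rather than discovered as an outage; and NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so `is_allowed` here models intended behaviour, not a guarantee from the cluster.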

Conduct thorough investigations with process-level visibility: Being able to investigate all connections, either accepted or failed, is critical to responding to below-the-radar attempts before it’s too late.

With Sysdig Audit Tap, DevOps teams can fingerprint every process connection, giving full process-level visibility into the entire environment, including every network connection attempt.

Teams can monitor every connection made by a process, even if a connection is unsuccessful. Teams can also plug into existing incident response workflows by forwarding events to SIEM tools like Splunk.

Simplify the path to zero trust network security

Zero trust is centered on the belief that organizations should never automatically trust anything inside or outside their perimeters and instead must verify before granting access.

As cloud and Kubernetes adoption matures, so does interest in applying zero trust principles, but DevOps and security teams are inexperienced at applying a zero trust network security model to these new environments.

“There are several approaches to zero trust that forward-looking security teams can take advantage of. We believe using a Kubernetes-native approach that goes beyond traditional firewalling to enforce segmentation at the namespace and service level is the strongest approach,” said Omer Azaria, vice president of engineering, security at Sysdig.

“For developers and DevOps teams, we provide an easy button for implementing Kubernetes network policies. From the cloud security architect’s opinion, Kubernetes network policies provide guardrails that keep security and compliance in check as developers move quickly in the cloud.”

The Sysdig Secure DevOps Platform allows cloud teams to confidently secure containers, Kubernetes, and cloud services. With Sysdig, cloud teams secure the build pipeline, detect and respond to runtime threats, continuously validate compliance, and monitor and troubleshoot cloud infrastructure and services.

Sysdig Secure DevOps Platform offers onboarding, out-of-the-box dashboards and integrations

Sysdig announced a 5-minute setup for the Sysdig Secure DevOps Platform, a fast path to delivering container and Kubernetes security and visibility with a SaaS-first offering.

In the first five minutes, the Sysdig agent is installed, dashboards are ready to go, and visibility into vulnerabilities, threats, and compliance issues is available. In this time, cloud teams can activate the five essential workflows required to securely operate cloud-native workloads.

The workflows include image scanning, Kubernetes and container monitoring, application and cloud service monitoring, runtime security, and compliance. The latest release by Sysdig helps organizations of all sizes get results quickly and efficiently by giving customers guided onboarding as well as out-of-the-box dashboards and integrations. Sysdig also announced today a new Sysdig Essentials pricing tier, delivered as a SaaS solution, which packages these five core workflows for secure DevOps.

As cloud adoption matures, organizations are realizing that in order to ship applications faster, they need to incorporate image scanning, runtime security, and compliance, along with monitoring containers, applications, and services into their DevOps process. However, the reality is, organizations delay investments in security, compliance, and monitoring as they fear it slows application deployment.

As a result, teams are forced into a reactive mode when performance and availability issues impact applications in production. When customers or internal risk management teams require proof of security risk management, regulatory compliance, or worse, if a data breach occurs, organizations have to scramble.

By adopting a secure DevOps approach and turnkey tooling, organizations can address visibility, security, and compliance requirements without slowing down the release process. A best practice is using image scanning that integrates directly into registries and the CI/CD pipeline to efficiently manage risk. An analysis by Sysdig in June 2020 found that more than half of the common vulnerabilities and exposures (CVEs) found in non-OS packages carry a rating of “high” to “critical.” Images running as root are another risk that image scanning can identify. The same analysis by Sysdig found that 58 percent of images scanned run as root, indicating configuration issues that increase risk.

“Organizations benefiting from migrating IT operations to public clouds need to thoroughly review their security operations before releasing any new code. Much of the microservices development is new. Code management skill gaps exist and blindly releasing new functional capabilities will likely introduce new vulnerabilities,” said Frank Dickson, program vice president, cybersecurity products, IDC.

A faster path to visibility, security, and compliance

Sysdig is focused on making it easier to get started using a secure DevOps workflow for container and Kubernetes environments. With the announcement today, Sysdig simplifies onboarding for the most critical security, compliance, and monitoring functions.

Sysdig adds guided onboarding, turnkey workflows, and pre-built integrations, policies, and dashboards that reduce the time it takes for DevOps teams to get insights. By helping shorten the time to value and setting a new bar for onboarding efficiency, enterprises can rapidly meet key security, compliance, and availability requirements across their various container and Kubernetes environments.

The five essential workflows for secure DevOps

Image scanning: Organizations can manage security risk by finding and fixing vulnerabilities and misconfigurations early in the DevOps process through image scanning. Sysdig continuously scans images both within registries and CI/CD pipelines and during production. This saves time by uniquely mapping vulnerabilities to Kubernetes-based applications.

Runtime security: Using Falco, Sysdig enables organizations to detect threats at runtime without impacting performance. Falco is the open source Kubernetes runtime security project created by Sysdig and now a Cloud Native Computing Foundation project.

Compliance: Passing compliance audits can be time consuming and failing is costly. Organizations can continuously validate using out-of-the-box rules mapped against common compliance frameworks including PCI, NIST, and CIS.

Kubernetes and container monitoring: With Sysdig, cloud teams receive automatic alerts and detailed health and performance information, including golden signals for clusters, deployments, namespaces, and workloads. Deep visibility into container activity enriched with cloud and Kubernetes context allows teams to manage the complexity that is a reality in a containerized ecosystem.

Application and cloud service monitoring with full Prometheus compatibility: By leveraging native support for PromQL and Prometheus metrics, DevOps teams can use the industry standard their developers prefer, without running into scaling challenges. Out-of-the-box dashboards display metrics from cloud services, databases, and other key components in their application environment.

Sysdig offers five additional workflows, which include advanced troubleshooting, machine learning-based anomaly detection, threat prevention, incident response and forensics, and extended compliance controls. The advanced enterprise workflows include specialized capabilities that yield greater efficiency for DevOps teams. Once a cloud team has implemented the basics, they can move to more advanced workflows that further strengthen security and resilience.

Single source of truth across development, DevOps, and security

The Sysdig Secure DevOps Platform is the only unified security and monitoring platform. With a single source of truth, Sysdig eliminates silos of information between development, DevOps, and security teams. With this approach, organizations can resolve issues quickly by analyzing granular system data automatically correlated to cloud and Kubernetes context.

In light of shifting global dynamics, platform tools that combine use cases have moved to the forefront of IT priorities in an effort to help organizations control costs and improve efficiency. Sysdig enables organizations to quickly address security, monitoring, and compliance with a single tool and simple setup and onboarding.

New Sysdig Essentials tier as part of the SaaS offering covers core workflows

In addition to the essential workflows introduced today, the latest Sysdig release includes the Sysdig Essentials pricing tier for organizations looking to start with the essential use cases. The Sysdig Essentials tier provides a simplified on-ramp to a secure DevOps approach.

The Sysdig Essentials tier is offered as SaaS only, whereas the enterprise tier of the Sysdig Secure DevOps Platform is offered on-prem and as a SaaS deployment. SaaS provides faster adoption, more efficient management, and offers organizations security, compliance, and monitoring at a lower cost. The new tier starts with a 14-day free trial. All Sysdig products and tiers are priced per host/month.

“Due to the current state of the world, developers are feeling extreme pressure to deliver applications quicker. To keep pace, there has been a dramatic shift in cloud migration timelines. However, operating a Kubernetes and container environment can be complex and time consuming, even for the most experienced DevOps teams. Sysdig has a SaaS-first option approach that enables customers to be operational within minutes so they can focus on developing revenue-producing features, not spending time onboarding tools. As environments grow, Sysdig provides the advanced workflows and scale they need,” said Suresh Vasudevan, CEO, Sysdig.

Sysdig expands data center options to additional hosting locations to satisfy growing demand

Sysdig announced new data center options in Frankfurt, Germany and on the west coast of the United States, in Oregon, to satisfy growing demand for the Sysdig Secure DevOps Platform.

The expansion of Sysdig services to additional hosting locations prepares Sysdig for the next stage of growth. The two data centers strengthen data protection standards by adding encryption at rest.

Organizations recognize the advantages that come with cloud native and are rapidly moving to containers and Kubernetes to accelerate innovation. In the current business environment, many companies are speeding cloud-native transitions, and look to Sysdig to address their security, visibility, and compliance requirements for containers.

The data centers in Germany and on the west coast of the United States are in addition to the company’s current data center on the east coast of the United States, in Virginia.

“We are adding hosting locations in response to our rapid expansion,” said Suresh Vasudevan, chief executive officer, Sysdig.

“The Sysdig Secure DevOps Platform scales to support the largest enterprise cloud deployments, while providing a fast ramp to productivity with our SaaS offering. We have several marquee customers in the EU and they prefer a local data center.”

Key customer benefits

  • Better EMEA user experience: The German data center enables Sysdig to service European companies with reduced latency.
  • Stringent data protection: The new data centers offer full encryption. Data is encrypted at rest in addition to the existing encryption for data in motion across public networks. Sysdig also pursues key independent third-party validations of its security, processes, and services. Sysdig has successfully completed a SOC 2 Type 1 audit and the company is currently going through the SOC 2 Type 2 certification. Sysdig undergoes third-party network penetration testing and source code reviews annually and external network penetration testing quarterly. Customers can use Sysdig knowing their data is being protected properly.
  • Green data centers: Sysdig selected data centers that are powered by renewable energy.

Customer experience

New customers have the option to select the data center of their choice. Existing customers can continue to use the Virginia data center or they can switch to one of the new locations. Current customers that choose to use a new data center should contact Sysdig for support. Sysdig has dedicated teammates that will help customers transition.

Sysdig provides cloud monitoring at scale with full Prometheus compatibility

Sysdig, the secure DevOps leader, announced cloud monitoring at scale with full Prometheus compatibility. Sysdig addresses the issues that hold teams back from the organization-wide adoption of Prometheus monitoring: scale, data retention, and enterprise access controls.

Sysdig also introduces support for creating dashboards, alerts, and metric analytics based on PromQL, the query language for Prometheus. Sysdig is the only enterprise monitoring solution to be fully compatible with Prometheus. This allows customers to retain their investment in existing Prometheus exporters, configurations, alerts, and dashboards.

With Sysdig, DevOps and cloud teams can scale their visibility, security, and troubleshooting capabilities with a supported platform that simplifies management.

In a separate release, the company announced PromCat, a free repository of curated Prometheus exporters, dashboards, and alerts to monitor any infrastructure, application, and service running in the cloud. Sysdig offers documentation and suggested configurations for PromCat integrations.

“As enterprises journey to the cloud, our focus is on helping them accelerate application development and deliver new, competitive capabilities. A core challenge in this is reducing the complexity in managing various workloads with technologies all over the world,” said Jason McGee, chief technology officer and vice president, IBM Cloud Platform.

“IBM Cloud is built on open technologies to address this issue and connect various IT and cloud environments. Since Prometheus is the key monitoring tool within many of IBM Cloud’s open projects, Sysdig cloud monitoring with Prometheus compatibility provides development teams with a more holistic view that can help them further simplify operations.”

Organizations are moving to the cloud and DevOps workflows to ship applications faster. However, meeting customer expectations requires complete visibility into infrastructure, services, and applications across multi and hybrid clouds and on-premises data centers.

Developers are rapidly adopting open source Prometheus to monitor the performance of their applications. With more than 13,500 code commits and 6,300 contributors, Prometheus adoption is accelerating. However, as organizations transition to full-scale production, they encounter scaling and workflow issues.

Additional requirements — including the need for centralized and scalable metric stores, a unified view across clusters and services, and out-of-the-box insights — are needed in order to reduce risk and maintain application availability.

Without a macro view of the environment, it is difficult to anticipate issues with microservices that have cross-platform dependencies.

Fully compatible Prometheus monitoring

As organizations scale cloud deployments, they want to retain the industry-standard monitoring approach their developers prefer. Sysdig is the only cloud-scale monitoring solution fully compatible with Prometheus and the PromQL query language.

This enables DevOps teams to retain their investment in existing Prometheus exporters, configurations, alerts, and dashboards. The Sysdig platform enhances its existing capabilities with greater scale, visibility, security, troubleshooting, and support.

Cloud scale

With microservices and Kubernetes, scaling is a major hurdle. With Kubernetes, there is an increase in the number of objects and labels to track. With microservices, there is a dramatic increase in instances to monitor and therefore, the number of metrics to collect.

Additionally, with Prometheus, companies are forced to monitor each Prometheus server on its own, making it difficult to view trends that would be visible from a unified view. Issues on microservices that have cross-platform dependencies may go unnoticed.

The Sysdig Secure DevOps Platform provides a scalable system that can handle more than 100 million metrics per second, and retain up to 13 months of data. Sysdig is the monitoring solution for IBM Cloud Platform, one of the largest Prometheus monitoring deployments today.

With Sysdig, teams can adopt Prometheus compatible monitoring using an enterprise-ready platform.

Other enhancements

  • Long-term datastore: With Sysdig data storage, Prometheus metrics are stored for 13 months, instead of just days or weeks. This gives DevOps teams access to long-term analysis to make better-informed capacity planning and resource usage decisions.
  • Out-of-the-box Kubernetes dashboards: Sysdig reduces complexity and time to production with out-of-the-box Kubernetes dashboards. By bringing together platform monitoring and workload monitoring, DevOps teams can resolve issues faster.

“Prometheus brings tremendous value to developers, which is why we standardized our monitoring approach on the open source project,” said Payal Chakravarty, vice president, product management at Sysdig.

“There are, however, scaling challenges for the enterprise. By extending Prometheus monitoring, we’re able to help enterprises to use the Prometheus monitoring approach they love, while also giving them the scale, workflows, controls, and insights they need to maximize performance and availability.”

The Sysdig approach

To date, Sysdig is the only security company to support a secure DevOps approach by integrating monitoring and security into a single platform. Cloud teams can embed security, maximize availability, and ensure compliance. By integrating security into the DevOps process, teams can realize the business goals in their transition to cloud native.

Sysdig is a strong advocate for open source technologies, including three open source technologies created by the company, sysdig, sysdig Inspect, and Falco, an open source cloud-native runtime security project. Currently, Falco is an incubation-level hosted project in the CNCF.

Sysdig’s Cloud-Native Security Hub is now available

Sysdig, the secure DevOps leader, has made the Cloud-Native Security Hub available in the open. The Cloud-Native Security Hub is a repository for discovering and sharing Kubernetes security best practices and configurations. The Sysdig open source team kicked off the project this summer, and the company will donate the project and supporting resources to the Falco open source community. Falco, the open source Kubernetes runtime security project, was originally started by Sysdig and since Oct. … More

The post Sysdig’s Cloud-Native Security Hub is now available appeared first on Help Net Security.

New infosec products of the week: November 15, 2019

Sysdig Secure 3.0 provides enterprises with threat prevention at runtime

Sysdig Secure 3.0 includes an incident response and audit tool for Kubernetes, giving enterprises the ability to reconstruct historical system activity. Enabling these capabilities are three new features: Kubernetes Policy Advisor, Falco Tuning, and Activity Audit.

Jamf unveils Jamf Protect, an enterprise Mac endpoint protection solution

Jamf Protect leverages native Apple security tools and on-device analysis of macOS activity to create customized telemetry that gives … More

The post New infosec products of the week: November 15, 2019 appeared first on Help Net Security.