Sysdig - IT Press Tour #48 Jan. 2023

The IT Press Tour

January 26, 2023

Transcript

  1. Agenda (Sysdig, Inc. proprietary information)
     • Introduction to Sysdig (3:15 - 3:30, 15 minutes)
     • Threat detection and response (3:30 - 4:10, 40 minutes)
       ◦ Open source roots
       ◦ Threat research
       ◦ Cryptojacking detection
       ◦ Multilayered detection
       ◦ Demo
     • Leveraging “In-use Exposure” to Prioritize Risk (4:10 - 4:35, 25 minutes)
     • Sysdig 2023 Cloud-Native Security and Usage Report (4:35 - 4:50, 15 minutes)
     • Wrap Up (4:50 - 5:00, 10 minutes)
     • San Francisco themed happy hour (5:00 - 6:00, 1 hour)
  2. Our Mission: To Accelerate & Secure Cloud Innovation
     • Cloud and Container Security From Source To Run: software vulnerabilities, configuration risks, runtime threats, compliance gaps
     • Open Source: the OSS standard for Cloud Detection and Response; deep container forensics and troubleshooting; the open source standard for cloud-native threat detection
  3. Strong Growth Momentum (Our Mission: To Accelerate & Secure Cloud Innovation)
     • 120% growth in customers in 2022
     • 50 Million Falco downloads
     • Operations in 20+ countries; R&D in 7 countries
     • $750M in Funding
     • A Top Innovation Player, Global Container Security Industry
  4. The Challenges of Security at Cloud Scale
     • Vulnerability Management: How to shrink the vulnerability backlog and manage risk without overwhelming developers?
     • Configuration Management: How to inventory cloud resources and ensure that configurations are secure and compliant?
     • Identity and Access Management: Who has access to what resources, and what permissions are actually used?
     • Threat Detection and Response: What data and context is key to detect and respond to anomalies and incidents in the cloud?
     * IBM 2022 cost of a breach report
  5. Sysdig Customers (Information on this slide is confidential)
     • AWS, GCP Clouds. Use-cases:
       ◦ Kubernetes runtime security
       ◦ Real-time anomaly and threat detection based on user / cloud activity logs
     • 40,000+ nodes K8s. Use-cases:
       ◦ Vulnerability management across CI/CD pipeline and runtime environments
       ◦ Detect and prevent drift and track compliance
     • 140,000+ nodes, 1000s of apps. Use-cases:
       ◦ EDR for Linux VMs / Containers
       ◦ Extract critical runtime data to feed threat detection / security analytics
     • 3K+ Fargate tasks, EC2 hosts. Use-cases:
       ◦ Pipeline and runtime image scanning
       ◦ Threat detection and response for Fargate based applications
     • Global payment processor
  6. Securing VMs, Hosts, Kubernetes and Cloud Services (CODE / BUILD / RUN / RESPOND)
     Capability areas: Configuration Management, Infrastructure as Code Validation, Vulnerability Management, Threat Detection, Incident Response, Supply Chain Security, Compliance, Identity and Access Management
     • CI/CD pipelines, registries, and hosts
     • Prioritization based on in-use vulns
     • Capture detailed record for forensics
     • Block malicious containers / processes
     • CSPM / cloud misconfigurations
     • Cloud inventory
     • Cloud threat detection
     • Workload runtime security
     • Drift prevention
     • Block risky configs
     • Identity and Access Management: CIEM / least privilege; prioritization based on in-use permissions
  7. Threat Detection & Response
     • Loris Degioanni, CTO and Founder
     • Knox Anderson, VP of Product Management
     • Omer Azaria, VP of Engineering
     • Michael Clark, Director of Threat Research
  8. The Strength of Open Source
     Loris Degioanni (USA/Italy); Edd Wilder-James (USA); Gerald Combs (USA); Mark Stemm (USA); Aizhamal Nurmamat kyzy (USA); Michele Zuccala (Italy); Leonardo Grasso (Italy); Thomas Labarussias (France); Luca Guerra (Italy); Jason Dellaluce (Italy); Pablo Musa (Amsterdam); Lorenzo Susini (Spain); Vicente Jimenez Miras (Germany); Jacque Salinas (USA); Andrea Terzolo (Italy); Jennifer Pospishek (USA)
  9. Falco: the Standard for Workload Detection & Response
     Monitoring system events coming from the kernel. Supports hosts, containers, Fargate.
  10. Workload Security Products Built on Falco
      Monitoring system events coming from the kernel. Supports hosts, containers, Fargate.
  11. Falco’s Evolution to Support Cloud Services
      Monitoring cloud events (or any sort of event). Standard API definitions for adding new sources & event data enrichment.
      • Agentless
      • Low costs (no storage fees)
      • Enterprise ready customizations
      • Powered by threat research and threat intel
      • Standardized detection across cloud and workload
  12. What Is Cloud Detection & Response (CDR)?
      • Workload D&R
        ◦ Environment: VMs, Containers, Kubernetes
        ◦ Data Sources: eBPF, K8s Audit, System Logs, Network Logs
        ◦ Detection Examples: Reverse Shell; Crypto Miner Started; Sensitive File Read
      • Cloud Service D&R
        ◦ Environment: Cloud Services & Control Plane
        ◦ Data Sources: CloudTrail, GCP Audit Logs, Azure Activity Logs, S3/Data logs, Flow logs
        ◦ Detection Examples: Console Login without MFA; Account Takeover; Command Executed in Unused Region
      • Identity D&R
        ◦ Environment: IDP (IAM, Okta, etc.)
        ◦ Data Sources: IAM Logs, Okta Logs
        ◦ Detection Examples: Okta Employee Impersonated; Account Deactivate MFA
      • Personas: SOC, CSIRT, DART, Detection Engineering, SecOps
  13. Sysdig’s Threat Research and ML Experts
      Michael Clark (Director of TRT, former Gartner analyst, USA); Crystal Morin (Threat Intel, USA); Matthew McCorvey (Threat Research, USA); Giuseppe Cocomazzi (Vuln Research, France); Stefano Chierici (TR Manager, Italy); Emanuele Fasce (Machine Learning, Italy); Alessandro Brucato (Threat Research, Italy); Biagio Dipalma (Threat Research, Italy); Anna Belak (Thought Leadership, former Gartner analyst); Alberto Pellitteri (Threat Research, Italy); Nick Lang (Threat Research, USA); Francesco Lacriola (Machine Learning, Italy); Jamie Butler (Runtime Protection and Response, USA); Francesca Murabito (Machine Learning, Italy); Flavio Mutti (ML Manager, Italy); Jason Avery (Threat Research, USA); Jason Andress (Threat Research, USA)
  14. Cyber Attacks in the Cloud Era - Freejacking / PURPLEURCHIN
      “Think of this as the cloud equivalent of a coupon fraud scam on a massively automated scale; the free computing power is the coupon, and cryptocurrency is the item up for purchase.”
  15. How Did We Find Them (and others)?
      Multi-Cloud, Container Native Honeypot network; Public Repositories; Active Scanning
      • All major cloud vendors
      • Dozens of regions
      • Hundreds of exposed applications
      • Automated forensics
      • Big data analysis
      • Container image registries
      • Sandbox technology powered by Falco
      • GitHub
      • Dark Web
  16. Vulnerability Research
      • Continuous research into cloud-native technologies
      • Responsible disclosure
      • Example: CVE-2023-0210 in the Linux kernel
  17. Bitcoin Miner Detection Using ML
      Using machine learning to detect cryptominers early with 99% precision. Sysdig’s process-activity telemetry provides the level of granularity required for accurate detection of malicious behavior.
  18. Threat Research - Multi Layer Approach
      1. Custom + Premium Threat Intelligence
      2. Public repos active scanning
      3. Vulnerability research
      4. Behavior based detections
      5. ML based detections
  19. The Power of In Use Risk Exposure
      Knox Anderson, VP of Product Management
  20. Prioritize What Matters with In-Use Risk Exposure
      Permissions, Vulnerabilities, Kubernetes, Cloud → In-Use Vulnerabilities, In-Use Permissions
      Only 15% of vulnerabilities are in-use at runtime.
  21. In-Use Risk Exposure to Prioritize What Matters
      Platform (CI/CD/Production) → In-Use Risk Exposure Filter → Top Risks ToDo, Effective Prioritization, REST APIs
      • Vulnerabilities: 1000 → In-Use Packages: 50
      • Configuration: 50 → In-Use Config: 25
      • Permissions: 100 → In-Use Permissions: 2
      • K8s Network Connections: 5000 → In-Use Network Connections: 50
      “I’m saving an hour and a half per vulnerability by not having to investigate when the package is not in use.”
  22. Risk Spotlight Solves Vulnerability Overload
      Risk Spotlight eliminates noise by identifying the few vulnerabilities that pose actual risk, which are the ones tied to active packages at runtime.
  23. Sysdig & Snyk: The Only Solution to Bridge Devs, Sec, & Ops (#BetterTogether)
      • Protect against runtime threats: packages running in production
      • Build secure from the start (Snyk Container): vulnerability details and fixes
      • Ops/Sec get faster fixes to production: ~4 days vs 200 days average
  24. The Only Solution to Bridge Devs, Sec, & Ops
      Eliminate container vulnerability noise (#BetterTogether)
  25. Strategies - Least Permissive By Policy
      • Suggestions are generated by looking at the activity of all users and roles attached to this policy
      • Customers can easily reduce the scope of a policy’s permissions to only what was actually used
      • The policy is already in JSON format and can be copied/pasted directly into the IAM console
      (UI: select Remediate from a specific Policy Row to see the Policy Suggestion, then Copy)
  26. Strategies - Least Permissive By Role
      • Suggestions are generated by looking at all of the activity of this specific role
      • The idea is to create one role-specific policy that covers everything, rather than attaching many policies to a role
      • Achieving Least Permissive through Roles is a great strategy for companies with federated identity providers like Okta
      (UI: select a specific role to drill into CIEM for more details)
  27. Sysdig 2023 Cloud-Native Security and Usage Report
      Pawan Shankar. Under embargo: Wednesday, February 1
  28. Based on data from Sysdig customers for billions of containers, thousands of cloud accounts, and thousands of applications over the course of the last year
  29. Organizations Struggle to Manage the Software Supply Chain
      Container vulnerabilities are exploding
      • Vulnerabilities propagate every time a base image is reused
      • Supply chains create a massive attack surface
  30. 15% of High & Critical Vulns are In Use at Runtime
      Fix What Matters: prioritize vulnerabilities based on what’s in use. Reducing the number to 15% provides a more actionable workflow for modern vulnerability management.
  31. Zero Trust: Lots of Talk, Little Action
      • Excessive permissions are rampant in the cloud
      • Access management is not just about users, but also non-human roles (e.g. Lambda)
      • Need to apply least-privilege access based on in-use permissions
  32. Millions Wasted in Cloud Costs
      Customers running 1000+ nodes could save more than $10M per year on average