Sysdig Adds Unified Threat Detection Across Containers and Cloud to Combat Lateral Movement Attacks
- Sysdig introduces continuous CSPM to the Sysdig Secure DevOps Platform, multi-cloud threat detection for AWS and GCP, and a new free-forever cloud security tier.
- With lateral movement involved in an estimated 70% of breaches, Sysdig detects and responds to threats across cloud and containers from a single view.
- The Sysdig Threat Research Team finds that unifying threat detection saves hundreds of hours.
Sysdig, Inc., the secure DevOps leader, announced unified cloud and container security with the launch of continuous cloud security posture management (CSPM). Threat research conducted by Sysdig shows that a single view across cloud, workloads, and containers speeds both detection of and response to lateral movement attacks, a technique used in the majority of cybersecurity breaches. By pairing the cloud security capabilities announced today with its container security features, teams can see the entire attack chain and respond to threats faster. The Sysdig CSPM capabilities are introduced as a free tier and remain free indefinitely for one cloud account.
Attackers Have an Easy Path from Containers to Cloud
Catalogued as a tactic in the MITRE ATT&CK framework, lateral movement is estimated to be involved in 70 percent of cyberattacks. In this pattern an attacker pivots through multiple systems and accounts to reach the intended target. The attackers behind the 2019 Capital One breach used a similar movement pattern.
As an illustration of a typical lateral movement attack, the Sysdig Threat Research Team showed how exploiting an Apache vulnerability in a container lets an attacker move quietly from the container into the cloud environment, expanding the scope of the compromise well beyond the initial foothold. The vulnerability gives the attacker arbitrary code execution in the container, which they use to open a reverse shell. After escalating privileges, they use the pod's access to find exposed cloud credentials and, with those, reach the broader cloud environment, at which point they are positioned to steal sensitive data.
The Power of Combined Cloud and Container Security
Using separate cloud and container security tools requires manually correlating logs to catch a breach and identify the affected systems. By unifying the incident timeline and adding risk-based insights, Sysdig reduces the time to detect threats across clouds and containers from weeks to hours. Cloud development teams can see exactly where the attacker started and each step they took as they moved through the environment. Read "Cloud lateral movement: Breaking in through a vulnerable container" for more on the steps involved in this type of attack.
Cloud Security Posture Management for AWS Based on Cloud Custodian: Sysdig adds cloud asset discovery, posture assessment of cloud services, and compliance validation. Cloud security teams can manage their posture by automatically discovering all cloud services in use and flagging misconfigurations and violations of compliance and regulatory requirements. These features are built on Cloud Custodian, an open source tool for securing cloud infrastructure.
Multi-Cloud Threat Detection for AWS and GCP Based on Falco: Sysdig adds cloud threat detection from GCP audit logs, alongside the AWS CloudTrail integration released last year. Security teams can continuously detect suspicious activity and configuration changes across their infrastructure rather than relying on a periodic configuration check. Sophisticated attackers can briefly weaken a configuration to gain access to the cloud account and revert the change immediately once inside. A point-in-time check sees only the final state, so it misses both the transient opening and the indicators that an attacker has already breached the environment.
Sysdig uses open source Falco, the Cloud Native Computing Foundation (CNCF) runtime security project, to raise alerts from continuous inspection of cloud audit logs. The analysis runs inside the user's own cloud account, which keeps sensitive log data in place and avoids the cost of exporting it. More than 200 out-of-the-box CloudTrail rules are available today, and the rule set continues to grow as Sysdig and the community contribute 20 to 50 new rules per month.
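The difference between a periodic posture check and continuous inspection of the audit-log stream is easiest to see on a concrete "open, use, revert" sequence. The following is an added example and is not Sysdig or Falco code: it replays a handful of constructed records shaped like CloudTrail EC2 security-group events (field names follow CloudTrail, every value, group ID, ARN and IP is invented) through two checks. `snapshot_world_open` behaves like a scheduled posture scan and reports only rules that are still open at the time it runs; `detect_transient_exposure` walks the stream and flags any world-open rule that was revoked shortly after being added, together with the identity and source address that opened it.

```python
"""Streaming detection of a transient security-group exposure in CloudTrail.

Added example, not Sysdig or Falco code. Records below are constructed to
approximate CloudTrail's shape for EC2 security-group calls; values are
invented.
"""
from datetime import datetime, timedelta

# CIDRs that mean "the whole internet" for IPv4 and IPv6.
WORLD = {"0.0.0.0/0", "::/0"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _sg_event(name, when, gid, proto, port, cidr, arn, src_ip):
    """Build one constructed record in CloudTrail's shape (hypothetical values)."""
    return {
        "eventVersion": "1.08",
        "eventTime": when,
        "eventSource": "ec2.amazonaws.com",
        "eventName": name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": src_ip,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": {
            "groupId": gid,
            "ipPermissions": {"items": [{
                "ipProtocol": proto, "fromPort": port, "toPort": port,
                "ipRanges": {"items": [{"cidrIp": cidr}]},
            }]},
        },
    }


# Constructed sample: a legitimate HTTPS rule that stays open, and a compromised
# deploy key that opens SSH to the world, connects, and revokes it two minutes later.
SAMPLE_EVENTS = [
    _sg_event("AuthorizeSecurityGroupIngress", "2021-06-01T09:00:00Z",
              "sg-0legit000000000", "tcp", 443, "0.0.0.0/0",
              "arn:aws:iam::123456789012:user/web-admin", "203.0.113.10"),
    _sg_event("AuthorizeSecurityGroupIngress", "2021-06-01T10:00:00Z",
              "sg-0transient00000", "tcp", 22, "0.0.0.0/0",
              "arn:aws:iam::123456789012:user/ci-deploy", "198.51.100.77"),
    _sg_event("RevokeSecurityGroupIngress", "2021-06-01T10:02:00Z",
              "sg-0transient00000", "tcp", 22, "0.0.0.0/0",
              "arn:aws:iam::123456789012:user/ci-deploy", "198.51.100.77"),
]


def _parse_time(ev):
    return datetime.strptime(ev["eventTime"], TIME_FMT)


def _world_open_rules(ev):
    """Return (groupId, {(proto, fromPort, toPort)}) for rules aimed at the whole internet."""
    params = ev.get("requestParameters") or {}
    rules = set()
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        if cidrs & WORLD:
            rules.add((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return params.get("groupId"), rules


def snapshot_world_open(events, at):
    """Periodic CSPM-style check: state at time `at`, i.e. groups still open to the world."""
    state = {}
    for ev in sorted(events, key=_parse_time):
        if _parse_time(ev) > at:
            break
        gid, rules = _world_open_rules(ev)
        if not rules:
            continue
        if ev["eventName"] == "AuthorizeSecurityGroupIngress":
            state.setdefault(gid, set()).update(rules)
        elif ev["eventName"] == "RevokeSecurityGroupIngress":
            state.get(gid, set()).difference_update(rules)
    return {gid: rules for gid, rules in state.items() if rules}


def detect_transient_exposure(events, window=timedelta(hours=1)):
    """Continuous check: flag world-open rules revoked within `window` of being added."""
    pending = {}  # (groupId, rule) -> the Authorize event that opened it
    findings = []
    for ev in sorted(events, key=_parse_time):
        gid, rules = _world_open_rules(ev)
        for rule in rules:
            key = (gid, rule)
            if ev["eventName"] == "AuthorizeSecurityGroupIngress":
                pending[key] = ev
            elif ev["eventName"] == "RevokeSecurityGroupIngress" and key in pending:
                opened = pending.pop(key)
                held = _parse_time(ev) - _parse_time(opened)
                if held <= window:
                    findings.append({
                        "groupId": gid,
                        "rule": rule,
                        "open_for_seconds": int(held.total_seconds()),
                        "opened_by": opened["userIdentity"].get("arn"),
                        "source_ip": opened.get("sourceIPAddress"),
                    })
    return findings


if __name__ == "__main__":
    noon = datetime(2021, 6, 1, 12, 0, 0)
    print("snapshot at noon:", snapshot_world_open(SAMPLE_EVENTS, noon))
    print("transient exposures:", detect_transient_exposure(SAMPLE_EVENTS))
```

Run against the sample, the noon snapshot reports only the persistent HTTPS group and says nothing about the SSH rule that was open from 10:00 to 10:02, while the streaming check returns one finding naming `sg-0transient00000`, the 120 seconds it was exposed, and the `ci-deploy` identity that opened it. A real deployment would feed live CloudTrail records rather than a constructed list and would add the follow-on events (console logins, API calls from the same source address) that turn a single finding into an attack timeline; the pairing logic itself is the same.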
All Sysdig events, including CSPM, compliance, container runtime, and AWS CloudTrail events can be sent to AWS Security Hub to allow security teams to respond to threats faster.
Cloud Risk Insights: Sysdig adds visual insights that link related cloud and container security incidents, prioritized by risk level. It reduces alert noise and shows the entire cloud attack chain at a glance: an attacker exploiting a container vulnerability, gaining access to the cloud account, elevating privileges, and carrying out damaging actions such as cryptomining on a Kubernetes cluster. Classifying incidents by severity lets teams decide what to investigate and respond to first; they can then review all suspicious activity performed by a given user to gauge the breadth of impact and begin incident response.