The team behind Sysdig Secure has released version 2.4 of the container security product, sprinkling runtime profiling and a new policy editor into the mix.
To find out what is happening inside a container at runtime, the new profiling feature looks at the running processes, the ports an application communicates on, the files it reads and writes, and the system calls it executes. After a default profiling window of 24 hours, the system has automatically created a profile, which serves as a baseline for normal behaviour and can be used to create policies for better protection. The profile also goes into a library that contains all sorts of rules which can be mixed and matched into policies and customised if necessary.
While profiling is indeed a useful feature to have, Sysdig isn’t exactly the only company in the cloud native space looking into it. Sysdig’s approach, however, differs in aspects such as transparency and level of customisation, as director of technical marketing Jorge Salamero Sanz pointed out in a quick chat.
“Rather than offering profiling as a checkbox feature, we give you a lot of insight and control on how this feature works under the hood. For that we have introduced confidence levels,” he explained.
During the profiling process, Sysdig Secure analyses a variety of container activity, such as network traffic. But just because a container hasn’t communicated much doesn’t mean that behaviour is normal, which is what confidence levels are meant to reflect: a baseline built from little evidence deserves less trust than one built from a lot.
“If we have only recorded very little information and don’t know much, we have a low confidence level,” Sanz said. “If we have recorded a lot of information, we give you a high confidence level and then we iterate rules people can actually see and inspect. Rather than letting it completely open and coming up with a feature that would generate a lot of false positives, and not being very practical, this gives you all of the control.”
The automatically generated profiles can be combined with manually defined rules later on. This may well be needed if, for example, an image is used with different applications but the available profile only reflects one use case. Users can then take the infrastructure metadata Sysdig has access to into account and specify policies for different Kubernetes namespaces or for the regions a cloud provider may offer.
Sysdig Secure makes use of the open source project Falco to define rules. However, the project’s syntax can be tricky to learn, as Sanz admits. A new Falco Rule Builder UI was added to v2.4 to help with that. Users can now build their rules in a more visual way and even customise policies found in the product’s library. “You don’t have to be a hacker, everything can be done within the Sysdig UI.”
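To make the two ideas above concrete, the profiling baseline with confidence levels and a Falco rule derived from it, here is an added example that is not Sysdig's code and not taken from the Falco project. It ingests constructed activity records (process spawns, listening ports, file writes) for each container image, builds a per-image baseline, assigns a confidence level from how much evidence was seen (the thresholds are assumptions, the article gives no numbers), flags activity outside the baseline, and renders a Falco-style rule that alerts on unexpected processes. The image names, paths and the `spawned_process` macro (defined in Falco's default rule set) are assumptions for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample activity records, one per observed event: (image, kind, value).
# "kind" is one of the activity classes the article lists: processes, ports, files.
SAMPLE_EVENTS = [
    ("registry.example/web:1.0", "proc", "nginx"),
    ("registry.example/web:1.0", "proc", "nginx"),
    ("registry.example/web:1.0", "proc", "nginx"),
    ("registry.example/web:1.0", "port", "80"),
    ("registry.example/web:1.0", "port", "80"),
    ("registry.example/web:1.0", "file_write", "/var/log/nginx/access.log"),
    ("registry.example/web:1.0", "file_write", "/var/cache/nginx/client_temp"),
    ("registry.example/web:1.0", "proc", "sh"),
    ("registry.example/web:1.0", "proc", "cat"),
    ("registry.example/web:1.0", "port", "443"),
    ("registry.example/web:1.0", "file_write", "/var/log/nginx/error.log"),
    ("registry.example/web:1.0", "proc", "nginx"),
    # A second image with barely any evidence: its baseline should come out "low" confidence.
    ("registry.example/batch:2.1", "proc", "python3"),
    ("registry.example/batch:2.1", "file_write", "/tmp/out.csv"),
]

# Assumed confidence thresholds on the number of observed events (not Sysdig's numbers).
CONFIDENCE_THRESHOLDS = (("low", 5), ("medium", 20))  # anything at or above 20 is "high"


@dataclass
class Profile:
    """Baseline for one image: the set of values seen per activity kind, plus evidence count."""
    image: str
    observed: dict = field(default_factory=lambda: defaultdict(set))
    event_count: int = 0

    @property
    def confidence(self) -> str:
        for level, limit in CONFIDENCE_THRESHOLDS:
            if self.event_count < limit:
                return level
        return "high"


def build_profiles(events):
    """Group events by image and record every distinct process, port and file seen."""
    profiles = {}
    for image, kind, value in events:
        profile = profiles.setdefault(image, Profile(image))
        profile.observed[kind].add(value)
        profile.event_count += 1
    return profiles


def deviations(profile, events):
    """Return (kind, value) pairs for profile.image that the baseline never saw."""
    return [
        (kind, value)
        for image, kind, value in events
        if image == profile.image and value not in profile.observed.get(kind, set())
    ]


def render_falco_rule(profile):
    """Render a Falco-style list and rule that alert on processes outside the baseline.

    The rule uses Falco's container.image.repository and proc.name fields and the
    spawned_process macro from Falco's default rules; the confidence level is carried
    in the description and tags so a reviewer can weigh how much to trust the baseline.
    """
    repo = profile.image.split(":")[0]
    slug = re.sub(r"[^a-z0-9]+", "_", repo.lower())
    procs = ", ".join(sorted(profile.observed.get("proc", ())))
    return (
        f"- list: {slug}_allowed_procs\n"
        f"  items: [{procs}]\n"
        f"- rule: Unexpected process in {repo}\n"
        f"  desc: Process outside the {profile.confidence}-confidence baseline profiled for {repo}\n"
        f"  condition: >\n"
        f'    spawned_process and container.image.repository = "{repo}"\n'
        f"    and not proc.name in ({slug}_allowed_procs)\n"
        f"  output: Unexpected process (image=%container.image.repository proc=%proc.name cmdline=%proc.cmdline)\n"
        f"  priority: WARNING\n"
        f"  tags: [profile, confidence_{profile.confidence}]\n"
    )


if __name__ == "__main__":
    for image, profile in build_profiles(SAMPLE_EVENTS).items():
        print(f"{image}: {profile.event_count} events, confidence={profile.confidence}")
        print(render_falco_rule(profile))
```

The point of carrying the confidence level into the rendered rule is the one Sanz makes: a reviewer can see why a rule exists and how much evidence backs it before enabling it, rather than trusting an opaque baseline that may have been built from a few minutes of quiet traffic.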
Another UI-based feature included in this release is Sysdig Vulnerability Reporting, offering customers an easier way of checking a system for vulnerabilities. It also comes with filtering options, which is useful when only certain namespaces or severity levels are of interest. An advanced alert configuration was added to give teams the option to pick a channel of their choice (Slack or e-mail, for example) for alerts triggered by events such as a new image being pushed or the CVE information of an image changing.
All new features are available to customers of Sysdig Secure and Sysdig Platform.
Moving forward, Salamero Sanz sees Sysdig working on additional ways to help enterprises interested in moving to containers or cloud native infrastructure get there and manage day-2 operations such as monitoring, security, and incident response.