TOP 10 USE CASES

for Securing Cloud and

Containers with Sysdig Secure

When migrating apps to the cloud or developing in modern threats, and manage cloud configurations, permissions,
cloud-native environments, organizations struggle to put and compliance.
together a security plan and get the visibility required
to manage security risk, continuously meet and validate From containers and Kubernetes to cloud services, with
compliance, as well as implement real-time protection Sysdig, you get a single view of risk from source to run,
across cloud and containers. with no blind spots, no guesswork, and no black boxes.

With Sysdig, security, DevOps, and developer teams Below are the top 10 security use cases supported by
can find and prioritize software vulnerabilities pre- Sysdig Secure for organizations to securely run apps in the
deployment and in production, detect and respond to cloud.

Secure
Secure Containers,
Containers, Kubernetes
Kubernetes and Cloud
and Cloud Services Services

CODE BUILD RUN RESPOND

Configuration
Infrastructure as Vulnerability Threat Incident
and Permission
Code Validation Management Detection Response
Management

• Block risky configs • Scan in CI/CD and • Detect cloud • Use Falco to detect • Capture detailed
• Auto-remediate at registries misconfigurations threats, drift, config record for forensics
the source • Block risky images • Enforce least changes, and • Remediate config
• Prioritize vulns using privilege access runtime vulns issues
security context • Use OPA to apply • Implement K8s • Block malicious
consistent policies native activity
microsegmentation

Compliance (PCI, NIST, SOC 2 and others)

Sysdig Secure

TOP 10 USE CASES

1
for Securing Cloud and Containers with Sysdig Secure
01 Cloud Security Posture
Management (CSPM)

Misconfigurations of cloud resources, like S3 buckets, both transitioning and operating in the cloud. A well-
are the most prevalent security vulnerability in the implemented cloud environment must include a solution
cloud, leaving organizations exposed to the risk of data to detect and prevent misconfigurations.
breaches, resource compromise, malicious insider, external
threats, etc. The chances of errors, policy mistakes, Sysdig Secure provides cloud security that enables
misunderstanding of shared responsibility, and undetected organizations to both monitor and validate security and
malicious actors increase with the complexity and growth compliance configuration controls, gaining consistent
of the assets and configuration controls. Managing cloud visibility of cloud risk by flagging misconfigurations and
configurations is critical to an organization’s success in detecting threats.

With Sysdig • Get visibility into multi-cloud compliance and variety of frameworks: CIS, PCI, NIST
Secure, security posture (AWS, Google Cloud, Azure) 800-53, SOC2, GDPR, HIPAA, ISO-27001-
you can: in minutes. Discover cloud assets, identify 2013, etc.
misconfigurations, and detect drift.
• Get coverage fast with out-of-the-box
• Navigate through environments filtering customizable policies and community-
events using rich cloud context, and across sourced rules for comprehensive
time periods. configuration checks and compliance
violations, as well as threat detection
• Meet and track security posture progress unveiling malicious activities in
with detailed reports and alerts for a broad the cloud.

TOP 10 USE CASES

2
for Securing Cloud and Containers with Sysdig Secure
02 Cloud Infrastructure Entitlements
Management (CIEM)

Overprivileged entitlement of human and non-human permissions are mostly granted in excess, exposing the
(Kubernetes clusters, services, containers, etc.) identities organization to unnecessary risk.
is a top cause of data breaches, and it is also the cause
of breaches with massive impact. A defensible cloud Sysdig Secure enables organizations to easily implement
environment requires cloud configuration to adhere to key and enforce least-privilege policies by discovering and
security principles such as least-privilege. CIEM refers to mitigating excessive permissions in less than a couple
controls that must be in place to protect access to cloud of minutes. Sysdig Secure auto-suggested policies make
resources and workloads. The growing number of cloud entitlement grants with only permissions that are actually
identities, and the increasing volume and granularity used and needed, closing a critical security gap certainly
of permissions, leave engineers without an easy way exploited by attackers to extract the maximum from the
to assign just the permissions needed. As a result, initial breach.

With Sysdig • Get instant visibility into cloud permissions • Narrow down to the minimum set of granular
Secure, to enforce least-privilege policies on cloud permissions for required actions without
you can: resources, accounts, users, and services, any effort. Just copy and paste the set of
including serverless functions. permissions suggested, which is already
formatted to be applied to cloud assets.
• Identify cases of excessive permission by
automatically analyzing entitlements granted • Validate compliance with detailed audit trails
versus what is the actual activity of cloud of cloud permission changes.
users and identities.
• Regularly perform access reviews to evaluate
active and inactive user permissions.

TOP 10 USE CASES

3
for Securing Cloud and Containers with Sysdig Secure
03 Compliance and Audit

From internal security practices to industry regulations Sysdig Secure provides automated compliance and
and even laws, all organizations are subject to some kind governance to continuously meet regulatory compliance
of cybersecurity or regulatory compliance obligations. standards for containers and cloud. From asset and
Meeting compliance is a must-have for organizations configuration inventory to mapping controls, policy
moving to the cloud, but cloud environments’ enforcement, and validation, it is all provided for a
configuration flexibility and dynamic nature make it hard comprehensive regulatory and corporate compliance
to meet compliance and pass audits. coverage within your organization.

With Sysdig • Automate compliance and governance by • Identify teams responsible for each
Secure, consistently applying OPA-based policies compliance control.
you can: across multiple IaC and Kubernetes
environments. • Pass audits by showing proof of cloud,
Kubernetes, and container compliance
• Validate cloud posture for security controls using cloud and Kubernetes audit logs and
using out-of-the-box checks to meet container forensics data.
regulatory standards (e.g., CIS benchmarks,
NIST 800-53, SOC2, PCI-DSS, etc.) for • Provide on-demand reports, dashboards, and
containers, Kubernetes, and cloud. assessments for internal and external auditors.

• Implement File Integrity Monitoring (FIM) for • Track pass/fail percentages to measure
containers and hosts. compliance progress.

TOP 10 USE CASES

4
for Securing Cloud and Containers with Sysdig Secure
04 Multi-Cloud Threat Detection

Cloud threats are becoming increasingly elaborate and Sysdig Secure offers multi-cloud threat protection by
complex. Detecting anomalous activities in real time that detecting suspicious activity across accounts and services
could be a sign of an attack or breach is critical. Activities in real time. It also applies stream detection to cloud
like configuration changes that elevate permissions and activity logs to catch suspicious activities as they happen,
weaken requirements for secure access should not be like access to a private S3 using exposed credentials, users
left unchecked. They could be a step in an attack plan. without MFA logged on that opens SSH to the public on
Adversaries leave a trail of their actions in cloud audit an internal server, among others. Sysdig Secure is based
logs, so monitoring those logs is critical to early detect on Falco, the open source standard for cloud native threat
their presence. detection, providing a flexible and intuitive rule engine
that empowers security teams to define detection rules
for any type of threat scenario in the cloud.

With Sysdig, • Investigate suspicious activity using cloud • Securely process sensitive data, configuration
you can: activity logs (e.g., AWS CloudTrail, Google metadata, and log events within your cloud
Cloud Audit Logs, Azure platform logs). account by only sending detection results to
Sysdig.
• Detect cloud threats in real time using
Falco’s granular rules and stream detection • Also, save money on SIEM costs by only
to alert on risky actions and behavior across sending Sysdig’s detected events to the SIEM
accounts, users, and cloud services. instead of all activity log data.

TOP 10 USE CASES

5
for Securing Cloud and Containers with Sysdig Secure
05 Infrastructure as Code (IaC)
Security

Configuration of cloud infrastructure that violates Sysdig Secure enables organizations to centrally and
security and compliance policies are common. They are consistently secure IaC of cloud and Kubernetes
also frequently the cause of incidents and audit issues. workloads. It prevents security and compliance violations
As organizations implement programmatic deployment before deployment, identifies drift in production
of cloud and Kubernetes infrastructure using IaC environments, and automates remediation of the
templates, like Terraform, Helm, and YAML, these templates at the source repository. Sysdig Secure prevents
configuration violations can happen on a much faster users from inadvertently misconfiguring templates
and larger scale. exposing the organization to security and compliance
risks, or malicious insiders from intentionally doing it.

With Sysdig • Manage IaC security and compliance risk by • Enforce policies via a Kubernetes
Secure, applying shift left security in the cloud. Scan admission controller using granular,
you can: IaC templates (Terraform, Helm, Kustomize, context-based OPA policies making them
YAML, etc.) before deploying in production specific to each application environment as
to identify configurations that are risky or needed.
violate compliance policies.
• Detect and auto-remediate drift between
• Centrally manage and automate compliance configurations as defined in the source IaC
and governance across multiple IaC template and what is actually applied in
frameworks and tools in cloud and production. Use DevOps out-of-the-box
Kubernetes environments. Use policy as code playbooks to seamlessly remediate security
(PaC) based on the open source standard and compliance violations via Git Pull
Open Policy Agent (OPA) to consistently apply Request (PR).
and enforce policies from code to runtime.

TOP 10 USE CASES

6
for Securing Cloud and Containers with Sysdig Secure
06 Vulnerability Management

One of the greatest challenges in cloud environments with common tooling used in CI/CD pipelines
today is to keep rapid development cycles while and runtime. With Sysdig Secure, Developers can
reducing risk. Integrating vulnerability management into resolve security issues before builds are completed
developers and DevOps processes is core to address the or containers are deployed, and SecOps teams can
large number of vulnerabilities found on OS and non- prevent untrusted containers from being deployed
OS packages in containers and hosts. Enterprises who in production via K8s admission controllers. SecOps
are most successful in the cloud close the gap between can also monitor vulnerabilities in registries as
developers, operations, and security teams to ensure well as containers and hosts in production in a
identification and remediation of vulnerabilities found single workflow, identifying the full impact of new
while building container images and throughout the vulnerabilities to running apps and prioritizing
container production life. remediation. Risk mitigation efforts are more
efficiently and effectively implemented with an
Sysdig enables teams to implement robust overall view of security and compliance that includes
vulnerability management through native integrations build pipeline, registries, and production.

TOP 10 USE CASES

7
for Securing Cloud and Containers with Sysdig Secure
With Sysdig • Shift security left by integrating container • Monitor vulnerabilities in production
Secure, image scanning into DevOps CI/CD pipeline without rescanning images. Get runtime
you can: tools, repos, and registries. alerts if unscanned images are deployed
into production, a new vulnerability is
• Catch operating system (OS) and discovered in a package in production,
non-OS packages vulnerabilities, or the scan status of one of your running
misconfigurations, credential exposures, images changes.
and risky practices.
• Scan hosts at runtime for vulnerabilities as
• Use out-of-the-box checks for Dockerfile well as risky configurations and compliance
security best practices and security violations, unifying containers and host
controls to meet regulatory requirements scanning in a single workflow that optimizes
for container compliance like NIST SP- mitigation of security and compliance
800-190, PCI DSS, and HIPAA. issues.

• Apply secure inline scanning to avoid • Assess the risk impact of new vulnerabilities
sending images outside. (CVEs) in seconds.

• Create policies to enforce controls in the • Reduce MTTR by assessing risk with
build pipeline, registries, and production ownership and context data. Map the
environment. vulnerabilities back to specific applications
and identify the team that needs to fix
• Scan serverless workloads by automatically them.
scanning AWS Fargate tasks and Google
Cloud Run containers. • Stay updated with vulnerability and
package data from OS vendors, package
• Prevent deployment of unscanned or repositories, and the National Vulnerability
vulnerable images into production. Use a database.
Kubernetes admission controller to block
images that don’t pass security policies from • Schedule reports to track progress in
being deployed. reducing risk exposure.

TOP 10 USE CASES

8
for Securing Cloud and Containers with Sysdig Secure
07 Runtime Threat Detection

Runtime threat detection is all about detecting Sysdig Secure provides unified container, host,
anomalous and malicious behavior and threats in Kubernetes, and cloud runtime security. It uses system
production. Suspicious activities such as unauthorized calls and Kubernetes and cloud activity visibility to alert
processes, unexpected listening ports, unusual outgoing on malicious activity and vulnerability exploits. Sysdig
connections, anomalous file access, strange sequence of Secure enables security teams to detect the full range of
commands, among others, could be signs of an attack. today’s cyber threats using Falco’s flexible rules engine
Today’s attacks are stealthy and complex with multiple that can check for any type of behavior or activity. As
components making it hard to protect against them. Sysdig Secure detection is in real time and event records
Zero-day exploits and internal threats place additional are kept for investigations, unexpected suspicious
challenges to prevention and container ephemeral nature activities across containers, hosts, and Kubernetes are
makes it hard to investigate breaches. So, it is necessary captured even for short-lived containers in serverless
to implement runtime security with deep visibility that platforms.
cannot be evaded to detect malicious actors and assess
the impact of the compromise, providing granular records
for forensic analysis to determine if compliance violations
had occurred.

TOP 10 USE CASES

9
for Securing Cloud and Containers with Sysdig Secure
With Sysdig, • Get a unified view of threats across • Anomalous and suspicious Kubernetes
you can: Kubernetes, hosts, containers, and cloud with API and cloud activities to know who did
an intuitive and interactive GUI. what.

• Zoom in to specific clouds and Kubernetes • Use out-of-the-box rules mapped to

scope. all major frameworks, standards, and
regulations, such as MITRE ATT&CK, NIST,
• Get events in a unified timeline to surface PCI, HIPAA, SOC 2, etc.
attacks’ sequence.
• Understand how detection rules are defined
• Get full disclosure of detection conditions and customize them using rich context from
and context to quickly understand what, cloud and Kubernetes.
who, and why
• Save time with machine learning-based
• Secure production environments with image profiling instead of creating policies
policies based on open source Falco, alerting from scratch.
on:
• Automate response actions (pause, kill,
• Suspicious activity inside of containers, notify).
hosts, and serverless (AWS Fargate),
such as anomalous process, file, network, • Implement file integrity management (FIM)
system calls, and user activities. policies.

TOP 10 USE CASES

10
for Securing Cloud and Containers with Sysdig Secure
08 Kubernetes Network Security

By default, all pods within a Kubernetes cluster NetworkPolicies native mechanism to implement micro
can communicate with each other without any segmentation would provide better performance,
restrictions. In the case of a container compromise, reliability, and security.
the whole cluster is at risk of a threat moving laterally.
Segmenting network access by giving permission Sysdig Secure provides visualization and profiling of all
to only what’s needed is recommended to limit the network communication between pods, services, and
blast radius of a breach. But trying to do network applications inside Kubernetes, from which network
segmentation manually or using IP address static policies can be defined and enforced via Kubernetes
controls is error prone, could cause disruptions, and be NetworkPolicy resource. Time to implement container
ineffective in dynamic environments. Using Kubernetes network security is reduced from weeks to hours.

With Sysdig • Enforce zero-trust network segmentation • Audit every connection attempt to and from
Secure, between Pods and services by blocking a specific process.
you can: suspicious connections and stopping
lateral movement by using Kubernetes • Drill down into Kubernetes network traffic
NetworkPolicy resource. flow between a service, namespace, or Pod
over a particular timeframe to easily verify
• Automatically profile Kubernetes network anomalous container network behavior and
traffic and create ingress and egress least- investigate security events.
privilege policies. And visually confirm
topology before applying in production. • Meet and validate compliance (NIST)
that requires network visibility and
• Visualize and modify all network segmentation.
communication between apps and services
using a graphical interface without having to
manually change YAML files.

TOP 10 USE CASES

11
for Securing Cloud and Containers with Sysdig Secure
09 Host Security

In the cloud, hosts are Linux-based computing instances they can hijack resources, see all container apps running on
spun up from VM images. So, securing hosts is then about it, install an implant, download malware, move laterally to
protecting these VM instances, checking for vulnerabilities, other hosts in the internal network, escalate privileges at
fixing weak and risky configurations, monitoring compliance the cloud level, among other tactics. Leaving hosts exposed
controls, protecting sensitive files, and detecting malicious can lead to breaches with large blast radius.
insiders and threats. Hosts are great assets to adversaries.
They provide a shared kernel to all containers running on Sysdig Secure provides host scanning capability that
them, a large resource pool, as well as network access identifies vulnerabilities, risky configurations, and
and trust relationships to other systems. In an attack compliance violations. It also enables security teams to
scenario, attackers can use an OS vulnerability to escape a detect and respond to anomalous activities and threats
compromised container, gain root privileges, and take full using deep visibility into all Kernel syscalls that leaves no
control of the host. Once attackers have control of the host, place for attackers to hide.

With Sysdig • Unify vulnerability management workflow for • Get deep visibility into system calls, process,
Secure, hosts and containers. file, network, and user activity inside host
you can: VMs.
• Maximize compliance coverage for PCI,
NIST, SOC2, etc., by meeting both host and • Detect malicious and anomalous activities
container requirements. using out-of-the-box Falco community
created rules for runtime security.
• Get a single view of risk with immediate
understanding of vulnerability impact and • Reduce remediation time using rich
mitigation effectiveness. ownership and cloud/k8s context.

TOP 10 USE CASES

12
for Securing Cloud and Containers with Sysdig Secure
10 Incident Response and Forensics

Incidents don’t happen in a vacuum, so granular data Sysdig Secure provides a source of truth for all activity
must be made available to reconstruct the attack before before, during, and after an incident in containers,
and after the incident. But clouds’ virtual environments, clusters, and cloud, including Pods, K8s APIs, hosts, and
complexity and ephemerality leave security teams without serverless functions. Sysdig’s granular data of system
the required visibility to perform investigations into calls unveils every command executed, processes
hosts and container workloads. Containers terminate spun, files accessed or downloaded, data exfiltrated,
long before container incident response and forensics anything that happened in containers and hosts
begin; host VM instances could even be gone too, so high related to security events. To address the need for
fidelity records must be collected for future analysis. EDR local incident response and mitigation action in cloud-
solutions cannot solve today’s cloud challenges because native environments, Sysdig Secure enables responders
they don’t provide visibility into containers nor the to directly remote connect to a suspicious host or
necessary context to guide the investigation. Cloud-native container from the event stream to investigate and
security is required. recover quickly.

TOP 10 USE CASES

13
for Securing Cloud and Containers with Sysdig Secure
With Sysdig • Determine what happened with insights from • Perform real-time and interactive audit of
Secure, the kernel system calls, a source of truth that user and system activities correlated with full
you can: attackers cannot evade. stack metrics (Kubernetes, container, host,
network, and files) to identify root cause
• Conduct Kubernetes incident response using faster.
a security event timeline and full scope
metadata (cloud, Kubernetes, and container) • Unveil the full extent of the compromise
to quickly zoom and understand malicious and compliance implications of a malicious
events. actor’s actions, including commands
executed, files accessed, data exfiltrated,
• Get one-click direct access to a container files downloaded from the Internet, shred
or host via Rapid Response remote shell to the bash history, etc.
investigate and troubleshoot locally, and
mitigate threats fast. • Conduct post-mortem analysis with
granular system call captures to recreate
• Investigate incidents with a detailed activity all system activity in a time window that
record to reconstruct the attack and quickly shows what happened before and after the
respond to questions of “when,” “what,” incident event, even after the container is
“who,” and “why.” long gone.

Copyright © 2022 Sysdig, Inc. All rights reserved. TOPTEN-001 Rev. A 3/22