Sysdig announced automated inline image scanning
for AWS Fargate containers, directly in Amazon Elastic Container
Registry (ECR). Sysdig is the first container and Kubernetes security
platform to offer inline scanning for Fargate, which doesn't require
customers to share images or registry credentials outside of their
Amazon Web Services (AWS) environment. Sysdig also announced the
addition of threat detection using AWS CloudTrail with Falco,
the runtime security tool created by Sysdig, and now a CNCF project.
The announcement today focuses on closing the visibility and security
gap for organizations running on AWS, including in serverless
environments like Fargate. The Sysdig Secure DevOps Platform is
based on open source technologies. By marrying rich data with context,
Sysdig provides deep visibility to organizations looking to embed
security, validate compliance, and maximize availability across their
entire infrastructure. The Fargate and CloudTrail integrations are
available to current and new Sysdig customers today.
The challenge of securing AWS workloads
The ultimate goal of moving to the cloud is to innovate faster. Fargate is a
managed container environment from AWS that helps run serverless
containers at scale. Today, AWS customers launch tens of millions of containers on Fargate each week.
It enables organizations to run applications in Amazon Elastic
Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)
without having to spend time managing the underlying infrastructure;
however, security and visibility are a challenge.
A best practice in AWS container and Kubernetes-based environments is to
scan images directly within registries and CI/CD pipelines. Image
scanning manages risk by detecting vulnerabilities and misconfigurations
during both development and production. Most third-party security
solutions are unable to scan inside the AWS environment and require
sharing image and registry credentials outside of AWS, increasing the
risk.
Another challenge in cloud-based, containerized environments is that data
collected across infrastructure and managed services is often viewed in
different tools. Providing correlation and a consistent view and
reporting experience improves efficiency. This provides insights that
ultimately enhance security and performance. Cloud and operations teams
need to be able to implement a secure DevOps approach that allows them
to efficiently gain insights and take actions to reduce risk and ensure
compliance, performance, and availability.
Closing the visibility and security gap
- The first Fargate inline scanning increases visibility and reduces risk
By extending the Amazon ECR integration to listen for Fargate tasks,
Sysdig triggers automated scans directly within Amazon ECR. With this
unique inline scanning approach, registry credentials and image contents
are not shared outside of the AWS environment. This lets DevOps
teams stay in control of their images: the images are never sent to a
backend or exposed to a staging repository; only the scanning
results are sent to the Sysdig backend.
- Automated and faster CloudTrail threat detection with Falco
CloudTrail provides event history of AWS account activity, including actions taken
through the AWS Management Console, AWS SDKs, command line tools, and
other AWS services. This data can be helpful in understanding unusual
activity in AWS Cloud environments, including security events.
Inspection of CloudTrail logs, however, has been a manual process up to
this point, forcing cloud teams to monitor the AWS console to identify
issues.
With this announcement, Sysdig introduces integration
with AWS CloudTrail by extending the Falco engine to ingest CloudTrail
logs. Users can now detect threats across containers, hosts, Kubernetes,
and AWS services using a single-policy interface. As an open source
project, Falco brings a community-driven mindset and a flexible and
unique approach to setting policies for securing AWS environments.
With more than 50 out-of-the-box Falco rules being added over the next
month, it is easy for organizations to implement best practices with
policies that automatically detect unusual access rights with changes to
IAM policies, publicly exposed accounts and services, unauthorized
access, and other anomalies. Providing a commercial interface for Falco
is unique to Sysdig, which provides enterprise-grade threat detection
support based on open source standards and community-driven Falco rules.
Being able to manage threat detection rules as policy as code is also a
benefit to Sysdig customers.
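To make the detection idea in this section concrete, here is an added example (not Sysdig's or Falco's own code; real Falco rules are written in YAML and evaluated by the Falco engine) that runs three small rules of the kind described above over a handful of constructed CloudTrail records: an IAM policy change, an S3 bucket ACL granting public access, and an API call rejected as unauthorized. The record set, rule names and priorities are all constructed for illustration; the field names (`eventSource`, `eventName`, `errorCode`, `userIdentity`, `requestParameters`) follow the CloudTrail record format.

```python
import json

# Constructed CloudTrail records for the example (not data from any real account).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-05-20T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2020-05-20T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-data-bucket",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                                "Permission": "READ"}]}}}},
    {"eventTime": "2020-05-20T10:03:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2020-05-20T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "requestParameters": {"bucketName": "example-data-bucket", "key": "build.tgz"}},
]})

# IAM write operations that change who is allowed to do what (illustrative subset).
IAM_POLICY_CHANGES = {
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "CreatePolicy", "CreatePolicyVersion", "UpdateAssumeRolePolicy",
}

# S3 ACL grantee URIs that mean "everyone" or "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_iam_policy_change(ev):
    """Rule 1: any IAM call from the policy-changing set."""
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in IAM_POLICY_CHANGES)


def is_public_bucket_acl(ev):
    """Rule 2: a PutBucketAcl whose grant list includes a public grantee."""
    if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "PutBucketAcl":
        return False
    acl = ev.get("requestParameters", {}).get("AccessControlPolicy", {})
    grants = acl.get("AccessControlList", {}).get("Grant", [])
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def is_unauthorized_call(ev):
    """Rule 3: the API call was rejected by IAM (AccessDenied / UnauthorizedOperation)."""
    code = ev.get("errorCode", "")
    return code.endswith("AccessDenied") or code.endswith("UnauthorizedOperation")


# (rule name, priority, predicate); priorities are constructed for the example.
RULES = [
    ("IAM policy changed", "WARNING", is_iam_policy_change),
    ("S3 bucket made public", "CRITICAL", is_public_bucket_acl),
    ("Unauthorized API call", "NOTICE", is_unauthorized_call),
]


def load_records(text):
    """Parse a CloudTrail log file body (a JSON object with a 'Records' list)."""
    return json.loads(text)["Records"]


def evaluate(records):
    """Run every rule over every record; return one alert dict per match."""
    alerts = []
    for ev in records:
        for name, priority, match in RULES:
            if match(ev):
                alerts.append({"rule": name, "priority": priority,
                               "time": ev.get("eventTime"), "event": ev.get("eventName"),
                               "user": ev.get("userIdentity", {}).get("userName", "?"),
                               "source_ip": ev.get("sourceIPAddress")})
    return alerts


if __name__ == "__main__":
    for a in evaluate(load_records(SAMPLE_CLOUDTRAIL)):
        print(f"{a['priority']:8} {a['time']} {a['rule']}: "
              f"{a['event']} by {a['user']} from {a['source_ip']}")
```

Run against the constructed records, the benign `GetObject` produces nothing and the other three each trigger exactly one rule. The value of a rules engine such as Falco over a script like this is that the predicates are declared as policy as code, shared across containers, hosts, Kubernetes and cloud events, and evaluated continuously as the logs arrive rather than on a file after the fact.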
- Fargate and Lambda monitoring
In addition to providing security for AWS Fargate, Sysdig now adds
monitoring for core AWS services such as Fargate and AWS Lambda,
alongside the ECS and EKS monitoring it already offers. With native support
for Prometheus from Sysdig, DevOps teams can monitor AWS cloud services
and serverless entities, along with their Kubernetes environments.
Having access to correlated data on performance, health, and
availability issues saves time and arms teams to make
better-informed decisions.
Sysdig can then show information about
workloads running in Fargate and functions running in Lambda alongside
container, Kubernetes, and services metrics. Curated Prometheus
exporters, dashboard templates, and documentation for Fargate and
Lambda can be found on PromCat.io, an open source repository of Prometheus integrations maintained by Sysdig as a community resource.
"When using the public cloud, there is a shared security responsibility
model, where the customer is responsible for securing its data. Our goal
is to close the visibility and security gap as cloud teams move
critical applications to production," said Suresh Vasudevan, chief
executive officer at Sysdig. "Adding inline Fargate scanning and
automated CloudTrail support is the latest step in our vision of
providing a single platform to support a secure DevOps workflow, as they
accelerate application delivery."
A SaaS-first approach to secure DevOps
The Sysdig Secure DevOps Platform provides organizations a SaaS-first
platform to address the most critical security, compliance, and
monitoring functions, allowing teams to ship cloud applications faster.
The Sysdig platform delivers image scanning, Kubernetes and container
monitoring, application and cloud service monitoring, runtime security,
compliance, threat detection and prevention, incident response, and
forensics at scale.
With ContainerVision, Sysdig collects and correlates granular data from
infrastructure, services, and applications. Sysdig then contextualizes
that with Kubernetes and AWS service data, using Sysdig ServiceVision,
to provide a consistent, single view of the entire infrastructure.
Without a macro view of the environment, it is difficult to anticipate
issues with microservices that have cross-platform dependencies. With
the information, ImageVision then identifies and prevents images with
vulnerabilities or misconfigurations from being shipped. In the event of
an issue, having system-wide visibility can facilitate quicker
resolutions.
Sysdig continues to collaborate with AWS on providing the deepest visibility
and security within AWS environments. Earlier this month, Sysdig
announced that it was a launch partner for AWS Outposts,
a fully managed service that extends AWS infrastructure, AWS services,
APIs, and tools to virtually any datacenter, co-location space, or
on-premises facility for a consistent hybrid experience. With early access to Fargate 1.19, the Sysdig team worked on a series of Falco optimizations that were released in April.