Sysdig adds detailed audit logs for runtime detection and response for AWS Fargate

Sysdig announced runtime detection and response to secure AWS Fargate, a serverless compute engine for containers from Amazon Web Services (AWS), an expansion of Sysdig’s cloud security capabilities.

AWS Fargate has continued to increase in popularity since launching, with more than 40 percent of new AWS container services customers in 2019 choosing AWS Fargate. With the announcement today, Sysdig launched the first runtime security detection and response solution for AWS Fargate that provides detailed audit logs to respond to incidents.

Sysdig also introduced the first file integrity monitoring (FIM) capability for AWS Fargate, a control that the PCI DSS requires.

With Sysdig, organizations get a unified view across AWS Fargate cloud and compatible container services like Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS), including the ability to see misconfigurations, vulnerabilities, and runtime threats.

AWS Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Sysdig’s runtime detection for AWS Fargate is based on open source Falco, the runtime security tool created by Sysdig and contributed to the Cloud Native Computing Foundation (CNCF).

The deep visibility is possible through Falco’s access to the system calls exported by the Linux kernel. Sysdig worked with AWS to bring that syscall-level visibility to AWS Fargate containers.

“Once organizations feel confident that they have visibility for effective threat detection and response, adoption of serverless container services like AWS Fargate will take off.

“However, without threat detection and access to detailed audit trails for investigations, companies have no way of knowing what exactly is going on and who is accessing their data,” said Jacob Williams, Founder and President, Rendition InfoSec, and SANS Institute Instructor.

“Our team found it rewarding to tackle the technical challenge of not only bringing runtime detection and response to AWS Fargate, but also providing full granularity at high performance.

“Detection and response are relatively easy if you accept that they will either add a lot of overhead or be inaccurate. Our approach marries full granularity and high performance, which is very unique and hard,” said Loris Degioanni, Chief Technology Officer and Founder of Sysdig.

Flying blind in AWS Fargate serverless environments

The Gartner 2020 CIO’s Guide to Serverless Computing predicts that “more than 50% of global enterprises will have deployed serverless function platform as a service (fPaaS) by 2025, up from less than 20% today.”

However, security is the biggest barrier to adopting cloud services. Serverless environments introduce an abstraction layer that hides the underlying infrastructure from the end user.

Without access to the host, visibility into workload activity can be limited in serverless environments. In order to reduce risk, organizations need visibility, alerts to know if there is a breach, and a record of exactly what happened so that they can take action.

New AWS Fargate security capabilities

  • Runtime detection for AWS Fargate on Amazon ECS based on Falco: Sysdig provides deep runtime visibility for AWS Fargate using syscall data. Security teams can use this data to detect threats, including suspicious file activity to address FIM requirements for customers that need to meet compliance frameworks, such as PCI. Sysdig also supports applications built using any language, including Go.
  • Audit trails, rapid response, and capture files for AWS Fargate workloads: Sysdig adds the first detailed audit and response capabilities for AWS Fargate. Incident response for AWS Fargate is dependent upon having detailed audit trails and forensics data. Sysdig captures and records all AWS Fargate activity — including commands, network connections, and file activity — and correlates the information with rich context from the cloud and Kubernetes. DevOps and security teams can interact with and filter through the capture files to understand what happened and take action. This can also serve as a proof of compliance for audit requirements.
  • Unified view across AWS Fargate security posture, vulnerabilities, and threats: Within minutes of an AWS Fargate task being created, Sysdig provides instant visibility to see the entire attack chain. For AWS Fargate workloads, Sysdig identifies potential image vulnerabilities, suspicious file activity, misconfigurations, and suspicious configuration changes, such as deleting CloudTrail logs or changing access rights to sensitive data. Classifying incidents based on severity levels allows teams to prioritize what to investigate and respond to first. Teams can also investigate all suspicious activity performed by a specific user to see the breadth of impact.
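The FIM-style detection described above works by watching write-opens at the syscall layer and matching the target path against a list of sensitive files. The following Falco rule is an added illustration of that technique; it is not code from this page or from Sysdig, and the path list, the macro names and the rule name are assumptions chosen for the example. It is written to load as a stand-alone custom rules file, so it defines its own macros rather than relying on the ones shipped in Falco’s default rule set.

```yaml
# Constructed example: a stand-alone Falco rules file that flags writes to
# sensitive files inside a container (the kind of FIM signal the text refers to).
# Load with:  falco -r fargate_fim_rules.yaml
# The list contents and rule/macro names are assumptions for this example.

- list: fim_sensitive_paths
  items:
    - /etc/passwd
    - /etc/shadow
    - /etc/sudoers
    - /etc/ssh/sshd_config

# A write-open of a regular file (fd.typechar 'f'), ignoring failed opens (fd.num < 0).
- macro: fim_open_write
  condition: >
    (evt.type in (open, openat, openat2) and
     evt.is_open_write = true and
     fd.typechar = 'f' and
     fd.num >= 0)

# True only for events that originate inside a container, not on the host.
- macro: fim_in_container
  condition: (container.id != host)

- rule: Sensitive File Modified In Container
  desc: >
    A process running inside a container opened one of the listed sensitive
    files for writing. Each hit carries the user, the full command line and
    the image, which is the context an investigator needs to decide whether
    the write was an expected deployment step or tampering.
  condition: >
    fim_open_write and
    fim_in_container and
    fd.name in (fim_sensitive_paths)
  output: >
    Sensitive file opened for writing in container
    (user=%user.name command=%proc.cmdline parent=%proc.pname
     file=%fd.name container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, fim, container]
```

In practice a rule like this is tuned with an exception list of known-good writers (package managers during image build, a configuration-management agent) so that the alert volume stays low enough to act on; the rule as written will fire on any write-open of the listed paths, including legitimate ones.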

Sysdig is a SaaS platform that is simple to run in the customer’s cloud environment. It can be deployed within minutes.

A single orchestrator agent manages policy, connections, and events for all of the AWS Fargate tasks it covers, so teams interact with that one entity instead of keeping track of each AWS Fargate workload individually.

How Sysdig collaborates with AWS

“As we continue to evolve AWS Fargate, giving customers different approaches to security has been important to us. Open source Falco has strong momentum and with its syscall approach, it’s designed to provide comprehensive AWS Fargate threat detection.

“We have worked with Sysdig on this integration with the ultimate goal of giving AWS Fargate users deeper visibility to manage risk,” said Fernando Zandona, General Manager, Serverless Containers, AWS.

With early access to AWS Fargate 1.19 last year, the Sysdig team worked on a series of Falco optimizations. The announcement builds on Sysdig’s existing image scanning and posture management capabilities for AWS Fargate.

The Sysdig Secure DevOps Platform

The Sysdig Secure DevOps Platform provides security and visibility to confidently run containers, Kubernetes, and cloud.

Customers rely on the Sysdig SaaS platform to secure the software build pipeline, detect and respond to runtime threats, monitor service health, and continuously validate cloud security posture and compliance.

Sysdig was founded as an open source company and the Sysdig Secure DevOps Platform was built on an open source foundation to address the security challenges of modern cloud applications. Open source sysdig and Falco are projects that were created by Sysdig to leverage deep visibility as a foundation for security.
