IBM and Sysdig team up to extend security governance with IBM Cloud Pak for Multicloud Management

Gus Parvin, published in IBM Cloud
7 min read · Jan 31, 2020

Co-author: Álvaro José Iradier

Sysdig, an industry leader for monitoring and securing cloud-native workloads, and IBM have joined forces to bring a fully integrated, powerful platform that delivers the security and performance that enterprises need in today’s multi-cloud world.

Sysdig Secure and the IBM Cloud Pak for Multicloud Management can help you accelerate Kubernetes and cloud adoption by addressing security and regulatory compliance from the start on enterprise hybrid cloud environments. As more organizations transition to multi-cloud, standardizing the management (security and monitoring of workloads) wherever they may run helps to smooth operations.

What’s the benefit of being together?

IBM Cloud Pak for Multicloud Management centralizes the visibility of governance and automation for containerized workloads across clusters and clouds onto a dashboard. One of the key capabilities of IBM Cloud Pak for Multicloud Management is the centralization of security findings. This centralized view helps cloud teams’ administrators understand, prioritize, manage and resolve security issues that are related to their cloud applications and workloads. The integration of Sysdig Secure with IBM Multicloud Management extends the depth of security intelligence available to IBM Cloud Pak for Multicloud Management users with the following tasks:

  • Managing container image vulnerability and configuration validation.
  • Creating runtime security with prevention, threat detection and mitigation.
  • Responding to incidents and enabling forensics.
  • Ensuring compliance is met and audits are complete.

Sysdig Secure strengthens IBM Cloud Pak for Multicloud Management compliance capabilities to help meet regulatory requirements like NIST, PCI, GDPR or HIPAA. When users deploy Sysdig Secure with IBM Cloud Pak for Multicloud Management, they can extend container security to prevent vulnerabilities, stop threats, accelerate incident response and enable forensics.

Sysdig Secure: Cloud native security

Sysdig Secure, which is part of the Sysdig Secure DevOps Platform, is a Kubernetes security and compliance solution for securing cloud-native workloads. It embeds security intelligence into the build, run and respond stages of the container lifecycle.

Let’s review the Sysdig Secure features:

  • Hybrid cloud capabilities beyond Kubernetes. Sysdig Secure supports public and private OpenShift and other providers, including managed Kubernetes services from different cloud providers.
  • Detect, prevent and report vulnerabilities with image scanning.
  • Detect runtime security events with Falco engine rules, machine learning based profiling, and extensive out-of-the-box detection patterns.
  • Remediation actions for threat blocking by pausing or killing containers, forwarding events to SIEM, or executing your own security playbook.
  • Security enforcement through Kubernetes native controls like Pod Security Policies (PSPs).
  • Incident response and container forensics with Activity Audit and Sysdig captures.
  • Compliance and regulatory audits with CIS benchmarking, PCI and NIST controls, MITRE ATT&CK framework, etc.

IBM Cloud Pak for Multicloud Management: Hybrid cloud Kubernetes governance

IBM Cloud Pak for Multicloud Management enables you to oversee multiple Kubernetes and OpenShift clusters regardless of where they run. It provides a single dashboard for viewing and managing your clusters across both public and private clouds, and it can be deployed on IBM Cloud, IBM Cloud Private or OpenShift as a Cloud Pak.

With IBM Multicloud Manager, you have control of your Kubernetes clusters from a single point. It provides user visibility, application-centric management (policy, deployments, health, operations), and policy-based compliance, including several out-of-the-box policy templates for various security controls, such as CIS, across cloud providers and clusters. This helps you ensure that your clusters are secure, operating efficiently and delivering the service levels that applications expect.

The IBM Multicloud Manager architecture consists of the following components: a hub cluster and a set of managed clusters. A hub cluster is used for management. A klusterlet agent runs in every managed cluster to communicate with the hub to provide feedback and apply required commands on the managed clusters. View the diagram of the IBM Cloud Pak for Multicloud Management architecture:

Diagram of IBM Cloud Pak for Multicloud Management architecture.

IBM Cloud Pak for Multicloud Management allows you to trigger actions targeting any of the managed clusters. For instance, you can create resources from a YAML definition, like an Open Policy Agent (OPA) configmap or a PSP. OPA can be integrated with IBM Multicloud Manager. For more information, see the related blog. You can also quickly deploy applications to multiple clusters at once by selecting Helm charts from the IBM Cloud Pak for Multicloud Management Catalog, the API, or the CLI tool.

Extending detection with Sysdig Secure findings and threat blocking

Centralized access to security events is critical for CISOs and SREs to understand and address incidents occurring across cloud deployments in real time. The Governance and risk dashboard in IBM Cloud Pak for Multicloud Management provides a centralized view of policies, violations, and security findings to accelerate visibility into security threats. IBM Cloud Pak for Multicloud Management has out-of-the-box rules to simplify policy definition and displays any non-compliance status in the Policies section.

In the Security findings section, you get an aggregated and searchable view of occurrences that come from all managed clusters, as well as non-compliance items from the policy controllers running in the clusters. These findings are summarized by severity, categories or standards, and can be optionally grouped by cluster. View the diagram of the Security findings page:

Diagram of the Security findings page.

The Security findings section of the dashboard receives data from the Security Findings API (similar to the Grafeas API). This API enables IBM Cloud Pak for Multicloud Management to incorporate additional finding sources, like those provided by Sysdig Secure. Security findings can generate audit logs that can be forwarded to SIEMs, such as IBM QRadar and Splunk, for visibility and to drive remediation by the security operations center (SOC).

Runtime threat detection in action

After you enable IBM Cloud Pak for Multicloud Management integration in Sysdig Secure, you will start receiving policy events in the Security findings user interface (UI). Policy events are generated by the policies and rules enabled on your Sysdig account. These items are not just available in the UI, but they are also stored in the findings database, which can be further integrated with SIEM tools used by enterprise SOC teams. You can also integrate governance, risk and compliance tools used by enterprise risk and compliance teams.

The combination of Sysdig-generated security events with other findings within IBM Cloud Pak for Multicloud Management provides a more holistic view of your security posture. You can see some event examples in the following screenshot:

Diagram of security details for a specific container.

The previous screenshot shows a table with sortable columns and multiple rows. Each row contains the most important event fields at a glance, like description, associated resource, severity, cluster name, standards, controls and categories, along with the event itself.

When you click on any of these items, a detailed view opens. In this case it is a “terminal shell being spawned in a container” runtime event forwarded from Sysdig Secure. Notice that the security event occurred in the demo-kube-awscluster cluster, and additional context information shows metadata like the Kubernetes namespace and container name. The long description field contains even more information, like the username, process name and image.
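As an added illustration (not code from this post, from Sysdig or from IBM), the following Python normalizes constructed Sysdig-style runtime policy events into Grafeas-style finding occurrences that carry the fields listed above (description, resource, severity, cluster, namespace, container, user, process and image) and summarizes them by severity and by cluster the way the Security findings page groups them. The event shape, the occurrence shape and the 0-7 severity mapping are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample events in an assumed Sysdig-Secure-like shape, not a live API response.
SAMPLE_EVENTS = [
    {"cluster": "demo-kube-awscluster", "namespace": "payments", "container": "api",
     "severity": 4, "policy": "Terminal shell in container",
     "output": "A shell was spawned in a container with an attached terminal "
               "(user=root shell=bash parent=runc image=registry.example/payments-api:1.4)"},
    {"cluster": "demo-kube-awscluster", "namespace": "kube-system", "container": "dns",
     "severity": 1, "policy": "Read sensitive file untrusted",
     "output": "Sensitive file opened for reading by non-trusted program "
               "(user=nobody command=cat image=registry.example/dns:1.6)"},
    {"cluster": "onprem-openshift", "namespace": "web", "container": "frontend",
     "severity": 6, "policy": "Terminal shell in container",
     "output": "A shell was spawned in a container with an attached terminal "
               "(user=app shell=sh parent=docker-runc image=registry.example/web:2.0)"},
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def severity_label(level):
    """Assumed mapping of a Falco/Sysdig numeric priority (0 = most severe) to a findings label."""
    return "high" if level <= 3 else ("medium" if level <= 5 else "low")

def parse_context(output):
    """Pull the key=value context (user, shell/command, image, ...) out of the trailing parenthesis."""
    tail = output[output.rfind("(") + 1:].rstrip(")")
    return dict(KV_RE.findall(tail))

def to_occurrence(event):
    """Normalize one runtime policy event into a Grafeas-style finding occurrence (assumed shape)."""
    ctx = parse_context(event["output"])
    return {
        "kind": "FINDING", "short_description": event["policy"],
        "note_name": "sysdig-secure/" + event["policy"].lower().replace(" ", "-"),
        "resource_uri": f"cluster/{event['cluster']}/ns/{event['namespace']}/container/{event['container']}",
        "severity": severity_label(event["severity"]),
        "long_description": event["output"],
        "context": {"cluster": event["cluster"], "namespace": event["namespace"],
                    "container": event["container"], "user": ctx.get("user"),
                    "process": ctx.get("shell") or ctx.get("command"), "image": ctx.get("image")},
    }

def summarize(occurrences):
    """Counts by severity overall and per cluster, as the Security findings page groups them."""
    by_severity = Counter(o["severity"] for o in occurrences)
    by_cluster = defaultdict(Counter)
    for o in occurrences:
        by_cluster[o["context"]["cluster"]][o["severity"]] += 1
    return dict(by_severity), {c: dict(v) for c, v in by_cluster.items()}
```

Feeding `SAMPLE_EVENTS` through `to_occurrence` and `summarize` yields one high, one medium and one low finding, with both the shell event and the sensitive-file event attributed to demo-kube-awscluster.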

For further incident response and forensics investigation, log in to the Sysdig Secure UI and explore the details of the event. For example, your Sysdig UI might resemble the following diagram:

Diagram of Sysdig Secure UI.

Now you can dig deeper by checking the Activity Audit and performing a post-mortem analysis, which correlates all the activities from the same context in a timeline to find the Kubernetes user that launched the shell. You can also view the activity that happened inside that terminal session:

Screenshot of Activity Audit page in the Sysdig UI.

If the Runtime Policy that you created triggers a capture file, you can also analyze the detailed capture information directly from the UI. This lets you inspect metrics, commands that were run, system calls, sockets and files, and even examine I/O streams to check the data that was transmitted, read or written during the incident:

Screenshot of a capture file.

Conclusions

The integration of the Sysdig Secure DevOps Platform with the IBM Cloud Pak for Multicloud Management provides enhanced security intelligence that extends threat prevention, detection and response with IBM Cloud Pak for Multicloud Management. The addition of in-depth cloud insights with Sysdig means CISOs, SREs and DevOps professionals are able to ensure comprehensive security governance to reduce business risk.

Sysdig and IBM are continuously working on improvements, so expect new features and posts in the near future.

To request a demo please contact the following:

Cheryl Parker, IBM/Sysdig Offering Manager, parkerlc@us.ibm.com

Brett Egloff, Sysdig Global Alliances IBM, brett.egloff@sysdig.com
