Supercharge your investigation with Sysdig Sage™ for CDR

Synthetic intelligence has taken over nearly each side of our on a regular basis lives. In cybersecurity, generative AI fashions with pure language processing are generally getting used to foretell, detect, and reply to threats. However AI safety assistants, though an improve from conventional machine studying, solely present very primary queries and summarization, which is inadequate to totally comprehend fashionable cloud assaults. As a part of an ongoing effort to enhance the cloud detection and response (CDR) expertise, Sysdig has introduced Sysdig Sage™, which makes it simpler than ever to uncover energetic breach situations in actual time. 

Sysdig Sage for CDR combines AI with safety evaluation as a part of our ongoing mission to guard our prospects within the cloud. Sysdig Sage observes your cloud knowledge and generates responses that allow you to cease attackers. This revolutionary new AI assistant may also execute quite a lot of use instances, together with contextual evaluation of cloud and workload knowledge, summarized occasion overview, and prompt remediations to comprise an adversary.  

Listed below are only a few of the important thing new capabilities Sysdig Sage gives to counterpoint your CDR workflows:

  • Statistics on safety occasions: Streamline evaluation and proactively tackle breach situations by figuring out vital occasions that want fast consideration.
  • Rationalization of safety occasions: Bridge ability gaps inside safety operations with detailed explanations of runtime occasions.
  • Instructed subsequent steps: Cut back response timelines and enhance compliance with behavioral particulars of related occasions at a broader degree.
  • Contextual consciousness: Contextualize the information a person observes to reply questions extra exactly and transfer them throughout the platform to raised visualize threats.

Let’s check out how Sysdig Sage might help you with a couple of key use instances.

Use case 1: Elevate ability gaps throughout operations

With Sysdig Sage, cybersecurity turns into simpler for everybody. It refines your investigation journey as your workforce trawls by means of volumes of mundane duties and occasions each day. It additionally helps foster collaborative workflows and motivates the workforce to remain vigilant for threats.

To show this, let’s slim our scope and seek for Excessive severity logs from a selected cluster. Use the Search bar to sort the under question.

kubernetes.cluster.identify=risks-aws-eks-workloads-shieldCode language: Perl (perl)

Sysdig Safe applies this question throughout volumes of cloud knowledge and filters the occasions related to the chosen timeline and cluster identify. At a look, we’ve got over 300 unique occasions. Even for mature safety operations, this quantity of occasions may very well be overwhelming. Someplace, by some means, it’s doubtless {that a} vital blindspot will probably be missed. These missed particulars will negatively impression response methods and should depart a gap for an adversary to stroll proper in by means of the entrance door.

Determine: Occasions from the cluster

Sysdig Sage alleviates some main operational ache factors by enabling customers to ask questions in a pure language format, swiftly derive a fast abstract of the state of affairs, and deploy prescriptive response methods to throw a wrench within the adversary’s plans.

For instance, let’s launch Sysdig Sage and ask it to summarize our filtered outcomes.

Summarize occasions for this clusterCode language: Entry log (accesslog)
Sysdig Sage for CDR
Determine: Summarized occasions from Sysdig Sage

Sysdig Sage for CDR categorized the occasions beneath two distinct headers, specifically Drift Detection and Malicious Binary Detected. With none earlier context of what the problem is, we now perceive that the menace actor has managed to launch a malicious binary on a number of Kubernetes workloads, and we all know that the Drift Detection coverage (curated and maintained by our Sysdig Risk Analysis Group) prevented the listed workloads from being compromised. 

This info is sufficient to alert our safety groups to allow them to deploy their established response methods and mitigate the danger of a breach state of affairs. 

With Sysdig Sage, each person turns into a safety investigator. 

Use case 2: Leverage AI to energy your investigation

Sysdig Sage for CDR can reply to a number of queries in a row by correlating context from earlier responses. This helps your groups uncover extra particulars related to an assault.

Throughout a breach, you’ve little or no time to do the mandatory due diligence. We have to gather sufficient context at pace so the accountable groups can bounce in and stop the adversary from inflicting additional injury. 

For instance, let’s use Sysdig Sage for CDR to carry out an in depth evaluation of all of the occasions and generate an investigation report.

Generate detailed investigation reportCode language: Perl (perl)
Sysdig Sage for CDR
Determine: Evaluation and Investigation Report

From this report, we discover there’s an energetic miner (easyminer) operating inside the risk-10-aws-bedrock-java namespace. A fast on-line search reveals that the detected binary is a respectable open supply mining software program. Nevertheless, the presence of it inside the environment is suspicious. 

The report signifies that the adversary, after compromising the workload, downloaded and launched a cryptominer to serve its targets.

Let’s ask Sysdig Sage to assist us perceive the basis explanation for the detected occasion.

what was the basis trigger for the malicious binary detected on risk-10-aws-bedrock-java?Code language: Entry log (accesslog)
image9 23
Determine: Root trigger for occasions beneath specified namespace

Sysdig Sage for CDR understood our question in pure language and recognized that the basis trigger answerable for triggering the detection occasion was a shell script malicious-bin-e ./malicious-bin-event-gen.sh 

Inside seconds, we’ve got sufficient helpful context concerning the detected malicious binary. Sysdig Sage for CDR has helped us reply the “what” and “why” of the occasion and saved worthwhile investigation time. Nevertheless, our investigation is way from full. 

Our subsequent objective must be to know the adversary strategies used to breach the sides and entry our workloads. Let’s ask Sysdig Sage to enlist the techniques and methods utilized by the menace actor in response to the MITRE ATT&CK framework.

what MITRE ATT&CK techniques & methods have been used?Code language: Perl (perl)
image10 19
Determine: MITRE ATT&CK techniques and methods associated to the occasions

The outcomes present that the menace actor used MITRE ATT&CK techniques to execute the malicious binary, keep persistence, and evade defenses inside the cluster. 

At this stage, in case you are interested by what’s occurring beneath the hood, you possibly can at all times use the accessibility choices (high proper) to pop into the Occasions Feed. Right here,  you’ll discover filters are robotically utilized, and there’s a timeline of each malicious binary occasion detected inside our outlined cluster risk-10-aws-bedrock-java.

image1 102
Determine: Filters are robotically utilized as you question in Sysdig Sage

Now, to realize additional context on every MITRE ATT&CK tactic, let’s ask Sysdig Sage to checklist the assault path.

checklist the assault pathCode language: Perl (perl)
image7 34
Determine: Assault path aligned to MITRE framework

Inside seconds, Sysdig Sage for CDR expands the method tree to align every detected occasion beneath a selected MITRE ATT&CK class. This helps uncover all of the doable entry factors and the safety gaps that have been probably exploited by the menace actor. 

However now the true query is, how extreme is that this occasion? Let’s ask Sysdig Sage to supply us with a blast radius, itemizing all of the workloads that will have been impacted by the menace actor.

what number of workloads have been impacted?Code language: Perl (perl)
image4 57
Determine: Impacted workloads listed by Sysdig Sage

The outcomes point out that numerous workloads have been presumably impacted by the menace actor. After this, you need to actually be searching for the panic button and calling within the cavalry, aka your SecOps and DevSecOps groups.

Use case 3: Obtain the 555 Benchmark for Cloud Detection and Response 

We demonstrated within the earlier use instances how you may use Sysdig Sage for CDR as your safety assistant and collect the preliminary info essential for any safety investigation. Nevertheless, in case you are the one one holding the fort to your group, it’s good to apply non permanent fixes earlier than alerting the specialists. 

Let’s ask Sysdig Sage for prompt steps that will aid you to preempt any antagonistic occasions, like person credential compromise, SSH key exfiltration, course of masquerading, and lots of extra.

how do I repair this?Code language: Entry log (accesslog)
image8 23
Determine: Instructed remediations by Sysdig Sage

Sysdig Sage for CDR recommends a couple of greatest practices to mitigate potential dangers and stop additional compromise of your surroundings. Right here, isolating the affected useful resource looks as if a great way to cease the adversary of their tracks. 

However in case we didn’t know what to do in such a state of affairs, let’s ask Sysdig Sage to supply us with detailed steering.

give me detailed steering on isolating affected assetsCode language: Perl (perl)
image5 43
Determine: Guided response actions

Keep forward of threats with Sysdig Sage

Sysdig Sage for CDR is the helpful safety assistant that first, helps you keep calm throughout an incident, and second, guides you alongside every step to uncover all the mandatory particulars required for an intensive investigation. It makes a safety incident really feel like a easy DIY undertaking.

Sysdig Sage empowers safety groups to capitalize on the real-time nature of the Sysdig platform and the cutting-edge discoveries of the Sysdig Risk Analysis workforce. With Sysdig Sage at your facet, you possibly can speed up your response to threats with out leaving the platform.

Be a part of our upcoming seminar: AI-Powered CDR in Motion for a technical demonstration of how one can leverage Sysdig Sage to detect, examine, and reply to assaults in minutes.

Recent articles