Defender to Defender: Voice of the Customer Webinar with Sysdig

Michelle Mattear

As more companies move their operations from on-prem to the cloud, they are turning to Sysdig, which provides tools to secure containers, Kubernetes, and cloud services. The Sysdig Threat Research Team, which now numbers close to 20 threat research engineers, includes computer security and machine learning experts from around the world. Informed by continuously evolving threat intelligence from hundreds of indicators of compromise (IoCs) pulled from a variety of sources, the team writes, tunes, and pushes rules out to customers via Sysdig’s platform for cloud detection and response. Where rules have blind spots, the Threat Research Team uses machine learning and anomaly detection to plug the gaps and take action against new malicious behavior. The team also creates threat reports, articles, and blogs to share its threat intelligence with the broader security community. 

In this webinar, Michael Clark, Director of Threat Research at Sysdig, describes the needs his team had as they continued to scale their threat research capabilities, why they selected the ThreatQ Platform, their key use cases for ThreatQ, and their plans to extend their use of ThreatQ in the future. Michael also shares some compelling findings from the 2022 Sysdig Cloud-Native Threat Report. Below are three key takeaways from the session. For all the details, watch this 30-minute webinar on demand. 

  • Why the switch from a database to a platform to manage threat intelligence
    Storing indicator data in a normal database is workable on a small scale, when using one or two intelligence sources. But in order to expand operations, Sysdig needed a solution that would help them aggregate, manage, and store multiple, different sources of intelligence, including OSINT, feeds from premium vendors like Proofpoint, and threat intelligence developed by Sysdig, for example via their network of honeypots.  

Sysdig was also looking for a more efficient and effective way to provide more context with each rule, so analysts don’t waste time trying to figure out why an indicator is bad. Instead of the Sysdig team having to gather information from different sites and tools, they wanted one place to go for the context they need to enrich a rule and enable faster analysis and deeper understanding.  

  • Key considerations in the “Build vs Buy” decision
    Mike explained that since Sysdig is a security technology vendor, the discussion of build vs buy naturally came up in their search for a solution. Although Mike is a programmer at heart and others on his team are programmers too, not all of them are software engineers, and Mike didn’t want to make that a requirement for the team. 

Additionally, Mike pointed out that going down that path isn’t just about building something that works. Once you build a solution you also have to maintain it. Mike knew maintenance would be complex and time consuming, particularly when he looked at Sysdig’s list of criteria for a solution which included: support for different feeds, expiration of indicators, prioritization of indicators so customers receive only what matters to them, API-based to integrate with data collection infrastructure, ease of exporting from the platform to the open-source Falco project for rule generation, and flexibility to adapt to cloud architecture and different kinds of data. The ThreatQ Platform was built with these requirements in mind, so it already checked all the boxes.

  • Top use cases that drive value for Sysdig and its customers
    Sysdig took a use-case driven approach to the evaluation process, which aligned with how they would measure value.
      • Exports: Mike showed how the ThreatQ exporting language makes it easy to generate Falco lists and automate rule creation without having to use Python or any other outside languages.
      • Containers: The ability to store container data in the ThreatQ Platform, along with context to understand why an indicator is malicious, allows them to create their own enriched feed that is continuously and automatically updated. Visualizations through custom dashboards also improve reporting.
      • Honeynet: When a Sysdig honeypot is compromised, the team creates a new incident and uses ThreatQ as the repository of that knowledge, which enables them to quickly determine whether they have seen an indicator before. If the indicator is new, Mike showed how they record the data and share it as a rule with customers, taking care to first eliminate any noise via whitelisting. Storage of this data is also useful for threat intelligence research and for internal and public reporting.
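To make the Exports and Honeynet workflows concrete, the following is an added example (it is not ThreatQ's exporting language and not Sysdig code): a small Python pipeline that takes indicators aggregated from several sources, drops expired entries, removes anything covered by an allowlist (the "whitelisting" step above), deduplicates, applies a minimum confidence score, and emits a Falco list together with a rule that references it. The indicator model, the 30-day TTL, the score threshold and the allowlist are assumptions made for the example; the sample indicators are constructed from RFC 5737 documentation ranges and are not real IoCs.

```python
"""Indicators -> Falco list + rule (added example, not ThreatQ's or Sysdig's code).

Mirrors the workflow described in the post: aggregate indicators from several
sources, expire stale ones, suppress allowlisted noise, and export a Falco
list that a rule can reference.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import json


@dataclass(frozen=True)
class Indicator:
    value: str          # the raw indicator (only IP addresses are handled here)
    source: str         # where it came from: honeypot, osint, vendor ...
    first_seen: datetime
    score: int          # assumption: 0-100 confidence, higher is more certain


INDICATOR_TTL = timedelta(days=30)   # assumption: indicators expire after 30 days
MIN_SCORE = 50                       # assumption: below this they are not shipped

# Constructed sample data (RFC 5737 documentation ranges; not real IoCs).
NOW = datetime(2022, 11, 1, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("203.0.113.10", "honeypot", NOW - timedelta(days=2), 90),   # kept
    Indicator("198.51.100.200", "vendor", NOW - timedelta(days=10), 75),  # kept
    Indicator("198.51.100.7", "osint", NOW - timedelta(days=45), 70),     # expired
    Indicator("192.0.2.25", "vendor", NOW - timedelta(days=5), 40),       # low score
    Indicator("203.0.113.10", "osint", NOW - timedelta(days=1), 60),      # duplicate
    Indicator("10.0.0.5", "honeypot", NOW - timedelta(days=1), 95),       # allowlisted
    Indicator("not-an-ip", "osint", NOW, 99),                             # malformed
]
# Assumed allowlist: our own RFC 1918 space, which a honeypot may see as "noise".
ALLOWLIST = {ipaddress.ip_network("10.0.0.0/8")}


def select_indicators(indicators, now, allowlist, ttl=INDICATOR_TTL, min_score=MIN_SCORE):
    """Return the sorted list of IP strings that should be exported."""
    best = {}
    for ind in indicators:
        try:
            ip = ipaddress.ip_address(ind.value)
        except ValueError:
            continue                       # not an IP: skip silently
        if now - ind.first_seen > ttl:
            continue                       # expired
        if any(ip in net for net in allowlist):
            continue                       # allowlisted noise
        prev = best.get(ip)
        if prev is None or ind.score > prev.score:
            best[ip] = ind                 # dedupe, keep the most confident copy
    return [str(ip) for ip in sorted(best) if best[ip].score >= min_score]


def render_falco(list_name, ips, rule_name="Outbound Connection to Threat Intel IP"):
    """Render a Falco list and a rule that matches outbound connections to it."""
    items = json.dumps(ips)  # a JSON array is a valid YAML flow sequence
    return (
        f"- list: {list_name}\n"
        f"  items: {items}\n"
        f"\n"
        f"- rule: {rule_name}\n"
        f"  desc: Outbound network connection to an IP on the threat-intel list\n"
        f"  condition: evt.type=connect and evt.dir=< and fd.sip in ({list_name})\n"
        f"  output: >\n"
        f"    Outbound connection to threat-intel IP\n"
        f"    (command=%proc.cmdline connection=%fd.name container=%container.name)\n"
        f"  priority: WARNING\n"
        f"  tags: [network, threat_intel]\n"
    )


if __name__ == "__main__":
    print(render_falco("ti_malicious_ips", select_indicators(SAMPLE, NOW, ALLOWLIST)))
```

Re-running the export on a schedule, rather than once, is what gives the "continuously and automatically updated" feed described in the Containers use case: indicators age out through the TTL check and new honeypot hits appear in the next run without hand-editing any rule.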

For more information on how Sysdig is using ThreatQ to provide better detection and response for customers, while saving time and improving their research and reporting, watch the webinar.



About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.