Risk Spotlight Integrations (Controlled Availability)

Sysdig is developing a simplified way to integrate third-party tools with Runtime Insights, the technology behind Sysdig’s Risk Spotlight feature.

About Risk Spotlight

Risk Spotlight is based on Runtime Insights, a new technology developed by Sysdig that combines the observed runtime behavior of a particular container image with the vulnerabilities detected in its software packages. This combination is used to determine which packages are actually loaded during execution and thus represent a more direct security threat to your infrastructure.

Prioritizing the vulnerabilities which represent an actual risk to the organization is one of the most critical aspects of a successful vulnerability management program. Images often contain hundreds of vulnerabilities. Multiplying this by the number of workloads running for any non-trivial infrastructure deployment, it is easy to see that the total number of potential vulnerabilities to fix is actually very large.

There are many prioritization criteria that are commonly used and accepted to start filtering the list (such as Severity and CVSS scoring, Exploitability metrics, Runtime scope and other environment considerations). Risk Spotlight is a new criterion, completely supported by observed runtime behavior, to add to the vulnerability management tool belt that can considerably reduce the working set of vulnerabilities that need to be addressed as a priority.

Terminology

  • EVE: Effective Vulnerability Exposure, now called Runtime Insights. The installation settings may still refer to the eveConnector and eveEnablement.
  • Runtime Insights: The technology powering Risk Spotlight.
  • Risk Spotlight: Runtime Insights applied to vulnerability prioritization and the In-Use feature.

Enable Risk Spotlight

Prerequisites

Risk Spotlight requires the new Vulnerability Management engine to be enabled in Sysdig Secure SaaS.

Supported Package Formats/Package Managers

  • Debian (except Distroless) (deb)
  • Alpine (apk)
  • RHEL (rpm)
  • Ubuntu (deb)
  • Amazon Linux
  • Java (Maven)
  • Python (PyPi)
  • NPM (JS)
  • Golang (built with Go 1.13+)

Package Types Currently NOT Supported

  • Composer (PHP)
  • Cargo (Rust)
  • Ruby Gems
  • NuGet

Currently supported Kubernetes container runtimes:

  • Docker daemon
  • ContainerD

Integrate with External Platforms

There are two integration models: in-cluster (for Snyk) and API-based (all others). The installation instructions for each are different.

Enable Profiling

Enable Profiling using the steps on the Profiling page.

Generate a Token for the Integration

  1. Select Integrations > 3rd Party|Risk Spotlight Integration. The Spotlight Integration page appears with a list of existing tokens and their expiry dates.

  2. Click +Add Token.

  3. Fill in the attributes and click Create Token.

    • Name: Choose a name that indicates the integration with which the token is associated.
    • Expiration: Select an expiration date (1/3/6 months; 1 year).

  4. Copy the new token as it is displayed in the list.

    Store the token in a safe place; it will not be visible or recoverable again.

To renew a token at any time, click the Renew button, reset the expiry, and confirm.

To delete a token, click the X beside the token name and confirm. This action will sever the integration between Sysdig and the 3rd-party tool.

Follow the Platform-Specific Integration Steps

Current integrations include:

Docker Scout

  • Check the prerequisites.
  • Follow the third-party integration guide provided, adding the Sysdig token as prompted.
  • Verify the integration in the third-party UI.

Technology Details

The Sysdig Agent components deployed on every instrumented node (host) continuously observe the behavior of runtime workloads. The information collected includes:

  • Image runtime behavior profile: accessed files, processes in execution, system calls, etc. See Profiling for details.
  • The Bill of Materials associated with container images used by runtime containers, including used packages and versions and the vulnerabilities matched by those.

By correlating these two pieces of information, Sysdig can differentiate between packages that are merely installed in the image and the ones that are actually loaded at execution time. This in-use status is then attached to the vulnerability information for those packages.
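The correlation described above can be illustrated with a small script. This is an added example, not Sysdig's code and not a description of how Runtime Insights is implemented internally: it assumes a simplified SBOM in which each package lists the files it installs, and a simplified runtime profile consisting of the files accessed and processes executed. All package names, file paths, and CVE identifiers below are constructed sample data (the CVE strings are placeholders, not real advisories).

```python
"""Illustrative correlation of a runtime profile with an image SBOM.

Added example only: Sysdig's Runtime Insights internals are not public.
Every input below is constructed sample data, not output of a real scan.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    version: str
    files: set[str]                      # files this package installs in the image
    cves: list[str] = field(default_factory=list)


# Constructed Bill of Materials for a hypothetical image.
SBOM = [
    Package("openssl", "1.1.1k",
            {"/usr/lib/libssl.so.1.1", "/usr/lib/libcrypto.so.1.1", "/usr/bin/openssl"},
            ["CVE-EXAMPLE-0001"]),
    Package("curl", "7.74.0",
            {"/usr/bin/curl", "/usr/lib/libcurl.so.4"},
            ["CVE-EXAMPLE-0002"]),
    Package("imagemagick", "6.9.11",
            {"/usr/bin/convert", "/usr/lib/libMagickCore.so.6"},
            ["CVE-EXAMPLE-0003", "CVE-EXAMPLE-0004"]),
    Package("zlib", "1.2.11",
            {"/usr/lib/libz.so.1"},
            []),
]

# Constructed runtime profile: what the workload was observed touching.
RUNTIME_PROFILE = {
    "accessed_files": {
        "/usr/lib/libssl.so.1.1",
        "/usr/lib/libcrypto.so.1.1",
        "/usr/lib/libz.so.1",
        "/etc/ssl/certs/ca-certificates.crt",   # not owned by any SBOM package
    },
    "executed_processes": {"/usr/bin/curl", "/app/server"},
}


def in_use_packages(sbom: list[Package], profile: dict) -> set[str]:
    """Names of packages that own at least one file the workload accessed or ran."""
    observed = profile["accessed_files"] | profile["executed_processes"]
    return {pkg.name for pkg in sbom if pkg.files & observed}


def prioritize(sbom: list[Package], profile: dict):
    """Split the image's vulnerabilities into in-use and installed-only lists.

    Each entry is (cve, package, version). In-use findings are the ones a
    vulnerability program would address first; installed-only findings are
    still real, just lower priority under this criterion.
    """
    used = in_use_packages(sbom, profile)
    in_use, installed_only = [], []
    for pkg in sbom:
        target = in_use if pkg.name in used else installed_only
        target.extend((cve, pkg.name, pkg.version) for cve in pkg.cves)
    return in_use, installed_only


if __name__ == "__main__":
    hot, cold = prioritize(SBOM, RUNTIME_PROFILE)
    print("In-use packages:", sorted(in_use_packages(SBOM, RUNTIME_PROFILE)))
    print("Prioritize first:", hot)
    print("Installed but not loaded:", cold)
```

Note that the example treats a package as in use if any of its files was touched; a file such as the CA bundle that no SBOM package owns is simply ignored, and a package with no matched vulnerabilities (zlib here) is reported as in use without contributing findings.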

Topics in This Section

Integrate Sysdig Risk Spotlight with Snyk

The Snyk.io vulnerability management workflow can consume Runtime Insights information to filter and prioritize detected vulnerabilities, following an approach similar to the other Risk Spotlight Integrations.

Integrate Sysdig Risk Spotlight with Docker Scout

Integrating Sysdig Secure into Docker Scout helps Docker Scout users prioritize vulnerabilities by indicating which images are active in runtime, and which packages are in use.