Risks

Sysdig’s Risks module consolidates findings from all the Cloud Native Application Protection Platform (CNAPP) focal areas, including runtime events, vulnerabilities, posture, and identity, while adding attack path analysis and prioritization.

This feature is in Technical Preview status.

Overview

The information Sysdig gathers falls into various product areas, but these don’t exist in silos. The Risks page highlights Sysdig’s ability to correlate these findings and bring them together to help you understand and prioritize the greatest risks in your environment. You can leverage these insights to make well-informed and strategic security decisions within the ever-changing landscape of the cloud environment.

Supported Data Sources

The Risks module presents findings from the following connected data sources:

  • Kubernetes
  • AWS Cloud Accounts

Permissions

By default, Sysdig SaaS users with the following roles are granted READ access to the Risks page:

  • Standard User, Advanced User, Team Manager, Service Manager.

If you have custom user roles that should be given READ access, or if you want to define a group of users who should not have access to the page, you must enable/disable the Risks option for Custom Roles.

See also: Custom Roles.

Finding Category

Finding Categories refer to the different types of security issues that contribute to a risk. Current categories include:

  • Vulnerability: A vulnerability was detected in a package or image.
  • Detection: A high-confidence event was detected from a Sysdig Threat Intelligence or Threat Detection policy. These are managed by the Sysdig Threat Research team, contain only high-severity rules, and have a low level of false positives.
  • Insecure Configuration: A Posture control failed in a Compliance check.
  • Insecure Identity: Identity and Access (CIEM) findings and permissions irregularities were detected.

Risk Policies

Out of the box, Sysdig delivers a range of finding combinations called “policies”. These policies generate different Risks. Each policy is built of necessary findings that must be matched and optional findings that add to the Risk. Each unique combination of findings (necessary or optional) generates a different Risk.

Policy: Publicly Exposed Workload with Critical Vulnerability

    Description: This workload is publicly exposed and was found to be vulnerable to CVEs of Critical severity.

    Necessary Finding Types:

    • Publicly Exposed
    • Critical Vulnerability

    Affected Resource Type: Workload

    Optional Findings:

    • In Use
    • Has Exploit
    • High Confidence Event
    • Privilege Control Failure

Policy: Publicly Exposed EC2 with Critical Vulnerability

    Description: This EC2 is publicly exposed and was found to be vulnerable to CVEs of Critical severity.

    Necessary Finding Types:

    • Publicly Exposed
    • Critical Vulnerability

    Affected Resource Type: AWS EC2

    Optional Findings:

    • Has Exploit
    • High Confidence Event

Policy: Publicly Exposed S3

    Description: This S3 Bucket is publicly exposed.

    Necessary Finding Types:

    • Publicly Exposed

    Affected Resource Type: AWS S3

    Optional Findings:

    • High Confidence Event
    • S3 Accepts HTTP
    • S3 Versioning Disabled
    • Accessed by Suspicious IP

Policy: Publicly Exposed EC2 with Access to S3

    Description: This publicly exposed EC2 instance has access to S3 Bucket(s) through an attached IAM Role or S3 Bucket policy. This poses a Data Exfiltration risk.

    Necessary Finding Types:

    • Publicly Exposed
    • EC2 Has Access to S3 via IAM Role or attached bucket policy

    Affected Resource Type: AWS EC2

    Optional Findings:

    • Critical Vulnerability
    • High Confidence Event
    • Accessed by Suspicious IP

Policies assess data coming from CSPM, KSPM, Cloud Log Ingestion, CIEM, Vulnerability Management, and Agent-Based Threat Detection. Risk policies require some or all of these components to be deployed to be evaluated. For example:

  • Kubernetes clusters

    Sysdig Feature: KSPM (Compliance)

    Installation Info: KSPM

  • AWS cloud resources

    Sysdig Feature: CSPM (Cloud compliance)

    Installation Info: Agentless or Agent-based

  • AWS high-confidence event detection

    Sysdig Feature: CSPM + CDR (Cloud compliance + Cloud threat detection)

    Installation Info: Agent-based

  • Insecure identity findings

    Sysdig Feature: CSPM + CIEM (Cloud compliance + Identity and Access)

    Installation Info: Agent-based

  • Packages in runtime with vulnerabilities

    Sysdig Feature: Compliance + In Use

    Installation Info: In Use

Access Risks

  1. Log in to Sysdig Secure and click Risks.

  2. Open a detected Risk and analyze the Affected Resource.

  3. Select the affected resource to open the detail drawer and take further action.

Filter Risks

Use the filters at the top of the page to sort through the detected Risks.

Zone

The Risks page is filtered to reflect your Team Scopes, including zones. Filter by detected zones using the drop-down. For setup details, see Zones.

Finding Category

The different types of security issues that contribute to a risk. Current categories include:

  • Vulnerability (in package, image)
  • Detection (High-confidence event found)
  • Insecure Config (Posture Control Failed)
  • Insecure Identity (CIEM Findings + Permissions)
  • Publicly exposed

Resource Category

Resource Categories currently include:

  • Compute: This includes workloads and EC2 instances.
  • Storage: This includes S3 buckets.

Last Change

This tracks a specific risk on an affected resource over time.

Options include:

  • Risk Increased

    The affected resource moved up to a more severe Related Risk (more findings or the same number of findings, but the severity increased).

  • Risk Decreased

    The affected resource moved down to a less severe Related Risk (fewer findings or the same number of findings but the severity decreased).

  • Resource Moved

    The affected resource moved to another Related Risk (same number of findings, same severity).

  • New Resource

    This affected resource showed up in the Risk within the past week.

    NOTE: If the resource’s risk increases, decreases, or is moved at any point, the Last Change column reflects that change and no longer shows New on the affected resource row.

  • Blank

    There has been no change. This column is blank if this affected resource does not match any of the other options.

Severity

Sysdig has established three tiers to gauge the Severity of identified issues.

Tier 1: Severity Levels

In Tier 1, risks are categorized by severity level. A risk’s severity is the highest level reached by any of its findings:

  • Critical: assigned when findings include a high-confidence detection or a critical vulnerability in an In Use package.
  • High: assigned when a critical vulnerability has an exploit.
  • Medium: assigned when Compute has access to storage, critical unused permissions exist, or an insecure storage configuration accepts HTTP.
  • Low: assigned if none of the above conditions are met.

Tier 2: Prioritizing between Risks of the Same Severity

In Tier 2, risks tagged Live (meaning they have an affected resource with a high-confidence event that occurred within the past three hours) are prioritized higher. The number of findings also plays a crucial role in prioritization. More “+” symbols in the findings indicate a higher priority.

Tier 3: Prioritizing between Risks of Same Severity and Finding Count

In Tier 3, risks are prioritized by the number of affected resources. The higher the number of impacted resources, the higher the priority for mitigation efforts.
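As an added illustration (not Sysdig’s code, and not a description of its internals), the policy matching from Risk Policies and the three-tier ordering above, modelled in Python. The policy and finding labels come from the policy table on this page; the three Medium-severity labels are assumed short names for the page’s Medium conditions, and the resources are constructed sample data.

```python
# Risk policy and finding labels are taken from the page's policy table.
POLICY = {
    "resource_type": "Workload",
    "necessary": {"Publicly Exposed", "Critical Vulnerability"},
    "optional": {"In Use", "Has Exploit", "High Confidence Event",
                 "Privilege Control Failure"},
}

def match_policy(policy, resource_type, findings):
    """Matched findings (necessary + any optional present), or None on no match."""
    findings = set(findings)
    if resource_type != policy["resource_type"] or not policy["necessary"] <= findings:
        return None
    return frozenset(policy["necessary"] | (policy["optional"] & findings))

# Tier 1: a Risk's severity is the highest tier reached by its findings. The
# three Medium labels are assumed short names for the page's Medium conditions.
def severity(findings):
    if "High Confidence Event" in findings or {"Critical Vulnerability", "In Use"} <= findings:
        return "Critical"
    if {"Critical Vulnerability", "Has Exploit"} <= findings:
        return "High"
    if findings & {"Access to Storage", "Critical Unused Permissions", "S3 Accepts HTTP"}:
        return "Medium"
    return "Low"

RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
def build_risks(policy, resources):
    """One Risk per unique finding combination, ordered by Tier 1 severity, Tier 2
    (Live, then finding count) and Tier 3 (affected resource count)."""
    risks = {}  # finding combination -> [(resource name, live)]
    for name, rtype, findings, live in resources:  # live: high-confidence event < 3h
        combo = match_policy(policy, rtype, findings)
        if combo is not None:
            risks.setdefault(combo, []).append((name, live))
    ranked = []
    for combo, members in risks.items():
        key = (RANK[severity(combo)], any(l for _, l in members), len(combo), len(members))
        ranked.append((key, severity(combo), sorted(combo), [n for n, _ in members]))
    return [r[1:] for r in sorted(ranked, key=lambda r: r[0], reverse=True)]

# Constructed sample: db-1 lacks a necessary finding, bucket-1 has the wrong type.
SAMPLE = [
    ("web-1", "Workload", {"Publicly Exposed", "Critical Vulnerability", "Has Exploit"}, False),
    ("web-2", "Workload", {"Publicly Exposed", "Critical Vulnerability", "Has Exploit"}, False),
    ("api-1", "Workload", {"Publicly Exposed", "Critical Vulnerability", "In Use"}, False),
    ("db-1", "Workload", {"Critical Vulnerability", "In Use"}, True),
    ("bucket-1", "AWS S3", {"Publicly Exposed", "Critical Vulnerability"}, False),
]
```

Running build_risks(POLICY, SAMPLE) yields two Risks: the Critical one (api-1, In Use) ahead of the High one (web-1 and web-2, Has Exploit), while db-1 and bucket-1 match no policy.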

In Use

The In Use designation highlights vulnerable packages that are executed at runtime.

If your environment has not already enabled the In Use feature for Vulnerabilities, you must enable it in Profiling.

Has Exploit

Has Exploit designates any vulnerabilities detected that have a known method of exploitation to carry out malicious actions.

Live

A high-confidence event (an event detected from a Sysdig Threat Intelligence or Threat Detection policy) was detected within the last 3 hours.

New

A Risk is tagged as New if previously no affected resources matched this Risk and now at least one does. A Risk is considered “New” for 7 days.

Review the Affected Resource

Open a Risk to review the affected resource.

  1. Review the findings for critical issues.

  2. Hover over zone findings to:

    • Get a list of the affected zones for that resource.

    • Use arrow links to the zone pages.

    • Copy zone information, for example, to paste in the Inventory filter bar.

  3. Click an affected resource to open the detail drawer, including the Attack Path visualization and the Findings tab.

Review the Attack Path

  1. Select an affected resource to open its detail drawer.

    The Overview tab of the drawer includes the top-level Risk summary and date, then the Attack Path, Risk Details, and Resource Details sections.

  2. Enlarge the Attack Path pane (using the + or Full-Screen icons) to explore it fully.

  3. Click on each icon for details and relevant mitigation steps.

Example

For example, in the image above, you can see:

  • Public Exposure: The resource is exposed to the internet and details on the Load Balancer icon explain why.

  • Workload: The workload has a large number of findings, organized by Insecure Configurations, Vulnerabilities, and Events.

    • Select an Insecure Configuration icon to see the explanation, and click View More to manage the Control as you would in the Compliance module. You can accept risks, apply code to update the control, create a pull request, and other posture-related actions.

    • Select a Vulnerability icon to see the explanation, and click View More to review the full package and CVE details and to manage as you would in the Vulnerabilities module.

    • Select an Event icon to see the explanation and click View More to review the full details and manage as you would in the Runtime Events module.

Review the Findings

The Findings tab helps you understand all the resources involved in a specific Risk and the findings on them. Sysdig highlights the highest-impact findings and suggests fixes to reduce the most risk with the least effort.

  1. Select an affected resource to open its detail drawer and select the Findings tab.

  2. Review All Resources in the Risk Path.

  3. Review Findings by Resource Type.

    This provides a comprehensive list of all the findings associated with this Risk on all the resources in the Risk path, divided by Resource Types.

    Select any row here to open a drawer showing remediation details.

  4. Review Suggested Fixes to Reduce Risk.

    These are the most impactful fixes suggested by Sysdig.

Risks Terminology

  • Finding

    A resource + its condition/behavior, such as a resource and its misconfiguration or vulnerability/detection.

  • Finding Categories

    The different types of security issues that contribute to a risk. Current categories include:

    • Vulnerability (in package, image)
    • Detection (High-confidence event found)
    • Insecure Config (Posture Control Failed)
    • Insecure Identity (CIEM Findings + Permissions)
    • Publicly exposed

  • Finding Type

    An instance of a finding category. For example:

    • Finding Category = Insecure Config; Finding Types = Failed control “S3 bucket accepts HTTP”, failed control “EC2 is permissive”
    • Finding Category = Insecure Identity; Finding Types = Role with unused critical permissions, User without MFA

  • High-Confidence Event

    An event detected from a Sysdig Threat Intelligence or Threat Detection policy. These are managed by the Sysdig Threat Research team, contain only high-severity rules, and have a low level of false positives.

  • Live

    A high-confidence event was detected within the last 3 hours.

  • Risk Policy

    A policy is composed of the required finding types and optional finding types found on a specific resource type. A “risk policy” is the basic rule from which Risks and their affected resources are created.

    NOTE: These are delivered from Sysdig and are not accessed or edited by users, unlike other types of Sysdig Policies.

  • Severity

    Significance of a risk, expressed in terms of the combination of consequences to the business and the likelihood of those consequences.

  • Zones

    A business group of resources, defined by a collection of scopes of various resource types (for example: “Dev” - all my development resources).