Image Profiles

The image profiling tool in Sysdig Secure takes advantage of the agent's ability to observe the behavior of an image during runtime. It learns what is common behavior for the container and then suggests a customized policy of Falco rules to match the observed behaviors.

This feature enhances and automates Sysdig Secure's ability to detect anomalies at enterprise scale.

Compared with manual creation of rules and policies, image profiles have the following advantages:

  • Actionable accuracy: Profiling provides deep visibility into the application behavior

  • Automation: Profiling uses machine learning and automated rule creation, allowing busy administrators to secure images quickly and easily

  • Security enhancement: Explicitly stating what is allowed provides better security than stating what is forbidden


How Image Profiles Work

Once the feature is enabled, the agents start sending "fingerprints" of what happened on the containers -- network activity, files and directories accessed, processes run, and system calls used -- and Sysdig Secure aggregates this information per image. Thus, for multiple containers based on the same image and running on different nodes, the image profiler collects and combines the system activity into a single image profile.

Internal algorithms determine two aspects of behavior:

  • Length of time observed: Related to the image being in a learning/done learning state

  • Consistency of behavior: Related to the confidence level of the observed behavior and related policy rule suggestions

Profile Contents

A container image profile is a collection of data points related to:

  • Network activity

    • TCP ports (in/out)

    • UDP ports (in/out)

  • Processes detected

  • File system (informational only)

    • Files (read/write)

    • Directories (read/write)

  • System calls detected


Learning/Done Learning

If the containers run consistently, the learning phase lasts about 24 hours.

(Note that containers with intermittent activity, for example a container triggered for a job that lasts an hour and then re-triggered a week later, would have a much longer learning phase.)

When enough samples are collected for observation, the image status is designated as Done learning. At this point, you can create a policy based on the profile.


Confidence Levels

The confidence level is a statistical indicator calculated from behavioral consistency, both over time and across different containers, for a given image. Low, Medium, and High confidence levels are displayed in the UI as 1, 2, or 3 squares.

Policies should only be created from profiles with a High confidence level. In that case the container behaves very predictably across the cluster, so you can create a policy that whitelists the observed behavior and triggers notifications on any anomalous activity.
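As an added illustration of the allow-list pattern such a policy expresses, not a policy exported by Sysdig Secure, the following Falco rules assume an image named example/api whose observed process names and TCP ports are the ones listed; anything outside those sets raises a notification. The spawned_process, container, inbound, and outbound macros are assumed to come from Falco's default ruleset loaded alongside this file.

```yaml
# Illustrative allow-list policy in Falco rule syntax. The image name and the
# observed values below are assumed, not exported from a real profile.

- macro: profiled_image
  condition: container.image.repository = "example/api"

# Values assumed to have been observed during the learning phase.
- list: profiled_api_processes
  items: [node, npm, sh]

- list: profiled_api_inbound_ports
  items: [8080]

- list: profiled_api_outbound_ports
  items: [5432, 443]

- rule: Unprofiled process in example/api
  desc: A process started that was not observed while profiling the image
  condition: >
    spawned_process and container and profiled_image
    and not proc.name in (profiled_api_processes)
  output: >
    Unprofiled process (image=%container.image.repository proc=%proc.name
    cmdline=%proc.cmdline container=%container.id)
  priority: WARNING
  tags: [image_profile, process]

- rule: Unprofiled inbound port in example/api
  desc: The container accepted a connection on a port not seen during profiling
  condition: >
    inbound and container and profiled_image
    and not fd.sport in (profiled_api_inbound_ports)
  output: >
    Unprofiled inbound connection (image=%container.image.repository
    port=%fd.sport client=%fd.cip container=%container.id)
  priority: WARNING
  tags: [image_profile, network]

- rule: Unprofiled outbound port in example/api
  desc: The container opened a connection to a port not seen during profiling
  condition: >
    outbound and container and profiled_image
    and not fd.rport in (profiled_api_outbound_ports)
  output: >
    Unprofiled outbound connection (image=%container.image.repository
    connection=%fd.name container=%container.id)
  priority: WARNING
  tags: [image_profile, network]
```

Because every rule is scoped with profiled_image, a process or port that is normal for another image never matches, which is the per-image scoping the generated policies use.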

Using Image Profiles

To use the Image Profile tool, follow these basic steps:

  1. Contact Sysdig (SaaS) or the Sysdig administrator (On-Prem) to enable the feature.

  2. Allow the agents to collect information for at least 24 hours.

  3. Review the details of the collected profiles, selecting those that are Done Learning and have High Confidence.

  4. Use the checkboxes to include details and create per-image policies.

  5. Repeat regularly.

Review Profiles and Create Policies

  1. Log in to Sysdig Secure and select Policies > Image Profiles.

  2. Filter the list by Done Learning to see the actionable profiles. Focus on those with High Confidence levels (three squares).

  3. Select an image title to review and expand the elements in the Details panel. Select an individual element to see the specific data collected.

  4. Check the boxes for the items you want to include and click Create Policy from Profiles.

    The standard Runtime Policies page is displayed.

    By default, the:

    • Title is "Image Policy - <image name>"

    • Description is "Policy automatically generated by Sysdig Profiler"

    • Severity is Medium

    • Scope is limited to that image

    • Action is Notify only

  5. Edit any defaults as desired and click Save.

    The new policy appears in the Runtime list.


Additional Profile Options

From the Image Profiles page, there are two additional actions you can take: Restart or Delete Profile. Restart purges the profile for the image and resets it to the initial learning state. Delete completely removes the profile from the database.


Restart Profile

Click Restart Profile to begin the learning process again. Restart is useful when the previously created policy generates false positives due to changed behavior of the containers.

Delete Profile

If you click Delete Profile, then:

  • The profile is deleted from the list. If the agent continues to detect activity on this image, the profile will be created again.

  • If you have already created a policy based on this profile, you should remove it, as it is no longer useful.

  • This option is useful for removing the profiles of images that are no longer used.