
Sysdig CNAPP runtime threat detection wins over BigCommerce

Sysdig's fast, comprehensive data collection, now part of a larger CNAPP product, sealed the deal with the e-commerce company. Next, it might replace vulnerability management tools.

A former container observability vendor that became a cloud-native application security provider turned heads at one large customer with its prowess in runtime threat detection and response.

Sysdig, which began a pivot into cloud security posture management (CSPM) in 2021, has since embraced the cloud-native application protection platform (CNAPP) category first defined by Gartner the same year. CNAPP combines application security tools that cater to developers with runtime security tools that protect applications and their associated infrastructure, melding the trends of shift left and shield right under DevSecOps.

What set Sysdig apart from other CSPM and CNAPP vendors in product evaluations last year by BigCommerce, an e-commerce company based in Austin, Texas, harks back to the vendor's roots in container performance monitoring: It performed the fastest data collection without aggregating -- and therefore abridging -- raw logs and events the way its competitors did.


"We wanted near real-time alerting," said Jordan Bodily, senior infrastructure security engineer at BigCommerce, which tested five tools including Sysdig before choosing Sysdig in October 2022. "A lot of vendors out there love to aggregate the data, and for us specifically, we'd rather have all the raw events, all the raw logs, than potentially missing [something]."

In BigCommerce's tests, Sysdig fetched this high-fidelity data related to file integrity monitoring -- a key control for compliance with the Payment Card Industry Data Security Standard (PCI DSS) -- in less than 10 minutes, while the nearest competitor took 15 minutes to deliver aggregated results. Bodily did not specify how much data was involved in the tests or which other vendors BigCommerce evaluated.

While Sysdig can perform threat detection on raw data streams, it can also help filter and prioritize those results for longer-term storage in a separate security information and event management system (SIEM), Bodily said.
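To make the two ideas in the preceding paragraphs concrete, here is an added example (not Sysdig's, Falco's or BigCommerce's code) of a baseline-hash file integrity check that records every raw change and then applies a separate filter deciding which events are worth forwarding to a SIEM. The watched path prefixes, the sample file tree and the three changes made to it are constructed for illustration.

```python
"""Baseline-hash file integrity monitoring with a SIEM forwarding filter.

Added example, not Sysdig's or BigCommerce's code. Keep every raw change
event; forward only the prioritized subset for long-term SIEM retention.
Prefixes, sample tree and changes below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Hypothetical watch tiers: changes under these prefixes go to the SIEM.
# Everything else is still captured as a raw event in local retention.
HIGH_PRIORITY_PREFIXES = ("etc/", "app/payment/")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each regular file (relative POSIX path) to its SHA-256 digest."""
    baseline: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baselines(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return raw change events as (action, relpath): added / removed / modified."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("added", rel))
        elif rel not in new:
            events.append(("removed", rel))
        elif old[rel] != new[rel]:
            events.append(("modified", rel))
    return events


def siem_filter(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Keep only events under high-priority prefixes for forwarding to the SIEM."""
    return [e for e in events if e[1].startswith(HIGH_PRIORITY_PREFIXES)]


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed scenario: take a baseline, apply three changes, diff and filter."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in {
            "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
            "app/payment/config.yaml": b"gateway: primary\n",
            "var/log/app.log": b"started\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        baseline = build_baseline(root)

        # Three raw changes: a new uid-0 account, a routine log append, a new script.
        (root / "etc/passwd").write_bytes(
            b"root:x:0:0::/root:/bin/sh\nbackup:x:0:0::/:/bin/sh\n"
        )
        (root / "var/log/app.log").write_bytes(b"started\nrequest ok\n")
        (root / "app/payment/hook.sh").write_bytes(b"#!/bin/sh\necho hook\n")
        current = build_baseline(root)

    raw_events = diff_baselines(baseline, current)
    return raw_events, siem_filter(raw_events)


if __name__ == "__main__":
    raw, forwarded = demo()
    print("raw events:", raw)
    print("forwarded to SIEM:", forwarded)
```

The point of the split is the one Bodily makes: the raw diff keeps the log append that a prefix-based policy would drop, so the filter can be changed later without re-collecting anything, whereas a collector that only ever emitted aggregated, pre-filtered results could not be revisited.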

"We'd rather take anything and everything and filter off of that than have predefined policies or rules," Bodily said.

In fact, such policies in the CSPM tool BigCommerce previously used were what sent Bodily's team searching for a replacement last year. Bodily declined to name that vendor, but said updates to its software would routinely break the preset policies BigCommerce used and reawaken policies the IT organization had snoozed or dismissed, leading to alert fatigue.


As Sysdig continues to broaden its CNAPP product, it also plans to draw on its existing vulnerability scanning feature to add automated vulnerability fixes, which could displace at least one other incumbent vendor in BigCommerce's environment, Bodily said.

"This may sound like a trivial concept, showing the [differences] between one scan and another, but ironically a lot of [products] out there simply don't do it," he said. Sysdig's vulnerability scanning already does, which Bodily hopes can lead to automated vulnerability management for his team in the future.

"We want to start automating that process to where the only real human interaction that's needed is at the end, where we are officially triaging new CVEs to find out what our impact or our risk is, and then ultimately determining if we need to create a [service desk] ticket," he said.
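The scan-to-scan diff Bodily describes, and the triage that follows it, can be expressed as a short pipeline. The following is an added example and not Sysdig's scanner output format or BigCommerce's workflow: the finding structure, the triage policy and the CVE identifiers (placeholders of the form CVE-0000-000N, not real vulnerabilities) are all constructed for illustration.

```python
"""Diff two vulnerability scans and route only the new findings to triage.

Added example; not Sysdig's scanner or BigCommerce's pipeline. The finding
schema, the triage policy and the placeholder CVE ids are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

Key = Tuple[str, str, str]  # (image, package, cve)


@dataclass(frozen=True)
class Finding:
    image: str
    package: str
    version: str
    cve: str
    severity: str
    fix_version: str = ""  # empty when the scanner reports no fix available

    def key(self) -> Key:
        return (self.image, self.package, self.cve)


def index(findings: Iterable[Finding]) -> Dict[Key, Finding]:
    return {f.key(): f for f in findings}


def diff_scans(previous: Iterable[Finding], current: Iterable[Finding]):
    """Return (new, resolved, still_open), each sorted by (image, package, cve)."""
    old, new = index(previous), index(current)
    new_findings = [new[k] for k in sorted(set(new) - set(old))]
    resolved = [old[k] for k in sorted(set(old) - set(new))]
    still_open = [new[k] for k in sorted(set(old) & set(new))]
    return new_findings, resolved, still_open


def auto_triage(new_findings: List[Finding], min_severity: str = "high"):
    """Split new findings into auto-ticket, needs-human and log-only buckets.

    Policy (an assumption for this example): a new finding with a known fix
    version is ticketed automatically with the upgrade; anything at or above
    min_severity without a fix goes to a human to assess impact; the rest is
    only logged. This is the 'human interaction only at the end' shape.
    """
    threshold = SEVERITY_RANK[min_severity]
    auto, human, logged = [], [], []
    for f in new_findings:
        if f.fix_version:
            auto.append(f)
        elif SEVERITY_RANK[f.severity] >= threshold:
            human.append(f)
        else:
            logged.append(f)
    return auto, human, logged


# Constructed sample scans of one image on two consecutive days.
PREVIOUS = [
    Finding("shop/api", "openssl", "3.0.1", "CVE-0000-0001", "high", "3.0.2"),
    Finding("shop/api", "zlib", "1.2.11", "CVE-0000-0002", "medium", "1.2.12"),
]
CURRENT = [
    Finding("shop/api", "zlib", "1.2.11", "CVE-0000-0002", "medium", "1.2.12"),
    Finding("shop/api", "libxml2", "2.9.10", "CVE-0000-0003", "critical", ""),
    Finding("shop/api", "curl", "7.80.0", "CVE-0000-0004", "high", "7.81.0"),
    Finding("shop/api", "bash", "5.1", "CVE-0000-0005", "low", ""),
]


def demo() -> Dict[str, List[str]]:
    """Run the diff and triage over the constructed scans; return CVE ids per bucket."""
    new, resolved, still_open = diff_scans(PREVIOUS, CURRENT)
    auto, human, logged = auto_triage(new)
    ids = lambda fs: [f.cve for f in fs]
    return {
        "new": ids(new), "resolved": ids(resolved), "still_open": ids(still_open),
        "auto_ticket": ids(auto), "needs_human": ids(human), "log_only": ids(logged),
    }


if __name__ == "__main__":
    for bucket, cves in demo().items():
        print(f"{bucket}: {cves}")
```

Keying on (image, package, CVE) rather than on CVE alone is what makes a fixed package show up as resolved while the same CVE in a different package stays open; the day-to-day diff is then small enough that only the needs-human bucket ever reaches an engineer.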

Sysdig banks on runtime strength in CNAPP push

Sysdig calls the data collection feature that swayed BigCommerce "runtime insights." It's based on the open source Falco project, which a Sysdig blog described as "a security camera for modern cloud infrastructure." Plugins recently added to Falco help Sysdig collect data from a broader array of sources than the Kubernetes and container infrastructures where it started.

Now, Sysdig is staking its claim in CNAPP based on that runtime threat detection and response. Sysdig folded its runtime detection and response in with its CSPM features such as host and cloud services monitoring within the Sysdig Secure product this week. Into that mix, it added threat detection and response for third-party SaaS apps including GitHub and Okta. This week's release also included an update to runtime insights called Live, which maps running infrastructure and workloads -- and the relationships between them -- to track threats as they surface.

CNAPP, as Gartner defines it, also calls for application security tools that support the beginning of the software development lifecycle. Here, Sysdig has partnered with companies such as Anchore and Snyk to round out features such as static and dynamic application security testing.

[Figure: Gartner CNAPP Simplified View diagram. The CNAPP category defined by Gartner combines tools for application developers and runtime infrastructure security.]

Ultimately, comprehensive data collection isn't likely to be a selling point for most enterprises as it was for BigCommerce, said Edward Amoroso, founder and CEO of Tag InfoSphere in New York City, the parent company for Tag Cyber, a cybersecurity research and advisory firm. Nor is the speed of its runtime threat detection, he said.

Where Sysdig can stand out in a teeming CNAPP market -- Gartner listed more than 25 representative vendors in its 2023 market guide -- and the even bigger DevSecOps world beyond will be an appeal to more pragmatic concerns, according to Amoroso. In that vein, Sysdig can tout its open source roots in Falco, the fact that it can offer both runtime and static vulnerability detection in an age of tool consolidation, and the ways it helps enterprises sift through the flood of vulnerability data and alerts, he said.

"I'm not big on analyst categories. I think that that just tortures everyone," he said of the CNAPP label. "No CISO starts with categories -- they start with tasks that need to be done."

Regardless of terminology -- SIEM, SOAR, XDR, MDR and CNAPP are just a few -- enterprises and the vendors that sell to them are trying to address the security challenges presented by modern software development and distributed cloud infrastructures, said Melinda Marks, an analyst at TechTarget's Enterprise Strategy Group.

"The vendors that can monitor applications including all of their components [and] how they are interacting with resources have the advantage of providing visibility along with context ... to understand exposure [to threats] and possible attack paths," she said. "The faster organizations can detect and respond to attacks, the better they can protect their applications and minimize the impact of incidents."

Sysdig is a relative newcomer to the security market, but that could work in its favor, since many enterprises prefer to replace legacy security tools as newer vendors broaden their offerings, rather than wait for traditional vendors to develop or acquire new features, Marks said.

"Sysdig has the advantage of wide adoption of Falco ... and they have years of experience working with the cloud-native and Kubernetes communities," she said. "These are areas where traditional security vendors struggle to incorporate security ... leaving blind spots that make it difficult to detect and respond to issues."

Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
