
Top 10 use cases for the Sysdig cloud-native visibility and security platform.

USE CASES

Software is at the heart of innovation for today’s enterprises, transforming every business into a software business. Fueled by modern cloud, container, and orchestration technologies, like AWS, Docker, and Kubernetes, organizations, including the world’s largest global companies, are making a shift from monolithic applications to highly distributed, cloud-native microservices.

The key challenge enterprises face as they shift to highly distributed, orchestrated environments is a loss of the visibility needed to understand and solve issues in this new dynamic environment.

As you adopt modern infrastructure, Sysdig helps you do it faster, with less risk and at a lower cost. The Sysdig Cloud-Native Visibility and Security Platform closes the cloud-native visibility gap, giving you a consistent way to manage the risk, health, and performance of your systems, applications and microservices within and across clouds.

With Sysdig, the world’s largest enterprises solve a broad array of use cases for cloud-native environments to deliver 3x faster cloud-native transformation, a 67% increase in DevOps efficiency, and a 95% reduction in risk.

Below we highlight the top 10 essential use cases for the Sysdig Cloud-Native Visibility and Security Platform that enable DevOps, security professionals, and service owners to reliably build, run and respond to critical issues with Kubernetes and containers in production.

Sysdig | REPORT 2
1. Vulnerability management

Enterprises who are most successful with the transition to cloud-native bring application security closer to the developer to ensure identification, remediation, and mitigation of vulnerabilities from deployment to production. Through native integrations with common tooling in the software delivery chain, Sysdig enables developer teams to implement robust vulnerability management to avoid and resolve security issues before builds are completed or containers are ever deployed.

With the Sysdig Cloud-Native Visibility and Security Platform, your entire organization can be aware of the risk and compliance status of images in the build pipeline, stored in container registries, and even those currently running in production. These unique insights can be viewed together with application and infrastructure metrics to give developers a holistic view of the performance, health, and vulnerability status of each containerized service.

Sysdig’s DevSecOps-oriented visibility helps application teams deliver secure and reliable services faster:

• Policies help you enforce controls for your build pipeline, registries and production environment to block threats across your microservices.
• Image scanning enables you to inspect your container images as a part of your build process. This lets you generate a detailed report of vulnerable packages, software libraries, files, and image attributes, fail builds, trigger warnings, and enforce compliance.
• Run-time alerting gives you immediate notification if unscanned images are deployed into production, if a new vulnerability is discovered in a package in production, or if the scan status of one of your running images changes.
• Vulnerability feeds keep you continuously updated with vulnerability and package data from OS vendors, package repositories, and the National Vulnerability Database.
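The build-gate and run-time alert behaviour the bullets above describe, as an added example that is not Sysdig's scanner or policy engine: the scan report, policy, image name and vulnerability identifiers are constructed placeholders, and the severity thresholds and the Dockerfile USER check are assumptions chosen to show a fail, a warning and a pass.

```python
"""Gate a build on an image scan report, the way the scanning bullets describe.

Added example, not Sysdig's scanner or policy engine. The scan report, policy,
image name and vulnerability identifiers are all constructed placeholders; the
logic shows how findings, a forbidden package and Dockerfile instructions turn
into a fail, a warning or a pass, plus the run-time alerts for unscanned images.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    severity: str        # Critical, High, Medium or Low
    vuln_id: str         # placeholder id, not a real CVE
    fix_available: bool


# Constructed scan result for one image.
SCAN_REPORT = {
    "image": "registry.example.internal/shop/billing:1.4.2",
    "packages": {"libssl": "1.0.2", "curl": "7.61.0", "zlib": "1.2.8", "netcat": "1.10"},
    "findings": [
        Finding("libssl", "1.0.2", "Critical", "VULN-PLACEHOLDER-1", True),
        Finding("curl", "7.61.0", "High", "VULN-PLACEHOLDER-2", False),
        Finding("zlib", "1.2.8", "Medium", "VULN-PLACEHOLDER-3", True),
    ],
    "dockerfile": ["FROM ubuntu:18.04", "RUN apt-get install -y curl netcat",
                   "COPY billing /app/billing", "CMD [\"/app/billing\"]"],
}

# Assumed policy; the thresholds are illustrative, not Sysdig defaults.
POLICY = {
    "stop_severities": {"Critical"},   # fail the build when a fix exists
    "warn_severities": {"High"},       # surface it, let the build continue
    "forbidden_packages": {"netcat"},  # never allowed in a shipped image
    "require_non_root_user": True,     # Dockerfile must end with a non-root USER
}


def effective_user(dockerfile_lines):
    """Return the user the image runs as: the last USER instruction, or root."""
    user = "root"
    for line in dockerfile_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "USER":
            user = parts[1].split(":")[0]
    return user


def evaluate(report, policy):
    """Apply the policy; return the decision (STOP/WARN/PASS) and the reasons."""
    stop, warn = [], []
    for f in report["findings"]:
        where = f"{f.vuln_id} in {f.package} {f.version}"
        if f.severity in policy["stop_severities"]:
            # No fix available: blocking would stall the pipeline with no way out.
            (stop if f.fix_available else warn).append(where)
        elif f.severity in policy["warn_severities"]:
            warn.append(where)
    for pkg in sorted(report["packages"]):
        if pkg in policy["forbidden_packages"]:
            stop.append(f"forbidden package {pkg} {report['packages'][pkg]}")
    if policy["require_non_root_user"] and effective_user(report["dockerfile"]) in ("root", "0"):
        stop.append("image runs as root")
    decision = "STOP" if stop else "WARN" if warn else "PASS"
    return {"image": report["image"], "decision": decision, "stop": stop, "warn": warn}


def runtime_alerts(running_images, previous_status, current_status):
    """The run-time alerts above: an unscanned image running, or a scan status change."""
    alerts = []
    for image in running_images:
        if image not in current_status:
            alerts.append(f"unscanned image in production: {image}")
        elif previous_status.get(image) != current_status[image]:
            alerts.append(f"scan status changed for {image}: "
                          f"{previous_status.get(image)} -> {current_status[image]}")
    return alerts


if __name__ == "__main__":
    print(evaluate(SCAN_REPORT, POLICY))
```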

2. Kubernetes monitoring

Kubernetes has significantly changed how enterprises bring services to market, helping developers rapidly build and roll out new applications and services. As you deploy more and more cloud-native applications onto Kubernetes, understanding and resolving issues with its health and performance, along with the applications it supports, is key to success.

The Sysdig Cloud-Native Visibility and Security Platform is designed to provide unique Kubernetes insights. Deep visibility into your infrastructure and applications enables you to monitor and troubleshoot performance issues in real-time with full Kubernetes context.

With Kubernetes, individual containers become less important, while the performance of a service becomes more important. Sysdig lets you visualize, explore, and alert on your containers and metrics based on the logical Kubernetes hierarchy (for example, namespace > deployment > pod > container). The ability to view data with full Kubernetes context is a powerful way to get insight and understand what’s taking place regardless of how distributed or dynamic your containers are. This helps you quickly answer questions about the performance of a service at large, or drill down into a pod or even a container.

Also key to understanding behavior and performance with Kubernetes is the ability to correlate events in your environment, like pod creation and replica set scaling, with your metrics. Sysdig automatically collects Kubernetes and container events, which you can overlay with metric views to provide insight for fast analysis and troubleshooting.

What if you want to see a map of all your Kubernetes resources and your services, and more importantly visualize how they are communicating with each other? Sysdig dynamically maps the topology of your Kubernetes infrastructure — from top level views like clusters and namespaces all the way to pods, containers, and container processes — to help you visualize flows and interdependencies between your hosts, containers, and Kubernetes cluster components. Each can be overlaid with your choice of metrics like response times, link traffic, and error counts. This makes it far easier to discover bottlenecks and recognize where issues exist.

Ensuring the health of your Kubernetes components is another crucial monitoring capability. Sysdig automatically polls the Kubernetes API to capture kube-state-metrics that detail the state of your Kubernetes infrastructure. This lets you identify whether the condition of your cluster is having an impact on application behavior. Here are examples of questions you’ll be able to answer:

• Does each deployment have sufficient resources?
• How many pods are running per deployment vs. desired?
• Is there enough capacity to serve pod requests?
• How many jobs are actively running?
• How many nodes are unavailable?
• How many nodes are out of disk space?
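How the questions above are answered from kube-state-metrics data, as an added example that is not Sysdig code: it parses a constructed sample of the Prometheus text exposition format that kube-state-metrics serves (the metric names are real kube-state-metrics names, the values are made up) and derives running vs. desired pods, active jobs, unavailable nodes, nodes under disk pressure and unschedulable (Pending) pods.

```python
"""Answer the Kubernetes health questions above from a kube-state-metrics scrape.

Added example, not Sysdig code: it parses a constructed sample of the Prometheus
text exposition format that kube-state-metrics serves and derives the answers.
The metric names are real kube-state-metrics names; all values are constructed.
"""
import re

# Constructed scrape: one deployment is under-replicated, one node is not Ready
# and reports DiskPressure, one job is active, one pod is stuck Pending.
SAMPLE_SCRAPE = """\
# HELP kube_deployment_spec_replicas Number of desired pods for a deployment.
# TYPE kube_deployment_spec_replicas gauge
kube_deployment_spec_replicas{namespace="shop",deployment="billing"} 4
kube_deployment_spec_replicas{namespace="shop",deployment="cart"} 2
kube_deployment_status_replicas_available{namespace="shop",deployment="billing"} 2
kube_deployment_status_replicas_available{namespace="shop",deployment="cart"} 2
kube_node_status_condition{node="node-a",condition="Ready",status="true"} 1
kube_node_status_condition{node="node-b",condition="Ready",status="true"} 0
kube_node_status_condition{node="node-b",condition="Ready",status="unknown"} 1
kube_node_status_condition{node="node-a",condition="DiskPressure",status="true"} 0
kube_node_status_condition{node="node-b",condition="DiskPressure",status="true"} 1
kube_job_status_active{namespace="shop",job_name="nightly-report"} 1
kube_job_status_active{namespace="shop",job_name="cleanup"} 0
kube_pod_status_phase{namespace="shop",pod="cart-7f9c-x1",phase="Pending"} 1
kube_pod_status_phase{namespace="shop",pod="cart-7f9c-x1",phase="Running"} 0
"""

SAMPLE_RE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{([^}]*)\})?\s+(\S+)")
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Yield (metric_name, labels, value) for each sample line; comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = SAMPLE_RE.match(line)
        if not match:
            continue  # tolerate lines this small parser does not understand
        name, _, label_blob, raw_value = match.groups()
        labels = dict(LABEL_RE.findall(label_blob or ""))
        yield name, labels, float(raw_value)


def cluster_health(text):
    """Compute the answers to the questions listed above from one scrape."""
    desired, available = {}, {}
    not_ready, disk_pressure = set(), set()
    active_jobs = pending_pods = 0
    for name, lab, val in parse_exposition(text):
        key = (lab.get("namespace"), lab.get("deployment"))
        if name == "kube_deployment_spec_replicas":
            desired[key] = int(val)
        elif name == "kube_deployment_status_replicas_available":
            available[key] = int(val)
        elif name == "kube_node_status_condition":
            # A node is unavailable when its Ready condition is anything but true.
            if lab["condition"] == "Ready" and lab["status"] == "true" and val == 0:
                not_ready.add(lab["node"])
            if lab["condition"] == "DiskPressure" and lab["status"] == "true" and val == 1:
                disk_pressure.add(lab["node"])
        elif name == "kube_job_status_active":
            active_jobs += int(val)
        elif name == "kube_pod_status_phase" and lab["phase"] == "Pending" and val == 1:
            pending_pods += 1  # Pending pods are requests the cluster cannot yet serve
    under_replicated = {
        f"{ns}/{dep}": (available.get((ns, dep), 0), want)
        for (ns, dep), want in desired.items()
        if available.get((ns, dep), 0) < want
    }
    return {
        "under_replicated": under_replicated,  # deployment -> (running, desired)
        "active_jobs": active_jobs,
        "unavailable_nodes": sorted(not_ready),
        "nodes_out_of_disk": sorted(disk_pressure),
        "pending_pods": pending_pods,
    }


if __name__ == "__main__":
    for question, answer in cluster_health(SAMPLE_SCRAPE).items():
        print(f"{question}: {answer}")
```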

3. Audit and compliance

Security teams and DevSecOps are struggling to successfully manage auditing and compliance requirements in Kubernetes and container infrastructure. Regulatory container compliance standards are comprehensive and require heavy manual effort by compliance teams to map these mandates to their organization’s requirements. Enterprises that must comply with federal or local regulations need to establish proper audit controls and ensure that configurations across their infrastructure are compliant — from hosts and nodes to the service configuration file inside all running containers.
Container compliance needs to be as automated and agile as possible, to avoid interfering with software delivery. Sysdig helps enterprises navigate the complexity of container auditing and compliance, delivering a robust record of all activity across your hosts, containers, and microservices, and automatically enforcing regulatory compliance controls for CIS benchmarks, PCI, HIPAA, GDPR, etc. via automated workflows.

By enabling container and Kubernetes compliance checks early in the lifecycle, Sysdig helps you maintain a strict security compliance posture starting with development. Pre-deployment container compliance scanning policies analyze images in your CI/CD pipeline (Jenkins, Bamboo, etc.) or any Docker v2 registry prior to production. These policies check for violations and vulnerabilities within images including container image metadata, contents, licenses, vulnerabilities, and Dockerfile instructions.

A compliance policy is much more than a collection of rules. Using Sysdig, security teams can define a set of compliance policies to be applied to any subset of the infrastructure, scoped to a specific environment, application or namespace:

• Production vs. staging vs. development environments
• Internal-only vs. external-facing applications
• Infrastructure Kubernetes namespaces and pods vs. application namespaces
• Stateless deployments vs. deployments holding sensitive customer data

Enterprises also need to ensure configurations across their infrastructure are compliant — from hosts and nodes to the service configuration file inside all running containers. Sysdig leverages certified container and Kubernetes compliance benchmarks like docker-bench and kube-bench to validate configuration at every logical layer of your infrastructure. In the event of a CIS Kubernetes and Docker benchmark configuration drift, guided remediation tips help users apply best practices for maintaining container compliance, saving security professionals and DevSecOps time when issues arise.

Runtime operational drift means that your running containers can be manipulated, hijacked or just behave in ways you didn’t expect due to software bugs. Sysdig provides a runtime scanning engine capable of enforcing container compliance rulesets not only for container images but also for running containers.

For auditing, Sysdig’s unified visibility lets you see all user, container, and policy activity together. This includes the ability to see and search all user commands within containers, down to arguments and scope. You can also view all policy violations on a timeline and organize, filter, and map violations by namespace or environment to deliver precise views of container activity.

Altogether, Sysdig gives security teams the tools they need to provide an up-to-date compliance status evaluation to internal or external auditors on demand.

4. Application health and performance monitoring

Application health and performance are paramount to successful engagement of your users with the software that you develop. Your application may be made up of multiple microservices, which in turn can be made up of dozens or hundreds of containers. This makes the simple act of monitoring response time or enforcing a service-specific security policy much more challenging than ever before. One thing is clear: slowdowns and unavailability that elude fast resolution due to lack of detailed visibility put your revenue-critical applications and business at risk.

Designed for cloud-native applications, Sysdig gives you the insight and control you need to reliably run thousands of containerized applications to support your business. Two key Sysdig capabilities come together to deliver rich system, container, and application data to dramatically simplify monitoring application health and performance:

• ContainerVision™ simplifies visibility and makes it possible to inspect applications running inside containers without requiring any instrumentation of the container or application.
• ServiceVision™ extracts service labels from your orchestrator to add service context to all of your metrics and events for greater clarity and precision when viewing data.

With a single instrumentation point per node in your Kubernetes cluster, you can monitor your applications, containers, hosts, and networks. Events or actions on your target systems, infrastructure metrics, application metrics, service response times, custom metrics and resource/network utilization are ingested without any effort from within the container.

Sysdig features default application views that provide you with detailed app-specific performance and health information. Over 50 out-of-the-box application integrations auto-detect your running software components and pre-populate purpose-built dashboards and metric views for you. This simplifies your job by pinpointing affected services as well as the problems within a service. For example, Golden Signals visualizations help you discover application-specific bottlenecks, understand errors, observe latency, and identify load — critical to any application, especially after rollout to ensure successful operation in production.

Sysdig makes it easy to explore metrics for each microservice, including resource usage metrics like CPU, memory, and file I/O across applications and microservices, down to the container process level. Our topology maps give you powerful environment visibility that helps you identify dependencies across containers and visually identify problems like disconnected microservices or overloaded network links. In addition, our unique ability to create system call captures on incident alert gives you deep observability into executed commands, file system activity, network activity, and more for analysis and troubleshooting containers even after they are gone.

These capabilities combined help you answer key questions like:

• What is the response time of my Cassandra service across three data centers and 45 containers?
• What is the slowest endpoint of my billing service?
• Which applications have the most errors?

5. Container run-time security

Container security is top-of-mind for any organization adopting containers and Kubernetes. If a container is not running as expected, it could be caused by a security incident — but how can you know? Suspicious activities such as unexpected outgoing connections, anomalous file access or unauthorized process behavior that occur in production present a real threat to your services and consequently your business.

Sysdig’s unique system call level instrumentation gives you 10x more signals about container, host and orchestrator activity in your environment. Our behavioral models leverage data from millions of containers Sysdig already protects to create the most effective out-of-the-box container protection and response. Runtime security capabilities let you detect, alert, and block unwanted activity or actions that deviate from the norm for containers — and the processes inside — while they are running in production. With dozens of out-of-the-box policies, you can easily scope and apply rules that protect the containers within your infrastructure. And with an easy-to-use UI-based editor, any cybersecurity or DevOps professional can create simple but effective security policies for security and control. In addition, using machine learning, Sysdig can analyze and model the known behavior of your container images and auto-generate runtime profiles. By learning the baseline activity of containers, runtime profiling saves the time and effort required to manually create and update security profiles and reduces issues resulting from human error. This includes giving you the ability to create whitelist policies for known processes and commands that you want to allow within your containers.

Sysdig’s runtime security monitors the behavior of your containers at execution time. Based on the policies you’ve enabled, if the conditions are met, a security event is triggered. This includes conditions such as:

• Unexpected or unknown processes running inside a container
• Disallowed outbound or inbound connections
• Unexpected opens of listening ports or remote ports
• Reading sensitive files or directories
• A shell running inside your container

For security incident response, Sysdig can take multiple actions like isolating or killing the container, but also creating a Sysdig capture with all the system activity for performing forensics and post-mortem analysis.
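The two mechanisms described above, learning a per-image baseline and then triggering on the listed conditions, as one added example that is not Sysdig's runtime engine or policy language: the event records, image name, paths and addresses are constructed, the sensitive-path list and shell names are assumptions, and the response actions are only labels attached to each alert.

```python
"""Baseline-then-detect runtime rules over constructed container events.

Added example, not Sysdig's runtime engine. It learns a per-image whitelist
from known-good events (the profiling the text describes) and then evaluates
production events against the five listed conditions. Events, image names,
paths and addresses are constructed; actions are labels on the alert only.
"""
from collections import defaultdict

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}                 # assumption
SENSITIVE_PREFIXES = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")  # assumption

# Constructed training events: the billing image behaving normally.
BASELINE_EVENTS = [
    {"image": "shop/billing", "type": "exec", "proc": "billing"},
    {"image": "shop/billing", "type": "exec", "proc": "java"},
    {"image": "shop/billing", "type": "listen", "proc": "java", "port": 8080},
    {"image": "shop/billing", "type": "connect", "proc": "java", "dst": "10.0.5.12:5432"},
]

# Constructed production events: normal activity mixed with each listed condition.
PROD_EVENTS = [
    {"image": "shop/billing", "type": "exec", "proc": "java"},
    {"image": "shop/billing", "type": "exec", "proc": "bash"},
    {"image": "shop/billing", "type": "exec", "proc": "curl"},
    {"image": "shop/billing", "type": "open", "proc": "bash", "path": "/etc/shadow"},
    {"image": "shop/billing", "type": "connect", "proc": "curl", "dst": "203.0.113.9:443"},
    {"image": "shop/billing", "type": "listen", "proc": "java", "port": 4444},
    {"image": "shop/billing", "type": "connect", "proc": "java", "dst": "10.0.5.12:5432"},
]

EMPTY_PROFILE = {"procs": set(), "ports": set(), "dsts": set()}


def learn_profile(events):
    """Build the per-image whitelist: processes, listening ports, outbound destinations."""
    profile = defaultdict(lambda: {"procs": set(), "ports": set(), "dsts": set()})
    for ev in events:
        p = profile[ev["image"]]
        p["procs"].add(ev["proc"])
        if ev["type"] == "listen":
            p["ports"].add(ev["port"])
        elif ev["type"] == "connect":
            p["dsts"].add(ev["dst"])
    return profile


def evaluate_event(ev, profile):
    """Return (rule, action) pairs triggered by one event; empty when it is normal."""
    p = profile.get(ev["image"], EMPTY_PROFILE)  # unknown image: nothing is whitelisted
    hits = []
    if ev["type"] == "exec":
        if ev["proc"] in SHELLS:
            hits.append(("shell spawned in container", "capture+kill"))
        elif ev["proc"] not in p["procs"]:
            hits.append(("unexpected process", "capture"))
    elif ev["type"] == "open" and ev["path"].startswith(SENSITIVE_PREFIXES):
        hits.append(("sensitive file read", "capture"))
    elif ev["type"] == "connect" and ev["dst"] not in p["dsts"]:
        hits.append(("disallowed outbound connection", "capture+isolate"))
    elif ev["type"] == "listen" and ev["port"] not in p["ports"]:
        hits.append(("unexpected listening port", "capture"))
    return hits


def scan(events, profile):
    """Run every production event through the rules and collect the alerts."""
    alerts = []
    for ev in events:
        for rule, action in evaluate_event(ev, profile):
            alerts.append({"image": ev["image"], "proc": ev["proc"],
                           "rule": rule, "action": action})
    return alerts


if __name__ == "__main__":
    for alert in scan(PROD_EVENTS, learn_profile(BASELINE_EVENTS)):
        print(alert)
```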

6. Multi-cloud monitoring and security

Enterprises are taking advantage of multiple cloud types and locations including AWS, Google, IBM, and Azure along with private data centers as they move toward a multi-cloud strategy to avoid being locked into a single cloud provider. Thanks to container and orchestration technology, deploying and moving applications and services across clouds is easier than ever. But how do you monitor performance, health, and security across diverse, distributed infrastructure? And how do you see what’s happening inside your containers across clusters and regions to ensure you’re meeting your business goals?

Sysdig provides technology that is inherently multi-cloud. This enables cross-cloud and multi-cloud monitoring, security alerting, troubleshooting and forensics with full visibility into your microservices.

With a consistent method to manage the risk, health, and performance of your systems across clouds, you benefit from our cloud-native visibility and security solutions across AWS, Google Cloud, Azure, IBM Cloud, and private clouds in various combinations. This empowers you to compare and correlate services across different cluster deployments and clouds. Sysdig’s multi-cloud capabilities give you more consistency and the flexibility to choose the cloud solutions that best support your business without the steep learning curve of adopting one-off operational tooling.

Sysdig also provides flexible deployment models to meet the unique requirements of any customer:

• Cloud: Sysdig runs a multi-tenant backend software-as-a-service for you
• Software: You deploy, run and operate the Sysdig platform wherever you’d like

For customers who are comfortable storing security and performance data in a 3rd party cloud service, Sysdig gives you a completely hands-off way to operationalize visibility for your cloud-native applications. If you have greater data restrictions or other business imperatives that prohibit public cloud use, you can run our software in your on-premises data center or virtual private clouds.

7. Prometheus monitoring

Prometheus has become the default open-source tool for monitoring in conjunction with containers and Kubernetes environments. Its popularity is driven increasingly by cloud application developers who instrument their code to deliver valuable performance and usage metrics in highly dynamic service-oriented architectures. At the same time, moving to production at scale requires additional capabilities for successful enterprise-class monitoring.

In addition to being a contributor to the project, Sysdig integrates the Sysdig Cloud-Native Visibility and Security Platform with Prometheus capabilities to bring a broad set of functionality for monitoring, troubleshooting, and security to enterprises. In particular, to support enterprise Prometheus users at scale and in production, Sysdig enables key capabilities including global metric views, long-term data retention, and high availability in addition to features like access control.

Sysdig automatically collects Prometheus metrics from instrumented applications and 3rd-party exporters and is then also able to layer on more Sysdig-collected metrics and event data. This helps developers, DevOps, operations, and security teams get even more visibility into infrastructure and applications. By combining and correlating Prometheus metrics with other metric types, like JMX, StatsD, default application and system metrics along with orchestration events, you get a robust 360-degree view of your enterprise applications and infrastructure. This gives you the freedom to continue monitoring legacy applications using existing tooling while focusing Prometheus instrumentation on your newest developments.

Because data is critical for identifying trends and helping guide future decisions, Sysdig helps Prometheus users avoid the compromise of deleting metric data because of server capacity concerns. Sysdig’s horizontally scalable backend is based on modern distributed systems design. Prometheus users are able to maintain higher-resolution metrics for longer, helping you do valuable time and trend comparisons. Plus, if you’re looking for a more maintenance-free approach, the Sysdig Monitor SaaS solution lets you take advantage of a fully-managed, cloud-based solution for maintaining all of your metrics. This frees you to focus on the work of instrumenting your apps with Prometheus to get the right metrics.

For governance and compliance, controlling access to your systems — including your monitoring solution — is key. Sysdig offers Prometheus users several capabilities designed for enterprise users to ensure security and control. Integration with LDAP directory services and Single Sign On (SSO) simplifies user setup and access control.

With Sysdig you can also isolate data without deploying isolated infrastructure. Sysdig Teams functionality gives you fine-grained permissions to lock down access to individual hosts, services, namespaces, containers, and more — all within a single managed system. This, combined with enterprise class data management, scale, integrations, and support, gives Prometheus users unparalleled flexibility for monitoring and troubleshooting large, complex environments.

8. Capacity planning

Capacity planning for container and Kubernetes environments can be particularly challenging for cluster operators. Automated scaling helps deliver quality of service for an optimal user experience, but dynamic environments built on containers can complicate the art of determining headroom, capacity utilization, resource constraints, and future requirements.

Sysdig’s data-rich infrastructure insights help you visualize where in your environment capacity is over- or under-utilized and give you a line of sight into how resources currently impact your operations, and where you should invest in the future to keep pace with demand.

For example, Sysdig customers often use metrics to observe average and peak loads and measure usage against quotas, requests and limits. Armed with the information Sysdig makes available, enterprises can make informed decisions about the resources required to support new and existing applications along with planned growth. With Sysdig you can answer questions like:

• How effectively are we using compute resources?
• Which services will require additional resources, and when?
• What impact do my resource constraints have on observed performance?

By understanding real-world dimensions of measurements like CPU, memory and I/O in development and production, you can drive significant cost savings by avoiding purchasing and provisioning more resources than required to deliver the required performance. Conversely, you can identify when to proactively increase available resources as your cluster crosses utilization watermarks to avoid degradation due to overtaxed resources.

Sysdig dashboards provide instant insight into resource usage. In addition, you can use automated alerting to monitor distinct capacity thresholds for any metric you choose, so you receive proactive alerts when your resource utilization rises above or dips below your defined watermarks.
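The two calculations this section describes, average and peak usage measured against requests and limits, and watermark alerts that fire on crossing, as an added example that is not Sysdig code: the CPU samples (millicores), requests, limits and the 40% / 90% / 85% / 30% thresholds are constructed assumptions chosen to show one over-provisioned and one constrained service.

```python
"""Usage vs. requests/limits, and high/low watermark alerts with hysteresis.

Added example, not Sysdig code. Samples are constructed per-service CPU readings
in millicores; request, limit and every threshold below are assumptions.
"""
from statistics import mean

# Constructed CPU samples (millicores) per service, with the pod's request and limit.
SERVICES = {
    "shop/billing": {"request": 500, "limit": 1000,
                     "samples": [120, 140, 110, 130, 125, 135]},
    "shop/cart":    {"request": 200, "limit": 250,
                     "samples": [180, 220, 245, 250, 250, 240]},
}


def assess(name, svc, low=0.4, high=0.9):
    """Classify a service by how average and peak usage relate to request and limit."""
    avg, peak = mean(svc["samples"]), max(svc["samples"])
    avg_vs_request = avg / svc["request"]
    peak_vs_limit = peak / svc["limit"]
    if peak_vs_limit >= high:
        verdict = "constrained: peak at the limit, throttling likely; raise limit or scale out"
    elif avg_vs_request < low:
        verdict = "over-provisioned: average well below request; lower the request"
    else:
        verdict = "right-sized"
    return {"service": name, "avg": round(avg), "peak": peak,
            "avg_vs_request": round(avg_vs_request, 2),
            "peak_vs_limit": round(peak_vs_limit, 2), "verdict": verdict}


class WatermarkAlert:
    """Fires once when utilization crosses a watermark, not on every sample beyond it."""

    def __init__(self, high, low):
        self.high, self.low = high, low
        self.state = "normal"

    def feed(self, utilization):
        """Return an alert string on a crossing, otherwise None."""
        if self.state != "high" and utilization >= self.high:
            self.state = "high"
            return f"above high watermark ({utilization:.0%} >= {self.high:.0%})"
        if self.state != "low" and utilization <= self.low:
            self.state = "low"
            return f"below low watermark ({utilization:.0%} <= {self.low:.0%})"
        if self.low < utilization < self.high:
            self.state = "normal"  # re-arm once the series is back between the marks
        return None


def cluster_utilization_alerts(utilizations, high=0.85, low=0.3):
    """Feed a series of cluster utilization ratios through one alert; return (index, msg)."""
    alert = WatermarkAlert(high, low)
    fired = []
    for i, u in enumerate(utilizations):
        msg = alert.feed(u)
        if msg:
            fired.append((i, msg))
    return fired


if __name__ == "__main__":
    for name, svc in SERVICES.items():
        print(assess(name, svc))
    print(cluster_utilization_alerts([0.5, 0.86, 0.9, 0.7, 0.88, 0.25, 0.2, 0.5]))
```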

9. Container troubleshooting

Being able to see the status and performance of your containers in production deployments is critical. But once you see a problem, then what? Most system administrators have experienced the moment when you know something’s wrong, even where, but not why. When something goes wrong, time to resolution is key for ensuring uninterrupted service to your users. Containers make the job of troubleshooting even harder as they are often no longer running or are rescheduled to other nodes, leaving you with little to no information to determine root cause.

The Sysdig Cloud-Native Visibility and Security Platform helps you reduce your mean time to repair (MTTR). Sysdig dashboards and metric views are a great tool for seeing the "what" of an issue; however, most administrators would prefer not to watch a screen 24x7 in order to know if a problem exists in the first place. To accelerate your response to system or application issues, Sysdig’s automated alerting within the Sysdig UI lets you set alerts against any metric or group of metrics. This includes the ability to configure anomaly detection and watch for outliers in a group of hosts or containers, proactively giving you a "heads up" that something is not right in your environment.

Typical monitoring solutions stop at alerts and leave the hard work of gathering logs or using some combination of tools to search for the data you need to get to the bottom of an issue up to you. With Sysdig, the alerts you set can automatically trigger a Sysdig capture file that contains a recording of all of the kernel-level system calls and OS events from the time of your system event. These data-rich, in-context system captures put the data you need to determine root cause right at your fingertips. This means no more logging into production hosts to troubleshoot, and no more jumping to external tool sets to find and search for evidence of what happened.

And if your containers are gone? Sysdig capture files arm you with all of the context and data you need from the affected containers even when they are no longer running. Clicking on a capture file link opens the contents in Sysdig Inspect, our intuitive open source UI for capture file analysis. Inside Sysdig Inspect, you’ll find an organized overview of all of the system, network, and application activity. Here you can correlate metrics, zoom in on a specific time slice to isolate conditions, and further drill down to help you get a clear picture of what caused a problem.

Our customers report that integrated troubleshooting with this level of control in one interface accelerates their time-to-resolution for container issues by 10x or more. Sysdig not only makes troubleshooting easier and faster, but it also makes troubleshooting possible in your ephemeral containerized environments.

10. Container forensics

Containers are designed to be small, lightweight, and distributed. This is ideal for deployability and repeatability but complicates getting the information you need for incident response when you encounter security events.

When a security incident strikes, Sysdig’s ability to capture every single system call on a host lets you quickly identify infected containers and the system, user, and network activity before and after security events. By automatically recording 100% of pre- and post-attack activity, you can drill down from a policy violation to user activity, system calls, and even down to the actual data written to file. With Sysdig you can inspect data and perform your forensics investigation outside of production, even if the containers are long gone.

If you experience a security issue in your container environment, with Sysdig you can answer time-sensitive questions like:

• What happened?
• What was the breach?
• Was any data exfiltrated?
• How did they break into my system?
• Who did it?

The ability to perform forensic analysis with containers is a critical capability for any enterprise. Sysdig’s ability to see inside containers and provide full orchestration context combined with alerting and deep system captures gives you the ability to automate a full security lifecycle from intrusion detection and prevention through incident response and forensics.

Let’s explore your use cases together.

sysdig.com
