Automating detection and response with Tines workflows and Sysdig

Written by John Leonard

Published on April 29, 2024

Sysdig and Tines have joined forces to provide an integrated detect, triage and respond solution that enhances cloud security. This partnership combines Sysdig’s expertise in Runtime Insights with Tines’ robust orchestration and automation features. The result is a powerful solution that enables DevSecOps, Operations, and SOC teams to streamline security workflows, shorten response times, and stay ahead of security incidents.

Better together: Sysdig and Tines

Customers adopt this joint solution to prevent sophisticated cloud attacks. The integration of Sysdig and Tines allows for the detection, triage, and response to security threats at cloud speed. It adheres to the 5/5/5 Cloud Detection and Response Benchmark, which enables organizations to detect security threats in 5 seconds, triage and correlate in 5 minutes, and initiate a response in 5 minutes.

Top Three Benefits for the Customer

  1. Enhanced threat detection and response - the partnership allows for quick detection and response to complex security threats like Scarleteel.

  2. Automated response - Tines, a next-gen workflow automation platform, empowers security teams to respond automatically to threats detected by Sysdig, reducing human latency.

  3. Flexible, accessible security workflows - Tines simplifies the process of managing security workflows, making it easier for teams to tackle complex attacks.

Sample workflow: detect and enrich Sysdig alerts with Tines

This is a fully automated detect, triage and remediate workflow that enables customers to achieve the 5/5/5 benchmark. Sysdig generates a security alert; Tines and Sysdig then work together to determine the alert's severity and prioritize it. Finally, Tines remediates the issue by blocking the user's AWS console login.

Let's take a closer look, step-by-step:

  • This workflow begins by receiving Sysdig CloudTrail alerts via notification integrations.

  • Upon receiving an alert, the system retrieves user identity information from Sysdig and uses it to generate a risk score.

  • Tines then looks up the IP address associated with the user to ascertain its reputation.

  • If the IP address is malicious, the system autonomously applies a deny-all policy, blocking the user from logging in to the AWS console.
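The four steps above as an added example, not code from Tines or Sysdig: a Python sketch of the triage logic with constructed stand-ins for the Sysdig identity lookup and the GreyNoise reputation lookup. The sample alert, risk weights and thresholds are assumptions; the one detail a practitioner would want that the steps leave implicit is handled explicitly, namely that an unknown reputation goes to an analyst rather than triggering an automated block.

```python
import ipaddress
# Constructed sample alert shaped like a CloudTrail-derived event; not a real Sysdig payload.
SAMPLE_ALERT = {"rule": "Console login without MFA",
                "user": {"name": "deploy-bot"}, "source_ip": "203.0.113.7"}

# Constructed stand-in for the identity enrichment step (the real workflow queries Sysdig).
IDENTITY = {"deploy-bot": {"mfa_enabled": False, "admin": True, "key_age_days": 400}}

# Constructed stand-in for an IP reputation feed (the real workflow queries GreyNoise).
IP_REPUTATION = {"203.0.113.7": "malicious", "198.51.100.9": "benign"}

# RFC 1918 and loopback ranges: never worth sending to an external reputation feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# IAM policy document the response step would attach to the user to deny all access.
DENY_ALL_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}

def risk_score(identity):
    """Additive score from identity hygiene facts; weights are illustrative."""
    score = 0
    if not identity.get("mfa_enabled", True):
        score += 40
    if identity.get("admin"):
        score += 30
    if identity.get("key_age_days", 0) > 90:
        score += 20
    return score

def ip_reputation(ip):
    """Classify a source IP: internal ranges are short-circuited, others are looked up."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return IP_REPUTATION.get(ip, "unknown")

def triage(alert):
    """Enrich, score and decide: deny-all on a malicious IP, otherwise route by risk."""
    user = alert["user"]["name"]
    score = risk_score(IDENTITY.get(user, {}))
    rep = ip_reputation(alert["source_ip"])
    if rep == "malicious":
        action = "deny_all"   # automated response: block the AWS console login
    elif rep == "unknown" or score >= 70:
        action = "review"     # fail safe: unknown or high-risk cases go to an analyst
    else:
        action = "monitor"
    policy = DENY_ALL_POLICY if action == "deny_all" else None
    return {"user": user, "risk_score": score, "ip_reputation": rep, "action": action, "policy": policy}
```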

Tines and Sysdig workflow

Detect and Enrich Sysdig Alerts with Risky User with Greynoise and Deny User from AWS Console Login


Community author

Manuel Boira at Sysdig

Get started with this workflow by signing up for the always-free Community Edition of Tines.
