Threat detection and response for containers, hosts, Kubernetes and the cloud

How Falco's runtime security protects your organization

Multi-level defense is essential for effective cybersecurity. Whether it's securing your software supply chain, controlling access, or protecting against cloud misconfigurations, the acceleration of cloud adoption has rapidly expanded the potential attack surface companies need to protect.

The ultimate line of defense, however, is runtime security. Security is an ever evolving war against attacks, and one of the most powerful ways to protect your cloud-native environment is to detect threats as they occur. With the increasing number of cyber attacks and breaches, it’s crucial to have real-time visibility across your cloud, workloads, and user activity.

What is runtime security and why it matters

To effectively detect and respond to threats, runtime security solutions must be efficient and alert on suspicious behavior in real time. Attackers have adapted their tactics to the landscape of the cloud and can initiate attacks within seconds of entering your environment. While legacy solutions struggle to detect cloud-native threats, Falco can provide a layer of protection to identify and respond to these incidents as they happen. This will minimize the impact of breaches and protect your organization against financial loss and reputational damage.

What is Falco

At the highest level, you can think of Falco like a network of security cameras for your infrastructure. You deploy Falco across a distributed infrastructure. Falco collects data (from the local machine or by talking to some API), runs a set of rules against it, and notifies you if something bad happens.

Falco makes it easy to consume Linux kernel syscalls, and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of out of the box security rules specifically built for Kubernetes, Linux and the cloud.

Originally developed as open source by Sysdig, Falco was contributed to the Cloud Native Computing Foundation (CNCF) in 2018 and moved to the incubating level in 2020. Since its inception, Falco has been downloaded more than 50 million times, with more than 480% growth in the last two years.

How it works

Falco provides real-time detection and response capabilities across individual containers, hosts, Kubernetes clusters and the cloud. It is able to detect malicious runtime behavior such as crypto mining, file exfiltration, privilege escalation in applications and rootkit installation, among many others. These malicious behaviors are detected via user-defined Falco rules that classify events of application activity as malicious or suspicious.

More specifically, Falco collects event data from a source and compares each event against a set of rules. Some examples of sources for Falco events are:

  • Linux kernel syscalls
  • Kubernetes audit logs
  • Cloud events (e.g. AWS CloudTrail)
  • Events from other systems (GitHub, Okta)
  • Any other data source, added to Falco by developing a plugin

Rules help the Falco engine identify security issues. Falco comes pre-loaded with a comprehensive set of rules that cover container, host, Kubernetes and cloud security, and you can easily create your own rules to customize it. The newly introduced falcoctl tool keeps Falco's security rules up to date out of the box.

System calls are one of the most important data sources for Falco. If an application has been compromised, Falco is able to detect malicious or suspicious behavior based on the system calls that it performs.
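The following rules file is an added example written for this page, not part of Falco's default ruleset, to show the three building blocks a Falco rule file is made of: a `list` of values, reusable `macro` conditions, and the `rule` itself with its `condition`, `output` template and `priority`. The macro and list names (`ex_spawned_process`, `in_container`, `shell_binaries`) are chosen here so the file stands alone and does not override macros from the default rules; the install path in the comment is an assumption.

```yaml
# Added example rules file (not from the Falco project's default ruleset).
# Assumed to be dropped into /etc/falco/rules.d/ alongside the default rules.
# List, macro and rule names are local to this file.

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash, ksh]

# A process is "spawned" when the exit side (evt.dir=<) of execve/execveat
# is seen, i.e. the new program image is actually running.
- macro: ex_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# Syscalls that originate on the host carry the container id "host".
- macro: in_container
  condition: container.id != host

- rule: Shell spawned in container
  desc: >
    An interactive shell was started inside a container. Containers rarely
    need a shell at runtime, so this is a common early indicator of compromise
    or of an operator bypassing the deployment pipeline.
  condition: >
    ex_spawned_process and in_container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  output: >
    Shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
     container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]

- rule: Write below /etc in container
  desc: >
    A process inside a container opened a regular file under /etc for writing.
    Running containers are expected to be immutable, so configuration changes
    at runtime point at persistence or tampering.
  condition: >
    evt.type in (open, openat, openat2) and evt.dir=<
    and evt.is_open_write=true and fd.typechar='f' and fd.num>=0
    and fd.name startswith /etc
    and in_container
  output: >
    File below /etc written in container
    (user=%user.name command=%proc.cmdline file=%fd.name
     container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [container, filesystem, mitre_persistence]
```

Each `%field` in `output` is replaced with the value taken from the matching event, so the alert carries the user, command and container image needed to triage it without a second lookup. Checking `evt.dir=<` on the exit side of the syscall matters for the file rule: only then is the file descriptor known, which is what populates `fd.name`.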

Instrumenting system calls

Capturing system calls is performance-critical, and there are two ways in which Falco achieves this: an eBPF probe or a kernel module.

eBPF is a revolutionary technology that allows us to run sandboxed programs inside an operating system. eBPF programs are flexible and safe, and run extremely fast, making them well suited to capturing runtime security events. This makes eBPF ideal for instrumenting system calls for Falco.

Before the emergence of eBPF, kernel modules were the norm for extending functionality in the Linux kernel. They run in privileged mode, and are written in C, making them very efficient and therefore a great option for performance-critical work. Falco offers a kernel module for situations where eBPF isn't the best fit.

Respond to threats

With Falco and Falcosidekick, you can forward suspicious events to serverless systems that trigger actions and remediate threats. Together they form a full response engine to protect your environments.

Falcosidekick is a companion application to Falco that forwards Falco events. It allows you to distribute events to more than 50 systems, such as email, chat, message queues, serverless functions, databases and more. It’s easy to configure and use both locally and inside Kubernetes.
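The fragment below is an added example of the Falco-side configuration that makes the forwarding described above work; it is not the project's shipped `falco.yaml`. It assumes Falcosidekick is reachable in-cluster under the service name `falcosidekick` on its default port 2801, and the local log path is an arbitrary choice.

```yaml
# Added example falco.yaml fragment (not the project's default config).
# Assumes a Falcosidekick service named "falcosidekick" listening on port 2801.

# Emit alerts as JSON so Falcosidekick and downstream tools can parse the
# individual fields instead of scraping the free-text output line.
json_output: true
json_include_output_property: true

# Minimum severity that leaves the engine; rules below "notice" are dropped
# before they reach any output, which keeps noisy debug rules off the wire.
priority: notice

# Keep a local copy on the node so an alert survives if the forwarder is down.
file_output:
  enabled: true
  keep_alive: false
  filename: /var/log/falco/events.json   # assumed path

# Forward every alert to Falcosidekick, which fans it out to chat, queues,
# serverless functions or a SIEM according to its own configuration.
http_output:
  enabled: true
  url: http://falcosidekick:2801/
```

Keeping `file_output` alongside `http_output` is deliberate: the forwarder is a single point of failure for the response pipeline, and a node-local record lets you reconcile what was detected against what actually arrived at the collector.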

Falco FAQs

Runtime security helps protect workloads against a variety of threats, such as:

  • Privilege escalation attacks through exploiting security bugs.
  • The deployment of unauthorized workloads by an attacker.
  • Unauthorized access to secrets or other sensitive information.
  • The activation of malware that is hidden inside an application.

Falco is designed to detect these and other threats while your services and applications are running. When it detects unwanted behavior, Falco alerts you instantly so you’re informed (and can react!) right away, not after minutes or hours have passed.

You can think of Falco like a set of smart security cameras for your infrastructure: you place the sensors in key locations, they observe what’s going on, and they ping you if they detect harmful behavior.

With Falco, a set of rules defines what bad behavior is. You can customize or extend these rules for your needs. The alerts generated by the set of Falco sensors can stay on the local machine, but it is good practice to export them to a centralized collector.

Yes, Falco can run on almost every Linux kernel, whether on a bare-metal server, a VM or a microVM.

Please check the documentation to learn about kernel versions and more specific deployment restrictions. A list of available drivers can be found here.