What you can do with Falco today

Falco shines at detecting threats, intrusions, and data theft in real time. It works well with legacy infrastructures, and excels at supporting containers, Kubernetes, and the cloud. Falco secures both workloads (processes, containers, services) and infrastructure (hosts, VMs, network, cloud infrastructure and services). It is designed to be lightweight, efficient, and scalable, and to be used in both development and production. Falco can detect many classes of threats out of the box, but should you need more, you can add custom detections. Falco is driven by a thriving open source community, bringing support and constant enhancement.

Falco today

Secure your whole machine by instrumenting the operating system

One of the major benefits of Falco is host security. It achieves this with kernel-level instrumentation, either a kernel module or an eBPF probe, that captures low-level system events such as file accesses, process creations, and network activity. This lets Falco detect suspicious behavior, such as unauthorized access attempts, malware activity, or privilege escalation, that may indicate a breach. Falco is a detection engine rather than an enforcement point: its rules engine can be extended with custom rules that look for specific attack patterns and express your organization's own security policy as alerts.
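As an added example, not code from the Falco project or from this page, here is a small custom rules file for Falco's syscall event source illustrating the host-level detections described above: a write below /etc by something other than a package manager, and a shell spawned as a child of a web server process. The list contents, rule names and the rules.d path are my own assumptions; the field names (evt.type, evt.is_open_write, fd.name, fd.typechar, proc.name, proc.pname, proc.cmdline, user.name, container.id) are standard Falco fields.

```yaml
# Added example: custom host rules for Falco's syscall event source.
# Place under /etc/falco/rules.d/ (path assumed) so it loads after the default rules.

- list: package_mgmt_binaries
  # Assumed set of package managers allowed to write under /etc; extend for your distro.
  items: [dpkg, apt, apt-get, rpm, yum, dnf, zypper, apk]

- list: web_server_binaries
  items: [nginx, httpd, apache2, caddy]

- list: shell_binaries
  items: [sh, bash, dash, zsh, ash]

- macro: open_write
  # A regular file (not a socket or pipe) opened with write intent.
  condition: evt.type in (open, openat, openat2) and evt.is_open_write = true and fd.typechar = 'f'

- macro: spawned_process
  # Exit side of execve, so the proc.* fields already describe the new program.
  condition: evt.type = execve and evt.dir = <

- rule: Unexpected write below /etc
  desc: A process that is not a known package manager opened a file under /etc for writing.
  condition: >
    open_write and fd.name startswith /etc/
    and not proc.name in (package_mgmt_binaries)
  output: >
    File below /etc opened for writing by unexpected process
    (user=%user.name command=%proc.cmdline file=%fd.name parent=%proc.pname container_id=%container.id)
  priority: WARNING
  tags: [host, filesystem, custom]

- rule: Shell spawned by web server
  desc: A shell was started as a child of a web server process, a common sign of a web shell or remote code execution.
  condition: >
    spawned_process and proc.name in (shell_binaries)
    and proc.pname in (web_server_binaries)
  output: >
    Shell spawned by web server process
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline container_id=%container.id)
  priority: CRITICAL
  tags: [host, process, custom]
```

Validate the file before deploying it with `falco -V /etc/falco/rules.d/custom_rules.yaml`; on a test host, `touch /etc/falco-test` as root triggers the first rule, and a shell started from a web server worker (for example via a deliberately vulnerable test application) triggers the second. Note that `container.id` is `host` for processes outside any container, so both rules cover the host and containers alike.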

Protect containers, Kubernetes and cloud native applications

Born "cloud-native", Falco is able to provide advanced container security. By tracking container behaviors and communications with the kernel, with an eBPF probe or a native kernel module, Falco can detect suspicious activities and threats in real-time. Falco can also enrich container events with metadata from the operating system, the container runtime and the Kubernetes API, providing users with more context about what's happening in their containers.

In addition to container security, Falco also provides Kubernetes security capabilities. Through the Kubernetes audit log plugin it can ingest audit events generated by the Kubernetes control plane and detect unauthorized or malicious requests to the API. Because every create, update, patch and delete of a Kubernetes resource passes through the API server, the same audit stream lets Falco flag changes to resources and configurations, so that unauthorized modifications which could compromise the cluster are surfaced as they happen. Falco does not replace RBAC or admission control, but it gives you a continuous, rule-driven view of what is actually happening in the cluster.
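As an added example, not code from the Falco project or from this page, the following rules file shows the two Kubernetes audit detections just described: creation of a privileged pod, and any change to a ClusterRoleBinding. It assumes the k8saudit plugin is loaded and the API server's audit webhook is pointed at Falco. The rule and list names and the allowlisted image repository are my assumptions; the `ka.*` and `jevt.*` fields are those exposed by the k8saudit plugin.

```yaml
# Added example: Kubernetes audit rules for Falco's k8saudit plugin (source: k8s_audit).
# Assumes the plugin is loaded and the API server audit webhook delivers events to Falco.

- macro: kevt
  # Act only on the completed request, where the response (and the created object's name) is available.
  condition: jevt.value[/stage] = ResponseComplete

- macro: pod_create
  condition: ka.verb = create and ka.target.resource = pods and not ka.target.subresource exists

- list: allowed_privileged_images
  # Assumed allowlist: repositories of agents that legitimately need privileged pods (CNI, storage, node agents).
  items: [registry.example.internal/node-agent]

- rule: Privileged pod created
  desc: A pod containing a privileged container was created; such a container has root on the node.
  condition: >
    kevt and pod_create
    and ka.req.pod.containers.privileged intersects (true)
    and not ka.req.pod.containers.image.repository in (allowed_privileged_images)
  output: >
    Privileged pod created
    (user=%ka.user.name pod=%ka.resp.name namespace=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, custom]

- rule: ClusterRoleBinding modified
  desc: A cluster-wide RBAC binding was created, changed or removed; unexpected changes here are a classic privilege-escalation path.
  condition: >
    kevt and ka.target.resource = clusterrolebindings
    and ka.verb in (create, update, patch, delete)
  output: >
    ClusterRoleBinding modified
    (user=%ka.user.name verb=%ka.verb binding=%ka.target.name)
  priority: WARNING
  source: k8s_audit
  tags: [k8s, rbac, custom]
```

The `kevt` macro matters: the API server emits one audit event per stage (RequestReceived, ResponseComplete, and others), so a rule without it fires twice per request and, at the RequestReceived stage, has no response object to report. The `source: k8s_audit` line is what routes the rule to the plugin instead of the syscall engine.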

Detect and alert on suspicious behavior in your cloud environments

As more organizations migrate their applications to the cloud, the need for robust security measures becomes increasingly important. The nature of cloud-native environments can make it challenging to keep track of all the assets and configurations, which can expose infrastructure and applications to vulnerabilities.

Falco has plugins that hook into the security event logs of your cloud provider of choice (for example the plugin that reads AWS CloudTrail), so that unexpected or malicious behavior in your cloud accounts is detected and alerted on with the same rules engine and outputs used for host events.

Protect your organization across the cloud

Falco offers a range of plugins that provide additional security benefits. These plugins integrate with various cloud services, such as GitHub and Okta, to enhance the security posture of your whole organization.

For example, the GitHub plugin for Falco can detect unauthorized access attempts and anomalous activity within your code repositories. With this plugin, you can monitor user activity and detect suspicious actions, such as attempts to download sensitive code or make unauthorized changes.

Similarly, the Okta plugin for Falco ingests Okta's identity event log, so that suspicious authentication and account activity (for example unexpected logins or changes to a user's factors) raises a Falco alert. This can be particularly useful during a security incident such as the FireEye breach, where rapid alerting and response are crucial for containing the damage and mitigating the threat.

Falco FAQs

Yes.

Kernel module and legacy eBPF probe: all you need are the kernel headers matching the target kernel, which are passed into the cmake/make build of the driver.

Modern eBPF: for newer kernels (>= 5.8) Falco provides the modern_bpf driver. With modern_bpf you do NOT need kernel headers, because the probe is built once with BTF type information and eBPF CO-RE (compile once, run everywhere). As a consequence modern_bpf works across distributions and future kernel versions without a rebuild, provided the running kernel exposes BTF (CONFIG_DEBUG_INFO_BTF=y, which you can check by looking for /sys/kernel/btf/vmlinux).

The most common cause of excessive notifications are noisy rules. Falco ships with a set of default rules, which can be disabled, either individually or by using tags, and default macros, some of them designed to be overridden, depending on the needs and the use case.

There's also the possibility of configuring a minimum rule priority, used as a threshold so that rules with a lower priority are not loaded at all (their alerts are never produced), and a rate limiter on notifications. Bear in mind, however, that both options reduce visibility: a rate limiter drops alerts that exceed the budget rather than queueing them, so a burst from a real attack can be silently truncated.
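As an added example, not configuration from the Falco project or from this page, here are the three noise-reduction levers just described in the form a practitioner would actually deploy them: a drop-in rules file that disables one default rule, replaces one default macro and appends an exception to another default rule, followed by the falco.yaml settings for the priority threshold and the rate limiter. "Terminal shell in container" and "Read sensitive file untrusted" are rules from the default ruleset; the macro name, the process names and the image repository are my assumptions, so check them against the falco_rules.yaml you ship. The `override` syntax is the Falco 0.36+ form.

```yaml
# Added example: noise tuning. Two YAML documents follow, separated by "---".
#
# Document 1: /etc/falco/rules.d/tuning.yaml (path assumed), loaded after the default rules,
# so upgrades of falco_rules.yaml do not overwrite these changes.

# Disable a default rule outright.
- rule: Terminal shell in container
  enabled: false

# Replace a default "user_known_*" macro (name assumed) instead of editing the shipped file.
- macro: user_known_read_sensitive_files_activities
  condition: proc.name in (backup-agent, vuln-scanner) and proc.pname = systemd
  override:
    condition: replace

# Append an exception to a default rule's condition rather than replacing the whole condition.
- rule: Read sensitive file untrusted
  condition: and not container.image.repository = registry.example.internal/config-agent
  override:
    condition: append

---
# Document 2: falco.yaml (excerpt).

# Rules below this priority are not loaded, so they cost nothing at runtime.
# Order, lowest to highest: debug, informational, notice, warning, error, critical, alert, emergency.
priority: warning

outputs:
  # Token-bucket rate limiter on notifications: on average one alert per second,
  # with a burst of up to 1000. Alerts beyond the budget are dropped, not queued.
  rate: 1
  max_burst: 1000
```

Prefer the drop-in file over editing falco_rules.yaml, and prefer narrowing a rule (append an exception) over disabling it: a disabled rule is a blind spot, an appended exception is a documented one. Whole tag groups can also be switched off at launch with `falco -T <tag>`, which is handy for a first deployment where, say, every rule tagged `network` is known to be noisy.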

First, make sure Falco is running, either as a service or as a container. Second, the event must be generated on the same host as where Falco is running, otherwise, Falco won’t see it since a different kernel will be serving that process.

Finally, make sure the rule you want to trigger is not so strict that the event is being filtered out. Start with fewer predicates in the condition, confirm that the rule fires on your test event, and then add predicates back one at a time until the rule fires on exactly the events you want and nothing else; the last predicate you added before it stopped firing is the one filtering your event out. Be also aware that Falco buffers its output, so an alert might take a few seconds to be displayed.
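As an added example, not code from the Falco project or from this page, the file below shows that bisection procedure applied to one detection in three revisions, loosest first. Only one revision should be enabled at a time; flip `enabled` to walk back to the last revision that still fires for your test event. The rule names and the process lists are my assumptions.

```yaml
# Added example: three revisions of one rule, loosest first.
# Test event on the Falco host: `sudo cat /etc/shadow` (must run on the same kernel Falco instruments).

- macro: open_read
  condition: evt.type in (open, openat, openat2) and evt.is_open_read = true and fd.typechar = 'f'

# Revision 1: fires on every read of the file. Too noisy, but it proves the event reaches Falco.
- rule: Shadow file read (v1 broad)
  desc: Any process read /etc/shadow.
  condition: open_read and fd.name = /etc/shadow
  output: /etc/shadow read (user=%user.name proc=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: NOTICE
  enabled: false
  tags: [custom, debug]

# Revision 2: exclude programs that legitimately read it during login and password changes.
# If v1 fires for the test and v2 does not, the proc.name exclusion is eating your event.
- rule: Shadow file read (v2 exclude login stack)
  desc: /etc/shadow read by something other than the login and password tooling.
  condition: >
    open_read and fd.name = /etc/shadow
    and not proc.name in (sshd, login, su, sudo, passwd, unix_chkpwd, chage)
  output: /etc/shadow read (user=%user.name proc=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: NOTICE
  enabled: false
  tags: [custom, debug]

# Revision 3: also require an unexpected parent. This is the version to keep once it still
# fires for `cat` run from an interactive shell but not for the cron or systemd jobs you expect.
- rule: Shadow file read (v3 unexpected parent)
  desc: /etc/shadow read outside the login stack and outside scheduled jobs.
  condition: >
    open_read and fd.name = /etc/shadow
    and not proc.name in (sshd, login, su, sudo, passwd, unix_chkpwd, chage)
    and not proc.pname in (cron, crond, systemd)
  output: /etc/shadow read (user=%user.name proc=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  enabled: true
  tags: [custom]
```

Running with `-o stdout_output.enabled=true` and `-U` (unbuffered output) while bisecting avoids confusing a buffered alert with a rule that did not fire.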