What you can do with Falco today

Falco can help organizations comply with industry regulations and align with well-known security frameworks. For example, Falco can detect adversarial tactics, techniques, and procedures (TTPs) aligned with the MITRE ATT&CK framework, ensuring proactive identification of threats, intrusions, and data theft in real time. It works well with legacy infrastructures, and excels at supporting containers, Kubernetes, and the cloud. Falco monitors both workloads (processes, containers, services) and infrastructure (hosts, VMs, network, cloud infrastructure and services).

It is lightweight, efficient, and scalable, making it ideal to use in both development and production. Furthermore, Falco assists engineering teams in maintaining regulatory compliance by actively detecting misconfigurations associated with frameworks such as PCI DSS and NIST. Falco can detect many classes of threats and misconfigurations in running workloads out of the box, but should you need more, you can add custom detections. Falco is driven by a thriving open source community, bringing support and constant enhancement.

Falco today

Align threat detections with the MITRE ATT&CK Framework

The landscape of containers, Kubernetes and Cloud is evolving fast, and so are potential attacks. To help InfoSec teams use Falco in their incident response workflows, we have aligned Falco's threat detection capabilities with the well-known MITRE ATT&CK framework.

Falco's rule alignment with the MITRE ATT&CK matrix enables detection of Tactics, Techniques, and Procedures (TTPs) employed by adversaries, aiding rapid identification and response to potential security incidents. Falco can help organizations proactively defend their systems, maintain compliance, and strengthen overall security posture.

Maintain regulatory compliance

Falco offers real-time runtime detection powered by eBPF, making it a good solution for organizations seeking to maintain regulatory compliance with frameworks such as PCI DSS, NIST, and others in cloud-native systems. Unlike traditional security tools that struggle with the ephemeral nature of these environments, Falco is purpose-built for cloud-native architectures and integrates with container orchestrators like Kubernetes.

Falco adapts to the dynamic nature of containers, ensuring continuous compliance. With a comprehensive library of predefined rules based on security best practices and compliance standards like PCI DSS and NIST, Falco covers a wide range of security events, including unauthorized access attempts, privilege escalation, data exfiltration attempts, and more. By leveraging Falco's robust capabilities, organizations can observe their cloud-native systems while meeting the stringent requirements of regulatory frameworks.

Falco FAQs

Yes. Kernel module and old eBPF All you need are the extracted kernel headers that are passed into the cmake make setup. Modern eBPF For newer kernels >= 5.8 Falco supports a modern_bpf eBPF driver. For modern_bpf you DON’T need kernel headers as BTF information and eBPF CORE is used. As a consequence modern_bpf will work for all distros and future kernel versions.

The most common cause of excessive notifications are noisy rules. Falco ships with a set of default rules, which can be disabled, either individually or by using tags, and default macros, some of them designed to be overridden, depending on the needs and the use case.

There’s also the possibility of configuring a minimum rule priority, used as a threshold to filter out rules with a lower priority (alerts are ignored), and a rate limiter. Take however into account that these options might reduce the visibility of potential threats.

First, make sure Falco is running, either as a service or as a container. Second, the event must be generated on the same host as where Falco is running, otherwise, Falco won’t see it since a different kernel will be serving that process.

Finally, make sure the rule you want to trigger is not too strict and the event is being filtered out. Start by having less parameters in the conditions and keep adding them until the rule is just noise enough. Be also aware that Falco tries to optimize using buffers, so the alert might take some seconds to be displayed.