Why Falco?


Policy Language Benefits

Ensures Consistency and Reduces Complexity

Falco's rule language is used to define security policies for detecting and alerting on potential threats, and its use across the entire platform ensures a uniform approach to security monitoring. This means that all team members can understand the policies and alerts, regardless of their role or the context in which they are used.

Promotes Collaboration between Security & Ops teams

Since everyone is working with the same set of rules and policies, it becomes easier for these teams to share insights and work together to solve security issues. This can help to reduce the time it takes to identify and resolve security incidents.

Provides Flexibility & Extensibility

The language is designed to be easy to use, and it offers a wide range of operators and conditions that can be used to create customized rules for specific security scenarios. This allows teams to create policies that are tailored to their unique needs and requirements.

Simplifies Compliance & Auditing

Falco's rules language can also be used to alert on compliance violations, such as detecting unauthorized changes to files under PCI/DSS. As a result, it becomes easier to demonstrate compliance with regulations and standards. To better understand how Falco can be used for meeting regulatory compliance in cloud-native environments, check out this video.


Scalability Benefits

Compatibility with Container Orchestration Tools

At its core, Falco is a kernel event monitoring and detection agent. Falco can enhance these events by integrating metadata from the container runtime and Kubernetes. This tight integration with various container orchestration tools enables the expansion of Falco's detection capabilities and scope. It can, for example, detect and alert on new containers and workloads being deployed, ensuring that security visibility is comprehensive across your infrastructure. In addition, through Falco's native support for daemonset-like deployments, it can seamlessly integrate into your existing setup, whether you are using Kubernetes, Docker Swarm, or other container orchestration platforms.

Runs as a Daemonset

Like other workload objects, a DaemonSet manages groups of replicated Pods. However, DaemonSets attempt to adhere to a one-Pod-per-node model, either across the entire cluster or a subset of nodes. As you add nodes to a node pool, DaemonSets automatically add Pods to the new nodes as needed. This enables Falco to monitor all containers on all nodes, providing comprehensive security visibility across the entire cluster. To learn how Falco is used as a DaemonSet, check out our workshop.

Leverages the Kubernetes API

Falco leverages the Kubernetes API to monitor the state of pods and nodes in the cluster. It can detect anomalies and violations in real-time, and alert the user or take automated actions based on defined rules. As the Kubernetes cluster grows, Falco can use the Kubernetes API to dynamically adjust its monitoring capabilities, such as adding more sensors, without manual intervention. This ensures that the monitoring remains effective and efficient even as the cluster scales up or down.

Analyze Alerts at Scale

Falco integrates with Prometheus and Grafana to provide users with a scalable solution for visualizing and analyzing Falco alerts. This allows users to quickly identify and respond to potential security threats in their containerized environments. As your Kubernetes environment expands, so too does your cloud-native monitoring platform.


Performance Benefits

Event-driven Architecture

Falco's high performance is due to several factors, including its low overhead, event-driven architecture, and kernel-level instrumentation. The low overhead of Falco's design allows it to analyze events with minimal impact on system performance. The event-driven architecture enables Falco to quickly detect and alert, while kernel-level instrumentation ensures that it can process events in real-time, further enhancing its performance.

Uses a minimal set of resources

Falco is designed to use a minimal set of resources, such as CPU and memory, while still providing effective monitoring and detection capabilities. By using a minimal set of resources, Falco operates efficiently and does not impact the performance of the monitored applications, ensuring that the applications can continue to function smoothly without any degradation in performance.This makes Falco an ideal choice for monitoring Kubernetes clusters where resource utilization is critical and any performance degradation can have significant consequences.

Only monitor the relevant events

Falco only monitors relevant events by using filters and rules to define which events to monitor, such as file access or network connections. By filtering events, Falco can avoid processing unnecessary data, and concentrate only on security-related events. This reduces the amount of data to be processed and analyzed, which enables Falco to detect security threats more effectively and efficiently.

Kernel-level instrumentation to observe system events

Falco uses kernel instrumentation to observe system events by monitoring system calls and other kernel-level signals. The Falco kernel components are designed to be fast and non intrusive, as they do not alter the system's behavior. By using this approach, Falco can collect rich information of what applications are doing nearly in real-time while minimizing overhead and preventing interference with regular workload behavior.


Flexible Deployment Benefits

Tailor the install process to your specific needs

Users can select which components to install. You can configure specific settings for your needs. And you can even choose the deployment environment, whether it be in Kubernetes, on a bare metal VM, an IoT device or Edge computing. More documentation on install options can be seen here.

Deploy in a “Cloud-Native” way

By installing Falco as a containerized pod within Kubernetes, it becomes easier to scale, manage, and deploy multiple instances of Falco. Containerization provides a lightweight and portable way to package and deploy applications, allowing for faster and more consistent deployments. Kubernetes is designed for enabling automatic scaling, self-healing, and centralized management of Falco instances. This can lead to improved operational efficiency and reduced overhead for security teams.

Deploy Additional Components

The benefit of Falco installation playing nice with common cloud-native services such as Prometheus or Grafana is that it enables seamless integration with existing monitoring and observability toolchains. This integration can help organizations streamline their security workflows, enabling faster detection and alerting. It can also provide a more holistic view of the security landscape, allowing security teams to identify and mitigate potential threats more effectively.

Falco uses eBPF by default

Deploying Falco using eBPF reduces complexity by removing the need for additional kernel modules or user-space agents. This simplifies deployment and maintenance, making it easier to integrate Falco into existing environments. Deploying Falco using eBPF provides a simplified user experience. With eBPF, users can deploy Falco with a single command, eliminating the need for additional configuration or setup.


Customization Benefits

Meet specific security requirements

Defining custom Falco rules can benefit security by allowing organizations to create rules tailored to specific security requirements. Custom rules can detect behaviors unique to an organization's environment, providing more targeted security alerts. They can also help organizations comply with regulatory requirements or internal security policies.

Build your own Falco Plugins

Creating custom Falco plugins can benefit security by allowing organizations to extend Falco's functionality to handle events from additional sources beyond system calls. Custom plugins can integrate with other tools or data sources, providing a more comprehensive view of the security landscape. They can also automate workflows or remediation actions based on Falco alerts.

Trigger your own custom actions

Configuring custom Falco alerts can benefit security by allowing organizations to automate incident response workflows. Custom alerts can trigger specific actions, such as executing custom scripts or sending notifications, enabling faster response times and reducing the impact of security incidents. They can also help organizations comply with internal processes or regulatory requirements.

Enrich alerts with custom metadata context

Defining custom metadata can benefit security by enriching Falco alerts with context specific to an organization's needs. Custom metadata can provide additional information about the alert, such as user information or application details, enabling faster investigation and response times. It can also help organizations comply with regulatory requirements or internal security policies.

Falco FAQs

No, Falco is deployed once per Linux OS (host OS or guest OS when a hypervisor is involved) - typically as privileged DaemonSet for a deployment in Kubernetes. Falco instruments the Linux kernel (either via a kernel module or eBPF probe) and can therefore monitor everything (e.g. system calls) within each container, because every container scheduled on the same node shares the same kernel.

In addition, Falco can hook into the container runtime and that way associate each kernel event with the exact container (e.g. container id, name, image repository, tags) as well as Kubernetes attributes such as namespace or pod name etc.

Lastly, Falco supports gVisor in GCP. However, please note that when for example microVMs are used in Kubernetes Falco would need to be installed in each microVM / VM guest OS.

Please check the documentation to learn about limitations in kernel instrumentation options for some platforms such as GCP or AWS Fargate.

System calls are Falco’s default data source. To instrument the Linux kernel and collect these system calls, it needs a driver: either a Linux kernel module or an eBPF probe.
The Falco Project provides literally thousands of prebuilt drivers for the vast majority of the most common Linux distributions, with various kernel versions available for download. If a prebuilt driver for your distribution and kernel version is not yet available, it is also possible to build the driver locally. You can find a table listing all compatible kernels on that page.