Falco is a cloud native runtime security tool for the Linux operating system, designed to detect abnormal behavior and warn of potential security threats in real-time. Now it's about to release its first stable version.

Falco was originated by SysDig in 2016. It was donated to the Cloud Native Computing Foundation (CNCF) in 2018 as an incubator project and has now attained graduation status. This means that the project has matured enough to be used in production.

As a complete cloud native surveillance system, Falco enables teams to detect and respond to threats, find and prioritize software vulnerabilities, detect and fix misconfigurations, and maximize performance and availability. It does that by employing custom rules on kernel events to provide real-time alerts and help users gain visibility into abnormal behavior, hence contributing to comprehensive runtime security.

The key here is runtime security. Falco monitors the Kernel by enabling an agent that observes syscalls and events based on custom rules. Falco doesn't stop there tough; it can enhance these events by integrating metadata from the container runtime and Kubernetes. These alerts can easily be forwarded to more than 50+ third parties using the JSON format which allows for storing, analysis, or triggering reactions easily. The collected data can be analyzed off-host in SIEM or data lake systems.

Before adopting it for your own needs, first you have to take care of some considerations:

• Understand dependencies: Assess the environment where you'll run Falco and consider kernel versions and architectures.
  
  
• Define threat detection objectives: Clearly identify the threats you want to detect and evaluate Falco's strengths and limitations.
  
  
• Consider performance and cost: Assess compute performance overhead and align with system administrators or SREs. Budget accordingly.
  
  
• Choose build and customization approach: Decide between the open source Falco build or creating a custom build pipeline. Customize the build and deployment process as necessary, including incorporating unique tests or approaches, to ensure a resilient deployment with fast deployment cycles.
  
  
• Integrate with output destinations: Integrate Falco with SIEM, data lake systems, or other preferred output destinations to establish a robust foundation for comprehensive data analysis and enable effective incident response workflows.

After getting the stamp of approval from CFNF, Falco is on track to release its 1.0.0 version and is the following objectives:

• Standardizing on feature adoption and deprecation in the Falco engine
  
  
• Building more robust key features and updating the Yaml structure
  
  
• Adding new constructs to address the most commonly requested features from users
  
  
• Making the modern eBPF probe the default driver
  
  
• Package consolidation, following Linux distribution best practices
  
  
• Complete supply chain security best practice efforts

For the full details check the project's roadmap.

More Information

Falco

Related Articles

Sysdig Exposes The Risk and Cost Of Cloud Usage

Happy Birthday To Wolfi Linux Undistro  

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info