gVisor users can now run Falco for increased security and alerting of container workloads
SAN FRANCISCO — September 15, 2022 – Sysdig, the unified container and cloud security leader, today announced that open source Falco threat detection is the first security tool to monitor gVisor. gVisor, the container security platform developed by Google and open sourced in 2018, provides an additional layer of isolation between running applications and the host operating system. While gVisor hardens applications with strict kernel isolation, the additional isolation could result in tools being unable to monitor for security events. The new Falco-gVisor integration solves this problem, enabling users to collect and analyze security events from gVisor. gVisor and Falco users, such as Mercari, can now enjoy the dual protection of container sandboxing and threat detection for their workloads.
“gVisor provides secure isolation between the container applications and the host operating system. This prevented us from monitoring gVisor with Falco, which uses host kernel system calls as a data source,” said Hiroki Suezawa, Senior Security Engineer at Mercari Inc. “Mercari has been using Falco for threat detection and container activity logging and has seen the power and flexibility of Falco’s rules engine. The collaboration between gVisor and Falco teams allows us to simultaneously use the enhanced isolation in gVisor, and threat detection and container activity audit in Falco. This drastically improves container security.”
Falco, an open source tool for continuous risk and threat detection across Kubernetes, containers, and cloud, monitors runtime system calls against a defined rule set to trigger security alerts. Created by Sysdig and contributed to the CNCF in 2018, Falco now has more than 45 million downloads and contributions from a broad base of organizations. Falco detects unexpected behavior, configuration changes, intrusions, and data theft in real time.
What the Falco-gVisor integration means for users
The Falco-gVisor integration means that gVisor users now only need to instrument each host for monitoring, rather than every application, enabling Falco to monitor both containers and nodes. The integration was developed with the Falco open source community, based on engineering contributions from Sysdig and the gVisor team at Google.
Unifying the strong isolation capabilities of gVisor with the deep visibility of Falco enables users to detect anomalous behaviors within their workloads, adding syscall monitoring to the container sandbox that gVisor offers.
“The Falco-gVisor interface is great for any gVisor user looking for a multi-layer defense. gVisor’s runtime monitoring infrastructure allows Falco to see what’s happening inside the gVisor sandbox without the user having to do anything different. The integration is seamless as the same rules and configurations apply equally to containers running with gVisor,” said Fabricio Voznika, Staff Software Engineer at Google.
“Today’s security threats come from many directions. Falco and gVisor are a great combination, reducing the system surface exposed to containers, and providing visibility into what’s happening at the workload level,” said Edd Wilder-James, Vice President of Open Source Ecosystem at Sysdig. “Container-based architectures make Falco indispensable, and we’re excited this capability is now available to gVisor users.”
Resources
- Read: Getting started with gVisor support in Falco.
- Read: Tutorial on how to configure Falco with gVisor.
- Join: Sept. 22 CNCF webinar “gVisor + Falco strengthen K8s & container security without losing visibility.”
Media contact
Amanda McKinney Smith [email protected]
703-473-4051
In the cloud, every second counts. Attacks unfold in minutes and security teams must protect the business without slowing it down. Sysdig, the leader and outperformer in the “2024 GigaOm Radar for Cloud-Native Application Protection Platform (CNAPP),” stops cloud attacks in seconds and instantly detects changes in risk with real-time insights and open source Falco. Sysdig Sage™, the industry’s first AI cloud security analyst, uplevels human response and enables security, developers, and DevOps to work together, faster. By correlating signals across cloud workloads, identities, and services, Sysdig uncovers hidden attack paths and prioritizes real risk. From prevention to defense, Sysdig helps enterprises focus on what matters: innovation.
Sysdig. Secure Every Second.