Celebrating Falco’s Journey to CNCF Graduation

How Network Packets Influenced Cloud-Native Instrumentation
By Loris Degioanni - FEBRUARY 29, 2024

SHARE:

Celebrating Falco Graduation

Today, we are proud to celebrate Falco’s graduation within the Cloud Native Computing Foundation (CNCF). Graduation marks an important milestone for a journey that began in 2018 when Sysdig contributed Falco to the CNCF. It’s a significant accomplishment for the industry at large, enhancing the security of modern computing platforms, and has only been made possible by a huge community effort from developers from many companies, and a constellation of adopters worldwide. To understand the impact that Falco has made on the industry, it’s important to understand its origin story.

In 2014, when we started writing the first lines of code of what would ultimately become the Falco drivers, I could hardly have imagined what Falco would become, and its significance to modern computing platforms. The journey has been fun and long, starting even earlier than 2014: Falco’s origins trace back to network packets.

The Journey from Packets to Security Instrumentation in the Cloud

In the late 1990s, the rapid expansion of computer networks highlighted the need for affordable network visibility tools. The Berkeley Packet Filter (BPF) emerged as a significant advancement, enabling packet capture and filtering within the BSD operating system. BPF is the precursor of today’s widely used eBPF, and was originally released together with an accompanying library, libpcap. libpcap was used as the base for tools like tcpdump and Wireshark (originally Ethereal), which became standard tools for packet analysis.

In the following years, the utility of network packets quickly extended beyond troubleshooting to security. A good example is Snort, an open-source intrusion detection system released in 1998. Snort, leveraging packet data and a flexible rule engine, offered real-time detection of threats coming through the network.

With the evolution of computing architectures, packet-based signals were becoming harder to collect and decode. Tools like tcpdump, Wireshark and Snort remained extremely popular, but trends like containerization, encryption and the transition to the cloud made them substantially less effective. 

That is why, after over a decade spent working on these tools, a small group of people decided to rethink what security-focused instrumentation would look like if you could design it from the ground up to support cloud native infrastructures. We decided to focus on the Linux kernel, and in particular on its system call layer, as the instrumentation layer, and we included support for containers and Kubernetes from day 1. Using system calls, we could offer the same workflows of packet-based tools (detailed captures, filters, trace files…), but in a way that was tailored to the modern paradigms. 

The Falco instrumentation components, which we creatively called Falco libs, were released in 2014, together with the command line sysdig tool, which you can think of as tcpdump for system calls.

Runtime Security is Born

Falco was released in 2016. It put together syscall capture and a rich rule engine, allowing to flexibly create detections for both containers and hosts. The community immediately took notice, and runtime security was born.

Falco grew in two dimensions: instrumentation technology and richness of detections. On the first front, we pioneered the use of eBPF to collect security signals. Using eBPF for security is something that is obvious to anyone in the industry today, but in 2018, when we released our eBPF driver, it was unheard of. Actually, it was impossible to imagine: we had to work with the Linux kernel community to address some outstanding issues in eBPF before we could make it functional.

On the second front, Falco gradually became more and more modular, including support for data sources like Kubernetes audit logs, cloud trails, third-party applications like Okta and GitHub, and many more. Our vision is that, as all software becomes cloud software, runtime security requires much more than the collection of kernel signals. Threats are complex and can originate inside your containers, but they can also come from your control plane, your infrastructure, your identities, your data stores, and your cloud services. Falco offers a unified and correlated view that can be used to detect many types of attacks and track them as they move across your infrastructure.

The Power of Community

Contributing Falco to the Cloud Native Computing Foundation (CNCF) in 2018 was a major step for the project. It was based on the belief that runtime security is a key component of the modern computing stack based on Kubernetes, and that it needs to become a default piece of the stack. We also believed that only a community approach, where the good guys work together, gives all of us a real chance against bad actors. 

Falco’s graduation is the culmination of a long journey, and is a great example of open source innovation, where contributions build upon past achievements, connecting diverse communities and technologies. It means that Falco is tested, validated and deployed enough that you can trust it in the most demanding scenarios. Reaching this point wouldn’t have been possible without the contributions of many people: early adopters, developers, core maintainers, sponsors, the community of users, the Cloud Native Computing Foundation. We cannot thank each of them here, but we want to make sure they know we appreciate what they did.

As for Falco as a project, we are delighted to reach such a milestone, but we think this is just the beginning. There are many features we want to add, but even more importantly we want to make sure Falco is easy to deploy, lightweight and always able to detect the latest threats. That way, we hope, we can help run your cloud software confidently and safely. 

Subscribe and get the latest updates