Sysdig Secure Extends Falco
Falco is an open-source cloud-native runtime security project originally created by Sysdig and now part of the CNCF.
Sysdig Secure extends Falco’s rich detection for easier security policy management across the container lifecycle.
Benefits of using Falco for Runtime Detection
Strengthen container security
The flexible rules engine allows you to describe any type of container behavior or activity.
Reduce risk via immediate alerts
You can immediately respond to policy violation alerts and integrate Falco within your response workflows.
Leverage most current detection rules
Falco's out-of-the-box rules alert on malicious activity and CVE exploits.
How Sysdig Secure Extends Falco
Sysdig Secure extends the open-source Falco detection engine to provide comprehensive security across the Kubernetes lifecycle. Sysdig Secure allows you to:
- Block threats by extending Falco’s detection capabilities with prevention (Pod Security Policies) and automated responses
- Ease the burden of creating and updating runtime Falco rules with ML-based profiling, a flexible Policy Editor to customize rules, and an extensive curated Rules Library
- Generate fewer false positives by tuning Falco-based policies for your own environment
- Embed security across the DevOps process with image scanning, security monitoring, forensics, incident response, and audit
- Validate compliance using out-of-the-box checks and runtime policies that map to compliance standards like NIST and PCI
Sysdig Secure and Falco Feature Comparison
What Falco Does
- Identify common abnormal behaviors with a predefined rule set.
- Avoid common container anti-patterns with a predefined rule set.
- Extend the rule set for your specific container security requirements using Sysdig's powerful system-level filtering language.
- Generate and forward alerts.
- Notify other systems or humans of abnormal behavior.
- Trigger a variety of systems when abnormal behavior is detected, from logging systems and messaging platforms to pub/sub providers or serverless functions.
Falco is a behavioral activity monitor designed to detect anomalous activity in your applications, containers, and Cloud Native platforms.
Powered by Sysdig's kernel-level observability, Falco lets you continuously monitor container, application, host, and network activity, alerting on behavior that's defined as abnormal.
Rich Rule Set
Falco uses eBPF to capture system calls, enriched with Kubernetes application context, to gain visibility into the runtime activity of containers and hosts. By tapping into the Sysdig open-source libraries through Linux system calls, it can run in high-performance production environments. Falco also ingests Kubernetes API audit events to provide runtime detection and alerting for orchestration activity. Events matching a rule's filter expression result in an alert.
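As an added example (not code from this page, from Sysdig Secure, or from Falco's shipped rule set), the rules file below shows both event sources described above in Falco's rule syntax: a system-call rule assembled from a reusable list and macros, and a Kubernetes audit rule with `source: k8s_audit`. The rule names and the kube-system condition are constructed for illustration.

```yaml
# Added example: a minimal Falco rules file (constructed, not Sysdig's or Falco's own).
# Lists and macros are reusable condition fragments; a rule fires when its
# condition matches an event from its source (syscall by default, k8s_audit below).

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# A process finished exec'ing: the exit side (evt.dir = <) of execve/execveat.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# The event originated inside a container rather than on the host itself.
- macro: container
  condition: container.id != host

# Syscall-source rule: a shell binary started inside a running container.
- rule: Shell Spawned in Container
  desc: A shell binary was executed inside a running container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell spawned in container
    (user=%user.name container=%container.name image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]

# Kubernetes audit-source rule: a Pod created in kube-system by a principal
# outside the cluster's own "system:" identities (constructed threshold).
- rule: Pod Created in kube-system
  desc: A pod was created in the kube-system namespace by a non-system user
  condition: >
    ka.verb = create and ka.target.resource = pods
    and ka.target.namespace = kube-system
    and not ka.user.name startswith "system:"
  output: >
    Pod created in kube-system
    (user=%ka.user.name pod=%ka.target.name image=%ka.req.pod.containers.image)
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]
```

Falco can syntax-check a file like this without loading it with `falco -V <file>` (`--validate`); the k8s_audit rule only matches once the Kubernetes audit plugin is configured as an event source.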
Get Started with Falco Today
Learn more at the project's website.