New Plug-in Capability Extends Open Source Threat Detection to Cloud

SAN FRANCISCO – October 11, 2021 – KubeCon + CloudNativeCon North America – Sysdig, Inc., the secure DevOps leader, today announced the addition of cloud security monitoring functionality to the Falco open source software project. The new Amazon Web Services (AWS) CloudTrail plug-in provides real-time detection of unexpected behavior and configuration changes, intrusions, and data theft in AWS cloud services using Falco rules. The Falco community developed this extension with Sysdig based on a new plug-in framework that allows anyone to extend Falco to capture data from additional sources beyond Linux system calls and Kubernetes audit logs. As organizations manage critical data across multiple clouds, they need consistent threat detection across their distributed environments. Additional plug-ins will allow organizations to use a single threat detection language and close security gaps by applying consistent policies to workloads and infrastructure. In addition, more than twenty new out-of-the-box policies supporting compliance frameworks were released.
Falco Community Blog: Falco Plugins Early Access
Falco, a cloud-native runtime security project, is the de facto detection engine for containers and Kubernetes with over thirty million downloads. Created by Sysdig and contributed to the CNCF, Falco is an Incubation-level hosted project. The new plug-in capability and framework have been contributed by the Falco community and Sysdig to the project over the last few months. As of today, the AWS CloudTrail plug-in is available for use in preview mode and contributors can build new plug-ins on the framework.
Real-time detection of cloud configuration risk and threats
Today, security teams are forced to export AWS CloudTrail logs into a data lake or a security information and event management (SIEM) system for processing, and then search for threats and configuration changes that can indicate a risk. This approach adds delay in identifying risks, as well as cost and complexity.
Falco inspects cloud logs using a streaming approach, applying the rules to the logs in real time and immediately alerting on issues, without the need to make an additional copy of the data. This approach complements static cloud security posture management by continually checking for unexpected changes to configurations and permissions that can increase risk. In addition, it acts as a modern intrusion detection system (IDS), flagging unusual behavior that can indicate an intrusion.
Consistent tool for threat detection across containers and cloud
Cloud and security teams struggle with an ever-growing list of tools to master and manage. Falco provides a single tool for threat detection across container and cloud environments, reducing complexity by shrinking the number of tools in the stack. Users can use the same rule language to create consistent policies for workloads and infrastructure, removing security gaps. Because there is a shortage of talent in both cybersecurity and DevOps, reducing the learning curve by using consistent tools for threat detection is critical.
Users can get started immediately using out-of-the-box rules contributed by the community that map to compliance frameworks and best practices. They can also create custom rules to meet their specific needs, written in standard YAML.
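As an added illustration of what such a custom rule looks like (this is example code written for this page, not a rule shipped by the Falco project or quoted from the announcement), the following YAML detects successful CloudTrail API calls that reduce audit visibility, such as stopping or deleting a trail. The `ct.*` field names, the `aws_cloudtrail` source name and the `ct.error exists` idiom are assumed from the plug-in's preview documentation; the plug-in was in preview at the time of this announcement, so check the names against the version you run. The `trusted_trail_automation` list and its `ExamplePipelineRole` entry are placeholders for an organization's own automation identities.

```yaml
# Added example rules for the Falco CloudTrail plug-in (not from the page or
# the Falco project). Field names (ct.*) and the source name are assumed from
# the plug-in's preview documentation; verify them for your plug-in version.

# Falco receives each CloudTrail record as a stream and evaluates the rule
# condition per event, so an alert fires when the event arrives rather than
# after a batch export to a SIEM or data lake.

# A call that returned an error did not change anything, so only alert on
# calls that succeeded.
- macro: ct_successful
  condition: not ct.error exists

# Management APIs that stop, remove or reconfigure audit logging.
- list: cloudtrail_audit_change_apis
  items: [StopLogging, DeleteTrail, UpdateTrail, PutEventSelectors]

# Placeholder for identities allowed to change trails (e.g. an IaC pipeline
# role); tune this list to your environment to avoid noisy alerts.
- list: trusted_trail_automation
  items: [ExamplePipelineRole]

- rule: CloudTrail Audit Logging Changed
  desc: >
    A CloudTrail trail was stopped, deleted or reconfigured by an identity
    that is not in the trusted automation list. Both intruders covering
    their tracks and careless operators do this; either way the change
    should be reviewed.
  condition: >
    ct_successful
    and ct.name in (cloudtrail_audit_change_apis)
    and not ct.user in (trusted_trail_automation)
  output: >
    CloudTrail audit configuration changed
    (api=%ct.name user=%ct.user source_ip=%ct.srcip region=%ct.region)
  priority: WARNING
  tags: [cloud, aws, aws_cloudtrail]
  source: aws_cloudtrail
```

The `source: aws_cloudtrail` line is what ties the rule to the plug-in rather than to the system call or Kubernetes audit sources, and the trusted-identity list is the usual way to keep a rule like this from firing on every planned change made through infrastructure-as-code. Because the rule only sees events the plug-in delivers, it complements, rather than replaces, CloudTrail's own retention and the periodic posture checks described above.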
The plug-in capability for Falco creates the foundation for contributions that will extend support to other cloud environments and operating systems. The AWS CloudTrail plug-in and additional out-of-the-box rules are immediately available to try in preview form on the Falco GitHub site. Falco users and contributors can access pre-release documentation now. The official release is planned in the upcoming months.
What the Community is Saying
“The Falco plug-in capability gives DevOps and security teams a single threat detection tool with a single rules language across container and cloud environments. This allows users to create consistent policies for workloads and infrastructure and close security gaps,” said Chris Aniszczyk, CTO of Cloud Native Computing Foundation. “The basis is now in place for rapid innovation by the community to extend Falco to additional cloud environments.”
“Now Falco can detect threats across containers and AWS cloud services using a streaming approach,” said Loris Degioanni, Founder and Chief Technology Officer, Sysdig. “Users can immediately alert on indications of lateral movement without the cost and complexity of copying logs.”
- Read the Falco Community blog post for technical details
- View the preview documents
- Check out the Falco project in GitHub
- Get involved with the Falco community
- Follow @falco_org on Twitter