Falco rocks CNCF sandbox


Sysdig’s Falco has become the first runtime security project to enter the Cloud Native Computing Foundation (CNCF) sandbox. Falco is a project to detect intruders and abnormal application behaviour on cloud native platforms such as Kubernetes, Mesosphere, and Cloud Foundry.

Since security is only slowly crawling into the minds of container users, Michael Ducy, who is the Director of Community and Evangelism at Sysdig, has high hopes for what this could mean for the cloud native community.

“We are excited the CNCF has accepted a runtime security project not only because Falco is a great tool, but also because we believe it will bring more visibility to the need for security in cloud-native environments,” he said.

“As more organizations begin to deploy cloud-native platforms and applications, security has definitely been reprioritized. This shift seems to be due to the industry moving from “early adopters” to “early majority,” but it’s still early.”

Sysdig is mainly known for its offerings for monitoring, securing and troubleshooting Kubernetes as well as containers. Asked about the most common security issues in Kubernetes projects, the first thing that springs to Ducy’s mind is leaving access and permissions wide open.

“[…] not properly restricting access with models such as RBAC, or leaving things like ports too wide open, thus exposing the API endpoints or dashboards. Additionally, it can be quite daunting to understand all the tunables available for security in a platform such as Kubernetes.”

According to Ducy, users mainly deploy Falco as a sensor for auditing and post incident review or to stop suspicious activity. “Users run Falco and ship every alert back to a storage service like Elasticsearch. They take streams of data from our sensors in their environment as well – for instance a network IDS or firewalls – and are then are able to aggregate and analyze all this data in one location.”

“When Falco detects certain activity, such as unexpected outbound connections or commands being ran that shouldn’t be, Falco will fire an alert. This alert can trigger another system to take action (such as a serverless function). The cloud.gov team implemented such a system with Cloud Foundry to stop suspicious activity in their platform offering.”

To facilitate that, the focus of the project slightly changed since its introduction in May 2016. Back then, the team mainly focused on Linux system calls as event sources. In the coming months however, incorporating other sources such as Kubernetes audit events are on the roadmap. Like that, chances to spot abnormalities should be increased and ways to include more environmental context into the Falco rules can be offered.

Also on the to do list is a Prometheus integration to collect metrics on alerts being triggered in a user’s environment – something many will appreciate. On top of that, the Falco team wants to increase security awareness in the cloud-native community and grow its contributor base.

“Moving to the cloud can be hard when monitoring and security isn’t handled properly, but it’s a pain that can be easily avoided.” said Ducy. “We hope to be able to help more people bypass common pitfalls we have experienced with our enterprise customers.”

In order to comply with CNCF requirements, Sysdig changed the project’s license from GPLv2 to the Apache License 2.0. The Falco code has also been moved to GitHub, with more information available on the new project website.

Falco’s introduction to the CNCF sandbox comes just days after Heroku got its Buildpacks project accepted in there. Joining it is the first step to becoming a graduate CNCF project, a status only container orchestrator Kubernetes and monitoring platform Prometheus have reached yet. The sandbox stage is supposed to facilitate alignment with existing projects, encourage public visibility and remove obstacles for adopters and contributors.