Abstract image of a woman sitting on books and studying on a laptop

David container security-with_falco

L
Lorenzo David

Falco is an open source runtime security monitor for containers that detects anomalous activity using rules. It builds on Sysdig by instrumenting the kernel and collecting system calls and events. Falco rules define suspicious behaviors and integrate signals from the kernel, containers, and Kubernetes. Falco detects threats by matching patterns in real time and alerts on suspicious activity, helping operators enforce policies and spot abnormal behavior.

Software
1 of 37
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Container Security
 with Falco Lorenzo David, Senior Software Engineer at Sysdig Torino
• What Security problems does Falco solve?
 • Falco Architecture and Design • Falco in Action ! Agenda
What Security problem
 Falco solves?
Infrastructure Activities Allowed Non
 Authorized
Infrastructure Activities Allowed Non
 Authorized Suspicious

 Prevention Enforcing security policies Infrastructure Activities Allowed Non
 Authorized 
 Detection Spotting anormal behaviours Suspicious
Detection Forensic Runtime Forcast Falco
What is Falco?
Falco Docker and Kubernetes 
 aware CNCF 
 Sandbox Project Open Source Runtime Behavioral Activity Monitor 
 Container Native Infrastructure and other…
What does Falco 
 actually do?
Form Factor Linux Container
 
 $ docker run falcosecurity/falco Linux Program
 
 $ apt-get install -y falco falco.org/docs/installation
In a nutshel… 1) 2)
How Falco does that?
It all started with Sysdig…
Sysdig Falco github.com/draios/sysdig github.com/falcosecurity/falco
Single host Kernel Userspace nginx (container) mongo (container) Java Virtual Machine POSIX interface cassandra Bare-metal or Virtual Machine
Sysdig Kernel Instrumentation Kernel Userspace Host nginx (container) myapp (container) JVM Linux Kernel Module cassandra Programs and Containers System Calls tracepoint system call
Sysdig User Space Filtering Kernel Userspace Host nginx (container) myapp (container) JVM Linux Kernel Module cassandra … System call Collector Complex filtering engine … Filtering tracepoint system call
Sysdig Support for ebpf Kernel Userspace Host nginx (container) myapp (container) JVM ebpf cassandra … System call Collector … Filtering tracepoint system call February 27, 2019 - sysdig.com/blog/sysdig-and-falco-now-powered-by-ebpf
Beyond System Call
Sysdig Instrumentation Host nginx (container) myapp (container) JVM ebpf cassandra … Statsd metrics Statsd metric Collector Filtering statsd System call Collector
Sysdig Instrumentation Host nginx (container) myapp (container) JVM ebpf cassandra JMX metric Collector JMX metrics … Filtering JMX System call Collector
Back to Falco
Falco Filtering Detection workflow Host nginx (container) myapp (container) JVM interface cassandra Rule engine Falco Ruleset ALERT ! ebpf clone + exec shell A shell was used as the entrypoint/exec point into a container with an attached terminal. condition: > spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint …… System call Collector
Falco Rules - rule: Terminal shell in container
 desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
 condition: > spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint
 output: > A shell was spawned in a container with an attached terminal 
 (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty)
 priority: NOTICE
 tags: [container, shell] falco.org/docs/rules/default-custom/
Falco and Kubernetes
Kubernetes Host Host Host SVC (1) SVC (2) SVC (3)
Falco Daemonset Host Host Host SVC (1) SVC (2) SVC (3) Falco Falco Falco Falco Daemonset github.com/falcosecurity/falco/tree/dev/integrations/k8s-using-daemonset
Orchestrator Metadata nginx (container) myapp (container) Orchestrator metadata Kubernetes API
 Server dev prodFalco ebpf … System call Collector … Filtering Rule engine Falco Ruleset ClusterName: demo-kubeaws
 KubernetesNodeName: ip-10-1.ec2.internal
 Deployment: example-demo-app

Kubernetes Audit Events nginx (container) myapp (container) Kubernetes API
 Server Falco ebpf … System call Collector Webhook k8s audit Delete Pod
 myapp Kubernetes Audit 
 Events
 (json stream) Filtering Rule engine ALERT ! Falco Ruleset November 12, 2018 - sysdig.com/blog/falco-0-13-released-kubernetes-audit-support/
Falco Rules # Detect any new pod created in the kube-system namespace 
 - rule: Pod Created in Kube Namespace
 desc: Detect any attempt to create a pod in the kube-system 
 or kube-public namespaces
 condition: kevt and pod and kcreate and ka.target.namespace in 
 (kube-system, kube-public)
 output: Pod created in kube namespace 
 (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace
 image=%ka.req.container.image)
 priority: WARNING
 source: k8s_audit
 tags: [k8s]
 Container Metadata and Kubernetes Audit Events
Falco as building block
Falco Elasticsearch, Fluentd and Kibana Stdout Syslog File Shell Alerting Kibana ElasticSearch Fluentd Filtering Rule engine …… System call Collector sysdig.com/blog/kubernetes-security-logging-fluentd-falco
EFK Falco sysdig.com/blog/kubernetes-security-logging-fluentd-falco
• What Security problems does Falco solve?
 • Falco Architecture and Design • Falco in Action ! Thank you!
We’re hiring.
Github • https://github.com/falcosecurity/falco Documentation • https://github.com/falcosecurity/falco/wiki Docker Hub • https://hub.docker.com/r/falcosecurity/falco/ Join the community. Website https://falco.org Public Slack http://slack.sysdig.com/ https://sysdig.slack.com/messages/falco Blog https://sysdig.com/blog/tag/falco/

More Related Content

PDF
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
PPTX
Understanding eBPF in a Hurry!
Ray Jenkins
 
PDF
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
PDF
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
PPTX
Containerd internals: building a core container runtime
Docker, Inc.
 
PDF
BPF - in-kernel virtual machine
Alexei Starovoitov
 
PDF
Linux BPF Superpowers
Brendan Gregg
 
PDF
Introduction to eBPF
RogerColl2
 
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
Understanding eBPF in a Hurry!
Ray Jenkins
 
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
Containerd internals: building a core container runtime
Docker, Inc.
 
BPF - in-kernel virtual machine
Alexei Starovoitov
 
Linux BPF Superpowers
Brendan Gregg
 
Introduction to eBPF
RogerColl2
 

What's hot (20)

PDF
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
PDF
BPF: Tracing and more
Brendan Gregg
 
PDF
Linux Profiling at Netflix
Brendan Gregg
 
PDF
Effective CMake
Daniel Pfeifer
 
PPTX
LLVM Instruction Selection
Shiva Chen
 
PDF
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
PDF
Introduction to yocto
Alex Gonzalez
 
ODP
Kubernetes Architecture
Knoldus Inc.
 
PDF
Producer Performance Tuning for Apache Kafka
Jiangjie Qin
 
PDF
malloc & vmalloc in Linux
Adrian Huang
 
PDF
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
PDF
Device Tree for Dummies (ELC 2014)
Thomas Petazzoni
 
PPTX
Staring into the eBPF Abyss
Sasha Goldshtein
 
ODP
Linux Kernel Crashdump
Marian Marinov
 
PDF
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
PDF
Linux kernel tracing
Viller Hsiao
 
PDF
Docker internals
Rohit Jnagal
 
PDF
Kubernetes Architecture and Introduction
Stefan Schimanski
 
PDF
Building Network Functions with eBPF & BCC
Kernel TLV
 
PDF
A Journey to Boot Linux on Raspberry Pi
Jian-Hong Pan
 
Faster Container Image Distribution on a Variety of Tools with Lazy Pulling
Kohei Tokunaga
 
BPF: Tracing and more
Brendan Gregg
 
Linux Profiling at Netflix
Brendan Gregg
 
Effective CMake
Daniel Pfeifer
 
LLVM Instruction Selection
Shiva Chen
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
Introduction to yocto
Alex Gonzalez
 
Kubernetes Architecture
Knoldus Inc.
 
Producer Performance Tuning for Apache Kafka
Jiangjie Qin
 
malloc & vmalloc in Linux
Adrian Huang
 
Hands-On Introduction to Kubernetes at LISA17
Ryan Jarvinen
 
Device Tree for Dummies (ELC 2014)
Thomas Petazzoni
 
Staring into the eBPF Abyss
Sasha Goldshtein
 
Linux Kernel Crashdump
Marian Marinov
 
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
Linux kernel tracing
Viller Hsiao
 
Docker internals
Rohit Jnagal
 
Kubernetes Architecture and Introduction
Stefan Schimanski
 
Building Network Functions with eBPF & BCC
Kernel TLV
 
A Journey to Boot Linux on Raspberry Pi
Jian-Hong Pan
 
Ad

Similar to David container security-with_falco (20)

PDF
Container Runtime Security with Falco, by Néstor Salceda
Cloud Native Day Tel Aviv
 
PDF
Docker Runtime Security
Sysdig
 
PDF
Securing your Kubernetes applications
Néstor Salceda
 
PDF
Automating Security Response with Serverless
Michael Ducy
 
PDF
Falco docker barcelona
mateobur
 
PDF
stackconf 2025 | Detect & Respond to Threats in Kubernetes with Falco by Luca...
NETWAYS
 
PPTX
kubernetes security with falco & falco talon
Jaber Zare
 
PDF
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
PDF
Container Runtime Security with Falco
Michael Ducy
 
PPTX
How to Secure Containers
Sysdig
 
PDF
monitoring kubernetes for cka, kubernetes
akdenizerdem
 
PDF
Falco meetup OpenShift
Stephane Woillez
 
PPTX
Threat Hunting at Scale: Auditing Thousands of Clusters With Falco + Fluent ...
Furkan Turkal
 
PDF
WTF my container just spawned a shell!
Sysdig
 
PDF
Securing your Container Environment with Open Source
Michael Ducy
 
PDF
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
PDF
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
ContainerDay Security 2023
 
PDF
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
PPTX
Introduction to Falco presentation.pptxx
Knoldus Inc.
 
PDF
Practical Cloud Native Security With Falco Loris Degioanni Leonardo Grasso
batoylezlie
 
Container Runtime Security with Falco, by Néstor Salceda
Cloud Native Day Tel Aviv
 
Docker Runtime Security
Sysdig
 
Securing your Kubernetes applications
Néstor Salceda
 
Automating Security Response with Serverless
Michael Ducy
 
Falco docker barcelona
mateobur
 
stackconf 2025 | Detect & Respond to Threats in Kubernetes with Falco by Luca...
NETWAYS
 
kubernetes security with falco & falco talon
Jaber Zare
 
Implementing Active Security with Sysdig Falco - Barcelona Software Crafters
Néstor Salceda
 
Container Runtime Security with Falco
Michael Ducy
 
How to Secure Containers
Sysdig
 
monitoring kubernetes for cka, kubernetes
akdenizerdem
 
Falco meetup OpenShift
Stephane Woillez
 
Threat Hunting at Scale: Auditing Thousands of Clusters With Falco + Fluent ...
Furkan Turkal
 
WTF my container just spawned a shell!
Sysdig
 
Securing your Container Environment with Open Source
Michael Ducy
 
Implementing Active Security with Sysdig Falco - Docker Meetup Barcelona
Néstor Salceda
 
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
ContainerDay Security 2023
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
Introduction to Falco presentation.pptxx
Knoldus Inc.
 
Practical Cloud Native Security With Falco Loris Degioanni Leonardo Grasso
batoylezlie
 
Ad

Recently uploaded (20)

PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
DOCX
Modern SharePoint Intranet Templates That Boost Employee Engagement in 2025.docx
Sharepoint Designs
 
PPTX
Tech Workshop Escape Room Tech Workshop
muthuiyad
 
PPTX
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
PDF
Types of Token_ From Utility to Security.pdf
Herond Labs
 
PDF
Wondershare Recoverit Full Crack New Version (Latest 2025)
hashmi66g66
 
PDF
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
PDF
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
PDF
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
PDF
AI Guide for Business Growth - Arna Softech
Arna Softech
 
PPTX
"Secure File Sharing Solutions on AWS".pptx
sudharani74442
 
PDF
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
PPTX
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
PDF
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
PDF
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
PPTX
Trending Python Topics for Data Visualization in 2025
IT IDOL Technologies
 
PDF
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
hashmi66g66
 
assetexplorer- product-overview - presentation
nonameist3434
 
Modern SharePoint Intranet Templates That Boost Employee Engagement in 2025.docx
Sharepoint Designs
 
Tech Workshop Escape Room Tech Workshop
muthuiyad
 
WiFi Honeypot Detecscfddssdffsedfseztor.pptx
singlesrihari
 
Types of Token_ From Utility to Security.pdf
Herond Labs
 
Wondershare Recoverit Full Crack New Version (Latest 2025)
hashmi66g66
 
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
DNT Brochure 2025 – ISV Solutions @ D365
sai vignesh
 
Topaz Photo AI Crack New Download (Latest 2025)
hashmi66g66
 
Top 10 Software Development Trends to Watch in 2025 🚀.pdf
KodekX
 
AI Guide for Business Growth - Arna Softech
Arna Softech
 
"Secure File Sharing Solutions on AWS".pptx
sudharani74442
 
AI-Powered Threat Modeling: The Future of Cybersecurity by Arun Kumar Elengov...
Arun Kumar Elengovan
 
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
How Tridens DevSecOps Ensures Compliance, Security, and Agility
Tridens
 
How to Make Money in the Metaverse_ Top Strategies for Beginners.pdf
Herond Labs
 
Trending Python Topics for Data Visualization in 2025
IT IDOL Technologies
 
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
hashmi66g66
 

David container security-with_falco