Sysdig, Inc., the secure DevOps leader, today announced that Falco, the open source cloud-native runtime security project originally created by Sysdig, has been accepted as a Cloud Native Computing Foundation® (CNCF®) incubation-level hosted project. Falco entered the CNCF as a Sandbox Project in October 2018, the first and still the only runtime security technology to join. Falco detects unexpected behavior at runtime and raises an alert, reducing the risk that an anomaly turns into a security incident.
Gartner analysts predict that "by 2021, more than 75% of midsize and large organizations will have adopted a multicloud and/or hybrid IT strategy." Cloud environments orchestrated by Kubernetes offer shorter software delivery cycles and consistency across multicloud and hybrid deployments. As a result, organizations are standardizing on Kubernetes as their container orchestrator. The Sysdig Container Usage Report found that in 2019, 77 percent of Sysdig customers operated Kubernetes environments, a 26 percent increase over 2018.
Kubernetes gives development teams easy access to infrastructure. Securing it, however, requires controls that detect unexpected behavior. Common risks include exploitation of unpatched and newly disclosed vulnerabilities, insecure configurations, leaked or weak credentials, and insider threats, any of which can serve as an entry point into the application and a path to its data.
When operating a cloud-native environment, detecting anomalous activity is the last line of defense once preventive controls have been bypassed. That means observing unexpected interactions between services and containers without degrading their performance. Falco captures system calls through the extended Berkeley Packet Filter (eBPF), a kernel-verified mechanism, and so gains deep visibility into process, file, and network activity at low overhead. By enriching those events with Kubernetes application context (namespace, pod, image) and by ingesting Kubernetes API audit events, Falco lets teams answer who did what, and where.
"Runtime
security is a critical piece in a cloud-native security story and essential for
anyone taking cloud-native security seriously. Access control and policy
enforcement are important prevention techniques, but runtime security is needed
to detect threats that evade preventions," said Kris Nova, Chief Open Source
Advocate at Sysdig.
Security for cloud-native systems is one of the
few areas of the CNCF landscape that is still being standardized. Acceptance as
an incubation-level hosted project signals that Falco is the de facto open
source standard for cloud-native runtime security. Falco is trusted by government agencies, financial institutions, Fortune
2000 enterprises, and web-scale companies.
"It is
great to see Falco advance within the CNCF to the incubating stage. As
cloud-native technologies and our ecosystem matures, focus rightly shifts
towards security. Falco fills a key gap in the cloud-native security landscape
around intrusion detection. Combined with other projects and technologies on
the prevention side, we have a comprehensive open source toolkit to enable an
enhanced security posture for those investing in cloud native," said Joe Beda,
Principal Engineer at VMware and CNCF TOC Member.
Falco's accomplishments since joining the CNCF
- 100 percent increase in commits year-over-year
- 64 committers
- More than 2000 GitHub stars
- 55 contributors, including engineers from Frame.io, Shopify, Snap, and Booz Allen Hamilton
Since joining the CNCF, the Falco community has focused on making Falco easier to adopt and to contribute to. During the past year the project implemented a governance model that sets guidelines and standards for both contributors and maintainers, to ensure the project's compliance and health. Falco was also made available in the Google marketplace and was included in the launch of several major cloud projects, including AWS FireLens and Google Anthos. The Falco community created an operator that is available on OperatorHub.io.
One of the major challenges of operating containers securely is defining the rules and configurations that detection depends on. At KubeCon + CloudNativeCon, Sysdig announced the Cloud-Native Security Hub, a repository for discovering and sharing Kubernetes security best practices and configurations. The hub currently hosts Falco rules. In the next phase, the Falco community will broaden its scope to include rules and configurations for other Kubernetes security tools.
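The two detection paths described above (system calls captured via eBPF and enriched with container and Kubernetes metadata, and Kubernetes API server audit events) are both expressed as Falco rules. The file below is an added example, written for this page rather than taken from the announcement or from the Falco project's shipped rule set. The macro and list definitions are included so that it loads on its own; the rule names, the package-manager list, and the choice of thresholds are illustrative assumptions, while the field names (`proc.*`, `fd.*`, `container.*`, `k8s.*`, `ka.*`) are Falco's own.

```yaml
# Added example rules file: not part of the original announcement or of
# Falco's default rules. Rule, macro and list names are hypothetical.
# Load it next to the default rules, e.g.:
#   falco -r /etc/falco/falco_rules.yaml -r custom_rules.yaml

# ---- syscall-source rules: events arrive from the eBPF probe ----------------

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: container.id != host          # container.id is "host" for host processes

- macro: shell_procs
  condition: proc.name in (ash, bash, csh, ksh, sh, tcsh, zsh, dash)

# An interactive shell inside a container is rarely expected in production and
# is the classic first step of an attacker who has landed in a pod.
- rule: Terminal shell in container
  desc: A shell with an attached terminal was spawned inside a container
  condition: spawned_process and container and shell_procs and proc.tty != 0
  output: >-
    Shell spawned in container
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container=%container.id image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: NOTICE
  tags: [container, shell]

# Writes under /etc by anything other than a package manager: a signal that
# system configuration inside the container is being tampered with.
- list: package_mgmt_binaries
  items: [apt, apt-get, dpkg, yum, rpm, apk, pip, npm]

- macro: open_write
  condition: evt.type in (open, openat) and evt.is_open_write=true and fd.typechar='f'

- rule: Write below etc in container
  desc: A process other than a package manager wrote under /etc inside a container
  condition: >-
    open_write and container and fd.name startswith /etc/
    and not proc.name in (package_mgmt_binaries)
  output: >-
    File below /etc modified in container
    (file=%fd.name proc=%proc.name cmdline=%proc.cmdline
    container=%container.id image=%container.image.repository
    ns=%k8s.ns.name pod=%k8s.pod.name)
  priority: ERROR
  tags: [container, filesystem]

# ---- k8s_audit-source rules: events arrive from the API server audit log ----

- macro: kevt
  condition: jevt.value[/stage] in ("ResponseComplete")

- macro: pod
  condition: ka.target.resource=pods and not ka.target.subresource exists

- macro: kcreate
  condition: ka.verb=create

# A privileged container sidesteps most of the isolation the runtime provides;
# the audit event records which identity requested it and in which namespace.
- rule: Create Privileged Pod
  desc: A pod with a privileged container was created through the Kubernetes API
  condition: kevt and pod and kcreate and ka.req.pod.containers.privileged intersects (true)
  output: >-
    Privileged pod created
    (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace
    images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]
```

The first two rules fire on syscall events, so they need the eBPF probe (or kernel module) loaded on each node; the `%k8s.*` fields are filled in only when Falco can reach the Kubernetes API to resolve container IDs to pods. The third rule is marked `source: k8s_audit` and fires only when the API server's audit webhook is pointed at Falco's audit endpoint. `falco -V custom_rules.yaml` validates the file's syntax before it is deployed.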
The future of Falco
"We
created Falco because the cloud demands runtime security. Sysdig contributed
Falco to the CNCF because innovation is stifled when core technology is
controlled by a single provider," said Loris Degioanni, Sysdig Founder and
Chief Technology Officer. "Enterprises that want support, automation, and
defined workflows can use Sysdig's commercial product that incorporates Falco.
Other organizations will choose to build their own tools using Falco. Now that
Falco is an incubation-level hosted project, we expect that it will become a
standardized component of the stack."
While in the CNCF Incubator, the Falco community will continue to drive end user adoption. The main focus will be on making Falco easier to consume and to integrate into cloud-native environments. This includes moving components of Falco to an API-first architecture, which lets the community begin developing integrations with other tools, including Prometheus, Envoy, and Kubernetes.
To get started with Falco, visit the Falco GitHub page. To get involved, join the Falco Slack channel and attend the weekly office hours calls, where feature work, open issues, and repository planning are discussed.