Sysdig me Amadeus: Falco graduates to CNCF

Time for runtime

Falco’s graduation comes at a time when some companies are pursuing incident visibility to determine materiality. 

Immediately knowing when someone is inside an environment and shutting them down in seconds decreases the attack surface and impact, clearly.

Falco has surpassed the 100 million download mark and gained hundreds of active code contributors since moving to the previous phase, “Incubation,” within the CNCF in 2020.

Bad actors have adapted their tactics to the cloud and initiate attacks within seconds of entering an environment. In on-premises environments, attacks can take weeks; in the cloud, it can take fewer than 10 minutes from initiation to completion. Sysdig says that real-time visibility across cloud environments, workloads and user activity is critical to quickly coordinate the correct response and minimise the impact of possible breaches.

Real-time cloud security camera

The Sysdig team suggest that Falco is ‘like a network of real-time security cameras for the cloud’ when in use, this is because it continuously collects data through rule violations and will immediately notify users of anomalous runtime activity, offering precise insights into an incident’s nature and severity. 

“Falco was developed as an open source answer for those in search of a widely accessible and seamlessly integrated runtime security solution for cloud-native infrastructures. The attack surface is ever-expanding, from host systems to the device in your pocket, and Falco has become the gold standard for runtime security. Hitting 100 million downloads and graduating within the CNCF gives companies confidence in the project’s maturity and underscores that prevention is not enough in the cloud,” said Loris Degioanni, CTO and founder of Sysdig.

An early pioneer of eBPF, Falco monitors kernel-level events and enriches them with insights from the broader cloud-native ecosystem. Through plug-ins, Falco boasts extensibility to cloud services and platforms, such as Okta and Github, providing one tool with the ability to make connections across environments.

Shift left & shield right

Open source Falco is the core engine providing unique runtime insights to the Sysdig platform, enabling organisations to both shift left and shield right. For prevention, runtime insights help customers connect the dots across environments and prioritise their most critical security risks. Falco rule libraries provide a deep understanding of what’s happening at runtime and prioritise in-use vulnerabilities. For detection and response, runtime insights power the ability to combat the most advanced threats through adherence to Falco rule sets. Ultimately, runtime insights provide end-to-end security – from prevention to defense – for the software development life cycle. 

“Since joining the CNCF, Falco has been an early pioneer of the application of eBPF to security and has undoubtedly contributed to the momentum we’re seeing within the open source runtime security space. With users at many of today’s largest-scale organisations and 50-plus integrations, we’re excited to continue cultivating the Falco community as a newly graduated project,” said Chris Aniszczyk, CTO of CNCF.

Falco detects threats and notifies a security engineering team via integration with the security incident management platform. This integration creates a feedback loop, ensuring that the security team is aware of potential threats and equipped to respond.

The project’s social stream is found at @falco_org