CNCF Graduates Falco Project to Improve Linux Security

The Cloud Native Computing Foundation (CNCF) announced today that Falco, an open source tool for defining security rules in Linux environments, has officially graduated.

Originally developed by Sysdig, Falco was donated to the CNCF in 2018 as an incubation level project. Since then, maintainers from Amazon, Apple, IBM, Red Hat and other organizations have been reengineering the codebase to include a testing framework and other quality checks, in addition to adding more capabilities.

Falco enables IT teams to apply custom rules to kernel events that generate real-time alerts whenever a threshold is exceeded. Designed to run at the kernel level of the Linux operating system, Falco was also one of the first security tools to take advantage of the extended Berkeley Packet Filter (eBPF), which lets its event collection run as an isolated sandbox inside the kernel so that rules can be enforced at scale.
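To make the rules-on-kernel-events model concrete, here is an added example of a Falco rules file; it is not part of the page and not one of Falco's shipped default rules. It watches for a shell inside a container opening a file under /etc for writing, a write that should be rare in an immutable container image. The list, macro and rule names, and the file path in the comments, are this example's own choices; the fields used (evt.type, evt.is_open_write, fd.num, fd.name, proc.name, container.id, container.name, container.image.repository, user.name, proc.cmdline) are standard Falco fields. An alert fires whenever the rule's condition matches an event.

```yaml
# Added example rules file (not part of Falco's shipped ruleset).
# Assumed: Falco is installed with its kernel module or eBPF driver and
# this file is saved as /etc/falco/rules.d/example-etc-writes.yaml
# (the path and all names below are this example's own choices).

# A list is a named set of values that conditions can reference.
- list: shell_binaries
  items: [bash, sh, dash, zsh]

# A macro is a reusable condition fragment. container.id is "host"
# for processes that are not running inside a container.
- macro: in_container
  condition: container.id != host

# Only consider successful opens that request write access
# (fd.num >= 0 filters out failed open calls).
- macro: open_for_write
  condition: >
    evt.type in (open, openat, openat2, creat)
    and evt.is_open_write = true
    and fd.num >= 0

- rule: Shell writes below /etc in a container
  desc: >
    A shell process inside a container opened a file under /etc for
    writing. Configuration in a container image is normally immutable,
    so this is a useful signal of tampering or a misbehaving deployment.
  condition: >
    open_for_write
    and in_container
    and fd.name startswith /etc/
    and proc.name in (shell_binaries)
  output: >
    Shell wrote below /etc in container
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [filesystem, container]
```

Load the file with `falco -r /etc/falco/rules.d/example-etc-writes.yaml`, or place it in the rules directory that falco.yaml already references; Falco validates the syntax at startup and rejects a file that references an unknown field or macro. Tuning is done by narrowing the condition (for example, excluding a known configuration-management process by name) rather than by lowering the priority, so that the rule stays quiet in normal operation and loud when it matters.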

Adopters of Falco include Cisco, Shopify, Skyscanner and Vinted, with most Falco use being in IT environments that have adopted Kubernetes clusters. Falco is also at the core of the cloud-native application protection platform (CNAPP) that Sysdig provides. In addition, Falco's plug-in architecture lets IT teams extend the reach of the rules they have defined.

Loris Degioanni, creator of Falco and CTO for Sysdig, said that as IT environments have become more dynamic, the need to apply security rules at the kernel level of an operating system has become more apparent. Organizations need to be able to ensure security at a level of scale that can only be achieved when rules are enforced at the subsystem level of an operating system, he noted. Alerts generated in real-time then make it possible for cybersecurity teams to respond more adroitly to threats that are increasing in volume with each passing day. In contrast, other approaches poll IT environments intermittently to discover potential threats, noted Degioanni.

Now that more distributions of Linux have added support for eBPF, the number of organizations that can take advantage of Falco to achieve that goal is steadily increasing.

Not many security teams appreciate the impact eBPF can have on enabling organizations to secure IT environments at scale—yet. Most security platforms today run in user space. That approach enables cybercriminals to more easily launch brute force attacks designed to deplete security platforms of the IT resources they need to combat threats.

It’s not clear how quickly more providers of security platforms will embrace eBPF, but cybersecurity teams should carefully evaluate the underlying architecture their security platforms are based on. Anything that today runs in user space is likely going to need to be replaced to run at higher levels of scale as the number of cyberattacks only continues to increase.

In the meantime, cybersecurity teams can take some comfort in the fact that the providers of the IT infrastructure they are trying to protect are reengineering those platforms in ways that make them easier to secure at scale.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 747 posts and counting.See all posts by mike-vizard