Clik here to view.
The fact that Falco has achieved graduation status with the CNCF shows that a lot of work yet has to be done to pave the way for eBPF to achieve its full potential, not only for security and observability but how it will play out in the near future and the long term as well.
Falco is like a number of other security observability tools or open source CNCF projects in that it offers a number of ways to observe or monitor and draw observability data across multiple runtimes and infrastructure as it extends from the Linux kernel throughout the runtime infrastructure.
This calls into question, though, what Falco actually does under the hood and to understand Falco, of course, you have to understand what eBPF is. In a nutshell, eBPF offers visibility, observability and networking capabilities across the runtime through so-called hooks that again extend from the Linux kernel. The hooks are used to monitor entire infrastructures extending, again, from the Linux kernel.
In the case of Falco, it offers what it calls sensors across distributive architectures, and it’s geared particularly for distributed architectures, notably Kubernetes, containers, etc. It provides several things that extend to an API or through which the rules are set of how it works, and it derives from the sensors through system calls, information that’s collected in a centralized collector, and that information, though, again, comes from the Linux kernel itself, Kubernetes infrastructure, AWS cloud trails, etc.
Falco’s overall concept is straightforward. You can think of Falco as a network of security cameras for your infrastructure. You place the sensors at key locations, they observe what’s going on, and they ping you if they detect harmful behavior.
As Falco’s CTO and founder at Sysdig Loris Degioanni, and Leonardo Grasso, a Sysdig open source software engineer, writes in “Practical Cloud Native Security with Falco”: “At the highest level, Falco is pretty straightforward: you deploy it by installing multiple sensors across a distributed infrastructure. Each sensor collects data (from the local machine or by talking to some API), runs a set of rules against it, and notifies you if something bad happens.”
Kernel Roots for Graduation
What originally began as a router-packet inspection tool, Falco evolved with eBPF. eBPF steadily drew attention once created until “let’s say, starting from 2015 and 2016” when Falco’s project team started working on the module, Degioanni told The New Stack. “So, it’s interesting because there were different ways essentially to do security for Linux. It was sort of insane to think about using eBPF. Up to that point, it was used for little scripts. It took a little bit of work — we had to submit a few patches to the Linux kernel section to enable the eBPF to actually be able to do this, but then we came up with a solution that sort of opened the eyes of the whole industry.”
And after that, essentially, the process went from sandbox to incubation to graduation. “The fact that Falco graduated is a testament to how the CNCF is becoming an important repository of projects that are more or less what the community agrees them to be, as the default step,” Degioanni said. “We are the step of the next generation of cloud native.”
Meeting compliance standards, such as SOC, and working out the bugs and improving Falco for large-scale production use was also a big factor in Falco’s graduation. “Some of the largest companies in the world now use Falco in production. That’s kind of the hurdle, right?” Degioanni said. “So the creators need to bring the project to a level of maturity and that takes a lot of effort.”
Falco is very well integrated into the Linux kernel. While eBPF is open source, its modifications take place in the kernel so that contributors make changes to and offer pull requests for Linux. Much of the work done for Falco involves relying on system-instrumentation drivers that need to be tailored for each supported Linux distribution and kernel version, Torsten Volk, an analyst for Enterprise Management Associates (EMA), told The New Stack. This forces Falco to support a long tail of older Linux kernels, Volk said.
The support for legacy systems requires the inclusion of older compilers, in turn increasing the security risk, Volk said. Addressing these factors with a combination of prebuilt drivers that can be used out-of-the-box instead of clients having to compile them, was needed to get Falco ready for graduation, Volk said. What the Falco developer team then did to address this usage need was to create a new driverkit tool that enables compiling kernel-specific instrumentation drivers and the inclusion of newer compilers that are more broadly compatible with both old and new kernel versions, Volk said.
For Kubernetes, Falco is particularly well-geared, thanks to the contributions to the project from Sysdig and the open source community. This work has been important to help get it up to speed for challenging aspects of Kubernetes observability to its statelessness, distributed nature and other attributes. “Graduation couldn’t have come at a more opportune time; Kubernetes adoption is growing fast, and security has never been more critical,” Edd Wilder-James, vice president of open source ecosystem, for Sysdig, told The New Stack.
One of Falco’s main strong points is monitoring syscalls, “but the vision doesn’t just stop at the kernel,” Wilder-James said. “Modern threats move laterally across the many surfaces in the cloud,” he said. “Falco’s approach of streaming rule-based detection applies to the cloud at large.”
Through its plugin ecosystem, Falco can monitor Kubernetes and logs from the major cloud providers, as well as provide detection for platforms such as GitHub and Okta,” Wilder-James said. “That’s an important part of ‘what’s next’ after graduation,” Wilder-James said.
Meanwhile, Falco has always been at the intersection of security and observability, CNCF CTO Chris Aniszczyk told The New Stack. “They were also very early adopters of taking advantage of eBPF in the Linux Kernel for further improvements,” Aniszczyk said. “Furthermore, the project isn’t just a benefit to the cloud native ecosystem, but any system that may be eBPF-compatible.”
However, there was no specific catalyst that enabled Falco to become a graduated CNCF project, Aniszczyk said. Falco’s graduation was “simply the time and the project fulfilled the CNCF graduation requirements and due diligence process,” Aniszczyk said.
“The uses of eBPF have grown rapidly, and we’re at a point where it’s no longer novel. At that point, in any technology’s lifecycle, you start thinking about Day 1 or 2 operations,” Aniszczyk said. “Falco slots right into those types of needs, and its adoption solidified its place among graduated projects.”
The post Falco Is a CNCF Graduate. Now What? appeared first on The New Stack.
Falco offers sensors across distributive architectures, and it's geared particularly for distributed architectures, notably Kubernetes, containers, etc.