Falco Cloud Security Monitoring Now on Amazon Web Services
Who would have thought a few years ago that Linux’s Extended Berkeley Packet Filter (eBPF) would become the foundation for cloud native security monitoring tools such as Sysdig’s Falco open-source security program? Now Falco, a cloud native runtime security project and the de facto Kubernetes threat detection engine, has expanded its reach to Amazon Web Services (AWS) via a brand new CloudTrail plug-in.
The company announced the new offering at this year’s KubeCon+CloudNativeCon, held earlier this month in Los Angeles, and virtually.
This combination will give you real-time detection of unexpected behavior and configuration changes, intrusions, and data theft in AWS cloud services using Falco rules. This is based on a new Falco plug-in framework that allows anyone to extend Falco to capture data from additional sources beyond Linux system calls and Kubernetes audit logs.
Falco has worked with AWS’s CloudTrail, its secured logging system, for some time. But with the new plug-in framework, it’s much easier to integrate the two.
Before this, you had to export AWS CloudTrail logs into a data lake or a security information and event management (SIEM) system for processing. That’s, in a word, slow. Only after the logs were imported could you search for threats and risky configuration changes.
With this new approach, you can use Falco to inspect cloud logs using a streaming approach. This lets you examine the logs in real-time to immediately spot trouble on the way.
You can put it to work immediately by using community-provided out-of-the-box rules. These map to compliance frameworks and best practices. You can also create custom rules to meet your specific requirements using YAML.
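What a custom rule for the CloudTrail source can look like, as an added example that is not from the article or from the Falco project's rule set. The list, macro and rule names and the role name are made up for illustration, and the `ct.*` fields and the `aws_cloudtrail` source name are assumed to match the plug-in version you load:

```yaml
# Added example: custom Falco rule for the CloudTrail event source.
# All names below are illustrative; field names (ct.*) are assumed to
# match the loaded CloudTrail plug-in.

# API calls that stop, remove or alter a trail.
- list: trail_change_events
  items: [StopLogging, DeleteTrail, UpdateTrail]

# Principals expected to manage trails (constructed placeholder value).
- list: trail_admins
  items: [example-logging-admin]

# Only alert on calls AWS accepted; denied calls carry an error field.
- macro: ct_call_succeeded
  condition: not ct.error exists

- rule: CloudTrail Configuration Changed By Unexpected Principal
  desc: >
    A trail was stopped, deleted or modified by a principal that is not
    on the trail_admins allow-list. Losing a trail removes the audit
    record that the other CloudTrail rules depend on.
  condition: >
    ct.name in (trail_change_events)
    and ct_call_succeeded
    and not ct.user in (trail_admins)
  output: >
    CloudTrail configuration changed
    (event=%ct.name user=%ct.user source_ip=%ct.srcip region=%ct.region)
  priority: WARNING
  source: aws_cloudtrail
  tags: [cloud, aws, aws_cloudtrail]
```

Keep the allow-list short, since any principal on it can change trails without raising this alert.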
This new method also makes it much easier to manage critical logging and security data across multiple clouds. Looking ahead, Sysdig promises additional plug-ins will allow you to use a consistent threat detection language and close security gaps by using consistent policies for workloads and infrastructure… eventually.
For now, this pairing of CloudTrail and Falco is a beta. Even so, today the CloudTrail plug-in and related Falco rules can:
- Read CloudTrail logs and return them as events
- Identify suspicious or notable activities in CloudTrail logs
As of today, the AWS CloudTrail plug-in and additional out-of-the-box rules are available via the Falco GitHub site. You can also build new plug-ins on the framework.
Sysdig hopes to formally release it early next year. In the meantime, they’d like to get potential plug-in developers to look at the APIs and provide feedback while moving towards an official release.
Why look at it now? Well, as Chris Aniszczyk, Cloud Native Computing Foundation (CNCF) Chief Technology Officer, remarked, “The Falco plug-in capability gives DevOps and security teams a single threat detection tool with a single rules-language across container and cloud environments. This allows users to create consistent policies for workloads and infrastructure and close security gaps. The basis is now in place for rapid innovation by the community to extend Falco to additional cloud environments.”
To this, I’ll add that anything that gives me the power to check for security problems in real-time is worth a look in my book.