Falco Plugins Bring New Data Sources to Real-Time Security
Cloud security company Sysdig has announced the addition of plugins to Falco, the Cloud Native Computing Foundation (CNCF) runtime security project, at this year’s KubeCon+CloudNativeCon North America.
Falco plugins, introduced in early access at the event, will allow users to extend Falco to include new data sources, and Sysdig is introducing the new feature alongside one such plugin for Amazon Web Services’ CloudTrail, the AWS service that monitors and records account activity across AWS infrastructure.
Sysdig CTO and founder Loris Degioanni said Falco’s real-time functionality, which in normal operation uses the extended Berkeley Packet Filter (eBPF) to collect information from the Linux kernel concerning container runtime, brings a new element to something like log monitoring.
“The beauty of Falco is that it operates in real-time,” Degioanni said. “While many solutions are based on checking configuration, following APIs, scanning images, and so on, Falco is like a security camera, it looks at the behavior of containers constantly. And this policy engine is designed to essentially make detections in real-time and alert the users in a matter of seconds, or even less than seconds.
Moreover, Degioanni said the company found that the properties of its policy engine were generic, powerful, and potentially applicable beyond just containers in the Linux kernel.
“By listening to the community, we started essentially decoupling this engine from the underlying data collection,” he said. “With the plugins, you can still use this engine, which is pretty flexible, powerful and very real-time in nature, and apply this engine to whatever you want.”
The Falco Cloudtrail Plugin provides real-time detection of unexpected behavior and configuration changes, intrusions, and data theft in AWS cloud services using Falco rules. More specifically, it reads Cloudtrail logs and returns them as events and new rules that look for suspicious or notable activity. While the Cloudtrail Plugin offers some very real functionality and brings Falco to the cloud rather than just focusing on kernel activity, it also serves as an example for further plugins that are yet to be created by the community.
The plugins themselves come in two types — source plugins and extractor plugins. Source plugins allow for new event sources and filter fields to be added to Falco and evaluated using rules and filtering expressions, while extractor plugins define new fields that can extract information from either core Falco events or events generated by other plugins. Together, the company says that the two types of plugins will allow users to “write rules for almost any kind of streaming data.”
“This is something that is designed in a completely open way to support the community and the industry in a broader sense. We’ve designed these together with the rest of the Falco CNCF community,” said Degioanni. “We’re already starting to see users interested in a variety more integrations and more data sources for Falco through this plug-in mechanism.”
Plugins can be written in any language that supports exposing C function interfaces that can be called from a C/C++ program like Falco, and Sysdig says it has written plugins using C, C++, and Go. The company has also provided a Go module to translate between C pseudo-types and Go types, and to provide convenience methods that make it easier to write plugins in Go.
Some immediate directions for expansion, said Degioanni, would be to include other major cloud providers with similar plugins for log monitoring. Beyond that, however, he said that other areas such as DNS logs or load balancer logs were all “good candidates” for new Falco plugins.
With Falco’s extension into the cloud, Degioanni said he sees a convergence between runtime detection and managing cloud infrastructure, something that Sysdig itself has further ventured into in recent times, such as the company’s recent acquisition in the infrastructure as code space.
“If you’re running containers and Kubernetes in the cloud, it’s very important to be able to have a tool that is able to protect both the infrastructure side — everything that has to do with cloud resources, with the activity and configuration changes in the cloud and so on — and the workload side (containers and Kubernetes) with a single language, a single converged set of policies, and a central place where you get both the control of these and also the notifications,” Degioanni said.
The new Cloudtrail Plugin — and the plugin feature itself — is still in “very early access,” according to a company blog post, but Sysdig expects both to be released to general availability in early 2022. Currently, when plugin support is enabled in Falco, Falco’s support for monitoring syscalls is disabled and only a single source plugin can be loaded at one time, but the company says it is looking to “allow running multiple source plugins at once, once we tackle the concurrency, fairness, and resource utilization issues that result from having multiple streams of events being processed by a single Falco rules engine.”