Project Falco: Sysdig Reengineered for Security Monitoring
What happens when you cross Snort, OSSEC and strace? You get a tool very much like Project Falco, an open source behavioral activity monitor for detecting anomalous activity within containerized applications.
Falco is based on the Sysdig Project, an open source tool (and now a commercial service), built for monitoring container performance by way of tracking kernel system calls. Instead of tracking system calls for performance, Falco uses the same instrumentation for anomaly and intrusion detection.
Sysdig launched Project Falco in May and thus far has gathered about 468 stars on GitHub.
“We’ve taken that same core of kernel instrumentation, and packaged it up in a way that makes it easier for people to run and detect behaviors that are suspicious,” said Apurva Davé, Sysdig vice president of marketing.
Falco was built for “the individual code-level guy who is running his own system and building his own ops” but also “scales up for a serious enterprise that is looking to take output from Falco and correlate it to the rest of its security and performance information,” further explained Mark Stemm, Sysdig software engineer who oversees Falco.
Behavioral Activity Monitoring
The Sysdig project was created a few years back by Loris Degioanni, one of the co-creators of Wireshark, an immensely popular tool that gives administrators packet-level visibility about what is happening across a network.
Sysdig was designed to monitor container actions in close detail. Containers do not have a kernel of their own: any time a container needs system resources, such as CPU, memory, file access or the network, it calls down to the shared host kernel. Sysdig therefore provides a module that is loaded into each host’s OS kernel, allowing users to see every single system call executed on that host, whether it comes from the OS, the container runtime or the containerized application. In this way, a single agent on the host can see everything every container on it is trying to do.
When applied to security, this type of monitoring Sysdig calls “behavioral activity monitoring,” Davé asserted.
The idea is a move away from the traditional enterprise security approach of thwarting malicious activity at a firewall, by blocking unneeded ports, through passwords and other authentication mechanisms. Falco’s approach is to keep an eye out for any suspicious behavior.
Using Sysdig, sets of low-level system calls are aggregated into a library of higher-level “events” that can trigger “alerts.” Falco also provides a rules system that can define malicious behavior using the data generated by Sysdig, and alert users when such behavior is detected.
For instance, the use of a Bash shell inside a container is worth an alert. “If someone is running a shell within a container, then that is probably pretty suspicious because it means that someone is doing general purpose things inside your microservice,” Stemm said. A rule, written in YAML, may look something like this (shown here with the rule name and priority fields that every Falco rule needs in order to load; the name is illustrative):
- rule: shell_in_container
  desc: a shell running in a container
  condition: container.id != host and proc.name = bash
  output: "Shell running in container (user=%user.name container_id=%container.id container_name=%container.name shell=%proc.name parent=%proc.pname)"
  priority: WARNING
According to the GitHub page, the software covers other scenarios such as:
- A container is running in privileged mode or is mounting a sensitive path like /proc from the host.
- A server process spawns a child process of an unexpected type.
- Unexpected read of a sensitive file (like
- A non-device file is written to
- A standard system binary (like ls) makes an outbound network connection.
Thus far, Falco has about 40 built-in rules for detecting security breaches, which are encoded in YAML and stored on GitHub. Users can write their own rules as well.
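The scenarios above can be expressed with the same rule format as the shell example, plus two Falco constructs the article does not show: lists (reusable sets of values) and macros (reusable condition fragments). The rules file below is an added example written for this page, not Falco’s bundled ruleset. The field names it relies on (container.privileged, container.mounts, fd.name, fd.directory, fd.typechar, evt.arg.flags, k8s.pod.name, k8s.ns.name) are assumed to be available in the Falco build in use, and the binary and path lists are illustrative starting points that a real deployment would tune to its own workloads.

```yaml
# Added example, not Falco's shipped rules. Field names and the
# list contents are assumptions; tune the lists to your workloads.

# Lists: reusable sets of values referenced as "in (list_name)".
- list: system_binaries
  items: [ls, cat, cp, mv, grep, find]

- list: sensitive_files
  items: [/etc/shadow, /etc/sudoers, /root/.ssh/id_rsa]

- list: server_binaries
  items: [nginx, httpd, node, java]

# Macros: reusable condition fragments referenced by name.
- macro: in_container
  condition: container.id != host

- macro: open_read
  condition: evt.type = open and evt.is_open_read = true and fd.typechar = 'f'

- macro: outbound
  condition: evt.type = connect and evt.dir = < and (fd.typechar = '4' or fd.typechar = '6')

# Privileged container, or a container that mounts a sensitive host path.
# Detected on the first execve inside the container (assumed field names).
- rule: privileged_or_sensitive_mount_container
  desc: a container was started privileged or with a sensitive host path mounted
  condition: >
    evt.type = execve and evt.dir = < and in_container and
    (container.privileged = true or container.mounts contains /proc)
  output: "Risky container started (user=%user.name command=%proc.cmdline container=%container.name privileged=%container.privileged pod=%k8s.pod.name ns=%k8s.ns.name)"
  priority: WARNING

# A server process spawned a child that is not itself a known server binary.
- rule: server_spawned_unexpected_child
  desc: a server process spawned a child process of an unexpected type
  condition: >
    evt.type = execve and evt.dir = < and in_container and
    proc.pname in (server_binaries) and not proc.name in (server_binaries)
  output: "Unexpected child of server process (parent=%proc.pname child=%proc.cmdline container=%container.name pod=%k8s.pod.name)"
  priority: WARNING

# Sensitive file read by anything other than the processes expected to read it.
- rule: read_sensitive_file
  desc: unexpected read of a sensitive file such as /etc/shadow
  condition: >
    open_read and fd.name in (sensitive_files) and
    not proc.name in (sshd, sudo, login)
  output: "Sensitive file opened for reading (user=%user.name command=%proc.cmdline file=%fd.name container=%container.name pod=%k8s.pod.name)"
  priority: WARNING

# Device nodes are created with mknod, so a regular file created under /dev
# is almost always someone hiding data or a tool there.
- rule: write_non_device_below_dev
  desc: a non-device file was created under /dev
  condition: >
    (evt.type = creat or (evt.type = open and evt.arg.flags contains O_CREAT)) and
    fd.directory = /dev
  output: "File created below /dev (user=%user.name command=%proc.cmdline file=%fd.name container=%container.name)"
  priority: ERROR

# ls, cat and friends have no business opening network connections.
- rule: system_binary_outbound
  desc: a standard system binary made an outbound network connection
  condition: outbound and proc.name in (system_binaries)
  output: "System binary made outbound connection (user=%user.name command=%proc.cmdline connection=%fd.name container=%container.name pod=%k8s.pod.name)"
  priority: NOTICE
```

Two design points carry over to any rule you write. First, every condition is anchored on a specific syscall and direction (evt.type plus evt.dir = < for the exit event), because that is the moment the kernel has filled in the file descriptor and process fields the output string formats. Second, each rule carries an explicit allow-list (the known readers of /etc/shadow, the expected children of a server), which is where the tuning effort goes once the rule is run against real traffic; a rule without one will page on every legitimate cron job.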
Admins define how the alerting mechanism should send out notifications, and what messages should accompany the alert. The alert is a mix of a template of plain text, and fields that can be filled in by the software to describe the specific events. Falco can also communicate with container orchestration tools such as Kubernetes and Marathon/Mesos, allowing Falco to recognize orchestration level concepts such as “pod” and “deployment,” so they can be used in rules and output strings.
Admins specify the output channel, such as email or log or another program, in another configuration file. Alerts can also be sent to a Security Information and Event Management (SIEM) system. “There, we become an input for one of those systems to cross-correlate the event that we saw with any other underlying problems,” Stemm said.
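The output side described above lives in Falco’s main configuration file. The fragment below is an added illustration of that file, not the default configuration shipped with Falco; the keys used (rules_file, json_output, file_output, stdout_output, syslog_output, program_output) are assumed to match the Falco build in use, and the log path, mail command and address are placeholders.

```yaml
# Added example of a falco.yaml output section; key names are assumed
# to match the Falco version in use, values are placeholders.

rules_file: /etc/falco_rules.yaml

# One JSON object per alert, so a SIEM can parse the event fields
# instead of pulling them back out of the free-text output string.
json_output: true

# Local copy of every alert, kept for forensics after an incident.
file_output:
  enabled: true
  filename: /var/log/falco_events.log

# Useful when running Falco in the foreground or in a container.
stdout_output:
  enabled: true

# syslog is the usual hand-off point to a SIEM collector agent.
syslog_output:
  enabled: true

# Pipe each alert into an external program on stdin. The program is
# spawned per alert, so keep it cheap; shown here with a placeholder
# mail command.
program_output:
  enabled: true
  program: mail -s "Falco alert" secops@example.com
```

The combination that matters for SIEM correlation is json_output together with syslog_output or file_output: the JSON form carries the same fields the rule’s output string formats (container, pod, user, process, file), but as keys the SIEM can index and join against its other sources.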
While there is no shortage of intrusion detection tools on the market, Falco could be advantageous in the emerging market for protecting containerized and microservice-based applications, Davé said. Most intrusion detection tools run in user space; very few hook directly into the kernel, Davé noted.
You don’t have to have Sysdig already installed to use Falco, and, at present, the company hasn’t commercialized Falco yet. The company’s first step is to build it into the company’s commercial DevOps monitoring service, Sysdig Cloud.
“Our strategy is to leverage this insertion point of kernel instrumentation to do much more in your environment than a monitoring product was ever able to do,” Davé said.
Intel sponsored this story. Sysdig is a sponsor of The New Stack.
Feature image: The NGC 6357 diffuse nebula, from the NASA Astronomy Picture of the Day.