In Falco's nest: The evolution of Cloud Native Runtime Security


Talking about the latest evolutions in the Falco ecosystem. Falco is 10 years old, open-sourced in 2016 by Sysdig. Donated to the CNCF in 2018, graduated in 2024, and becoming a standard now.

What is Falco?

Analogy: the security camera for your infrastructure. Deep visibility into your systems and infrastructure.

Using eBPF, events are forwarded to a runtime, where they are evaluated against rules. You can write your own rules or take some off the shelf.

There’s also a plugin system for emitting custom events or extending Falco’s capabilities.
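As an added illustration of what “your own rules” look like (this file is mine, not from the talk or the Falco project’s shipped rule set), here is a minimal custom rules file in Falco’s rule syntax: a list, two macros and one rule that fires when an interactive shell is started inside a container. The field names are standard Falco fields; the rule name, list contents and tags are my own choices.

```yaml
# Added example rules file (not from the talk or the Falco project).
# Load it alongside the default rules via -r or the rules_files setting.

# Lists group values so rules stay readable and easy to extend.
- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Macros are reusable condition fragments.
# container.id is the literal string "host" for processes outside any container.
- macro: in_container
  condition: (container.id != host)

# Match the exit side (evt.dir=<) of an execve/execveat, i.e. a process that
# actually started, not just the attempt.
- macro: spawned_process
  condition: (evt.type in (execve, execveat) and evt.dir=<)

# A shell with a controlling terminal inside a container is rarely part of
# normal workload behaviour; it usually means someone ran "kubectl exec".
- rule: Interactive shell in container
  desc: >
    An interactive shell (with a tty) was spawned inside a container.
    Tune with lists or exceptions for images where this is expected.
  condition: >
    spawned_process and in_container
    and proc.name in (shell_binaries)
    and proc.tty != 0
  output: >
    Interactive shell in container
    (user=%user.name user_loginuid=%user.loginuid shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline pid=%proc.pid
    container=%container.name image=%container.image.repository:%container.image.tag
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: NOTICE
  tags: [container, shell, mitre_execution, T1059]
```

Falco emits the rendered output line at NOTICE priority to whatever outputs are configured (stdout, file, gRPC, Falcosidekick); the rule itself only detects, any blocking or response is a separate layer.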

What’s new in Falco?

Two releases: 0.42 and 0.43.

Capture recording to enable forensics in Falco

Generates SCAP files, which can be inspected with Stratoshark (feature parity with Wireshark, but better I guess).

Drop enter initiative

Performance upgrade: lighter kernel instrumentation (20% reduction in latency), kernel events reduced by half.

Other changes

There’s more, but go read the release notes.

Falco Operator

You used to deploy using Helm; now there’s an Operator, bringing Falco operations into the Kubernetes-native space.

Still early days, but v0.2.0 is their first “production-ready release”.

Architecture

Two components:

  • Falco (DaemonSet/Deployment)
    • Artifact operator (sidecar)
  • Falco Operator

Use a Deployment when you don’t need global visibility, for example when using the Okta plugin to pull events from Okta for Falco to analyse.

Use a DaemonSet when you want kernel-level visibility.

Changes

So yeah, there’s a bunch of changes from v0.1.0 to v0.2.0, but not gonna list them all.

The Operator can manage Falco components using CRs, for example Falcosidekick or Falcosidekick UI. They come with production-ready settings that can be overridden.

What’s next

BPF Iterators

Improving information-gathering performance compared to scanning procfs.

The procfs scan needs to read a lot of small files, which is a big overhead. Using BPF iterators, a Linux kernel feature available from v5.8 onwards, they can reduce complexity and improve performance.

Multi-thread support

Before: single threaded event loop. This was fast and performant enough.

Now: more and more events to process, so the event loop can become saturated. Multi-threading adds complexity though.

Developer Experience

Falco LSP

LSP for Falco rules. Syntax highlighting! There’s a VS Code extension, but the LSP itself is vendor-agnostic.

Falco for coding agents

You can block coding agents from doing naughty stuff.