From YouTube: Sysdig Sponsored Session
Description
Join us for Kubernetes Forums Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Sysdig Sponsored Session
All right, five minutes. My name is Loris Degioanni, I'm CTO and founder of Sysdig. I've also been involved in open source for 15 years at this point. I was one of the part of the original team that created the Wireshark network analyzer, and recently I've been the creator of and heavily engaged with Falco. Actually, with the amount of time that I have, I was thinking, in order to give you something useful, I just want maybe to talk to you a little bit about Falco.

Falco is a tool for runtime threat detection and runtime security for Kubernetes. Falco is open source. It's a part of the CNCF, and essentially it works as an anomaly detection engine that can take multiple inputs, for example system calls that are captured by deploying the Falco agent. It can take Kubernetes audit events and mixes all of these with Kubernetes metadata to produce alerts, so to tell you if something is wrong, in real time at runtime, with your Kubernetes environment. Falco is deployed typically as a DaemonSet in Kubernetes.
So here in this slide you have the host, a machine where there are multiple containers that are running. Falco runs as a further container that you deploy on the machine, and running this container deploys a BPF-based instrumentation that can collect data from the other containers that are running on the machine. So one thing about Falco is it's completely transparent and doesn't require any modification to the containers that are in the pods that are scheduled by Kubernetes on the same machine. The other thing that Falco does is it takes...
This diagram shows multiple machines, each of which with several containers running, and the color coding here is the service that the containers belong to. Typically, you know, looking at things like on the left side of the slide is not super useful in Kubernetes. You want to essentially find all the containers that are the same color, so that are part of the same service, and treat them as a unit when you define policies for them or when you receive events or alerts for them. All right.
Okay, looks like I have no network, so I cannot give the demo to you. With Falco I'm able essentially to collect information at runtime, and the demo would have... let me look at the logs coming from my little Kubernetes cluster that is running on GKE, and being able to exec into a container and look at the output from Falco. That would have... let me see. Oh, it worked now.
It took a while. As you can see, I just exec'd inside the container, and Falco immediately tells me, by looking at the Kubernetes API, that somebody did exec inside the container and that a shell was born inside this container. And now I'm inside this container, so if I do malicious-like activity, for example, I don't know, I can go and I can modify a system binary, which is something that you should never see, again in real time.
Sysdig as a company offers actually a full platform built around Falco that allows you essentially to manage this engine around your Kubernetes cluster, and it also allows you to do much more than just runtime protection. It's something that puts together, you know, multiple tools like Prometheus. Falco is the anchor in a complete workstream that can offer you a lot of functionality for container security. For example, here I'm logged into Sysdig Secure and I see that there's a terminal shell in container.
So if you want to learn more, come to our booth; we are at booth P33, and we were putting these on the tables. We're actually giving away at our booth the book Linux Observability with BPF. It's an O'Reilly book that is written by Lorenzo, one of the Sysdig employees, and if you show up with one of these, you will be able to get the book signed and get a free copy of the book. It's a really good book. Other than that...
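The three things the demo shows Falco catching (a shell started in a container, a system binary being modified, and the exec seen through the Kubernetes API) written out as a minimal Falco rules file. This is an added example, not Sysdig's or the Falco project's shipped rules; the list and macro names and rule names are chosen here, the field names (evt.*, proc.*, fd.*, container.*, k8s.*, ka.*) are Falco's.

```yaml
# Added example, not the Falco project's shipped rules. Lists and macros are
# defined here; field names (evt.*, proc.*, fd.*, container.*, k8s.*, ka.*) are Falco's.
- list: shell_binaries
  items: [sh, bash, dash, zsh, ash]
- list: bin_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin]

# execve returned (evt.dir = <), i.e. a new process actually started.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

# Event came from a container rather than the host itself.
- macro: in_container
  condition: container.id != host

- macro: open_write
  condition: evt.type in (open, openat) and evt.is_open_write = true and fd.typechar = 'f'

# 1) Syscall source: interactive shell (has a controlling tty) in a container.
- rule: Terminal shell in container
  desc: An interactive shell was started inside a container
  condition: spawned_process and in_container and proc.name in (shell_binaries) and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline container=%container.name image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: NOTICE
  tags: [container, shell]

# 2) Syscall source: a file under a system binary directory opened for writing.
- rule: Write below binary dir
  desc: A system binary directory was written to from inside a container
  condition: open_write and in_container and fd.directory in (bin_dirs)
  output: >
    Binary directory written to (user=%user.name file=%fd.name proc=%proc.name
    container=%container.name pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: ERROR
  tags: [container, filesystem]

# 3) Kubernetes audit source: "kubectl exec" seen at the API server.
- rule: Exec into pod via Kubernetes API
  desc: A pods/exec subresource was created through the API server
  condition: ka.verb = create and ka.target.resource = pods and ka.target.subresource = exec
  output: >
    Exec into pod (user=%ka.user.name pod=%ka.target.name ns=%ka.target.namespace
    command=%ka.uri.param[command])
  priority: NOTICE
  source: k8s_audit
```

The first two rules fire from the syscall stream collected by the Falco DaemonSet's BPF probe; the third only fires if the API server's audit webhook is configured to send events to Falco.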