From YouTube: Keynote: Why Wait? Find Cloud Risks and Threats in Real Time with Stream Detection - Loris Degioanni
Description
Keynote: Why Wait? Find Cloud Risks and Threats in Real Time with Stream Detection - Loris Degioanni, Sysdig
Cloud service providers offer cost-effective and efficient collection and storage of cloud logs, which are a rich source of data for DevOps and security teams. Copying logs out of the cloud to query them later is expensive and complex to manage. With stream detection you can find risks and threats in real time and fix issues faster while saving time and money.
Loris will share how you can utilize Falco's real-time telemetry in your cloud-native environment to enable smarter alerts faster and stay ahead of bad actors and malicious attacks.
Good morning, everyone. My name is Loris Degioanni; I'm CTO and founder at Sysdig. Sysdig is a leading provider in container, Kubernetes and cloud security and, of course, we're hiring.

Today, I'm going to talk about detecting threats in cloud environments and in particular in cloud infrastructures, and I want to start by just, you know, recapping what you can do with the majority of cloud providers. Typically, cloud providers offer standardized, opinionated facilities for collection of logs from different services that are ideal for collecting information that can be used to detect threats in cloud infrastructures.
Now, what we do after that is a little bit more complicated, because these logs need to be essentially collected, parsed and treated in some way, and very often the way people hunt for threats in these logs is they take them, they move them to a logging backend, which requires both bandwidth cost and storage cost, and then they essentially create alerts or rules or something like that.
Based on that, I argue, or I propose, a better way to do this, a way that is based completely on open source, and it's based on Falco, which is a Cloud Native Computing Foundation (CNCF) incubating project. The best way that I have to describe Falco is: Falco is the security camera for modern apps. Falco is deployed by many, many thousands of users around the world, from, you know, small single-machine deployments to giant-scale deployments in some of the biggest companies in the world, and Falco is based on some core principles.

The idea of enriching this data with context, for example Kubernetes metadata context; the idea of having robust defaults and something that works very well out of the box to detect threats in runtime security, but also having a nice language for extensibility; and Falco is optimized for real-time and runtime security.
Falco traditionally works for containers and virtual machines and sits on every single endpoint, and is able to capture the data from multiple containers by sitting in the kernel of the operating system. These are some examples of detections, of rules, that you have with Falco: you know, a shell is running in a container, somebody is modifying a system binary, somebody is trying to escape a container, and so on and so forth. So, very granular, real-time detection. That's why I call it a security camera.

What we've done recently as the Falco community is we've extended Falco. This diagram shows, essentially, you know, the flow of information from Falco. Typically, historically, Falco is capturing system calls using either a kernel module or an eBPF probe.
Falco in real time can just look at the stream of events that CloudTrail is producing, and this is an example. Overall, I'm not trying to teach you the Falco syntax, that's not the scope here, but, as you can see, this is a rule that detects a console login without multi-factor authentication and, as you can see, you know, the condition is typically the rule, the actual filter, that Falco looks for in the events, and, as you can see, it's pretty readable and allows you to express essentially Falco rules using CloudTrail events.

Of course, you can write your own CloudTrail rules, but you don't have to, because Falco comes equipped with a nice set of default rules that allow you to detect a bunch of stuff, including configuration changes, unusual behavior from users, data exfiltration, for example from S3 buckets, somebody making an S3 bucket public or somebody accessing sensitive data on the bucket. All of this kind of stuff is already part of the default rules that you get when you deploy Falco for cloud security.
To summarize, we have something that, compared to maybe the traditional way of doing things, first of all leverages a tool that is a CNCF tool, that is free as in free beer and free as in free speech, is real-time and responsive, so it doesn't need to index the data, it doesn't need to treat the data before it generates the alerts, but is able in a few seconds essentially to notify you when there's something wrong going on in your cloud infrastructure, and this is a very good complement to, like, I don't know, cloud security posture management tools that maybe look at APIs and do this kind of stuff, because the use of real-time security and runtime security with Falco is very instantaneous and immediate, provides full coverage, and it's very interesting because now with Falco you have protection both for the workloads, for the containers, and with the same tool, with the same syntax, with the same deployment, you also have coverage for the cloud infrastructure, where very often your Kubernetes, your containers, your virtual machines run. Falco is efficient.
Therefore, it's very cheap: it doesn't store data, it requires very little CPU, because it's very optimized for, like, eBPF system call treatment; it's scalable. So it's designed to work at scale in big infrastructures and, of course, you know, it allows you to avoid expensive copies and data movements, so it's also very affordable. I could keep talking about that, but I think I'll just conclude by giving you some pointers. The first one is the Falco website. The second one is the community, where myself and all of the other Falco contributors and maintainers get together. We have a Slack channel.
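The detection the talk uses as its example, a console login without multi-factor authentication evaluated on the CloudTrail event stream, written out as an added Python example. This is not Falco's code and not the rule shown on the talk's slide; it only follows the same stream-detection shape (each event is checked as it arrives, nothing is indexed or queried later, and an alert is emitted at once). The CloudTrail field names (`eventName`, `userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `errorMessage`) are the ones CloudTrail records for `ConsoleLogin` events; the sample records, the function names and the choice to ignore failed logins and `AssumedRole` identities are constructed for this example.

```python
"""Stream detection over CloudTrail events: console login without MFA.

Added example, not Falco's code. Each record is evaluated as soon as it is
read, the way a streaming detector does, with no indexing or batch query.
The CloudTrail field names are real; the sample records are constructed.
"""
import json
from typing import Iterable, Iterator, Optional

# Constructed CloudTrail delivery document in the {"Records": [...]} shape
# CloudTrail writes. Five events: one benign MFA login, one login without
# MFA (the only one that should alert), one failed attempt, one assumed-role
# login and one unrelated API call.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T08:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T08:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T08:06:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"},
     "errorMessage": "Failed authentication"},
    {"eventTime": "2024-01-01T08:10:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/carol"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T08:11:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "192.0.2.44",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def console_login_without_mfa(event: dict) -> Optional[dict]:
    """Evaluate a single CloudTrail record; return an alert dict or None.

    Each clause plays the role one term of a Falco rule condition would:
    event name, no error, identity type, outcome, MFA flag.
    """
    if event.get("eventName") != "ConsoleLogin":
        return None
    if "errorCode" in event or "errorMessage" in event:
        return None  # failed attempt: no session was opened
    identity = event.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        return None  # role sessions carry MFA at AssumeRole time, not here
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return None
    if event.get("additionalEventData", {}).get("MFAUsed") != "No":
        return None
    return {
        "rule": "Console Login Without MFA",
        "priority": "CRITICAL",
        "user": identity.get("userName", identity.get("arn", "unknown")),
        "source_ip": event.get("sourceIPAddress"),
        "time": event.get("eventTime"),
    }


def stream_detect(lines: Iterable[str]) -> Iterator[dict]:
    """Consume JSON documents one at a time and yield alerts as they are found.

    Accepts either a CloudTrail delivery document ({"Records": [...]}) or a
    single record per line, so the same detector serves both feed shapes.
    """
    for line in lines:
        doc = json.loads(line)
        records = doc.get("Records", [doc]) if isinstance(doc, dict) else []
        for record in records:
            alert = console_login_without_mfa(record)
            if alert is not None:
                yield alert


def run_sample() -> list:
    """Run the detector over the constructed log; returns the alert list."""
    return list(stream_detect([SAMPLE_LOG]))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The generator shape is the point: `stream_detect` never holds more than the record it is looking at, so the cost is a few field lookups per event rather than a copy into a logging backend and a query over it afterwards.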