From YouTube: Detect and react to Security Threats in your Runtime and Cloud Environment - Manfred Buchmann, Sysdig
Description
Falco, the open source runtime security project with over 50 million downloads, becomes a generic security component. Falco detects and reacts to security threats in your runtime and cloud environment.
Website: https://sysdig.com/
Organized by @Microsoft @kubermatic7173 @SysEleven
Thanks to our sponsors @CapgeminiGlobal, @gardenio, @sysdig, @SUSE, @anynines, @redhat, nginx, serve-u
I have to say, I'm quite nervous, and you know why: it's about me, Manfred, and after two years, standing in front of people again, real people, not a Zoom meeting, it's quite a different feeling. I'm not sure how it is for you, but it is really a different feeling. But my goal here is really to help you guys secure your environment and give you an idea what you can do with runtime security. I put up two books.
If you're interested to read more about cloud security, there's a free ebook; you get the presentation later on on the link and you can download it. There's also a link on how to use Falco, the security camera for your runtime environment. Now I put two personal books up there: it's the holiday season. Some of you may not have read Blackout. If you read it, you can't stop reading, so be aware.
If you have friends out there, you may be distracted and only reading the book, so I can recommend it. And one book you don't want to read is This Is How They Tell Me the World Ends. It was the McKinsey yearbook of the year from last year, about what governments are investing into, I mean, cyber security and hacking systems. So it's really from a New York Times journalist, an exciting book to read. So those are my recommendations for your holidays.
If you want to spend time behind the book: what is runtime security? Runtime security is all about securing your runtime, like you said, but it's detecting, at any time, any type of malicious behavior in your container environment, in your runtime. But one part of runtime security is also to provide information to your forensic guys if there are anomalies in your runtime system. So that's also a part of it. And how can you respond to this incident?
I compare runtime security to the movie I put up there: compare it to monitoring a bunch of people. You monitor a bunch of containers and you want to detect suspects where something is happening. We had to look for Jay. We had the reverse shells in that connection, so find the suspects in your container environment, and similar to this one, that's where Falco comes into place.
Falco is this open source tool created by Sysdig, and what it does is capture your system calls, everything which happens at the Linux kernel level. All system calls. We see it like the security cam: like a stream of system calls we get, and we get all the information from the kernel. So you may ask: how does it look? That's a trace from the system calls.
You may not be able to read it, but just to give you an example: that's what we see at the base level and what we take to capture events, and Falco then has a threat detection engine which turns the system call patterns into certain threats. So what are the guys doing? That's really what's behind this Falco, and then Falco triggers events.
So for an example, we have a guy in there who wants to change your binary files, your executables in your Linux system. They want to change, for example, the /usr/bin directories or the /bin directories. So what can Falco do at the system level? No integration for Kubernetes needed. We see at the Linux level if anybody changes a file in here, in this example on the top. You see the bin directory, the /usr/bin directory or whatever; it's just writing into it. We get an alert; that's what I did.
In this example, I went into the /usr/bin directory. I didn't touch it, I mean I created a file, and if you have Falco running at the kernel level, that's what you get from Falco: you get the event up there and it tells you: error, write below binary. You see the binary directory, you see which file I created.
That's what Falco delivers you in terms of security, and you just install the Falco agent, and you see this at once in the log files, and you define the rules. But you may say: does this only work in my Linux environment, and what about the container environment? The container is isolated. Do you see similar information up there? So what does Falco do in this picture?
We have a kernel driver, which sees all system calls below the containers, every system call, and if you don't want to compile the module, you can use eBPF to see the same information. We see the same information at the system, kernel level. If you run applications in a container or not, it doesn't matter for us. And using this as an example, let's take a container example: somebody does a terminal shell into a container.
Another event: a shell was spawned into the container. There's also, in the second line from the bottom, you see the pod name, all the information about your Kubernetes environment.
Any reaction? The key here is, and here comes my next question: the one thing is the system calls, but the other thing is mapping the system calls into this information. That's the threat detection engine, but we don't need a Kubernetes integration for this type of information, and we see everything in there. So you just install it and get all this information.
So no Kubernetes integration needed, and you see all the information with the agent from Falco. But going a step further: the Falco community extended Falco to use plugins, and now you can use plugins. A plugin works like a web server which takes information; you point the information stream to this web server. Falco takes the information and the detection rules work on it. We built an integration now also for the Kubernetes audit logs, so we can not only trace the system calls.
We also can trace and detect anomalies, or I call it suspects, in the audit log from Kubernetes intake. If somebody deletes a namespace, if there are namespace changes, they are all coming up now in this threat detection engine. Or, for example, if somebody does a config map, and in this example there are private access keys in there in the second line. I'm not sure if you see my monitor; in the second line you see their private access key, which should not be in the config map.
So this type of rule is in there, and that's the information we can take from the Kubernetes audit logs, and you get all the events from the audit logs and can then react on it: click or shell, trigger a command. So it's not only system calls anymore. It is also Kubernetes audit log information in there.
That's what Falco shows you and extends into it, but Falco doesn't stop up there. The plugin structure extends it also into the cloud, so we can now trigger cloud alerts and monitoring, cloud events, monitoring cloud resources. So system calls, Kubernetes and cloud events. But what do I mean by cloud events?
So we are taking the CloudTrail events and pointing cloud files, basically with the plugin, into Falco as a stream, and then you get the events for S3 buckets. You get the SNS events, local file systems, but you also can build your own rules. And if you, for example, let's take the cloud event: if you use Lambda, I'm not sure if some of you are also using Lambda, if you have exposed S3 buckets, then you can put up code and execute it in Lambda, such types of events.
Best practices: these are a list of common rules. There are many more with Falco. Falco loads the rules in YAML files, and you can change the YAML files, edit YAML files, add your new rules. Like I had the bin directory, you can say: use my data directory. There should be no access from this one, and it triggers an event on it. And these are common rules, or if there is a new CVE which does a reverse shell.
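A custom rule of the kind the speaker describes, written here as an added example (it is not from the talk and not part of Falco's default rule set); the /data directory, the allow-listed process names and the rule name are assumptions:

```yaml
# Added example, not from the talk: a custom Falco rule that alerts on
# writes below a hypothetical application data directory (/data is an
# assumption). Falco loads rule files in YAML; a list and a macro keep
# the condition readable and make the allow-list easy to extend.
- list: data_dir_writers
  items: [postgres, redis-server]   # assumed legitimate writers

- macro: open_write_data_dir
  condition: >
    evt.type in (open, openat, openat2)
    and evt.is_open_write=true
    and fd.name startswith /data/

- rule: Write below data dir
  desc: >
    A process outside the allow-list opened a file for writing under
    /data. Container fields in the output locate the affected workload.
  condition: >
    open_write_data_dir
    and not proc.name in (data_dir_writers)
  output: >
    File below /data opened for writing
    (user=%user.name command=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, data, custom]
```

The rule file can be checked before deployment with `falco -V <rules_file>`, which validates the YAML and the field names without starting the engine.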
That's not different on the exploit side; they may be more exposed, and then you can say: I have a pattern for this one, and Falco triggers the event. The one thing I have to say: open Falco is a work in progress at the moment. Not all system calls are implemented. You can implement additional ones. It's work in progress, so the community adds more and more system calls, but not all system calls are in there.
If you open up Falco, there's a command which shows you which system calls are integrated yet, and so you know what you can capture and what you can't capture. If you want to capture more, there's an additional tool called sysdig; some use it as a debugger. Sysdig shows you everything which goes on in the kernel, what you have seen at the beginning, but again you can build your own rules based on the system calls seen. And if you talk about exploits, exploits very often use the same pattern.
So then it's easy to catch them, but you also can catch if somebody changes the container; we call it container drift. Somebody changes the /etc directory, the config files. Then you know something changes in your running container, and these are the common rules we see out there. One thing I just forgot to mention: there are now more and more rules which are also looking into the application space. You see Redis, you see MongoDB, Elasticsearch. So these are specific events.
If something happens in the Elasticsearch containers, these rules are all built by the community. You can extend it, you can add things, but with Falco you get all of them. If you have Falco installed, you just change the YAML files from time to time and you get the new rules in it, or if there are new system calls implemented, then you would install a new version of Falco. One thing on Falco: Falco runs on each node, so the log information ends up on each node, in each Falco node.
How can I consolidate all this information into a common place? For this one, the community developed an add-on which is called Falcosidekick, and Falcosidekick has on the one side the UI, but Falcosidekick also has the capability to consolidate all this information from the Falco agent, we call it agents, into a central place, and you can define: it goes into S3, it goes into an object store, and also trigger events, trigger a Slack message, trigger a Mattermost message. That is what Falco does, and here I show you.
The UI gives you also a graphical interface. I have the sources over there. I see the priorities; there's also a breakdown of events. Is it a list event? Is it vulnerabilities? So this type of information you see in there, and at the same time also the events. Let me say the graphical way is much nicer. You see more information in there, but it consolidates the information from all single nodes, and it is the kind of event engine to trigger other events out there.
You don't have to use Sidekick; there's a Go client in there, or you do your own integration, or you put it into Elasticsearch or whatever. But then you don't have immediate reactions.
When you install Falco, you have multiple possibilities. The one possibility is you install it on the base operating system: you don't install it in a container, you just install it on the base operating system and run it as a service. This is the most secure way, because there's no Kubernetes control for it. You just run it at the operating system. You see all the events like I showed you. You see everything, but at the same time there is also a certain complexity to manage it, to maintain it.
So what we see in the industry: most people deploy Falco as a container in Kubernetes, use the Helm chart and deploy it in Kubernetes. They go with the risk: if somebody comes into the API server and stops it, that's a certain risk. Most secure is at the Linux level; from an administration level, that's what we say is a medium type. Most guys out there use Kubernetes and run Falco as a pod up there; that's most deployments we see out there. For the installation:
You go to the Falco website; there are Helm charts available, examples for the different Linux releases up there, so it's quite easy to install and to run it.
In this way, documentation is on falco.org; there's a lot of documentation. I also recommend reading the blog posts. The blog posts, in my opinion, give you a lot of examples: what to monitor, how to catch certain CVEs, but also a lot of blog posts actually show you how to catch the latest CVEs.
What has been changed in the configuration files, in the YAML files, in the rules to catch it, and they give you examples: how do I catch this CVE? How do I catch this one? So my recommendation is to keep kind of up to date, taking the blog posts from the Falco community. You also can, I would recommend, also read the blog posts from Sysdig. We are strongly involved in Falco. We have a lot of examples on the latest CVEs and how you can catch them.
In terms of getting started: falco.org, you do an apt-get and it's running on Linux. If you want to have a first look, just try out Falco as I said on the installation page, start Falco and go for it, meet the developers at Slack. But you are also invited to contribute features, share it, or build your own plugins. The plugin structure is simple in the end; most plugins work as a web server, take events and turn them into the Falco engine.
That's what's behind Falco, so super easy to run. If you want to get more information, more details, you can find us, any idea where you'll find us? Here. Come up to the fourth floor. We can show you live and talk in detail. And coming back to my book Blackout, has somebody read it? What is it about? Hackers turning off the energy in Europe for months, so no hospitals having energy, and you can imagine what's going on: you go to a gas station and you don't get energy.