►
From YouTube: Cloud Native Security with Falco — Tom Llewelyn 1.2.4
Description
What if we can detect abnormal behavior in the application, container runtime, cloud & cluster environment using the same method? In this talk, we’ll present Falco, a CNCF project for runtime security.
We will show how to use Falco to tap into Linux system calls, the Kubernetes audit logs, and cloud events to provide low level insight into application and platform behavior, and how to write security rules to detect abnormal behavior.
Falco is also featured in the CKS exam curriculum, so this session should be useful not only for securing your cloud native infrastructure, but also in passing the CKS!
A
So
so
yeah,
so
it
gives
it
gives
me
great
honor
to
you
know.
I
got
to
talk
to
one
of
my
friends
earlier
today
when
when
katie
chong
was
talking
and-
and
I
get
the
opportunity
again
to
introduce
a
good
friend
of
mine
tom
lewellen,
he
works
in
our
in
sorry.
The
sistig
uk
team
and
today
he's
going
to
be
talking
about
cloud
native
security
with
falco
so
tom
over
to
you.
B
C
Yes,
thanks
for
the
intro
chris
as
yeah
as
chris
mentioned
yeah,
so
I
work
alongside
chris
insisting
and
the
focus
today
is
going
to
be
on
the
falco
project,
which
is
one
of
the
open
source
projects
that
was
originated
in
systig,
but
we
donated
it
to
cncf,
and
it's
now
very
much
a
cncf
run.
Projects
that
we
still
contribute
heavily
to
and
falco
is
very
much
focused
on
runtime
security
in
the
cloud
native
space,
so
we'll
delve
into.
C
C
This
there's
the
prevention
side
of
things
where
you're
actually
trying
to
modify
the
behavior
of
a
system
by
stopping
things
from
happening,
so
you
know,
could
be
killing
processes
it
could
be
just
blocking
system
calls,
you
know,
actual
doing
things
on
the
system.
The
other
aspect
is
detection,
where
you're
looking
at
what's
happening,
live
on
a
system
and
then
looking
to
detect
things
that
look
suspicious.
So
you
know
it
could
be.
C
A
process
suddenly
starts
talking
to
a
new
network
or
accessing
files
and
modifying
binaries
with
you
know
those
sorts
of
strange
behaviors
and
picking
up
on
those
two
and
they're
not
they're,
two
different
approaches
and
you
need
both
in
a
system.
So
you'll
need
prevention,
style
systems,
you
know,
guard
rails
and
so
on.
C
So
just
looking
at
a
few
examples
of
tooling
within
this,
the
linux
world
that
deals
with
this,
these
kind
of
security
enforcement
capabilities,
you
have
things
like
sec,
comp
and
sec
bpf,
which
are
involved
in
you
know.
Filtering
system
calls
so
you're,
actually
blocking
system
called
se
linux,
which
is
very
much
a
you
know,
a
linux
security
suite
and
you
know
it's
vastly
capable
in
terms
of
doing
mandatory
access,
control
and
label-based
security
profiles
and
so
on
app
armor,
a
similar
sort
of
thing,
but
takes
more
of
an
application,
wrapper
approach.
C
C
It's
very
much
taking
a
stream
of
data
and
looking
for
anomalous
activity
within
that
stream,
as
you
can
see
from
there,
though,
you
know
the
list
of
tools
that
do
this
kind
of
detection.
There's
still
there's
a
lot
to
be
done
in
this
space,
and
you
know
we're
working
in
inside
systing
on
a
lot
of
things
like
you
know,
machine
learning,
capabilities
to
be
able
to
piece
together
the
anatomy
of
an
attack
across
multiple
steps.
C
So
you
know
you
if
you
see
this
behavior
followed
by
this
behavior,
and
then
you
know
this
could
be
a
an
escalation
followed
by
a
lateral
movement.
Those
sorts
of
attack
vectors,
where
trying
to
piece
that,
together
and
from
a
detection
point
of
view,
becomes
extremely
important.
As
and
yeah
as
you
see
on
the
bottom
of
the
slide
there,
you
can't
rely
just
on
prevention,
so
assuming
that
you've
put
all
the
prevention
in
place
and
that
you're
done
is
never
enough.
You
need
the
detection
rules
in
there
as
well
and
yeah.
C
Just
as
an
analogy
to
that,
you
know
I've
locked
all
my
doors,
but
what?
If
somebody
you
know,
if
I
leave
one
open
or
if
somebody
manages
to
break
a
window,
then
if
I've
got
a
dog
in
my
house,
then
that
dog
can
alert
me
to
what's
going
on.
So
that's
you
know
it's
it's
the
two
that
you
need
both
are
useful.
You're
not
gonna,
rely
on
your
dog
to
secure
your
house,
but
you
can
you
know
you
can
use
one
to
detect.
What's
going
on,
you
get
the
idea.
C
So
moving
on
to
falco
and
what
it
does
so.
The
first
aspect
that
falco
deals
with
is
the
system
called
stream
coming
from
the
linux
kernel
and
the
reason
that
we,
this
was
chosen
as
an
information
source
is
because
it's
fundamental
to
everything:
that's
happening
on
a
linux
system.
So
if
you
look
at
trying
to
secure
a
container
workload
on
us
running
in
kubernetes
on
a
host,
there's
a
whole
lot
of
layers
there,
but
fundamentally
you've
got
a
process.
C
That's
running
on
a
linux
kernel
and
in
order
to
interact
with
the
outside
world,
it
has
to
make
system
calls
and
so
that
system
called
stream
is
going
to
tell
us
an
awful
lot
about.
What's
going
on
in
that
host
and
what's
that,
what
that
process
is
up
to,
and
so
then,
by
starting
from
that
kernel
system
call
we
can
see.
You
know
what
processes
are
running.
C
What
I
owe
them
is
going
on
there,
what
network,
they're,
accessing
and
so
on,
and
you
know,
there's
a
complete
picture
that
you
can
build
up
just
from
that
system
called
stream.
So
it's
an
extremely
rich
source-
and
this
was
one
of
the
fundamental
things
that
systig
started
out
doing
was
tapping
into
that
system
called
stream
and
making
sense
of
it
and
tagging
that
data
with
all
the
the
kind
of
the
layers
or
as
you
build
up.
So
you
know
this
is
a
process
it's
running
in
a
container.
C
That
container
is
running
as
part
of
in
this
pod,
which
is
part
of
this
deployment,
which
is
in
this
name
space.
All
of
that
sort
of
complete
layering
up,
but
fundamentally,
if
you've
got
that
system
called
that's
where
we
start
from,
and
so
one
of
the
things
that's
just
that
falco
is
able
to
do
is
instrument
at
that
kernel
level,
and
it
does
this
in
two
ways,
so
you
can
either
insert
a
kernel
module
and
there
are,
and
we've
open
sourced
this
kernel
module
as
well.
C
So
you
can
then
insert
that
into
your
kernel
that
enables
a
ring
buffer
that
exposes
that
system
called
stream
into
user
space,
which
is
then
fed
into
falco
or,
conversely,
for
more
modern
kernels,
where
we
have
ebpf,
which
is
where
we'll
be
moving
in
future,
is
using
an
ebpf
probe,
which
then
gives
us
that
standard
interface.
So,
rather
than
having
to
insert
modules
into
your
kernel,
you
can
just
pull
that
same
data
stream.
C
Out
of
that
out
of
the
kernel,
either
way
we're
getting
the
full
system
called
stream
and
then
feeding
it
into
falcon,
and
then
you've
got
a
couple
of
libraries
in
there.
So
the
best
cap
and
lib
esp
essence,
which
are
the
the
analysis,
libraries
that
then
will
categorize
and
you
know
and
structure
that
data
as
it
comes
out
and
then
we'll
have
a
rule
set
that
you
can
give
to
falco,
which
you
can
then
use
to
spot
particular
behaviors.
So
it's
pattern
matching
essentially
against
that
data
stream.
Within
that.
C
The
second
source
that
we've
we're
able
to
ingest
with
cystic
er
sorry
with
falcon,
is
the
kubernetes
audio
logs.
So
this
is
a
standard
api.
That's
coming
a
standard
feature
of
the
kubernetes
control
plane.
Now,
where
all
security
relevance,
data
is
being
dumped
out
of
this
stream
in
chronological
order,
and
so
we
can
see
all
of
the
activity
generated
by
users,
applications
etc
for
all
api
interactions
that
are
security.
Relevant
will
be
passed
out
of
that
kubernetes
api,
so
the
api
log.
C
So
essentially,
this
is
stuff
that
is
manipulating
etcd,
which
is
where
the
the
fundamental
state
of
your
kubernetes
cluster
is
being
stored.
That's
going
through
cube,
ati
api
to
as
the
front
end
to
that,
and
then
all
manipulations
that
are
going
into
that
come
out
of
that
audit
log
and
again
so
this
is
now
a
very
rich
data
stream
of
you
know
all
deployments
that
are
happening
any
edits
to
objects,
config
maps,
creation
of
secrets,
anything
that's
being
deleted.
C
All
of
those
sort
of
security,
relevant
data
is
all
included
in
that
audit
log
and
it's
being
and
can
be
fed
out
to
sys
to
falco
so
that
it
can
ingest
it
and
then.
Finally,
this
is
a
fairly
new
capability
that
we've
added
recently
where
falco
is
now
starting
to
be
able
to
ingest
cloud
logs.
So
aws
cloud
trail
was
the
first
one
where
we
have.
You
know
all
of
the
audit
logs
from
your
aws
cloud
accounts.
So
this
could
be
things
like
you
know:
creating
elbs,
exposing
s3
buckets.
C
I
am
role,
creation,
etc.
Users
logging
into
your
account
and
then
what
do
they
do
when
they
log
in
all
of
that
kind
of
low-level
cloud
account
activity
is
a
new
data
stream
that
we
can
ingest
so
aws
is
there.
Gcp
is
coming
and
azura
very
shortly
and
I
believe
a
gcp
may
already
be
released
and
again
what
this
gives
us
is
yet
another
data
source
that
you
can
ingest
with
falco
and
then
look
for
suspicious
anomalous.
C
Behavior
in
terms
of
you
know,
what's
being
deployed
into
your
aws
account
what
edits
are
being
made
to
the
resources
within
that?
Are
people
manipulating
policies?
Are
they
deleting
logs?
You
know
all
of
that
sort
of
stuff
that
you
can
then
look
again
for
writing
rules
against
trying
to
spot
anomalous
behavior
so
bringing
this
all
back
together
in
terms
of
the
falco
architecture.
C
So
you
can
see
that
if
we
go
kind
of
bottom
left
upwards,
so
we've
got
data
being
ingested
into
a
falco
instance,
so
that
could
be
from
the
kernel
on
the
host
where
you've
got
falco
running
or
it
could
be
external
data
sources
coming
in
via
http
via
rest
apis.
So
the
you
know
the
cloud
audit
logs
or
kubernetes
audit
logs,
which
are
being
fed
into
those
that
ingestion
service.
C
That's
then
categorizing
that
data
and
making
it
in
usable
and
that's
then
fed
into
the
filter,
expressions
which
are
built
from
the
falco
rules.
So
the
help
the
falco
rules
get
loaded
in
at
start
time
that
essentially
determine
your
runtime
policy
and
then
essentially
we're
looking
for
pattern
matches
of
my
policy
against
the
event
stream
and
then,
when
we
detect,
you
know
when
a
policy
triggers
a
rule
triggers
because
the
conditions
have
been
met
in
that
data
stream.
We
we
can
then
trigger
an
alert,
and
so
this
is
why
you
know
so.
C
C
There's
a
very
good
open
source
project
called
falco's
sidekick,
which
we'll
talk
a
bit
more
about
which
can
which
you
can
ingest
falco,
and
then
that
has
integrations
with
all
sorts
of
third-party
capabilities,
and
you
can
also
do
things
like
create
prometheus
metrics.
You
can
push
out
metrics
from
it.
C
C
So
you
can
see
in
this
rule
here
we
rule
file
here
we've
got
a
few
macros
being
created,
so
I'm
looking
for
things
that
are
a
container
looking
for
things,
writing
to
fifos
and
so
on
so
and
each
of
these
macros
has
a
condition.
So
that's
a
what
are
we
looking
for
in
the
pattern
match
and
one
of
them
is
looking
for
a
container
id.
C
Other
conditions
are
looking
at
the
process
command
line,
and
then
here
we've
got
our
full
rule
for
container
drift
detection.
So
this
is
essentially
it's
an
event.
Type
is
open
or
create
and
open.
Exec
is
true.
It's
a
container,
it's
not
writing
to
a
fifo
and
it's
not
writing
to
valid
docker
and
the
raw
res
is
greater
than
or
equal
to
zero.
So
then,
essentially,
this
is.
C
Can
we
spot
a
new
file
being
opened
a
certain
binary
essentially
created
within
a
container,
and
if
I
click
on
this,
hopefully
this
will
switch
me
into
a
nice
pre-record
of
this.
So
I
decided
not
to
anger
the
demo
gods
and
try
and
actually
do
a
live
demo,
but
this
will
play
us
a
nice
little
execution
of
that
rule
that
we
just
saw.
So
essentially
we
already
have
the
rules,
so
we
sent
falco
comes
with
a
default
rule
set,
which
is
quite
large
and
complex.
C
And
you
can
see
that
there
we
go,
we've
created
a
falco
instance.
That's
now
there
and
running,
and
now
we're
going
to
spin
up
a
container
and
within
that
container,
we're
then
going
to
create
a
new
executable
file
and
then
try
running
it
so
created
a
file
created
a
container
we're
now
running
in
the
shell
inside
the
container
and
my
colleague
that
developed
this
forgot
that
he
doesn't
have
vim
inside
his
container.
So
he
has
a
couple
of
aborted
attempts
to
create
the
file.
C
And
then
we
compile
that
and
then
run
8.8
the
output
of
the
compiler,
and
you
can
see
straight
away
when
that
executable
ran
inside
the
container.
It's
now
triggered
my
rule
in
falco,
and
I've
got
that
detection,
as
I
you
know,
which
has
got
the
variable
substitution
in
it.
So
you've
got
the
context
of
what
was
going
on,
and
so
you
know
it's
pretty
simple,
so
this
is
just
in
a
single
standalone,
falco
local
container
running
on
its
own.
C
But
you
know
in
terms
of
that's,
you
know
sort
of
my
first,
my
first
falco
rule,
but
you
get
the
idea
of
you
know.
This
is
fairly
simple.
When
you
know
it's
the
classic
thing
of
try
and
do
one
thing
well,
which
is
what
falco
aims
to
do,
which
is
that
detection
piece
giving
you
that
rich
capability
of
starting
from
a
very
fundamental
information
source
and
building
up
from
there
in
terms
of
then
developing
policy
and
having
rules
to
do
things?
C
As
I
say,
falco
comes
with
a
default
rule
set
which
gives
you
quite
a
lot
of
additional
rules,
not
just
the
one
we
saw
there.
There's
also
the
cloud
native
security
hub,
which
is
a
systick
sponsored
website
where
we
have
policy
being
developed
and
so
on
there.
You
can
go
in
and
look
for
specific
use
cases
and
find
falco
rules
amongst
other
things,
and
you
can
see
you
know,
there's
things
there
for
fluently
elastic
and
so
on.
C
There's
also,
quite
often
when
a
new
cve,
a
critical
cv
is
discovered
that
has
a
large
impact.
There
will
be
a
blog
post
written
by
somebody
assisting
who
then
will
develop
a
specific
falco
rule
to
detect
the
exploit
of
that
cbe,
and
then
that
will
be
pushed
out
to
this
as
well.
So
you
know
with
this
over
time.
This
resource
should
be
building
up,
but
you
can
contribute
to
this
as
well.
So
you
see
on
yeah
on
the
site.
C
Installing
it
is
fairly
straightforward,
so
debian
or
red
hat
systems,
there
are
rpms
and
d
packages
available,
so
you
can
just
app
get
or
yum
install
it.
If
your
distro
doesn't
have
those
available,
then
you
can
just
run
a
shell
script
that
will
pull
down
the
latest
binary
and
install
it
for
you
into
locally.
And
finally
you
can
you
can
run
it
as
a
docker
container
as
well.
C
If
you
want
to
install
it
onto
kubernetes,
then
we
also
have
home
charts
available
or
you
can
just
go
and
grab
the
demon
set
and
apply
that
directly
so
depending
on
which
you
prefer,
but
again
so
running
falco.
As
a
system
d
process
gets
you
a
better
isolation
and
you
know,
means
you're
running
low
level
on
the
host
outside
of
the
container
runtimes.
C
Actually,
when
it
comes
to
kubernetes,
you
can
then
just
deploy
it
out
as
a
demon
set
onto
the
kubernetes
cluster.
That
demon
set
will
require
privileged
access,
of
course,
because
it
is,
it
still
needs
to
hook
into
the
kernel
on
the
host.
So
it's
going
to
require
that
root
level.
Access
to
do
that.
C
And
then
in
terms
of
additional
things,
so
this
this
is
just
an
and
this
slide
that
will
hopefully
be
made
available,
but
there's
a
whole
load
of
additional
tools
that
you
can
use
to
then
help
you
manage
and
create
and
deploy
falco
into
your
environment,
so
falco
ctl
for
just
controlling
things
sidekick,
as
I
mentioned
earlier.
So
this
has
got
a
whole
load
of
integrations
into
third-party
things.
C
So,
once
you've
triggered
a
rule,
you
can
pass
it
into
sidekick
and
that
can
integrate
into
various
other
workflows
so
that
you
can
trigger
other
things
and
then
other
clients
and
so
on
also
a
prometheus
exporter,
which
can
be
very
useful
in
terms
of
then,
if
you're
using
prometheus
as
your
monitoring
tool
as
your
monitoring
framework,
then
you
can
feed
those
events
into
prometheus
as
well
and
start
dashboarding
it
and
so
on
so
yeah,
just
a
quick
mention
of
sidekick.
So
this
is
a
community
contribution.
C
It
came
from
somebody
not
connected
with
cystic
at
all
who's
developed
this
as
a
way
to
integrate
falco
into
things.
Like
slack
elastic.
You
know
you
can
see,
there's
a
whole
load
of
lists
of
integrations
on
there,
so
it's
extremely
powerful
and
capable
and
yeah
there's
a
growing
list
of
that,
because
there's
been
a
nice
architecture
for
adding
these
integrations
into.
C
So
that's
extremely
useful
and
you
can
see
that
yeah.
What
just
just
the
explanation
of
what
that
falco,
sorry
that
sidekick
capability
is
going
to
do
is
actually
then
take
the
events
out
of
falco
and
publish
them
into
you
know
an
sns
topic
or
a
teams
channel
or
whatever
else
you
want
to
push
that
event
to,
and
that
could
then
have
you
know
third
part
additional
workflows
triggered
from
that
event.
C
C
If
you
want
to
build
one
by
yourself,
another
thing
you
can
do
so
cm,
so
the
security
information
and
event
management.
So
there's
a
number
of
products
out
there
available
for
doing
this
kind
of
event:
management
where
you
essentially
they'll
all
ingest,
a
stream
of
events
from
various
sources
and
then
help
hope
to
correlate
events
and
respond
to
things
when
you
have
a
security
breach.
C
If
you're
looking
to
do
that,
building
with
your
own
open
source
stack,
then
you
can
use
efk
for
that.
So
you
can
push
the
events
out
of
falco
and
then
use
that
to
construct
your
own
seam.
So
if
you
are,
you
know
of
a
build
it
yourself
bent.
Then
please
do
that
and
then
you
can
see
that
yeah
you've
got.
You
can
start
looking
at
generating
those
charts
and
pictures
of
what's
going
on,
and
you
know
what
rules
are
being
triggered.
C
So
you
can
then
start
seeing
threat
maps
of
what's
happening,
live
on
your
systems
and
so
on
and
what's
going
on
over
time
and
there's
a
whole
load
of
resource
out
there.
So
again,
there's
a
whole
lot
of
links
here
that
we
will
be
able
to
provide
you
with
after
the
event
talking
about
you
know
the
various
technologies
that
falco
is
built
on
things
about
ebpf
and
so
on
and
various
other
sources
of
information
around
falco.
C
It
is
a
growing
project
in
terms
of
both
you
know,
usage
and
contribution,
and
you
know
the
momentum
it
has
is
growing.
So
please,
if
you
want
to
get
involved,
there
are
a
number
of
ways
you
can
contribute
so
falco
rules.
As
I
mentioned,
we
have
that
security
hub
where
we're
always
looking
for
new
use
cases.
So
if
you
start
using
falco,
you
develop
something
yourself
and
you
think
it's
useful
to
the
community,
please
to
contribute
it
back.
C
If
you
want,
if
you
have
a
new
integration
that
you'd
like
to
see
in
sidekick,
well,
you
know
you're
free
to
develop
it
yourself
and
contribute
it
back
as
well,
and
then
we're
always
looking
for
additional
use
cases,
workflows
third-party
integrations
documentation
and
so
on.
So
it's.
If
you
would
like
to
contribute,
then
there
will
always
be
plenty
for
you
to
do
so.
Please
contact
the
project.
Maintainers
and
they'll
be
happy
to
give
you
something
to
do
so.
How
are
we
doing
for
time?
Yeah,
just
a
few
minutes
left.
C
So
most
of
what
I've
been
telling
you
about,
you
know
the
third
party
integrations
and
you
know,
building
your
own
seam
and
all
of
that.
Well,
all
of
that
integration
work
and
that
policy
management
work
comes
out
of
the
box
with
systig
secure
and
we
also
add
in
additional
capabilities
like
image
scanning
for
vulnerabilities
and
misconfiguration
cloud
compliance
from
a
static
point
of
view.
So
you
know
things
like
cis
benchmarks
and
compliance
standards
for
your
cloud
accounts
and
for
your
workload
platforms
and
then
in
terms
of
what
we
do
with
falco.
C
C
C
A
I
don't
see
any
questions
on
slack
or
in
youtube,
but
folks
are
online.
Please
feel
free
to
ask
questions
in
either
of
those
portals,
as
as
tom
had
just
there.
If,
if
you're
watching
this
on
the
replay,
you
can
also
ask
questions
in
the
falco
falco
slack
channel,
which
is
over
on
the
kubernetes
slack
group
rather
than
the
cncf1
but
yeah.
Thank
you.
Thank
you
very
much
tom.
It
was
a
great
presentation
josh,
I'm
not
sure
if
you've
got
anything
else
to
add
to
that.
D
D
If
you
want
to
head
over
to
the
track
one
youtube,
I
will
post
the
link
in
the
in
the
youtube
chat.
You
can
also
find
it
again
on
kcduk.io,
we'll
be
finishing
off
and
curry's
talk
on,
kubernetes
is
doomed
and
then
we'll
be
kicking
off
with
with
the
pub
quiz.
So
we'd
love
to
have
all
of
you
over
there
to
join
us
for
that.
But
thank
you
very
much
and
and
that's
chris
and
I
are
out
for
today.
I
think
pop.