The role of Real Time Defense in Cloud Security


In this episode from KubeCon Paris 2024, we spoke to Loris Degioanni, Co-Founder and CTO of @sysdig, about the open source project Falco, which celebrated its graduation this year at KubeCon EU. Loris shared this proud moment with us and the journey from writing the first lines of code to Falco's critical role in protecting Kubernetes environments, as well as the future roadmap post-graduation. We spoke about the gap between traditional security measures and the dynamic needs of modern infrastructures.

Questions asked:
00:00 Introduction
01:13 A bit about Loris
01:44 What does graduation mean for Falco?
02:58 What is Falco?
04:59 eBPF and Falco
06:01 Why is eBPF secure?
07:11 Runtime Security in Kubernetes
10:32 ROI for leaders for Runtime Security Tools
12:50 Preventative Security vs Runtime Security
14:08 Runtime Security in Modern Environments
16:42 What's the future for Falco?
18:31 The Fun Questions

Loris Degioanni: [00:00:00] A lot of security tools are based on the concept that they will give you the information about something that happens today, but they will give it to you tomorrow. When an attack lasts for 10 minutes or less, that's completely useless; tomorrow your data is gone. A lot of the focus in tools like Falco is the runtime, where you can observe, collect this data instantly, in a matter of seconds, and have the right information to take your action very quickly instead of having to wait until tomorrow.

Ashish Rajan: preventative security versus runtime security. Do you need both?

If you haven't heard about Falco, it is an open source runtime security tool from the CNCF community, and it just graduated.

In this episode we had Loris Degioanni, who is the co-founder and CTO of Sysdig, the company behind Falco. We spoke about the future of Falco, why people care about Falco so much, why it is important right now to look more at runtime security in the world of Kubernetes and containers, and a lot more.

In this conversation with Loris, we also spoke about things like, what are some of the challenges when you work [00:01:00] in that runtime security space, container space? And where do you see the world going now that Falco has graduated? All that and a lot more in this episode with Cloud Security Podcast. This is a KubeCon Paris special 2024.

We are here covering this. So this is definitely a great conversation to talk to a project that just graduated.

Welcome to Cloud Security Podcast. If this is the first time you're listening to us, welcome; if you're listening to us for a second or third time, subscribe, follow, and do the lovely things that you always do for audio and video.

I'll see you next episode.

Welcome to the show. It's Cloud Security Podcast talking from KubeCon. Maybe a bit of an intro about yourself and where you are these days, and what your path to your current role was? That'd be great to start off, just to get some context.

Loris Degioanni: Absolutely. First of all, thank you for having me.

My name is Loris Degioanni, and I'm CTO and founder at Sysdig.

Ashish Rajan: Falco is graduating, so I imagine that's probably where I have to start. It would be a proud moment. What does graduation mean for Falco?

Loris Degioanni: Yes, it's a proud and happy moment. Definitely this KubeCon is a little bit special for us, and graduation [00:02:00] is the last step. A project that graduates with CNCF has, according to the Cloud Native Computing Foundation, a level of stability and also a level of maturity in governance that is essentially the highest level.

So when a project graduates, it means that it can be used at any scale by any organization in the world. It also means that the community has been deemed to be capable of maintaining this project in the long term. And so it's safe to use Falco, because you know that it's not going to disappear overnight, and this achievement is the pinnacle of many years. Actually, Falco was originally contributed to the Cloud Native Computing Foundation in 2018. So it's been several years of work, both on the technical side but also on the community side. And now Falco is used by thousands of users around the world.

And it is a strong community with contributors from many different companies.

Ashish Rajan: Wow. And [00:03:00] maybe for the few people who do not know Falco, a bit of context for Falco. How would you describe Falco to people who may not have heard about it, but who are in the cloud native space as well?

Loris Degioanni: Falco can be seen as a security camera for your cloud infrastructure. Okay. So the same way that you protect a building or a city by placing cameras that can collect video from different angles. Yeah. And then you reconstruct, like maybe malicious activity and you can use this information then to take action.

Yeah. So Falco is sensors, probes, that you deploy across your infrastructure. Some of these probes run on your Linux machines and use eBPF to collect data. Some of the probes connect to your cloud services, for example using facilities like CloudTrail in AWS to collect information. Some other probes are connecting maybe to Okta or GitHub and so on.

All of these probes are able to collect this information and then apply what we call rules. So you can create a rule to define a [00:04:00] behavior that is unwanted or dangerous. Examples of rules are detections, I don't know, of whether a shell has been spawned in your Redis containers, or whether somebody has logged in to your AWS infrastructure without multi-factor authentication, or whether a password or a secret has been committed to a GitHub repository.

These are all examples, and as you can see, it's a diverse set of things. The Falco sensors can evaluate these rules, apply these policies, and generate alerts if the policy is violated. Then these alerts are collected in a centralized place, like the security camera videos, and they can be used for compliance, for alerting and notification, for troubleshooting, or even for taking actions. So there are integrations, like the Falco Talon project, that allow you to do automatic response by receiving Falco alerts and then taking an action like, I don't know, stopping the container or killing the process and so on.

Ashish Rajan: So another [00:05:00] thing that keeps coming up in the conversations is something called eBPF as well. Yeah. So what is eBPF, and how does that play into the whole Falco world?

Loris Degioanni: eBPF stands for Extended Berkeley Packet Filter. It's a technology that is part of the Linux kernel. Yeah. And it was originally developed, as the name says, as a way to filter packets in the kernel, as a scriptable way to filter packets. It has evolved through the different generations of the Linux kernel, and now it's more like a powerful, generic virtual machine that can execute code in the kernel of the operating system. So it's one of the best ways to extend the Linux operating system, because it's almost like having a Java virtual machine in the kernel, right?

And you can create these scripts, or compile these programs, and then you inject them into the kernel. The beauty of eBPF is that it's just-in-time compiled, so it's very fast. The scripts run very fast, so they don't slow down the operating system and therefore the applications that are running on [00:06:00] top of the operating system.

But it's also safe, because eBPF is validated before it runs. Your typical kernel module, which you used historically to extend the Linux operating system, is potentially dangerous because you can run arbitrary code in the kernel of the operating system, and this code can crash the machine and can steal arbitrary information, while eBPF is designed to be validated before it runs, so it can only do certain things, and that reduces essentially the danger that you have when you run the script.

So it's become essentially the default way; it has really been embraced by the community as a way to extend the operating system, and Falco uses it for the instrumentation. So the data that Falco collects is collected through eBPF. We were essentially the first ones. Falco is a tool that, actually, not only among open source projects but even among commercial products,

was the very first one that started [00:07:00] thinking about leveraging eBPF for runtime security, essentially. And now it's something that is accepted by the industry, but Falco wrote the playbook for how to do eBPF for runtime security.

Ashish Rajan: Maybe because we're at KubeCon, a lot of emphasis is usually given to what you said about building an application, performance, observability and all of that as well.

How is runtime security in Kubernetes? Like, how would you describe that? Because is that the same as when people talk about DAST, when people talk about all the other things that happen dynamically? Yeah. How would you describe the whole container security and runtime security to people who probably don't even understand the concept?

Loris Degioanni: The power and beauty of containers and Kubernetes is that we can orchestrate scalable, dynamic software applications in a way that is much easier and much more powerful than before. Yeah. This brings many advantages, but also creates concerns, for a number of reasons. Number one, these applications are more and more composed [00:08:00] using different pieces.

Some are open source, some are software written by you, some come from dependencies. So software becomes more composite, and therefore it becomes complicated to just keep track of potential vulnerabilities, of the posture, of the risks that you have, and so on.

This is exacerbated by the speed at which applications scale up and down in Kubernetes, which makes visibility a challenge. So very often, just understanding what you have, where it's running, is it safe, are questions that are important and are not easy to answer.

In addition to that, one of the most powerful and beautiful features of Kubernetes, and in general of modern cloud infrastructures, is that everything is standardized and based on APIs, right? Which makes writing applications much faster, because we can use playbooks that are created by a whole community, but it also makes it much easier and much faster for the attackers to perpetrate [00:09:00] their attacks. Because in the past, in a maybe legacy data center application, the attacker had to come in some way, and then do reconnaissance and understand what's happening, and then move laterally, gradually, slowly,

and try to escalate the privileges and so on. In the cloud, you can do this kind of stuff through the APIs. The APIs in Kubernetes, so if you get inside the pod, you can write a script that does the reconnaissance in 10 seconds for you, and then you can escalate completely automatically; you don't even need to do so. As we automate more and more of our software, so do the attackers. So the speed of the attacks is becoming so fast that reacting is very hard. What does it mean in practice? It means that you cannot secure these infrastructures with traditional tools. And that's why there's a completely new wave of security tools for Kubernetes, for containers, for cloud and so on.

And these tools need to be precise but also quick. A lot of security [00:10:00] tools, even tools that you see here at the conference in the vendor booths, are based on the concept that they will give you the information about something that happens today.

They will give it to you tomorrow. When an attack lasts for 10 minutes or less, that's completely useless. Tomorrow your data is gone. So a lot of the focus in tools like Falco is the runtime, the real-time part, where you can observe and collect this data instantly, in a matter of seconds,

and so have the right information to take your action very quickly instead of having to wait until tomorrow.

Ashish Rajan: In terms of ROI as well, because a lot of people, to what you said, have been using traditional tools. They already have the focus on: it's been picked up today, I'll find out about it tomorrow.

What do you find leaders using as an ROI for going down the path of using runtime, like Falco or whatever else? It's an open source project that graduated, so there's a lot more trust behind it. There are a lot more people getting behind the idea that, hey, Falco is a great tool for the open source community to get behind in [00:11:00] terms of adoption of runtime. What's the ROI that people are able to share with the business, the board or otherwise, for why to go down this path?

Loris Degioanni: Traditionally, what we're seeing in terms of motion for cloud native security, when an enterprise adopts a cloud security strategy, is that normally people start by worrying about maybe shift-left security, because it's a matter of hygiene, right?

Controlling the vulnerabilities, making sure that the risk is under control and so on. And that's important, but the return on investment of runtime security is based on the fact that, of course, hygiene is key, but you cannot protect everything by just doing hygiene. In the end, your applications go into production, are executed, are run, and your attackers are there actively trying to exploit them.

So you cannot predict everything that the attackers will do. Runtime security is what protects your applications as [00:12:00] they run. And it's what protects your application from the unforeseen, from the zero days, from the unexpected ways, from the stolen identity, because your software has no vulnerabilities but you still have the human component, and so tools like Falco can take that component into account as well and help you figure out: okay, this credential has been stolen, now it's been used for reconnaissance, and that's what happened, and that's what data has been touched. All of this kind of stuff, detecting unforeseen, unpredicted actions and being able to create the trail and use this trail both to reconstruct what happened and for immediate protection, is something that only a runtime tool like Falco can do.

Falco is very much a key part of a good security strategy for cloud native.

Ashish Rajan: I guess you add to the whole eBPF flavor as well. We were talking about this earlier. Now that we understand what the ROI for having runtime security is: preventative security versus runtime security. Do you need both, [00:13:00] or do you just need one?

Loris Degioanni: Can you deploy only one? The answer is yes. As I was saying before, typical enterprises start from posture and shift-left security, then they go into runtime security. And I think that prevention and incident management is the third step, right? You can definitely implement a runtime security strategy with no prevention piece, and I think that is still very useful, because just the visibility and the detection ability that you get with just the detection side is valuable per se. But yeah, the situation where you want to be is where, as I was saying before, when the attackers automate everything, you also need to automate as fast as possible.

And so the prevention part: as part of the Falco project, there are tools like Falcosidekick, like Talon and so on. These are complementary tools that you deploy together with Falco for more of the response and prevention [00:14:00] phase. And normally I highly recommend that you use those as well, because it's really the best way to be protected.

Ashish Rajan: These days environments are a lot more complex as well. To your point about on-premise, where most of the network used to be protected from the internet, now most of the environment is almost assumed to be connected to the internet as well. On the flip side, is there any contextual thing that's missing these days when people do security?

For example, multiple clouds are getting involved, or multiple container types. Is there a lot more complexity? Because where I'm coming from with this is that preventative security, in my mind, makes sense when you have a great understanding of the environment. Yeah. But these days the environments themselves are like, I could have an application in Azure or in AWS.

Do you see that as well in the conversations you have?

Loris Degioanni: Yeah, for sure. Sometimes when talking about this, I describe it as: our legacy on-premise applications were more like a medieval castle, where you had your application, your castle, in the middle, and then you had a big wall around it and the little door, [00:15:00] exactly.

And everything goes through the door, and then you have all of your guns pointed at the door in case something can come in or go out. Modern cloud applications are more like an amusement park, where you have a lot of entrances, people going in and out, and everything is connected to the outside world, right?

So there's an inherent element of more complexity, you could almost say chaos. And the different attractions in an amusement park, every one is different, but you need to cover everything. So definitely, for example, in the Falco community, there's really an effort in the Falco development roadmap to integrate Falco.

A couple of years ago, we modularized the Falco engine with the concept of plugins, and plugins can be used to extend Falco to understand more of your cloud, more of your Kubernetes infrastructure and so on. So Falco started by supporting only eBPF, system calls, processes and applications and so on.

But Falco today has [00:16:00] plugins for GitHub, has plugins for the different clouds, has a plugin for Okta and so on. That's very important, because you're not able to create the full picture if you're only looking at one of these aspects. Yeah. And the other thing, again going back to the metaphor of the security camera, is how you secure an amusement park, right?

You cannot put up a wall with armed guards, because you want people to easily go in and out, right? That's the point of our cloud applications: not only our users but our developers need to go in and out easily, right? So the way you solve this problem, more and more, is by observing what's happening and having a clear, crisp understanding of what's happening.

And then, if something is wrong, try to take action as fast as possible.

Ashish Rajan: Awesome. And a final question: what's the future of Falco? You mentioned the roadmap. Now that it's graduated, what do you have in mind?

Loris Degioanni: Yeah, I think there are two dimensions. One is, as Falco graduates and the CNCF sort of certifies that Falco is [00:17:00] a tool at the same level as Kubernetes or Prometheus in terms of being able to use it in production,

it's important for us to devote time to deploying Falco and using it, and that also means the overhead and the ease of leveraging functionality. So all of this kind of stuff, that is enterprise integrations, the ability to send data to the other tools in the ecosystem, all of this becomes important, because Falco is a grown-up project, and grown-up projects are not only a matter of sexy features but also just usability in the most demanding infrastructures in the world.

Yeah. And from more of a features point of view, I think that scope and breadth is what we want to keep expanding. So the ability to have more and more detections, more and more policies and rules. Falco comes with a flexible rule-based engine, so we want to extend this engine to become more flexible, to be able to detect more things in more environments. [00:18:00]

So not only, let's say, containers and Kubernetes, but also Linux hosts and on-premise infrastructure, and then cloud services and other applications. I don't know, Falco for Slack, yeah, to be able to detect stuff like somebody uploading maybe a sensitive file to Slack.

Yeah. You could have a Falco integration and a Falco rule for that. So these are all directions where we see Falco going, in terms of offering more and more scope and covering more and more aspects of a modern, not only cloud infrastructure, but development team.

Ashish Rajan: Thank you for sharing that.

I've got three questions for you. These are fun questions, so we get to know the fun side of Loris as well. What is something that you spend most of your time on when you're not working on solving the Falco challenges of the world?

Loris Degioanni: I'm an outdoors lover, especially now that we are in the winter.

I ski, I love skiing with my family, with my kids. So that's normally the way I spend my time outside work. And in general, anything mountains.

Ashish Rajan: Anything mountains. Awesome. The next question I have is what is something that you're proud of that is not [00:19:00] on your social media?

Loris Degioanni: Falco. We wrote the first line of code as an experiment in 2016, and being here now, eight years later, celebrating the graduation, has been a process that makes me proud personally for having started this project, having written the first line of code. But I'm also very proud of just the community that has gathered around this tool and what they were able to accomplish, on the technical level but also on the human level.

So just being part of this team makes me very proud.

Ashish Rajan: Wow. Yeah. And the scale, obviously that's where the graduation comes in as well. Final question. What is your favorite cuisine or restaurant that you can share?

Loris Degioanni: I'm Italian.

Ashish Rajan: Is that a bad thing?

Loris Degioanni: I think the answer is a little bit obvious, but yeah, especially the part of Italy where I come from, which is the northwest part of Italy, Piemonte. Many great recipes are from there, but handmade pasta, truffle is from there. [00:20:00] Nutella is from there. Oh really? Yes.

Ashish Rajan: Wait, I have to ask this question, because I'm asking every Italian person that I meet: are you a panettone or a pandoro?

Loris Degioanni: Pandoro? I am more pandoro. I think I'm not the typical Italian; the typical Italian is more like the traditional panettone, you know, but I'm Americanized a little bit.

Ashish Rajan: Fair.

No, but I appreciate you coming on the show as well. Thank you for answering those questions. Where can people connect with you to talk more about Falco and everything else that's going on with that, if they want to reach out?

Loris Degioanni: The website falco.org has all of the information to connect with us. We, of course, have Slack.

We have a mailing list. We are very active on GitHub. Nice. But you find all of the links on the Falco website. Awesome. Now, thank you so much for coming on the show. I really appreciate this. Thank you for having me. No, thank you.

Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast.

We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video or tutorial on for Cloud Security Bootcamp, definitely reach out to us at [00:21:00] info@cloudsecuritypodcast.tv. Thank you for listening. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity: how organizations can deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else that continues.

If you have any other suggestions, definitely drop them at info@cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.