Runtime security receives major boost from Sysdig’s open-source Falco
In 2021, Sysdig Inc. published a container security and usage report that identified a few troubling findings.
While a majority of global Sysdig customers were scanning containers before deployment, over half of those containers were running as root, a user default that provides access to all commands and files on the operating system.
In addition, more than a fifth of containers lived for less than 10 seconds. This underscored the importance of having security tools that can provide real-time monitoring at intervals of 10 seconds or less.
“We also found that 27% of users have unnecessary root access and 73% of cloud accounts have public S3 buckets,” said Loris Degioanni (pictured), founder and chief technology officer of Sysdig. “This can generate consequences when you make a mistake. As infrastructures and software become more sophisticated and automated, there’s more risks and opportunities for misconfigurations that tend to be more often the source of issues in the cloud.”
Degioanni spoke with John Furrier, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the AWS Startup Showcase: Open Cloud Innovations event. They discussed the challenges of securing IT beyond the datacenter, Sysdig’s technology for continuous threat monitoring, the firm’s ongoing partnership with Amazon Web Services Inc., and the role of the open-source community to combat bad actors in cybersecurity. (* Disclosure below.)
Focus on visibility
Risks such as those identified in Sysdig’s report highlight the need for a new way of viewing security protection in IT networks. A datacenter running monolithic applications was a castle, with thick walls and a single entrance. Today’s cloud infrastructure is wide open, and calls for a different approach to defending critical assets.
“The metaphor I like to use is an amusement park,” Degioanni said. “You have a big area with many important things inside and users and operators that are coming from different entrances that you cannot really block. We cannot build a giant wall around the amusement park; we need people to come in. Getting visibility and doing it in real time is much more important.”
To provide that visibility, Sysdig created Falco, an open-source tool for continuous risk and threat detection across containers, Kubernetes and cloud. Falco, which acts as a kind of “security camera” for monitoring anomalous behavior, has been downloaded over 30 million times and is currently maintained as an open-source project by the Cloud Native Computing Foundation.
“With Falco, our open-source runtime security engine, we took key design decisions at the beginning to make sure the engine would be able to support and parse millions of events per second with minimal overhead,” Degioanni said. “Ease of deployment and performance were more important goals here. It’s not uncommon for Sysdig to have users of Falco with tens of thousands, hundreds of thousands of machines and sometimes millions of containers.”
Real-time detection
In recent months, Falco has become more closely aligned with AWS CloudTrail, a service from the public cloud provider that records API activity in AWS accounts to support compliance and operational risk auditing.
“Recently, we announced an extension of Falco to support cloud infrastructure and security by parsing cloud logs like CloudTrail,” Degioanni explained. “It is a rule engine based on policies that are driven by the community and allow you to detect misconfigurations, attacks and anomalous conditions in your cloud applications. Falco is able to detect if somebody is running a shell in a container or if somebody is downloading a sensitive file from an S3 bucket, all in real-time.”
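The two detections Degioanni mentions (a shell spawned in a container, and a sensitive object read from an S3 bucket) can be expressed in Falco's own rule syntax. The block below is an added example written for this article, not rules taken from the article or from the Falco project's shipped rule set; it uses Falco's standard syscall fields (`evt.type`, `proc.name`, `container.id`, `proc.tty`) and the CloudTrail plugin's `ct.*` and `s3.*` fields, and the bucket names in `sensitive_buckets` are constructed placeholders.

```yaml
# Added example: two Falco rules modeled on the detections described above.
# Not from the article or the Falco project; bucket names are constructed.

# --- Syscall source: an interactive shell started inside a container ----------
- list: shell_binaries
  items: [ash, bash, csh, ksh, sh, tcsh, zsh, dash]

# execve/execveat exit events mark a new process being spawned
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

# container.id is the literal string "host" for processes outside a container
- macro: container
  condition: container.id != host

- macro: shell_procs
  condition: proc.name in (shell_binaries)

- rule: Terminal shell in container
  desc: An interactive shell (tty attached) was started by a process in a container
  condition: spawned_process and container and shell_procs and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name container_id=%container.id
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [container, shell]

# --- CloudTrail source (Falco cloudtrail plugin): read from a sensitive bucket -
- list: sensitive_buckets
  # Constructed placeholder names; replace with the buckets you actually protect.
  items: ["example-customer-exports", "example-secrets-backup"]

- rule: Object downloaded from sensitive S3 bucket
  desc: A successful GetObject call against a bucket listed in sensitive_buckets
  condition: >
    ct.name="GetObject" and not ct.error exists
    and s3.bucket in (sensitive_buckets)
  output: >
    Sensitive S3 object read (user=%ct.user bucket=%s3.bucket key=%s3.key
    src_ip=%ct.srcip region=%ct.region)
  priority: WARNING
  tags: [cloud, aws, aws_s3]
  source: aws_cloudtrail
```

Two caveats a practitioner would check before relying on these: the first rule also fires for legitimate `kubectl exec` sessions, so in practice it is tuned with exceptions for known debugging images or users; and `GetObject` is an S3 data event, which CloudTrail does not record unless data-event logging is enabled on the trail, so the second rule is silent on a management-events-only trail.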
Sysdig has also pursued technology to provide a deeper dive into container security. In 2020, Sysdig extended its alliance with AWS to offer what it characterized as the first inline container scanning tool for AWS Fargate, an event-driven platform that scales based on application demand for infrastructure support.
In May, Sysdig unveiled new incident response and runtime detection tools for AWS Fargate, which included file integrity monitoring, a key standard used in the payment card industry.
“It was a project done in cooperation with Amazon so we could have strong runtime security for containers that are running in Fargate,” Degioanni said. “Falco can be used to protect workloads that are running in virtual machines or containers and also the cloud infrastructure.”
Sysdig’s continued work with Falco and the open-source community represents a notable element in the evolution of enterprise security. As the world’s major companies continue to embrace open-source tools for critical applications, the need for security to keep pace becomes ever more important.
Degioanni sees security as a community problem, one in which the solution will come from the strength of the open-source ecosystem.
“We are in a war; it’s the good guys versus the bad guys,” Degioanni said. “The bad guys are coordinated, motivated, sometimes well-funded and well-equipped. We win only if we fight this war as a community. The future of security is going to be open source.”
Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: Open Cloud Innovations event. (* Disclosure: Sysdig sponsored this segment of theCUBE. Neither Sysdig nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
Photo: SiliconANGLE