Falco: A New Approach to Security and Visibility



Throughout his career, Loris Degioanni has led innovative approaches to open source security and visibility, from creating the popular tool Wireshark to developing Falco, a game-changing platform that uses eBPF to provide real-time anomaly detection in Kubernetes.  

On this episode of the Open at Intel podcast, recorded at KubeCon North America last fall, Degioanni discusses his work at Sysdig and Falco, talks about his involvement in the industry shift from packet-based to system call‒based security via eBPF, and shares why he thinks open source is creating a brighter future for AI and security. 

Editor’s Note: Since we recorded this episode, Falco has graduated as a CNCF project. This milestone represents Falco’s maturity level and elevated position in the cloud native landscape. 

Listen to the full episode here. This conversation has been edited and condensed for brevity and clarity. 

Falco: A New Approach to Observability

Katherine Druckman: Will you tell us about yourself and your open source projects? 

Loris Degioanni: I’m the CTO and founder of Sysdig, a company that offers a cloud native security platform for containers and Kubernetes. Sysdig has a couple of open source projects, including a command line tool for system inspection and troubleshooting with a heavy focus on containers. I compare it to your tcpdump for system calls, with deep visibility in containers and Kubernetes. The other and biggest project I’m involved in is Falco, which I started in 2016. Falco is essentially the industry standard for runtime security for containers and Kubernetes. You can think of Falco as a security camera for your containerized infrastructures. 

Katherine Druckman: Can you tell us about how Falco came about? 

Loris Degioanni: Falco was created by Wireshark, a network analyzer that allows you to wirelessly plug your computer into a network and capture packets. It offered a lot of functionality for protocol dissection to help you observe and understand what’s happening on the network. Packets are a rich data source that can tell you what’s happening not only on the network but also across users, applications, and devices on the network.   

I used to say packets never lie, but since the launch of containers around 2013, packets are no longer an easy vantage point. Cloud providers like Amazon and Google own the network, and it’s not easy to connect to the stream port. It’s also normal for people to pack hundreds of containers on a single machine. When you’re sitting on the router, trying to figure out what’s happening on the network, you’re missing data.  

So we asked ourselves, if we could start from scratch and design for containers, Kubernetes, and Linux, what would the instrumentation be? We looked at the ways to use the kernel of the operating system (OS) to get and interpret data. Our solution was initially based on kernel modules, so you could sit in the kernel and see what every single container is doing without instrumenting them. That later evolved into using eBPF, which was a sort of revolution in instrumentation. Now you can take signals generated by eBPF and create a rule system on top of them to express stuff like, “I want to know every time one of my sensitive files is accessed for read or write.” Falco allows you to express this kind of policy, and then it translates it into things that can be evaluated using data that’s collected through eBPF. 

You can deploy Falco sensors across your infrastructure to create essentially a network of security cameras that will alert you when something suspicious is going on in your applications. So we’re applying what we were previously doing with packets but using system calls and eBPF to support containers and modern cloud infrastructures. 

Kernel Programmability, Sandbox Safety

Katherine Druckman: In the last three years, I’ve heard more and more about eBPF and how critical it is to observability. Could you share more about your work with eBPF? 

Loris Degioanni: Falco was one of the first projects in cloud native to leverage eBPF. We inspired the industry to do runtime security and detection and response using eBPF. eBPF is like a little virtual machine that runs in the kernel of the OS. With eBPF, you can write what are basically scripts—in this case, actual programs compiled to run in the kernel—but instead of running as code in the kernel, the VM runs them. The benefit is that you get complete, versatile programmability of the kernel of the OS while running the programs in a safe sandbox environment. For example, every program is validated before the kernel can run it so that it can’t access dangerous data or crash the system. So you get control to extend the kernel any way you want through a script, paired with the safety of doing it in a way that doesn’t create security issues—or performance issues, because eBPF is very efficient. 

Katherine Druckman: Do you see people using Falco in ways you didn’t expect when you created it?   

Loris Degioanni: All the time. Falco is both a language and policy engine and a data-collection solution. We decoupled the two purposes because we think they have value independently. Falco’s language and policy engine is used for other stuff, such as defining policies for CloudTrail logs. There are also many tools that are built on top of our data collection side to do captures, introspections, and analysis. For example, in a talk here at KubeCon, an Apple developer shared how she built essentially an anomaly detection engine that can look at containers, determine their normal behavior, and automatically alert you to abnormal behavior. That implementation is a different way of doing detections from the same data collection process.  

Just One Piece of the Security Puzzle

Katherine Druckman: What would you say to somebody who feels good about their application’s security, but they’re not using a runtime security detection solution like Falco? 

Loris Degioanni: Good security is a puzzle made up of many pieces. Falco and runtime threat detection is an important piece of the puzzle, but just one. I recommend thinking about security from day one of building your cloud native stack. Security includes many facets: users, infrastructure, applications, and personas, such as how your developers manage their vulnerabilities. You also have to think about how you’ll detect and respond to attacks. So it’s multifaceted and involves many people. Falco is the piece that helps detect and respond to threats in real time. 

Supporting Developers as We Shift Left

Katherine Druckman: How can the community make it easier for developers to address security early in the life cycle? 

Loris Degioanni: Traditionally, security has been positioned in a slightly antagonistic way. The security team and developers often fight, but in practice, security is a common goal. In recent years, the industry’s trending in the right direction. For example, the CI/CD pipeline helps developers approach security in a more natural way. The sooner we can notify developers of a security issue, the easier it is for the developer to address it. Allowing developers to make updates to code as they’re typing in their code editor is much better than telling your developer that you’re blocking their application from going into production and asking them to start over. DevOps and DevSecOps practices like this help bring different parts together to catch issues early. 

There are also technology-specific approaches. For example, Sysdig has a feature called In Use that helps prioritize vulnerabilities. We often use container image libraries that have vulnerabilities, but many aren’t ever loaded by our software. They’re still important to address, but I don’t need to ask a developer to stop what they’re doing and address it right now. Vulnerabilities that are actually loaded into your Java or Go application and are in production are more dangerous. This kind of prioritization helps developers focus on the most- important steps. 

The Future of AI and Security Is Open

Katherine Druckman: What else are you excited about in the open source world?  

Loris Degioanni: As CTO of Sysdig, I’ve been spending quite a bit of time lately on AI and large language models (LLMs). The giant generative AI models of the world are showing us a new path for humanity, but at the same time, we’re seeing fantastic grassroots movements that are doing really cool things with smaller models. In AI, the open source ecosystem is going to be even more important in the long run than the big players like Microsoft, Amazon, and OpenAI. 

Katherine Druckman: What are you most optimistic about in the open source security community? 

Loris Degioanni: If security is a battle between good guys and bad guys, the bad guys work together to create exploits and share information. For the good guys to successfully fight this battle, they need to do the same. The big players in security tend to be pretty siloed and secretive. But things are changing—there are a bunch of things like network security and runtime security that’s now being done in open source. For example, Falco’s rule set is curated and driven by the community, and anybody can add a Falco rule just by opening a pull request for the latest vulnerability. It’s a much better way to do this because it distributes the benefits and the work to a large community that can work together. I like to say the future of security is open.  


To hear more of this conversation and others, subscribe to the Open at Intel podcast: 

About the Author

Katherine Druckman, Open Source Evangelist, Intel 

Katherine Druckman, an Intel open source evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she’s a longtime champion of open source and open standards. 

Loris Degioanni, CTO and Founder, Sysdig 

Loris Degioanni (he/him) is the CTO and founder of Sysdig. He is also the creator of the popular open source troubleshooting tool, sysdig, and the open source container security tool Falco. Prior to founding Sysdig, Loris cocreated Wireshark, the open source network analyzer that has more than 20 million users today. Loris holds a PhD in computer engineering from Politecnico di Torino and lives in Davis, California.