
Falco Talon’s proposed donation to CNCF’s Falco

By Nigel Douglas, Snr. Developer Relations Engineer, Sysdig

As the complexity of cloud-native environments grows, so do the security challenges organizations face. With Kubernetes and other cloud-native technologies becoming the backbone of modern infrastructure, enterprises are increasingly seeking sophisticated, adaptable security solutions to address the unique threat landscape of the cloud. Open-source Falco, now a graduated project of the Cloud Native Computing Foundation (CNCF), has emerged as a leading tool for real-time threat detection in these environments. But to meet the evolving demands of cloud-native security, Falco continues to expand its capabilities.

Today, a pivotal addition is on the horizon: Falco Talon, a new component that has been proposed to the Falco project. Talon takes Falco’s real-time detection capabilities a step further by introducing the ability to automate responses to security events in Kubernetes environments. This marks a significant evolution in the world of Cloud Detection and Response (CDR), offering security teams the flexibility to both detect and respond to incidents in a dynamic, customizable and automated manner.

Evolution of Falco and the Need for CDR

Falco’s success as a threat detection tool lies in its ability to monitor and alert on suspicious activity in real time within cloud-native environments like Kubernetes. It achieves this by leveraging kernel-level system calls, as well as a Kubernetes Audit Logs plugin, to detect potentially malicious behaviors and raise alerts for anomalies such as unauthorized network connections, file system access, or process execution. As cloud-native infrastructure has become more complex, the industry has accepted that legacy Detection & Response (D&R) tooling is ill-suited to highly dynamic, containerized environments like Kubernetes.

Over time, Falco has grown to meet the changing needs of the cloud-native ecosystem. For instance, in 2020, the project integrated falcosidekick, developed by Thomas Labarussias, which allows Falco to send event notifications to a wide variety of third-party services, including messaging platforms like Slack and data visualization tools like Grafana. This addressed the need for better integration with the larger cloud ecosystem, making Falco more flexible in how it communicates its detection insights.

However, as the threat landscape continues to evolve, detection alone is no longer sufficient. Organizations need robust cloud detection and response capabilities that allow them not just to monitor their environments, but also to automate real-time actions to mitigate threats. This was made abundantly clear by the introduction of projects in the cloud-native ecosystem such as Tetragon, which ships its own enforcement mechanism.

How Talon will bridge Detection and Response (D&R)

The proposed donation of Falco Talon to the Falco project represents a major leap forward in cloud-native cybersecurity. While Falco has always excelled at detecting suspicious behaviors, Talon has introduced a wide set of capabilities for automating responses, empowering security teams to take immediate action when threats are detected.

At the heart of Falco Talon is the ability for users to write their own YAML rules that correlate detected events with automated actions. This level of customization allows users to define how their systems should respond to specific threat scenarios in real time. Actions can include, but are not limited to:

  • Graceful termination of a suspicious pod or
  • Enforcing Kubernetes Network Policies to isolate compromised
  • Labeling pods for further analysis or automated remediation

These capabilities make Falco Talon a powerful tool for organizations that need a quick, flexible response to emerging threats in their cloud-native environments. Check out the full list of response actions here.

Understanding what Talon brings to the open-source ecosystem

One of the key innovations of Falco Talon is its use of “actionners”, a concept that allows users to define catalog bundles of predefined responses to different types of detected events. These response definitions are designed to provide the best possible response to a given threat, ensuring that security measures are both effective and minimally disruptive to the overall system. Igor Eulalio had previously written a piece on how Falco and Talon can be used as part of an Open-Source Approach to Threat Mitigation in AWS Cloud.

In his scenario, when a “Backdoored library was loaded into SSHD” event is detected by Falco, the Talon engine can trigger a series of actions, such as cordoning the node, draining it, and only then terminating it, which better aligns with the practices DevOps engineers are expected to follow in real-world production environments.

The beauty of this approach is that users can easily customize and reuse action blocks across different rules, much like they already do with Macros in Falco. This ensures that the response logic remains consistent and adaptable to various security scenarios.

The architecture of Falco Talon has been carefully developed to align closely with that of Falco, making it easy for users already familiar with the platform to get up and running with Talon. The rule files are in YAML format, ensuring simplicity and readability, while the ability to override rules and reuse action blocks promotes flexibility in managing security policies across large, complex environments.
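To make the preceding description concrete, here is an added example of what such a Talon rules file could look like; it is not code from this article or from the Falco Talon project. It shows reusable action blocks (the actionner catalog) bound to two rules: the pod-level responses listed above (label, isolate with a network policy, terminate) and the node-level cordon-and-drain sequence from Igor's scenario, stopping at drain because the final node termination is cloud-provider specific. The top-level keys (`action`, `actionner`, `parameters`, `rule`, `match`, `actions`) and the actionner names follow the Talon rule format as I recall it from the project's documentation; treat the exact parameter names as assumptions to verify against the Talon release you deploy. The namespaces, CIDR and label values are constructed for the example.

```yaml
# Reusable action blocks (the "actionner" catalog).
# Key and parameter names follow the Falco Talon rule format as I recall it;
# assumption: verify them against the Talon version you run.
- action: Terminate Pod
  actionner: kubernetes:terminate
  parameters:
    ignore_daemonsets: true       # never evict a DaemonSet-managed pod
    ignore_statefulsets: true     # never evict a StatefulSet-managed pod
    grace_period_seconds: 20      # graceful shutdown rather than an immediate kill

- action: Isolate Pod
  actionner: kubernetes:networkpolicy
  parameters:
    allow_cidr:
      - "10.0.0.0/8"              # constructed: internal range that stays reachable
    allow_namespaces:
      - "monitoring"              # constructed: keep observability traffic flowing

- action: Label Pod as Suspicious
  actionner: kubernetes:label
  parameters:
    labels:
      suspicious: "true"          # lets a later job or a human find the pod

- action: Cordon Node
  actionner: kubernetes:cordon    # stop new pods from being scheduled on the node

- action: Drain Node
  actionner: kubernetes:drain     # evict the node's workloads before it is retired
  parameters:
    ignore_daemonsets: true
    ignore_statefulsets: true

# Rules: which Falco events trigger which ordered actions.
- rule: Shell spawned in a workload container
  match:
    rules:
      - Terminal shell in container       # name of a Falco default rule
    output_fields:
      - k8s.ns.name!=kube-system          # do not act on system namespaces
  actions:
    - action: Label Pod as Suspicious     # tag the evidence before the pod disappears
    - action: Isolate Pod
      parameters:                         # per-rule override of the shared block
        allow_cidr:
          - "10.0.0.0/8"
        allow_namespaces:
          - "monitoring"
          - "forensics"                   # constructed: allow an evidence-collection namespace
    - action: Terminate Pod

- rule: Backdoored sshd library on a node
  match:
    rules:
      - Backdoored library was loaded into SSHD   # must match the deployed Falco rule name exactly
  actions:
    - action: Cordon Node
    - action: Drain Node
```

Two design points are worth noting. Actions run in the order listed, so the label and the network policy are applied before the pod is terminated; reversing the order would destroy the evidence the label was meant to preserve. The per-rule `parameters` override lets one rule widen the allow list without editing the shared `Isolate Pod` block that other rules reuse, which is the same consistency benefit the article attributes to Falco macros.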

Falco’s Role in the Future of Cloud-Native Security

As Kubernetes recently celebrated its 10th anniversary, it’s clear that cloud-native computing is here to stay. The challenges that come with managing and securing these environments are becoming more sophisticated, and the security tools we rely on must evolve to keep pace.

With the donation of Talon, Falco is positioning itself as a complete Cloud Detection and Response (CDR) solution for open-source users, capable of not only detecting threats in real-time but also automating defensive actions to mitigate them. This shift is particularly exciting for organizations that are looking to stay ahead of the curve in cloud security, as it allows them to embrace the agility and scalability of cloud-native environments without sacrificing security.

Furthermore, Falco’s commitment to remaining open-source ensures that the project will continue to benefit from a diverse community of contributors and users, constantly improving and iterating on its capabilities. This collaborative approach to innovation is critical as the cloud-native ecosystem becomes more complex and the threat landscape continues to evolve.
