Falco in action: protecting your Cloud Native infrastructure

Transcript

1. Falco in action: protecting your Cloud Native infrastructure Edgaras Apšega

   Site Reliability Engineer // CNCF Ambassador // Kubestronaut // Cloud Native Lithuania meetup co-organizer

2. 2 Supply chain threats

3. 3 Increasing number of attacks Source: blog.sonatype.com

4. 4 Software Supply Chain Security Source: slsa.dev

5. None

6. © 2023 Cloud Native Computing Foundation 6 How do you

   know the breach happened?

7. © 2023 Cloud Native Computing Foundation 7 Security cameras are

   like runtime security Big walls and guarded entrances alone are not enough to secure a city. A better approach involves widespread, granular visibility: a network of security cameras. Runtime security measures are implemented and monitored while the application is running, ensuring that all critical data and processes are secure.

8. Falco Runtime security tool specifically designed for Kubernetes and cloud-native

   environments

9. © 2023 Cloud Native Computing Foundation 9 • Capturing system

   calls in a running process typically involves modifying either the process or some of its libraries with some kind of instrumentation. • The second option involves intercepting the system call execution after it has transitioned to the operating system. This requires running some code in the OS kernel itself. Runtime Security

10. 10 The Falco sensor

11. 11 Falco system calls sourcing

12. 12 High level architecture Sensor Sensor Sensor Sensor System Calls

    System Calls Audit Logs CloudTrail Alerts Collector

13. 13 Falcosidekick

14. None

15. 15 Falcosidekick UI

16. Falco in action Live demo

17. 17 Create/Modify Configmap With Private Credentials

18. 18 CVE-2018-1000861: Jenkins remote command injection

19. 19 CVE-2024-3094: Detecting the SSHD backdoor in XZ Utils

20. Thank you! Add me on LinkedIn!