Falco reaches CNCF Graduation status, marking a new era in Cloud-Native security

Guest:

  • Edd Wilder-James

Falco, the leading open-source threat detection system for Cloud Native, has proudly achieved CNCF graduation status after a six-year journey of growth and development.

This milestone marks Falco's evolution into a mature, reliable project, underscored by its diverse leadership from top tech companies like IBM, Red Hat, Chainguard, and Apple.

According to Edd Wilder-James, VP of Open Source at Sysdig, graduation signifies that Falco has become an enterprise-quality open source project with defined governance, and that its roadmap to 1.0 now focuses on performance, resource efficiency, ease of installation, and stability.

Transcription

Bart: Who are you? What's your role? And who do you work for?

Edd: Hi, my name is Edd Wilder-James. I work at Sysdig, where I'm the VP of Open Source.

Bart: What do you want to share today?

Edd: We're really excited to announce at this conference that Falco has become a CNCF graduated project. This is the end result of a six-year journey inside the CNCF, from sandbox to incubation, and now it has reached the level of a mature, dependable, open source community and a very reliable threat detection system for Cloud Native.

Bart: What problem does Falco solve?

Edd: Falco acts as a security camera inside your cloud-native infrastructure. It monitors syscalls and other cloud events. And when bad things happen, for instance, a root container is starting in your shell, or someone's trying to overwrite something in /bin, Falco is then able to generate an alert, which you can then send on into logging pages or for remediation action. So essentially it's that last defense to make sure that bad behavior is not happening inside your infrastructure.

Bart: Could you share the before and after Falco's announcement?

Edd: So the journey to graduation for Falco has been one of maturing. For us, that's in two ways. As a community, attracting other developers as well as Sysdig, which contributed it to the CNCF, we have developers from IBM, Red Hat, Chainguard, and Apple, all in the project leadership. And those people bring a lot of great perspectives. We operate maturely as an open source project. We have defined governance. This means users can rely on the fact that the community is operated well and the project isn't just going to go away because one vendor isn't interested anymore. At the same time, we've made better documentation. We have learned how to explain what Falco is better to the community. So that's what going up to graduation means. We've come to an enterprise-quality open source project. After graduation, what does that mean? Well, we announced this week our roadmap to 1.0. And there are things in 1.0 that get Falco to that level that's very appropriate for a wide user base. We're installed in lots of places, so we really start to care about performance and resource usage. We're installed on every node in the Kubernetes cluster. We care about ease of installation and usability. A lot of the polish that people expect is in our roadmap to 1.0, along with stability. We want to be installed in as many places as possible and protecting as much of cloud native infrastructure as possible.

Bart: What's Sysdig's business model?

Edd: So Sysdig, we're a cloud security platform, known as CNAPP these days in the industry, as Gartner coined it a year ago. So we cover the whole gamut from cloud security posture management, vulnerability management, and access control, all the way through to the runtime security at the other end. And we do all that actually on top of Falco inside our product, which delivers that runtime insight of what's going on that feeds the rest of the more comprehensive security platform. We're quite unique in that we are a SaaS cloud product, but we also offer on-prem. So we work in hosted clusters on-prem and in the cloud. I think one important thing to note about attacks these days in the cloud is there are multiple layers. People very often get in through, say, identity compromises or compromises on a GitHub account. So it's as important for us to be able to monitor detections from those as it is from actual things going on at the CPU level and Windows altogether. The aspect of security in the cloud these days is, because the API services are very predictable, it takes the hackers way less time. We think it's probably 10 seconds to compromise, five minutes for you to find out where it is, another five minutes for you to figure out what's actually going on. So you have 10 minutes altogether to figure out how to defend against an attack, which is why these days we see these platforms coming up. And it's very important to have a tight feedback loop between what's happening in real time and the knowledge of the rest of your infrastructure, so you can really pinpoint attacks quickly.

Bart: Who are your main competitors and how do you differentiate?

Edd: So we compete with folks like Palo Alto Networks, CrowdStrike, and Wiz; those are the main people you'll see around here. In many ways we differentiate, but I think the key one really is our ability to do streaming detections in real time. And then we take that information, not just because we can then detect compromises very quickly, but because we're able to feed that information back up into the rest of our product. Pretty much anybody these days is drowning in CVEs and other vulnerability alerts. And so the main issue for people is how do you prioritize? And so we're able to take this runtime information, this runtime insight from which code paths are being executed right now in your clusters, and use that to go back and say, okay, here's where your security teams should spend their very valuable resource, because we know not only does this container have a CVE, but it's actually in danger of being used in real time. So humans are always the most valuable resource in security. We believe in prioritizing so they can focus and get their job done as efficiently as possible.

Bart: Kubernetes is turning 10 years old this year. What do you expect to happen in the next 10 years?

Edd: Firstly, it's amazing that Kubernetes is turning 10 this year, and what a great ecosystem it's created. We joined that party about eight years ago when the first line of Falco was written. So we obviously saw the containers of the future, and we believe right now, firstly, I think we'll see even further and deeper adoption beyond where we are. I think there are large strides to make in terms of taking the pain out of the infrastructure for developers. There are a lot of moving parts that are still confusing. I imagine that what we really want to do, both in security and in DevOps and all these places, is have much more of a turnkey experience for developers, where they have to worry a lot less about the scaling and operation side of things. So I expect to see best-of-breed things coming together, platformization, and ultimately the destiny of successful technology is to become invisible. And that's probably where we're going to head. Thank you.
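The two behaviours Edd uses as illustrations (a shell running as root inside a container, and a write under /bin) map directly onto Falco's rule language. The rules below are an added example written for this page; they are not code from the interview and not the Falco project's own shipped ruleset, although Falco's default rules cover similar ground. They assume a Falco build whose syscall source exposes the standard `evt.*`, `fd.*`, `proc.*`, `user.*` and `container.*` fields; the rule names, macro names and the `/etc/falco/added_rules.yaml` path are illustrative choices.

```yaml
# Added example rules for Falco (not part of the interview or the project's
# default ruleset). Load with: falco -r /etc/falco/added_rules.yaml
# Add -o json_output=true to emit one JSON object per alert for a log pipeline.

# Helper macros (assumed names; Falco's default rules define similar ones).
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: in_container
  condition: container.id != host

- macro: open_write
  condition: evt.type in (open, openat, openat2) and evt.is_open_write=true and fd.typechar='f'

- macro: system_bin_dir
  condition: fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin)

# Legitimate package-manager writes under /bin would otherwise fire this rule;
# the list below is an assumed starting point and must be tuned per image.
- list: package_managers
  items: [apt, apt-get, dpkg, rpm, yum, dnf, apk, pacman]

# Behaviour 1: someone overwriting something in /bin (or another binary dir).
- rule: Write below binary dir (added example)
  desc: A regular file under a system binary directory was opened for writing
  condition: open_write and system_bin_dir and not proc.name in (package_managers)
  output: >
    File written below a binary directory
    (user=%user.name user_uid=%user.uid command=%proc.cmdline file=%fd.name
    container_id=%container.id image=%container.image.repository)
  priority: ERROR
  tags: [filesystem, persistence]

# Behaviour 2: an interactive shell started as uid 0 inside a container.
# proc.tty != 0 restricts this to shells attached to a terminal, so
# non-interactive entrypoint shells (e.g. `sh -c ...` from an init script)
# do not alert on every pod start.
- rule: Root interactive shell in container (added example)
  desc: An interactive shell was spawned as root inside a container
  condition: >
    spawned_process and in_container and user.uid=0 and proc.tty != 0
    and proc.name in (bash, sh, zsh, dash, ash)
  output: >
    Root shell started in container
    (user=%user.name container_id=%container.id image=%container.image.repository
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell, execution]
```

Both rules are deliberately narrow: the `fd.typechar='f'` test and the package-manager exclusion keep the write rule from firing on directory opens and image builds, and the `proc.tty != 0` test keeps the shell rule quiet for scripted shells. Either rule's `output` line is what ends up in the logging or remediation path Edd mentions, so the fields it interpolates (container ID, image, command line) should be the ones a responder needs to locate and stop the workload.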