Sysdig announces Falco Feeds for enhanced cloud security and compliance
Sysdig has announced Falco Feeds, a significant enhancement to the open-source Falco security project that brings enterprise-grade security rules to the community.
The announcement is particularly noteworthy for DevSecOps teams and security professionals as it addresses one of the biggest challenges in Kubernetes security: creating well-tuned security rules that minimize false positives without impacting performance.
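To make the tuning problem concrete, here is an added example of the kind of noise reduction the announcement is about. It is not a rule shipped by Falco or Falco Feeds: the image names, registry and user name are constructed, and the file assumes the `spawned_process` and `container` macros from the default `falco_rules.yaml` are loaded before it (the stock Falco configuration loads the default rules first).

```yaml
# Added illustration, not a rule from the Falco project or Falco Feeds.
# Scenario: "interactive shell inside a container" is a classic detection
# that floods alert channels in clusters where operators legitimately
# `kubectl exec` into debug images. The first rule fires on every such
# shell; the tuned version carves out the documented expected case with a
# list and a macro and lowers the priority. Image names, registry and user
# name below are constructed for the example.

# Untuned version: every interactive shell in any container is an alert.
# Kept here for comparison but disabled so only the tuned rule is active.
- rule: Shell spawned in container (untuned)
  desc: Any interactive shell started inside a container.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, ash, dash)
    and proc.tty != 0
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: WARNING
  tags: [container, shell]
  enabled: false

# Known-good debug images that operators exec into deliberately (constructed).
- list: allowed_debug_images
  items: [docker.io/library/busybox, docker.io/library/alpine]

# Name the expected activity explicitly so the exemption is reviewable
# and narrow: an approved image AND the on-call account, not either alone.
- macro: expected_debug_shell
  condition: >
    container.image.repository in (allowed_debug_images)
    and user.name = "sre-oncall"

# Tuned version: same detection, minus the documented expected case,
# at a priority that reflects the residual signal.
- rule: Shell spawned in container
  desc: >
    Interactive shell started inside a container, excluding operator debug
    sessions in approved images.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh, ash, dash)
    and proc.tty != 0
    and not expected_debug_shell
  output: >
    Shell spawned in container (user=%user.name container=%container.name
    image=%container.image.repository shell=%proc.name parent=%proc.pname
    cmdline=%proc.cmdline)
  priority: NOTICE
  tags: [container, shell, mitre_execution]

# Per-cluster tuning without editing the file above: a later rules file
# can extend the list instead of copying the whole rule.
- list: allowed_debug_images
  items: [registry.example.internal/tools/netshoot]
  override:
    items: append
```

Validate the file before deploying it with `falco -V <file>`, which parses the rules and exits; a typo in a field name or a macro that is not loaded shows up there rather than as a silently never-firing rule. The exemption is deliberately a conjunction (approved image and specific user): allow-listing on the image alone would let anyone who can exec into a busybox pod go unseen.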
Transcription
Bart: Who are you? What's your role, and who do you work for?
Nigel: Hi, I am Nigel Douglas and I work for Sysdig. I'm a cloud security strategist here at Sysdig, and I'm representing Falco.
Bart: What do you want to share with us today?
Nigel: I wanted to discuss Falco Feeds. We've noticed that the adoption of the Falco project has increased, especially since its graduation from the CNCF, with more users seeking advanced capabilities. We recently introduced Falco Talon to the Falco project as a response engine for Falco. Additionally, with Falco Feeds, we are dynamically providing expert research and managed rules, similar to those experienced in Sysdig Secure, but now extending these to the open source community.
Bart: What problem does Falco Feeds solve?
Nigel: Falco Feeds solves a few problems. The first one is that anyone can build their own rules in Falco, but not everyone has the expertise for noise reduction to reduce false positives and fine-tune it so it does not impact CPU resources. With Falco Feeds, we also extend the capabilities to detect compliance standards such as PCI compliance, SOC 2, and NIST, allowing us to meet all your compliance needs with Falco.
Bart: Can you give us a little bit of context, thinking about the before and after this announcement, what led up to this point and what's going on now?
Nigel: Falco is based on an evolving story. It originated from Wireshark, where our CTO and co-founder was a core contributor. Wireshark used PCAP, and with Sysdig Open Source, we introduced SCAP, System Call Capture. SCAP was perfect for monitoring system calls. Falco applied the same logic of monitoring system calls for detection and response. Initially, the key goal within Kubernetes was to understand insecure behavior through monitoring. However, as users are now running Kubernetes in production, particularly in large organizations, the need has shifted beyond just monitoring. The focus is now on taking action and ensuring the correct action is taken in production.
Bart: Falco is an open-source project and part of the CNCF landscape.
Nigel: Falco open source is not part of the CNCF ecosystem. In many ways, it's an early baby of the project. However, Falco is a CNCF project. Both technologies are incorporated into our platform at Sysdig. So Sysdig really does embrace open source, whether it be Prometheus, OPA, these open projects, to build a managed platform on technologies people are already familiar with within the CNCF ecosystem.
Bart: What is Sysdig's business model?
Nigel: Sysdig's business model is understanding what the problem is within the ecosystem. A lot of it involves managing the product technology stack, such as monitoring and security compliance; there are many tools that individually solve problems. Sysdig wants to encourage open source collaboration, contribution, and adoption of these technologies. When it becomes overwhelming to manage these open source technologies, Sysdig can manage the platform as a way to detect and manage them in the easiest possible way in production.
Bart: And who are your main competitors?
Nigel: The biggest competitors right now are in the cloud native application protection platform, or CNAPP, space. You see the likes of CrowdStrike, Wiz, and Palo Alto Networks, which are talking about comprehensive consolidation of posture, vulnerability management, detection and response, and even now AI assistance. These are the competitors of Sysdig.
Bart: What differentiates Falco and Sysdig from the competition?
Nigel: A few things differentiate Falco and Sysdig from other major competitors. The first part is graduation from CNCF, which provides a brilliant technical oversight committee, third-party performance audits, and a due diligence process. The fact that Falco has met all these rigorous trials and come out the other side as a graduated project shows that it is ready for production and assurance. Another thing that differentiates us is that Falco has been around long enough. We have been there since the beginning of the cloud native transformation journey and have seen users at different cycles, the solutions they want to implement, and we are really tailoring our solution around their problems as opposed to trying to reinvent the wheel.
Bart: What do we expect next from Falco and Sysdig?
Nigel: With Sysdig, there's a focus on the buzz around artificial intelligence. It's one thing to consolidate technical capabilities and technologies, but users, especially those evolving towards Kubernetes and cloud native, are having trouble understanding system calls and context-specific Kubernetes. Using an AI LLM is a brilliant partnership to take the information currently known and curate it in a way that enables action. As for Falco, it may not be taking the LLM approach, but it is developing advanced capabilities, such as the evolution of Falcosidekick and Falco Talon, which used to forward events, specialize within the UI, and then respond. This really looks like a full detection and response engine.