SAN FRANCISCO–(BUSINESS WIRE)–KubeCon + CloudNativeCon North America – Sysdig today announced the addition of cloud security monitoring functionality to the Falco open source project. A new Amazon Web Services (AWS) CloudTrail plugin provides real-time detection of unexpected behavior and configuration changes, intrusions, and data theft in AWS cloud services using Falco rules. The Falco community developed this extension with Sysdig on a new plugin framework that allows anyone to extend Falco to capture data from sources beyond Linux system calls and Kubernetes audit logs. As organizations manage critical data across multiple clouds, they need consistent threat detection across their distributed environments. Additional plugins will let organizations use a single threat detection language and close security gaps with consistent policies across workloads and infrastructure. In addition, over twenty new out-of-the-box policies supporting compliance frameworks have been released.
Falco Community Blog: Early Access to Falco Plugins
Falco, a cloud-native runtime security project, is the de facto detection engine for containers and Kubernetes, with over thirty million downloads. Created by Sysdig and contributed to the CNCF, Falco is an Incubation-level hosted project. The plugin framework and the new CloudTrail capability were contributed to the project by the Falco and Sysdig community over the past few months. Starting today, the AWS CloudTrail plugin is available in preview, and contributors can build new plugins on the framework.
Real-time detection of cloud configuration risks and threats
Today, security teams typically export AWS CloudTrail logs to a data lake or a Security Information and Event Management (SIEM) system, then scan that copy for threats and configuration changes that may indicate risk. This approach delays the identification of risks and adds cost and complexity.
Falco inspects cloud logs with a streaming approach: rules are applied to log events as they arrive and alerts fire immediately, without making an additional copy of the data. This complements static cloud security posture management by continuously checking for unexpected configuration and permission changes that could increase risk. It also acts as a modern intrusion detection system (IDS), flagging unusual behavior that may indicate an intrusion.
Consistent tool for container and cloud threat detection
Cloud and security teams struggle with an ever-growing list of tools to master and manage. Falco provides a single tool for threat detection in container and cloud environments, reducing complexity by reducing the number of tools in the stack. Teams can use the same rules language to write consistent policies for workloads and infrastructure, removing security gaps. Because there is a talent shortage in both cybersecurity and DevOps, reducing the learning curve with a consistent detection tool matters.
Users can immediately start using out-of-the-box, community-provided rules that align with compliance frameworks and best practices. They can also write custom rules in standard YAML to meet their specific needs.
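As an added illustration, not taken from the announcement or from the Falco project's own rule files, here is what a CloudTrail rule file and the plugin configuration that loads it look like. The field names (ct.name, ct.user, ct.srcip, ct.region, ct.error), the json.value paths, the aws_cloudtrail source name and the plugins/load_plugins keys follow the preview-era CloudTrail plugin documentation as I recall it and should be checked against the current plugin docs before use; the bucket path, library paths and rule names are placeholders. The two files are shown in one block separated by a YAML document marker.

```yaml
# --- falco.yaml excerpt (assumed layout): load the CloudTrail plugin and the
# json plugin it pairs with, and point it at a trail bucket. Paths are placeholders.
plugins:
  - name: cloudtrail
    library_path: libcloudtrail.so          # placeholder path
    init_config: ""
    open_params: "s3://example-trail-bucket/AWSLogs/"   # placeholder bucket
  - name: json
    library_path: libjson.so                # placeholder path
load_plugins: [cloudtrail, json]

---
# --- cloudtrail_rules.yaml (separate file): rules evaluated against each
# CloudTrail event as it streams in. "source: aws_cloudtrail" scopes them to
# the plugin's events rather than to syscalls.

# Only count API calls that actually succeeded; failed calls carry ct.error.
- macro: ct_success
  condition: not ct.error exists

# API names that weaken or disable the audit trail itself.
- list: trail_tamper_apis
  items: [DeleteTrail, StopLogging, UpdateTrail, PutEventSelectors]

# Configuration-change detection: someone touched the trail that feeds Falco.
- rule: CloudTrail Logging Tampered
  desc: A successful API call that deletes, stops or reconfigures a CloudTrail trail.
  condition: ct_success and ct.name in (trail_tamper_apis)
  output: CloudTrail trail modified (api=%ct.name user=%ct.user ip=%ct.srcip region=%ct.region)
  priority: CRITICAL
  source: aws_cloudtrail
  tags: [cloud, aws, cloudtrail, configuration_change]

# Intrusion-style detection: a successful console login with no MFA factor.
- rule: Console Login Without MFA
  desc: Successful AWS console login where MFA was not used.
  condition: >
    ct.name="ConsoleLogin" and ct_success
    and json.value[/responseElements/ConsoleLogin]="Success"
    and json.value[/additionalEventData/MFAUsed]="No"
  output: Console login without MFA (user=%ct.user ip=%ct.srcip region=%ct.region)
  priority: CRITICAL
  source: aws_cloudtrail
  tags: [cloud, aws, identity, intrusion]
```

Loaded with `falco -c falco.yaml -r cloudtrail_rules.yaml`, each rule fires as the matching event is read from the trail, which is the streaming behavior described above; the first rule is the one to keep closest to hand, since an attacker who can stop the trail silences every other CloudTrail-based rule.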
The plugin capability for Falco creates the foundation for contributions that extend support to other cloud environments and operating systems. The AWS CloudTrail plugin and the additional out-of-the-box rules are available today as a preview on the Falco GitHub site, and Falco users and contributors can access pre-release documentation now. The official release is expected in the coming months.
What the community says
“The Falco plug-in feature gives DevOps and security teams a unique threat detection tool with a single rules language across container and cloud environments. This allows users to create consistent policies for workloads and infrastructure and close security gaps,” said Chris Aniszczyk, CTO of Cloud Native Computing Foundation. “The foundation is now in place for rapid community innovation to extend Falco to other cloud environments.”
“Now Falco can detect threats to AWS containers and cloud services using a streaming approach,” said Loris Degioanni, Founder and CTO, Sysdig. “Users can immediately alert to lateral movement indications without the cost and complexity of copying logs.”
Sysdig is driving the secure DevOps movement, enabling organizations to confidently secure containers, Kubernetes, and the cloud. With Sysdig, teams secure the build, detect and respond to threats, continuously validate cloud configurations and compliance, and monitor performance. Sysdig is a SaaS platform built on an open source stack that includes Falco and sysdig OSS, the open standards for detecting and responding to runtime threats. Hundreds of companies trust Sysdig for container and cloud security and visibility. Learn more at sysdig.com.