The presentation discusses the use of Falco, a behavioral tool for cybersecurity, and provides tips for improving its effectiveness and addressing false positives. It also addresses the possibility of updating the ruleset to catch new vulnerabilities and the use of user space drivers for data collection.
- Falco is a behavioral tool for cybersecurity that detects suspicious actions as they happen at runtime
- Tips for improving Falco's effectiveness include being clear about what matters to the organization, tuning detection based on parent process lineage, and excluding known-benign values from the fields a rule checks
- The default Falco ruleset doesn't get updated for every new CVE, but it is possible to write rules to catch new vulnerabilities
- User space drivers for data collection are possible but are not currently on the Falco maintainers' roadmap
- Collaboration with the community is encouraged for developing new projects
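The tuning tips above (parent-lineage checks and excluding known-benign values from fields) map directly onto Falco's rule syntax. The rule below is an added example written for this summary, not a rule from the talk or from the Falco project's default ruleset; the list contents, the image name and the exception values are assumptions chosen to illustrate the shape of such a rule.

```yaml
# Added example (not from the talk or the Falco default rules): a custom
# Falco rule tuned the way the tips above describe. List items, the
# container image and the exception values below are assumptions.

# Parent names that may legitimately spawn a shell in a container
# (assumed values; replace with what your workloads actually show).
- list: allowed_shell_parents
  items: [sshd, containerd-shim, runc]

# These two macros exist in the default ruleset with the same meaning;
# they are repeated here only so the file is self-contained.
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: container.id != host

- rule: Shell Spawned in Container (tuned)
  desc: >
    An interactive shell started inside a container. Tuned by parent and
    grandparent process lineage, with an exception for one known-benign
    image/parent combination so it does not fire as a false positive.
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh)
    and not proc.pname in (allowed_shell_parents)
    and not proc.aname[2] in (allowed_shell_parents)
  # Exceptions exclude specific field value combinations from the check
  # without weakening the rule's core condition.
  exceptions:
    - name: known_debug_image
      fields: [container.image.repository, proc.pname]
      comps: [=, =]
      values:
        - [registry.example.internal/debug-toolbox, kubectl]  # assumed placeholder
  output: >
    Shell spawned in container (user=%user.name command=%proc.cmdline
    parent=%proc.pname grandparent=%proc.aname[2]
    container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [container, shell, mitre_execution]
```

Load this with `falco -r /etc/falco/falco_rules.yaml -r custom_rules.yaml`; the output fields print the parent and grandparent names, which is what you need when deciding whether a recurring alert belongs in `allowed_shell_parents` or in an exception rather than being a genuine finding.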
The speaker mentions a user space hooking technology called pdig that captured system calls using ptrace, but it was too slow for real workloads. Another user space application, gVisor, was more efficient at shipping syscalls without needing ptrace. The speaker encourages collaboration with the community for developing new projects.