We're talking about runtime security in the cloud and the world. But first of all, just to add to what you're trying to say, my name is Illyria Yaliddi, but you can call me Illyria for short. Consider the full-time part of the house when you're in. And in the cloud innovation, I have container solutions. I also created something called Get-Go with Kubernetes, where I help people learn Kubernetes through workshops, and I work with the organizer. And I'm mostly a preacher, so when I'm not in tech, I'm preaching. Yeah.

So let's dive into runtime security. The first thing, when we talk about security, a lot of things come to mind. You want to have secure systems. That's a key thing. And a lot of people talk about this thing that you call shifting security to the left, so that we can have security not as an afterthought of the things that we do. Security should be primary in any system that we're developing or building, including our infrastructure. Security should not be an afterthought. So when you build systems, you think of authenticating users. If you're a software developer, you definitely want to do that. You probably want to have some authorization processes in place, as well as authentication processes. If you're an infrastructure engineer, you want to do things like static analysis of your manifest files to ensure that you don't have vulnerabilities. You probably want to scan your images before you go into production. You do a lot of things before hitting production. And that's very good. We should always do that.

Now, there is also the part that we talk about: runtime and runtime security. So now my slide, yeah, I made a mistake in that slide. So runtime. Runtime has to do with, now we're live. Now we're in production, we are running. Our systems are up and functional. But how secure are we in production? We've done all the initial checks, like we mentioned: put authentication in place, scanned your manifest files, your images, all of those things.
But we're live. How do you check for issues in production? How do you check that things are not working as they shouldn't in production? That's where runtime security comes into play. And so runtime security has to do with observing and protecting software as it runs. That's very straightforward. So you're running your systems, and you want to ensure that you're seeing the things that are happening. You're being secured, and you're protecting your systems against attacks. So that's where runtime security comes into play.

So I'll give an example. There's this thing called a zero-day vulnerability. And what this refers to is vulnerability attacks. Vulnerabilities that happen when your application vendor ships an application. And that application is running in prod. But the vendor did not take, of course, they do all of the initial checks. And they find these are the errors, these are the bugs, these are the things that you should be aware of. We have a new version. These are the errors in the old version. But zero-day vulnerabilities are vulnerabilities that the vendor is unaware of, because things can be in production. And there could be attacks. You cannot prevent, you certainly cannot be aware of every possible attack that would come into your system. So that's where zero-day vulnerability comes into play. And for this kind of thing, and this is just one use case for runtime security, we want to be able to detect things on the fly. We want to be able to know how our systems are doing as we go and protect against those things. So that's runtime. That's where runtime security plays a very major role.

And I don't have too many slides, of course. But I'm going to be talking about Falco. Now, Falco is a tool that's part of the CNCF landscape. Now, of course, it's one of the tools that helps with runtime security. And so how did I come across Falco? Just a few weeks or months ago, I believe, I was taking the Certified Kubernetes Security exam.
And I saw that Falco was part of the things on the curriculum. What that means, first of all, is that for the CNCF to put this in the certification, it means that it's a very important tool in the CNCF landscape. And runtime security is also very paramount in the cloud native world.

So you can think of it this way. You have your Docker image, let's say a Docker image, or whatever container system you're using. You have your image. And your application has been going good. You push this image to a registry. Somebody takes that image and begins to just run containers out of your image. So the containers are running fine. Now, if you had done checks, like static analysis on your manifest files, you probably would have spotted things like, your container is going to be running as root. And you might have blocked all of those things. So you might have seen some of those issues and fixed them. But say you fixed all of those. And you find out that there is an attack on your system. Something is happening that should not be happening. So Falco helps you with those kinds of issues, those kinds of problems.

So Falco gives you something called the ruleset. You can have rules and you can detect operations, certain operations, based on the rulesets that you get. You can assert certain conditions. You can check that this is happening, this should not happen. For instance, if via a container, something is being written to a particular directory, and it's not supposed to write to that directory, perhaps if it's an immutable container, where you don't have mutable images, mutable containers. So if your container is writing to a particular directory, maybe any directory that you just feel is a secure directory and shouldn't be tampered with, you can specify in a Falco ruleset that if something is being written to this directory, alert me, all right? You can definitely send alerts to whatever system you want.
You can have alerts on Slack, you can have alerts wherever. But the beauty about it is that you can tell when things are happening as they shouldn't, you know? By default, Falco gives you a ruleset that blocks a lot of things, all right? So you can now enable certain things. So by default, you're secure, all right? Then you can now decide to enable, based on the rules that you set, enable certain functionalities in your system at runtime, all right? But whatever is blocked, Falco detects and alerts you that this is what's happening in your system.

Let me see. Yeah, so Falco was created by Sysdig. It's now a CNCF project, a runtime threat detection engine. Like I said earlier, it analyzes the behavior of the system and compares it with a set of rules, and triggers an alert when a positive match is found. So Falco can, I'll just give some rundown. Of course, my slides are not too much. I'm doing a lot of talking. Now, say you, because some people ask, can you run Falco on Kubernetes? Can you run it on your bare metal servers and things like that? Yeah, I'll get into that, all right?

But first of all, let's talk about the event sources. How does Falco get its events? How does it know what's happening? So there's this thing called system calls in Linux, all right? And what that means is that as a Linux user, you're probably trying to perform an operation. Maybe you're reading a file or you're writing to something, you're writing to this, whatever operation you're doing. So in Linux, all right, and I know there was a Linux talk just a few, I think a few talks back, great. So Linux has this thing called system calls where I'm trying to write to a file, all right? But underneath, what's happening is that a system call is being sent, all right, to carry out that operation on my behalf. I'm just writing to a file, but there are some system calls, there are some functions in the Linux kernel that do the actual work, all right?
So Falco, now, whatever I'm doing on my Linux environment, my Linux machine or device or, you know, a Linux kernel, whatever I'm doing, it has a system call underneath, all right? And so how good would it be if I can track, I can have a look at those calls, all right, those system calls, and be able to make meaning from them. So for instance, I get a system call, I'm not an expert, I'm by no means an expert on the Linux kernel, all right? But say you have a function that maybe is read, for instance, in the Linux kernel. Now, I'm trying to read the file, that function is triggered, all right? And what Falco does is it takes that call, it takes the arguments of that call, and it builds a story and it gives you this information. So you can now say, oh, okay, this particular container, for instance, is trying to write or is trying to read from this directory, this particular file. So you have all of that detection, and in your ruleset, you might have specified that, okay, if somebody is trying to read from this directory, that's probably an attack, okay?

Now, this is runtime. It's not something baked into your image, it's not, this is at runtime. Something is happening at runtime and they're looking at, they are trying to read up files from your system, read up documents from your system. And Falco can give you all of these things on the fly as you go. So this is runtime security, that's where system calls come into play, all right? Linux system calls.

So now you can also, Falco can also get, because if you're using Linux, for instance, now this is where, this is why we have these different areas, all right, where you can get events from. So typically you take Falco and you install Falco on your machine, all right? You just take the binary and you begin to execute the binary on your machine and it begins to detect system calls.
But if you're running something like Kubernetes on the cloud, GKE, AKS, you know, and you like, a managed Kubernetes engine, you don't have access to these systems. You don't have access to the control plane, for instance. You can't access the control plane and put Falco there, all right? So what you just have is, you just have kubectl, you're talking to your cluster somewhere, all right? So Falco can also retrieve events from Kubernetes audit events, all right? So that helps you in your Kubernetes environment. And of course, you can also read up cloud logs, Falco can read up activities from cloud logs too. So that's very good.

Before I go further, let me just say this. This is my thinking and I think this is preferable. It's better to have, so look at this scenario. If you have Kubernetes running on premises, for instance, all right, on your servers, you have a couple of servers distributed and Kubernetes running there. I would rather install, you know, have Falco running on those servers than in Kubernetes. Now, the reason for this is if I get an attack on my Kubernetes cluster, Falco is gone. There's no detection anymore, all right? But if I have Falco on my servers, just bare on my servers, all right? Even if something happens to my Kubernetes environment, my Kubernetes cluster on those servers, Falco can still detect those things. So I still get, I get more information as to what happened before things went bad. So I just wanted to chip that in. If you have access to your host machines, I'd advise that you put Falco there directly.

All right, I think I have about 10 minutes more. Yeah, so I picked some resources. I was going to go into a demo, all right? But because I'm stuck somewhere, but there's this tool by Falco on LensyStick.com, Falco 101, where you can, you know, have a look at Falco and see it at runtime. You can have hands-on tutorials with Falco. So I mentioned several things, that Falco has a ruleset that you assert things against.
You assert behaviors against it. It has that ruleset. And of course, YAML files will help you do this. And yeah, so this is all that I have for this talk. It was very short, but I'm glad that I was able to do it regardless. So thank you so much.

Awesome, awesome. That was a great presentation, Hilary. I guess it's time for questions. So if anyone has any questions, please feel free to drop them in the YouTube chat. Yeah, Hilary would be happy to answer all of your questions.

And I can also, I can also answer questions. Yes. You can find me on Twitter, of course.

Exactly, yes, Hilary is super active on Twitter.

So you can find me at Hilary. I would of course put this handle in the chat as well.

Since there are no other questions, I guess that's it for Hilary. Yes, thank you so, so much Hilary for joining us. This was a super insightful talk. And yeah, we hope to, of course we hope to see you in the next one. And yeah, keep doing the play. In better conditions, hopefully.

Yes. Also. Thank you so much.

Awesome. Okay, in case you missed that, that was a session from Hilary on runtime.
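The ruleset the talk describes, written out as an added example (not from the talk, and not Falco's shipped default rules): one rule that alerts when a process inside a container writes below a directory that should stay immutable, and one that alerts when a container reads a file that should stay private. The directory list, file list, trusted process names and the rule file path are assumptions chosen for illustration; the field names (`container.id`, `evt.type`, `evt.is_open_write`, `fd.name`, `proc.cmdline`, etc.) and the `pmatch` operator are standard Falco syntax.

```yaml
# Assumed location: /etc/falco/rules.d/container_runtime.yaml (example file, not shipped with Falco).
# Macros use unique names so they do not collide with the default ruleset's own macros.

- macro: app_container
  # Falco reports container.id as the literal string "host" for processes running on the host.
  condition: container.id != host

- macro: app_open_write
  # open/openat/openat2/creat with a write flag; evt.dir = < picks the syscall exit event
  condition: evt.type in (open, openat, openat2, creat) and evt.is_open_write=true and evt.dir = <

- macro: app_open_read
  condition: evt.type in (open, openat, openat2) and evt.is_open_read=true and evt.dir = <

- list: app_protected_dirs
  # Constructed example: paths that an immutable container should never modify at runtime
  items: [/etc, /usr/bin, /usr/sbin, /app/config]

- list: app_sensitive_files
  # Constructed example: files whose contents should not be read from inside a workload
  items: [/etc/shadow, /app/secrets/db_password, /var/run/secrets/kubernetes.io/serviceaccount/token]

- list: app_trusted_readers
  # Constructed example: the one binary expected to read the mounted service account token
  items: [app-server]

- rule: Container Write Below Protected Dir
  desc: A process inside a container wrote a regular file under a directory that should be immutable
  condition: app_container and app_open_write and fd.typechar = f and fd.name pmatch (app_protected_dirs)
  output: >
    File written below protected directory in container
    (user=%user.name command=%proc.cmdline file=%fd.name
    container_id=%container.id container_name=%container.name
    image=%container.image.repository:%container.image.tag)
  priority: WARNING
  tags: [filesystem, container, runtime]

- rule: Container Read Of Sensitive File
  desc: A process inside a container opened a sensitive file for reading, and it is not a trusted reader
  condition: >
    app_container and app_open_read and fd.name in (app_sensitive_files)
    and not proc.name in (app_trusted_readers)
  output: >
    Sensitive file read inside container
    (user=%user.name process=%proc.name command=%proc.cmdline file=%fd.name
    container_id=%container.id container_name=%container.name)
  priority: ERROR
  tags: [filesystem, container, runtime, secrets]
```

Load it on the host with `falco -r /etc/falco/rules.d/container_runtime.yaml` so, as the talk recommends, detection survives even if the cluster itself is compromised; Falco prints each match to its configured outputs, which is where a Slack or other notification integration picks it up.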