Hi everybody and welcome. This is the Falco maintainer track. If you want to know what's going on in Falco, you are in the right place.

Before we start, let's introduce ourselves. I'm Jason, I'm an open source engineer at Sysdig and one of the core maintainers of Falco.

And I am Leonardo Grasso, and guess what? I am another software engineer too, and I'm also a Falco core maintainer. You can find us on GitHub and also on Twitter; all the links are in the deck. We are both here on behalf of the Falco community to give you some updates about the Falco project.

So let's start with the agenda. In this talk we will give you a brief overview about what Falco is, and then we'll continue with the project updates from last year until now. In the second part of the presentation we will deep dive into the new amazing feature of Falco: the plugin system. We will also describe the plugin SDK and the plugin registry. Finally, we will conclude the presentation with a preview of future development. Let's start.

Okay, let's get to work. Maybe you are familiar with Falco, or maybe it's the first time you've heard about it, so I'm gonna give a brief overview for everyone to be on par. Falco is a cloud native runtime security tool that monitors everything that happens in your system and sends security alerts whenever something suspicious or a cyber attack is detected. Falco is pretty easy to deploy and configure, and it catches cyber attacks right in the moment they happen, so that you can take immediate action. That's why we love Falco so much, and why it's acknowledged as a de facto standard for Kubernetes and cloud native environments.

Sounds cool, but how does that all work in practice? Falco is designed to consume a stream of events, extract information from them, and then send you alerts whenever something bad is detected. Data flows in only one direction and is not retained or stored anywhere.
Everything happens in real time, following the activity of your system. The core data source Falco is able to consume is system calls. System calls tell you a lot about what's going on in your system: from them you have visibility over all the processes that are running, all the containers, and all that kind of stuff. Events are collected at the kernel level with either a kernel module or a BPF probe, and in time Falco started supporting many more event sources thanks to the new plugin system, but we'll get back to it later. And then, when an event matches a given security rule, Falco sends you an alert on many different outputs, for example simple stdout (that's trivial), or an HTTP webhook, or gRPC. So it's very easy to make Falco suit your specific use case.

So now you pretty much know where we are, but let's also give a quick look at Falco's history. In 2016 Sysdig started developing Falco as an open source project, trying to fill some of the gaps in the cloud security industry. Later Falco was donated to the CNCF as a sandbox level project, looking forward to creating a community around it and making the governance truly open. Two years ago Falco was promoted in the CNCF to an incubating project, and the community of Falco lovers started to grow even further. Right now, at least the two of us are pretty proud about what the community is doing so far, and we look forward to seeing more. So, pretty much, this is the introduction. Let's say we can go to the news part.

Yeah, from this point on we will cover the most exciting achievements of the project during the last year. So let's go with the project updates. One of the first notable changes was the new release cadence. Until version 0.30 a new Falco version came out every two months or so. Then the maintainers and the community, after a very long discussion (I participated in that discussion, I remember very well), decided to switch to just three releases per year.
It's like Kubernetes, which also is given three releases per year. The new releases now happen at precise moments of the year: at the end of January, May and September. Of course, we will continue to release fixes and minor patches whenever needed. The new release cycle reflects the grown maturity level of Falco; for this reason we changed the release guidance. Now users should expect more stable versions of Falco, and also they have a bit more time, I mean more time between two releases.

What's next? Another important feature of Falco is that Falco comes with a robust set of richly extensible default rules. The community continuously updates the rules to improve the detection of new security threats. In about one year we got a lot of new rules, especially in privilege escalation detection, but also in the container security context. We could not include all the rules on the slides, this is just a list, so if you are interested in all the details, please take a look at the Falco changelog. And by the way, if you don't find a predefined rule for your use case, please tell us or make a PR; we will be happy to work with you.

Going next, I'm really proud of the huge work we did renovating our code base and, at the same time, fixing a ton of bugs. Most of the work we did was done on those software components that we call the libs and drivers. Basically, they are the foundation of Falco, as you can see in this diagram. Libs and drivers were originally created by Sysdig as a part of another open source project. At the beginning of 2021 the source code was transferred to the falcosecurity organization, and now it's fully owned by the Falco project. Once that happened, we immediately asked ourselves: can we improve the code? And not really, at first; the first step was just to rewrite everything. Jokes aside, we did a lot.
We spent a lot of effort in cleanups, because we had a lot of legacy code, and also in trying to find some spots for improvements. Another thing that we really believed was very important is to make those libs and drivers consumable by other projects. We spent a lot of time also in refining the interfaces. To be honest, there is a lot of work in progress still today, but we were right indeed: we are very happy to say that the SysFlow project from IBM, but also StackRox from Red Hat, are using our libraries and drivers.

We also increased the testability, especially, we have a wider... okay, we support more kernels for our BPF probe, sorry, and ARM support is coming very soon.

Other improvements. Perhaps one of the most important things we implemented in the last year was security fixes, in particular to address the two CVEs discovered during the last year. If you are curious about those CVEs, or in general about the security stuff that we continuously address, you can take a look at our security advisories; you can find all the links in the deck. We also increased the syscall support: we added some missing security critical syscalls like, for example, userfaultfd and execveat. After that work, to address the... okay, now it's time to talk about the most exciting feature that Falco has got: the new plugin system.

The plugin system is the result of about one year of work. We could say that the plugin system is a way to extend the capabilities of Falco, but for us it's also a standard way for new features and integrations to be added to Falco. And indeed it is, but plugins are also a way to extend the applicability of the Falco philosophy to an endless number of new domains.

Okay, so let's get to it. At this point the plugin system was mentioned a couple of times already, but we only scratched the surface. So given the fact that this is one of the most game-changing features that we introduced over the past year, we thought it was good to have a
dedicated section just for it in this presentation. So, plugins are little modules that can extend the functionality of Falco, basically, and they can be loaded at runtime in the form of dynamic shared libraries, which also means that you can develop them in basically any language, as long as you are able to comply with a very simple little C API. Plugins fit inside the Falco libraries and can extend one or more of their capabilities. We really tried our best to keep the learning curve as simple as possible, to allow everyone to get involved without a lot of effort, even and especially those that are new to the project. And finally, plugins are developed, compiled and distributed outside of the Falco code base, which also means that everyone can have their own plugin, and the effort can be really community driven, because it's easy for people to create their own extension and share it. And it's also easier for adopters to adapt Falco to their specific use cases.

One of the things that, for example, a plugin can do is providing a new event source to Falco. Again, Falco historically only supported system events coming from the kernel, and then in time we had additional support for another event source, which was the Kubernetes audit log. So the next logical step was for the plugin system to standardize this and create a unified, coherent way for people to develop new event sources for Falco. Events coming from new sources are processed by the Falco engine just like system events, and then they can be matched against security rules just like before. You can also extract more data for those rules, which I'm gonna cover later. A good instance of this is the AWS CloudTrail plugin, which basically allows you to connect Falco to your AWS infrastructure, grab and read all the audit logs, and basically makes you able to discover at runtime if something bad is about to happen, like for instance if someone logs in
without multifactor authentication, or if a sensitive file or S3 bucket gets touched. Then Falco again extracts data from those events. Guess what, plugins can extend this functionality too. This basically allows plugin developers to define new fields for the event sources supported by Falco, which can then be used to write new security rules. A good example for this, like you see on the right, is again the CloudTrail plugin. As you can see here, we use totally new fields in the rules, like for example the entity type, to detect the unsafe login. Then those same new fields introduced by the plugins, just like before with system events, can be used to create outputs to send along with the alerts on the Falco output framework.

Sounds cool. You may wonder, how do I start, how do I get involved with this? We did our best to provide SDK packages so that contributors could get up to speed without thinking too much about all the technical details. We got something in the works for C++ for example, but we got something fully functional for Go: we have a Go SDK with which you can write plugins for Falco out of the box. It works. We personally like Go, and it is a much loved language in the cloud native community, so that's why Go was one of the first languages which we gave priority to support with an SDK. Another reason is that writing simple and yet performant code between C and Go is not an easy task, so we thought, I mean reasonably we thought, that creating something that works out of the box for the community was a good thing. Plus, we expect many other community supported SDKs for other languages are about to come in the future too.
So please stay tuned for this. This is a pretty simple overview of what you can expect your developer experience to look like when you play with the Go SDK. We really tried to make things as simple as possible, so developing a plugin is just a matter of defining a new type and making it implement an interface with a few methods. The SDK takes care of implementing and satisfying all the plugin API requirements, so you don't have to think about it. Once you're happy with your work and you have your Go code, you can just compile it to a C shared library and load it into Falco. Plugins are part of the Falco configuration, which is kind of like the YAML file you see on the left, so basically it's pretty easy to just set it up and configure it like you like.

Here instead you can see some Go interfaces for implementing either the event sourcing or the field extraction capabilities that I showed before. The SDK defines the core interfaces in totally separate packages, so that you can just import the ones you need and compose your plugin with the features you want to extend in the system. You can also see how those two features specifically relate in the Falco execution flow. Now there's no time to go deep into this, maybe in the Q&A session if you really want, but it's worth mentioning that the SDK heavily optimizes these two specific code paths, because they are executed many times per second and we had to reduce the cgo overhead as much as possible.

The plugin framework and the Go SDK are relatively new stuff, but we went further. At some point during the development we realized that we needed to respect some technical constraints: for example, plugins capable of sourcing events needed a unique ID, and it could be assigned... We also needed a way to coordinate plugins out there, because for example they have to choose the name of the new data source, okay, so the names of the data sources must not... And then we decided at this point to
create a record of plugins officially acknowledged by the... That's basically our plugin registry, which also hosts some plugins, and which also helps developers to share their plugins. And it was a success indeed: the ecosystem is growing fast. In just about three months we got a lot of plugins. The first plugin actually is the porting of a data source that was already present in Falco, the Kubernetes audit log, reported as a plugin. The other one is Amazon CloudTrail, that was the first plugin implemented. A plugin that grabs the ground... another plugin that works with the second agent, and another plugin to create a rule on the event, off the event. There are already other requests open, and new plugins that are coming, but we are looking forward to seeing your plugins. We are waiting for you. By the way, if you need any help with that, or to get to know more about plugin development, please reach out; we will be happy to help, always.

Okay, so far we have talked about plugins, but what's beyond that? Let's find out some developments that are in progress. Immediately after we implemented the plugins, which also needed a dedicated ruleset, because you know each plugin has its set of rules dedicated to that data source, we recognized that we needed to distribute the plugin artifacts, but also the rules files. So we made a plan. Basically, we are going to develop a tool for downloading and installing the plugins and rules in a deployment, but also we wanted the ability to automatically get updates, especially about rules. Imagine that you have rules installed yesterday, but a new CVE comes out: the rules get updated and you can receive the updates automatically. Since we already had a tool called falcoctl, that's unfortunately a bit abandoned at the moment, our plan is just to resurrect it and provide those features through it.
Oh, another, maybe more important, effort going on is the renovation... it's not actually renovation, it's a new... Basically, in the last months there were a lot of discussions about the modernization of our... All those discussions, made by the community, converged to a proposal that's currently in development. The most relevant aspects of this proposal are: compile once, run everywhere; support the use of the native BPF ring buffer; also, we are trying to reduce the usage of the BPF helpers; and we will add native multi-arch support. Of course, for time constraints, we can't cover all the details here, but you can find all the details in the proposal; the links are in the slides, and I also believe the author of the proposal is in this room, so if you want to ask, I would say better... okay.

We are reaching almost the end of this talk, but before we leave we would like to say that you can find us in our office hours; we will be very happy to meet you. The Falco channel on the Kubernetes Slack is where all the conversation in the community happens, so please feel free to join and say hi. I can assure you everyone is very welcoming and nice. Plus, we meet each other every Wednesday for the community call, and that's also where we discuss all the current developments and requirements. If you really want to stay tuned, you can also subscribe to the mailing list. We write basically whatever happens, like every new release, or when the community call time changes, which happens, you know, at different times and stuff.

So before jumping to the Q&A session, we just wanted to remind you that you can download this presentation. You can find the link on sched.com, and there's actually some value, because we realized we couldn't fill all these slides with QR codes, and we placed links all around the place, so you can find easy pointers for many of the things that we thought about there. Yeah, so thank you for attending. I really hope you enjoyed this. Any questions at this point? Is it on?
Oh, there we go. Yeah.

So you went through the discussions of, like, the plugin system and building binaries like DLLs, sir. Yeah, is there any idea of adding support, for example, for Wasm?

Something interesting to look at. Basically, it's just a shared library: there is a set of C symbols that the plugin has to export. It's just that at the moment Falco dynamically loads the .so file, but it would be very interesting to look at that. Good idea, thank you.

Anything coming from the virtual... from this Slack group, from the Slack channel? Okay. Anyone else? Well, I think we can close it then. Thank you so much, everyone.