Good morning, everyone. My name is Loris Degioanni. I'm CTO and founder at Sysdig. Sysdig is a leading provider in container, Kubernetes, and cloud security. And of course, we're hiring. Today, I'm going to talk about detecting threats in cloud environments, and in particular, in cloud infrastructures. And I want to start by just recapping what you can do with the majority of cloud providers. Typically, cloud providers offer standardized, opinionated facilities for collection of logs from different services that are ideal for collecting information that can be used to detect threats in cloud infrastructures. For example, in Amazon, we have CloudTrail. Every cloud provider has similar services. And CloudTrail is very nice because it automatically collects, in a standard format, logs from multiple services and puts them in cheap storage, for example, S3 on AWS. Now, what we do after that is a little bit more complicated, because this log needs to be essentially collected, parsed, and treated in some way. And very often, the way people hunt for threats in these logs is they take them, they move them to a logging backend, which requires both bandwidth cost and storage cost, and then they essentially create alerts or rules or something like that based on that. I argue, or I propose, a better way to do this, a way that is based completely on open source and is based on Falco, which is a Cloud Native Computing Foundation incubating project. And the best way that I have to describe Falco is the security camera for modern apps. Falco is deployed by many, many thousands of users around the world, from small, single-machine deployments to giant-scale deployments in some of the biggest companies in the world. And Falco is based on some core principles: the idea of collecting granular data, traditionally coming from containers and from system calls, using, for example, eBPF as a source of collection.
The idea of enriching this data with context, for example, Kubernetes metadata context; the idea of having robust defaults and something that works very well out of the box to detect threats and do runtime security, but also having a nice language for extensibility. And Falco is optimized for real-time and runtime security. It's simple and is designed to work at the edge and move as little data as possible. Falco traditionally works for containers and virtual machines and sits on every single endpoint and is able to capture the data from multiple containers by sitting in the kernel of the operating system. And these are some examples of detections, of rules, that you have with Falco: a shell is running in a container; somebody is modifying a system binary; somebody is trying to escape a container; and so on and so forth. So, very granular real-time detection. That's why I call it a security camera. What we've done recently as the Falco community is we've extended Falco. This diagram shows essentially the flow of information through Falco, and typically, historically, Falco is capturing system calls using either a kernel module or an eBPF probe. We've extended it through a plugin system so that it's essentially possible now to collect from arbitrary sources. And we've created, for example, a plugin for CloudTrail. And now, thanks to this plugin, you can very easily take Falco and connect it automatically to your source of logs in CloudTrail, without having to copy the data, without having to put them in a SIEM tool or in a logging tool, and so on. Falco, in real time, can just look at the stream of events that CloudTrail is producing. And this is an example of a rule. I'm not trying to teach you the Falco syntax. It's not hard, but this is not the scope here. But as you can see, this is a rule that detects a console login without multi-factor authentication. And as you can see, the condition is typically the rule, the actual filter that Falco looks for in the events.
And as you can see, it's pretty readable and allows you to express, essentially, Falco rules using CloudTrail events. Of course, you can write your own CloudTrail events. You don't have to, because Falco comes equipped with a nice set of default rules that allow you to detect a bunch of stuff, including configuration changes, unusual behavior from users, data exfiltration, for example, from S3 buckets, somebody maybe making an S3 bucket public, or somebody accessing sensitive data on the bucket. All of this kind of stuff is already part of the default rules that you get when you deploy Falco for CloudTrail security. To summarize, compared to maybe the traditional way of doing things, we have something that, first of all, leverages a tool that is a CNCF tool that is free as in free beer and free speech. It's real-time and responsive, so it doesn't need to index the data. It doesn't need to treat the data before it generates the alerts, but is able, in a few seconds essentially, to notify you when there's something wrong going on in your cloud infrastructure. And this is a very good complement to cloud security posture management tools that maybe look at APIs and do this kind of stuff, because the use of real-time security and runtime security with Falco is very instantaneous and immediate. It provides full coverage, and it's very interesting because now, with Falco, you have protection both for the workloads, for the containers, and, with the same tool, with the same syntax, with the same deployment, you also have coverage for the cloud infrastructure, where very often your Kubernetes, your containers, your virtual machines run. Falco is efficient, therefore it's very cheap. It doesn't store data and requires very little CPU, because it's very optimized, for example for eBPF system call treatment. It's scalable, so it's designed to work at scale in big infrastructures. And of course, it allows you to avoid expensive copies and data movements, so it's also very affordable.
I could keep talking about that, but I think I'll just conclude by giving you some pointers. The first one is the Falco website. The second one is the community, where myself and all of the other Falco contributors and maintainers get together. We have a Slack channel, we have a weekly Zoom call, and we always welcome both new contributors and new users that give us feedback. So these are the links. Thank you for listening, and happy security.
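To make the "evaluate rules directly on the CloudTrail event stream" idea from the talk concrete, here is an added example that is not part of the talk and not Falco's own code or the Falco CloudTrail plugin. It reads CloudTrail records in their native JSON shape and applies two conditions modelled on the detections the talk mentions (a console login without MFA, and an S3 bucket ACL opened to everyone) as each record streams by, with nothing indexed or stored. The rule names, the `Rule`/`get`/`evaluate` helpers, and the sample records are all constructed for this illustration; the field paths (`eventName`, `userIdentity.type`, `responseElements.ConsoleLogin`, `additionalEventData.MFAUsed`, `requestParameters.x-amz-acl`) are the ones CloudTrail itself uses, and Falco expresses equivalent checks in its own rule syntax rather than in Python.

```python
"""Stream detector over CloudTrail records, in the spirit of the rules the talk
describes (console login without MFA, S3 bucket made public). Added example, not
Falco's code: Falco's CloudTrail plugin writes these checks in Falco rule syntax;
here the conditions are plain Python functions over the raw CloudTrail JSON."""
import json
from typing import Any, Callable, Dict, Iterable, Iterator, List, NamedTuple

class Rule(NamedTuple):
    name: str
    priority: str
    condition: Callable[[Dict[str, Any]], bool]
    output: Callable[[Dict[str, Any]], str]

def get(rec: Any, path: str, default: Any = None) -> Any:
    """Walk a '/'-separated path through nested dicts, e.g. '/userIdentity/type'."""
    cur = rec
    for key in path.strip("/").split("/"):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def console_login_without_mfa(r: Dict[str, Any]) -> bool:
    # Successful console login recorded with MFAUsed=No. Failed logins and
    # AssumedRole sessions (whose MFA state lives on the role assumption) are skipped.
    return (r.get("eventName") == "ConsoleLogin" and "errorCode" not in r
            and get(r, "/userIdentity/type") != "AssumedRole"
            and get(r, "/responseElements/ConsoleLogin") == "Success"
            and get(r, "/additionalEventData/MFAUsed") == "No")

def bucket_acl_opened_to_all_users(r: Dict[str, Any]) -> bool:
    # PutBucketAcl with a canned public ACL or an explicit grant to the AllUsers
    # group. CloudTrail logs x-amz-acl as a list; a bare string is accepted too.
    acl = get(r, "/requestParameters/x-amz-acl", [])
    acl = acl if isinstance(acl, list) else [acl]
    grants = get(r, "/requestParameters/AccessControlPolicy/AccessControlList/Grant", [])
    grants = grants if isinstance(grants, list) else [grants]
    public_grant = any(str(get(g, "/Grantee/URI", "")).endswith("/AllUsers") for g in grants)
    return (r.get("eventName") == "PutBucketAcl" and "errorCode" not in r
            and (any(a in ("public-read", "public-read-write") for a in acl) or public_grant))

RULES: List[Rule] = [
    Rule("Console Login Without MFA", "CRITICAL", console_login_without_mfa,
         lambda r: f"console login without MFA (user={get(r, '/userIdentity/userName')} "
                   f"ip={r.get('sourceIPAddress')} region={r.get('awsRegion')})"),
    Rule("Put Bucket ACL for AllUsers", "CRITICAL", bucket_acl_opened_to_all_users,
         lambda r: f"bucket made public (bucket={get(r, '/requestParameters/bucketName')} "
                   f"user={get(r, '/userIdentity/userName')} ip={r.get('sourceIPAddress')})"),
]

def evaluate(records: Iterable[Dict[str, Any]]) -> Iterator[Dict[str, str]]:
    """Apply every rule to each record as it streams by: no indexing, no storage."""
    for rec in records:
        for rule in RULES:
            if rule.condition(rec):
                yield {"rule": rule.name, "priority": rule.priority, "output": rule.output(rec)}

def scan_cloudtrail_json(text: str) -> List[Dict[str, str]]:
    """Scan one CloudTrail log file body ({"Records": [...]}) and return the alerts."""
    return list(evaluate(json.loads(text).get("Records", [])))

# Constructed sample records in CloudTrail's JSON shape (not real account data).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.6", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.9", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"bucketName": "example-data", "x-amz-acl": ["public-read"]}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "requestParameters": {"bucketName": "example-data", "key": "report.csv"}},
]

def detect_sample() -> List[Dict[str, str]]:
    """Run the rules over the constructed sample records (used by the demo below)."""
    return scan_cloudtrail_json(json.dumps({"Records": SAMPLE_RECORDS}))

if __name__ == "__main__":
    for alert in detect_sample():
        print(f"{alert['priority']} {alert['rule']}: {alert['output']}")
```

Running the module fires exactly two alerts out of the five sample records: alice's successful login without MFA and carol's `PutBucketAcl` with `public-read`. The failed login and the MFA-backed login are deliberately excluded so the alert stays actionable, which is the same kind of narrowing a production rule needs to avoid noise. In a real deployment the `evaluate` loop would be fed from the S3 object notifications or SQS queue that CloudTrail writes to, which is what lets the detection stay at the edge of the data rather than behind a logging backend.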