From 3c3cf32d065af82895c1c324c3e2aa3055c8c222 Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Wed, 30 Oct 2024 16:51:31 +0100 Subject: [PATCH] chore: formatting and style For "cloud native" and "open source" style guide see https://www.cncf.io/blog/2018/09/04/the-cloud-native-computing-foundation-cncf-style-guide/ Signed-off-by: Leonardo Grasso --- .../en/about/case-studies/trendyol/index.md | 8 +-- .../en/blog/community-survey-2023/index.md | 6 +- content/en/blog/falco-mitre-attack/index.md | 4 +- ...-on-rke-bare-metal-cluster-with-rancher.md | 2 +- .../en/blog/giantswarm-app-platform-falco.md | 4 +- content/en/blog/gsoc2023/index.md | 2 +- content/en/blog/kernel-testing/index.md | 2 +- content/en/blog/nist-controls/index.md | 2 +- .../blog/sign-verify-plugins-rules/index.md | 2 +- content/en/blog/sysflow-falco-sidekick.md | 2 +- .../en/blog/tidal-registry-release/index.md | 2 +- .../index.md | 4 +- .../index.md | 4 +- content/en/blog/wireshark-to-falco/index.md | 16 ++--- .../en/docs/troubleshooting/start-up-error.md | 2 +- data/canonical-tags/community.yaml | 2 +- data/en/features.yaml | 36 ++++++------ layouts/community/falco-brand.html | 58 ++++++++++++++----- 18 files changed, 92 insertions(+), 66 deletions(-) diff --git a/content/en/about/case-studies/trendyol/index.md b/content/en/about/case-studies/trendyol/index.md index 8c3a40c8b..2a3301b6e 100644 --- a/content/en/about/case-studies/trendyol/index.md +++ b/content/en/about/case-studies/trendyol/index.md 
@@ -33,14 +33,14 @@ Trendyol aimed to create a system capable of identifying three specific anti-pat ## Journey to Falco -To tackle tracking activities in its production environment, Trendyol created a monitoring solution by leveraging two open-source projects: Falco and Fluent Bit. The team successfully developed an audit observability system and implemented alerting mechanisms by utilizing this architecture. These components work together to efficiently identify recurring patterns, enabling improved threat detection and enhanced visibility within the system. +To tackle tracking activities in its production environment, Trendyol created a monitoring solution by leveraging two open source projects: Falco and Fluent Bit. The team successfully developed an audit observability system and implemented alerting mechanisms by utilizing this architecture. These components work together to efficiently identify recurring patterns, enabling improved threat detection and enhanced visibility within the system. ### Learn about the Technology -[Fluent Bit](https://fluentbit.io) is an open-source tool that is lightweight and high-speed, serving as a data forwarder. It can collect, process, and forward logs and metrics from diverse sources to different destinations in real time. Unlike other popular open-source tools, Fluent Bit is specifically designed to be more efficient and consume fewer resources. It can be used as a standalone tool or as a lightweight substitute for Fluentd in larger logging infrastructures. +[Fluent Bit](https://fluentbit.io) is an open source tool that is lightweight and high-speed, serving as a data forwarder. It can collect, process, and forward logs and metrics from diverse sources to different destinations in real time. Unlike other popular open source tools, Fluent Bit is specifically designed to be more efficient and consume fewer resources. 
It can be used as a standalone tool or as a lightweight substitute for Fluentd in larger logging infrastructures. -[Falco](https://falco.org) is an open-source project focused on cloud-native runtime security. Its primary purpose is to monitor and identify unexpected behavior within cloud, host, and container-based environments, particularly in Kubernetes. By leveraging various event sources, such as Kubernetes audit logs and kernel system calls, Falco can promptly detect and raise alerts for potential security threats. It offers in-depth insights into the nature of these threats, empowering security teams to respond swiftly and efficiently to mitigate risks. +[Falco](https://falco.org) is an open source project focused on cloud-native runtime security. Its primary purpose is to monitor and identify unexpected behavior within cloud, host, and container-based environments, particularly in Kubernetes. By leveraging various event sources, such as Kubernetes audit logs and kernel system calls, Falco can promptly detect and raise alerts for potential security threats. It offers in-depth insights into the nature of these threats, empowering security teams to respond swiftly and efficiently to mitigate risks. Events related to the Kernel tell us most of what happens above. Leveraging syscalls and kernel events is essential for monitoring the system and detecting potential security threats, as they play a crucial role in providing essential information about the activities and behavior of processes within the system. 
@@ -110,6 +110,6 @@ By leveraging Fluent Bit's features and implementing a standardized configuratio The architecture implemented by Trendyol emphasizes optimal performance, scalability, fault tolerance, and vendor independence. The system collects and processes Kubernetes Audit Logs and Linux Kernel System Calls, using Falco and Fluent Bit to enrich and distribute the logs. Falco applies rule-based detection to evaluate the logs, generating alerts when specific behaviors or Indicators of Compromise (IoC) are detected. By forwarding alerts through Fluent Bit, Trendyol efficiently processes and stores them, ensuring comprehensive monitoring and long-term log storage for real-time threat detection and future analysis. -Overall, Trendyol's use of Falco and Fluent Bit has optimized resource utilization, streamlined configuration, and established a scalable monitoring system. The combination of these open-source projects has allowed Trendyol to enhance security, improve visibility, and efficiently track activities within its complex infrastructure. Moreover, Trendyol has achieved a repeatable configuration pattern that can be applied to new clusters, regardless of the region they are created in. This consistency in configuration allows for streamlined deployment and management of the monitoring system across different clusters, simplifying the operational processes and ensuring a consistent security monitoring approach. +Overall, Trendyol's use of Falco and Fluent Bit has optimized resource utilization, streamlined configuration, and established a scalable monitoring system. The combination of these open source projects has allowed Trendyol to enhance security, improve visibility, and efficiently track activities within its complex infrastructure. Moreover, Trendyol has achieved a repeatable configuration pattern that can be applied to new clusters, regardless of the region they are created in. 
This consistency in configuration allows for streamlined deployment and management of the monitoring system across different clusters, simplifying the operational processes and ensuring a consistent security monitoring approach. {{< /blocks/content >}} diff --git a/content/en/blog/community-survey-2023/index.md b/content/en/blog/community-survey-2023/index.md index d61879a88..4de6cedb1 100644 --- a/content/en/blog/community-survey-2023/index.md +++ b/content/en/blog/community-survey-2023/index.md @@ -19,7 +19,7 @@ slug: community-survey-2023 --- -Diving into the Falco community survey, this report unveils the fascinating world of Falco adoption and usage. As an open-source cloud-native runtime security project, Falco has captured the attention of a diverse audience. This survey reached out to community members across various channels, including Slack, mailing lists, and social media platforms. +Diving into the Falco community survey, this report unveils the fascinating world of Falco adoption and usage. As an open source cloud-native runtime security project, Falco has captured the attention of a diverse audience. This survey reached out to community members across various channels, including Slack, mailing lists, and social media platforms. Delving into various aspects of Falco adoption, this report uncovers insights on user roles, cloud providers, adoption motivations, deployment strategies, rule sets, challenges, and integrations. It also highlights areas that need improvement, like documentation and support, to enhance the overall experience for newcomers. These valuable insights will help guide the evolution of Falco, making it an even more robust and user-friendly cloud-native runtime security solution. 
@@ -36,7 +36,7 @@ Of the 24 individuals who participated in the survey, 22 shared their profession ## Reasons for Adopting Falco -Security threat detection tops the list as the driving force behind Falco adoption, followed closely by auditing and compliance. Sandbox testing and incident response are also cited as compelling reasons to embrace Falco. Notably, one participant isn't using Falco, while a couple of others leverage its libraries and policy language within their unique open-source projects. These findings highlight Falco's versatility in catering to diverse security requirements across numerous domains. +Security threat detection tops the list as the driving force behind Falco adoption, followed closely by auditing and compliance. Sandbox testing and incident response are also cited as compelling reasons to embrace Falco. Notably, one participant isn't using Falco, while a couple of others leverage its libraries and policy language within their unique open source projects. These findings highlight Falco's versatility in catering to diverse security requirements across numerous domains. **2. Why are you adopting Falco?** 
@@ -160,7 +160,7 @@ Other recommendations included a contributing guide and templates, end-to-end tu ## Community support -The survey measured the quality of community support for Falco on a scale of 1-5, with an average rating of 4.2, indicating that the majority of respondents found it very helpful. This positive feedback reflects the strength of the Falco community's willingness to provide support to new members, highlighting the essential role of community support in the success of open-source projects. A small number of respondents rated Falco's community support as not helpful, with others rating it as somewhat helpful or neutral. Overall, the survey results suggest that the Falco community is a valuable resource for those seeking support and guidance. +The survey measured the quality of community support for Falco on a scale of 1-5, with an average rating of 4.2, indicating that the majority of respondents found it very helpful. This positive feedback reflects the strength of the Falco community's willingness to provide support to new members, highlighting the essential role of community support in the success of open source projects. A small number of respondents rated Falco's community support as not helpful, with others rating it as somewhat helpful or neutral. Overall, the survey results suggest that the Falco community is a valuable resource for those seeking support and guidance. **11. On a scale of 1 - 5, how would you rate Falco’s community support?** diff --git a/content/en/blog/falco-mitre-attack/index.md b/content/en/blog/falco-mitre-attack/index.md index d2db4e91c..3d0cd4d66 100644 --- a/content/en/blog/falco-mitre-attack/index.md +++ b/content/en/blog/falco-mitre-attack/index.md 
@@ -16,7 +16,7 @@ The landscape of cybersecurity attacks has witnessed a notable rise in sophistic The ATT&CK Framework serves as an extensive repository of documented tactics, techniques, and procedures (TTPs) commonly employed by cyber adversaries. By gaining a comprehensive understanding of these TTPs, organizations can enhance their defensive capabilities and fortify their cybersecurity posture. -Falco is a valuable open-source tool that provides runtime security for containers, virtual machines, and standalone Linux hosts. Organizations use Falco to monitor, detect, identify, and respond to suspicious activity. Falco detects suspicious activities and alerts security teams in real-time based on static rules provided in the rules file. +Falco is a valuable open source tool that provides runtime security for containers, virtual machines, and standalone Linux hosts. Organizations use Falco to monitor, detect, identify, and respond to suspicious activity. Falco detects suspicious activities and alerts security teams in real-time based on static rules provided in the rules file. Whether you are a security analyst, a DevOps engineer, or an avid container enthusiast, this blog offers invaluable insights on utilizing MITRE ATT&CK-focused Falco rules to bolster your environment against advanced adversarial attacks. 
@@ -32,7 +32,7 @@ In order to detect malicious activities using static rules, Falco relies heavily ### Bring in Falco -Falco uses a rule-based system to monitor application and container behavior in real-time. With predefined rules, Falco detects security threats like privilege escalation, file system manipulation, abnormal process execution, and many more. It continuously compares system activities against these rules, and either generates alerts or takes action when a match occurs. Since Falco is open-source, its flexibility allows customization of rules to fit an organization’s specific security requirements. By integrating with container orchestration platforms, Falco collects data from various sources and applies the rules in real-time, enabling proactive threat detection and prevention for cloud-native applications. +Falco uses a rule-based system to monitor application and container behavior in real-time. With predefined rules, Falco detects security threats like privilege escalation, file system manipulation, abnormal process execution, and many more. It continuously compares system activities against these rules, and either generates alerts or takes action when a match occurs. Since Falco is open source, its flexibility allows customization of rules to fit an organization’s specific security requirements. By integrating with container orchestration platforms, Falco collects data from various sources and applies the rules in real-time, enabling proactive threat detection and prevention for cloud-native applications. It is important to note that Falco will not identify a type of attack or malware. Rather, its strength lies in efficiently detecting common malicious system behaviors. Falco acts as a notifier, bringing your attention to specific system activities that have occurred. Once alerted, it becomes your responsibility to investigate the activity and take the appropriate steps to mitigate and prevent further malicious activities. 
diff --git a/content/en/blog/falco-security-and-monitoring-on-rke-bare-metal-cluster-with-rancher.md b/content/en/blog/falco-security-and-monitoring-on-rke-bare-metal-cluster-with-rancher.md index 6d439faf4..74bc34c29 100644 --- a/content/en/blog/falco-security-and-monitoring-on-rke-bare-metal-cluster-with-rancher.md +++ b/content/en/blog/falco-security-and-monitoring-on-rke-bare-metal-cluster-with-rancher.md 
@@ -22,7 +22,7 @@ For security, there is no tool that can do everything. So, we have different lay ### Falco -From many different sources I heard about the open-source project Falco. Falco describes itself as the *de facto Kubernetes threat detection engine.* It uses system calls, kernel events, and additional sources like Kubernetes Audit Events to monitor the runtime behavior of an entire cluster on different levels like sensitive access on nodes or single containers. It uses YAML files to define its detection rules. So, we don't have to learn any additional configuration language. Falco ships with a large set of predefined rules, provided by and maintained by the open-source community, which covers a large part of our needs. Beyond our requirement furthermore, it brings support for detecting scenarios like insecure use of configmaps for credentials. +From many different sources I heard about the open source project Falco. Falco describes itself as the *de facto Kubernetes threat detection engine.* It uses system calls, kernel events, and additional sources like Kubernetes Audit Events to monitor the runtime behavior of an entire cluster on different levels like sensitive access on nodes or single containers. It uses YAML files to define its detection rules. So, we don't have to learn any additional configuration language. Falco ships with a large set of predefined rules, provided by and maintained by the open source community, which covers a large part of our needs. Beyond our requirement furthermore, it brings support for detecting scenarios like insecure use of configmaps for credentials. ### Decisions diff --git a/content/en/blog/giantswarm-app-platform-falco.md b/content/en/blog/giantswarm-app-platform-falco.md index 07e601ef8..1416d8cb3 100644 --- a/content/en/blog/giantswarm-app-platform-falco.md +++ b/content/en/blog/giantswarm-app-platform-falco.md 
@@ -14,7 +14,7 @@ In this article, you will learn how Giant Swarm simplifies the maintenance of th Having CoreOS, Fleet, and Docker as base technologies, [Giant Swarm](https://www.giantswarm.io/about) was founded in 2014. In 2016, it chose Kubernetes to reinvent itself. And just a year later, in 2017, it became part of the founding members of the [Kubernetes Certified Service Providers](https://linuxfoundation.org/press-release/cloud-native-computing-foundation-announces-first-kubernetes-certified-service-providers/). Customers like [Adidas](https://www.giantswarm.io/customers/adidas) or [Vodafone](https://www.giantswarm.io/customers/vodafone) backup a company that, supported by a [fully remote team](https://www.giantswarm.io/blog/surviving-and-thriving-how-to-really-work-emotely), has been able to foresee the trends of technology and working lifestyle. -As a managed Kubernetes company, its services and infrastructure enable enterprises to run resilient distributed systems at scale while removing the burden of Day 2 operations. Giant Swarm takes pride in delivering a fully open-source platform that's carefully curated and opinionated. +As a managed Kubernetes company, its services and infrastructure enable enterprises to run resilient distributed systems at scale while removing the burden of Day 2 operations. Giant Swarm takes pride in delivering a fully open source platform that's carefully curated and opinionated. #### Security and simplicity 
@@ -407,7 +407,7 @@ _“I think Falco's superpower is in the flexibility of the policies. I'm also r #### Security Pack -Giant Swarm's [Security Pack](https://docs.giantswarm.io/app-platform/apps/security/) is a collection of open-source security tools offered by Giant Swarm, which not only contains Falco but also a plethora of other open-source projects, including *Kyverno* for policy enforcement, *Trivy* for image scanning, and *Cosign* for image signature verification. +Giant Swarm's [Security Pack](https://docs.giantswarm.io/app-platform/apps/security/) is a collection of open source security tools offered by Giant Swarm, which not only contains Falco but also a plethora of other open source projects, including *Kyverno* for policy enforcement, *Trivy* for image scanning, and *Cosign* for image signature verification. Security does not apply to a single level and, therefore, Security Pack consists of multiple applications, each one independently installable and configurable, available via their App Platform. _“Falco will be the cornerstone of our node-level security capabilities,”_ affirmed Stone, _“the biggest opportunity for API plug-ins I see is to get feedback from the node level back into the Security Pack so that we can further contextualize events in the ecosystem.”_ diff --git a/content/en/blog/gsoc2023/index.md b/content/en/blog/gsoc2023/index.md index e35b4f859..6ba96b388 100644 --- a/content/en/blog/gsoc2023/index.md +++ b/content/en/blog/gsoc2023/index.md 
@@ -10,7 +10,7 @@ images: Hello Folks!, my name is [Rohith](https://github.com/Rohith-Raju), and I am thrilled to share my experiences and reflections on the first week of the Google Summer of Code (GSoC) period. -This is an exhilarating time for participants like myself as we embark on our coding journey and dive into the world of open-source development. +This is an exhilarating time for participants like myself as we embark on our coding journey and dive into the world of open source development. A huge thank you! to all the community members accepting me as one of them ❤️. diff --git a/content/en/blog/kernel-testing/index.md b/content/en/blog/kernel-testing/index.md index d711593cb..21572eb0d 100644 --- a/content/en/blog/kernel-testing/index.md +++ b/content/en/blog/kernel-testing/index.md 
@@ -33,7 +33,7 @@ With these objectives in mind, our approach should fulfill the following require #### Ignite a Firecracker microVM -[Weave Ignite](https://https://github.com/weaveworks/ignite) is used to provision the [firecracker](https://github.com/firecracker-microvm/firecracker) microVMs. Weave Ignite is an open-source tool designed for lightweight and fast virtual machine management. It enables users to effortlessly create and manage virtual machines (VMs) for various purposes, such as development, testing, and experimentation. +[Weave Ignite](https://https://github.com/weaveworks/ignite) is used to provision the [firecracker](https://github.com/firecracker-microvm/firecracker) microVMs. Weave Ignite is an open source tool designed for lightweight and fast virtual machine management. It enables users to effortlessly create and manage virtual machines (VMs) for various purposes, such as development, testing, and experimentation. One of the main reasons why we chose to use this tool was its capability to create firecracker microVMs from kernels and rootfs packed as OCI images. Currently, we are using a patched version located at [a forked repository](https://github.com/therealbobo/ignite). These patches were essential to enable the booting of kernels that necessitated the use of an initrd (initial ramdisk). diff --git a/content/en/blog/nist-controls/index.md b/content/en/blog/nist-controls/index.md index f6d0db7d5..0b15c9d8d 100644 --- a/content/en/blog/nist-controls/index.md +++ b/content/en/blog/nist-controls/index.md 
@@ -18,7 +18,7 @@ The inception of NIST 800-171 can be traced back to [Executive Order 13556](http In the wake of significant breaches in government systems, most notably the [2020 United States federal government data breach](https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach) that involved the exploitation of U.S. supply chain firms such as Microsoft, SolarWinds, and VMware to gain unauthorized access to federal systems, has exemplified the importance of strong cybersecurity controls at the federal level. -While delving into the extensive history of the NIST framework is beyond the scope of this article, we will focus on explaining the requirements of NIST 800-171 and explore how the open-source tool Falco can be utilized to detect potential control failures in cloud-native systems. +While delving into the extensive history of the NIST framework is beyond the scope of this article, we will focus on explaining the requirements of NIST 800-171 and explore how the open source tool Falco can be utilized to detect potential control failures in cloud-native systems. ## Listing the Requirements diff --git a/content/en/blog/sign-verify-plugins-rules/index.md b/content/en/blog/sign-verify-plugins-rules/index.md index 860197985..071a5b93a 100644 --- a/content/en/blog/sign-verify-plugins-rules/index.md +++ b/content/en/blog/sign-verify-plugins-rules/index.md 
@@ -155,7 +155,7 @@ The following checks were performed on each of these signatures: [...] ``` -This is one of the main advantages of relying on widely adopted container artifacts signing technologies of the cloud-native world. Authentication of the artifacts is decoupled from the producer, and consumers can always choose the method they prefer. +This is one of the main advantages of relying on widely adopted container artifacts signing technologies of the cloud native world. Authentication of the artifacts is decoupled from the producer, and consumers can always choose the method they prefer. ### Security Analysis diff --git a/content/en/blog/sysflow-falco-sidekick.md b/content/en/blog/sysflow-falco-sidekick.md index dc6ec2d62..2e022ed1d 100644 --- a/content/en/blog/sysflow-falco-sidekick.md +++ b/content/en/blog/sysflow-falco-sidekick.md @@ -39,7 +39,7 @@ The following are the key reasons that set SysFlow apart: The SysFlow format is supported by an [edge processing pipeline](https://github.com/sysflow-telemetry/sf-processor) that aggregates event provenance information and supports real-time enrichment of the telemetry stream with attack TTP labels, environment metadata, and Kubernetes log data. -As a benefit of using the Sysflow format, users go from managing individual events generated from different sources to obtaining an enhanced dataset to work with, enabling them to focus on writing and sharing analytics on a scalable, common open-source platform. +As a benefit of using the Sysflow format, users go from managing individual events generated from different sources to obtaining an enhanced dataset to work with, enabling them to focus on writing and sharing analytics on a scalable, common open source platform. The framework builds on [Falco libs](https://github.com/falcosecurity/libs) and the [Falco rules language](https://falco.org/docs/rules/) to create the plumbing required for system telemetry as shown in the diagram below. 
diff --git a/content/en/blog/tidal-registry-release/index.md b/content/en/blog/tidal-registry-release/index.md index d319b3e2b..b814616d7 100644 --- a/content/en/blog/tidal-registry-release/index.md +++ b/content/en/blog/tidal-registry-release/index.md 
@@ -14,7 +14,7 @@ What sets this attack apart from others is its elevated level of sophistication. **Alignment of Falco and MITRE ATT&CK** -This sophisticated attack underscores the imperative of aligning with MITRE ATT&CK principles for containers and the cloud. By embracing these principles, organizations can gain a better understanding of the intricate security challenges faced by cloud-native systems. The CNCF Falco project, with its extensive collection of preconfigured rules, offers a valuable resource for addressing the insecure behaviors associated with such attacks. +This sophisticated attack underscores the imperative of aligning with MITRE ATT&CK principles for containers and the cloud. By embracing these principles, organizations can gain a better understanding of the intricate security challenges faced by cloud native systems. The CNCF Falco project, with its extensive collection of preconfigured rules, offers a valuable resource for addressing the insecure behaviors associated with such attacks. Falco's workload/host-based capabilities were recently added to the Tidal Cyber [Product Registry](https://app.tidalcyber.com/vendors). The community now has a greater ability to operationalize the rules while implementing threat-informed defense using Tidal Cyber's Community Edition, a freely-available platform that makes threat and adversary behavior research easy. A summary of the capabilities can be found [here](https://app.tidalcyber.com/products/b3a86cef-804b-5176-ba70-9570350f4e8f-Falco). A Technique Set summarizing & visualizing the ATT&CK-mapped SCARLETEEL techniques described here was also added to the Community Edition Community Spotlight [here](https://app.tidalcyber.com/share/be828b0d-2c95-4e30-b93b-f15de00a9606): diff --git a/content/en/blog/tracing-system-calls-using-ebpf-part-1/index.md b/content/en/blog/tracing-system-calls-using-ebpf-part-1/index.md index ff5d722ca..8efffea9d 100644 
--- a/content/en/blog/tracing-system-calls-using-ebpf-part-1/index.md +++ b/content/en/blog/tracing-system-calls-using-ebpf-part-1/index.md @@ -41,7 +41,7 @@ By accessing the kernel's internal data structures and functions, the module can ## So why does Falco use eBPF? The integration of eBPF brings significant advantages to projects like Falco, empowering them to securely and efficiently monitor and analyze system calls in real-time. You might be wondering why eBPF is necessary when Falco already has real-time detection capabilities through its kprobe (kernel probe) that handles syscall events. -One compelling reason for incorporating eBPF support is to enable Falco to seamlessly operate in modern cloud-native environments, where the traditional kernel probe may encounter limitations or face restrictions imposed by the control plane nodes. +One compelling reason for incorporating eBPF support is to enable Falco to seamlessly operate in modern cloud native environments, where the traditional kernel probe may encounter limitations or face restrictions imposed by the control plane nodes. By embracing eBPF, Falco ensures the continuity of its real-time detection capabilities in a secure manner, allowing for the prompt and accurate identification of security incidents, regardless of the underlying environment. 
@@ -270,7 +270,7 @@ Great, we were able to recover the process name as well as the PID! In conclusion, this article has provided a comprehensive overview of eBPF (extended Berkeley Packet Filter) and its significance in tracing system calls. We have explored the evolution from BPF to eBPF, discussed why Falco uses this technology, and delved into the process of working with eBPF programs and ring buffers for efficient data communication between the kernel and user-space applications. -As we journeyed through the capabilities of eBPF in this first part, we uncovered its benefits in terms of safety, performance, and observability when compared to traditional kernel modules. eBPF empowers us to securely and efficiently monitor and analyze system calls in real-time, making it a valuable tool in modern cloud-native environments. +As we journeyed through the capabilities of eBPF in this first part, we uncovered its benefits in terms of safety, performance, and observability when compared to traditional kernel modules. eBPF empowers us to securely and efficiently monitor and analyze system calls in real-time, making it a valuable tool in modern cloud native environments. In the upcoming second part of this blog series, we will further expand our exploration by delving into the realm of probes and additional advanced topics. We will dive deeper into how eBPF probes can be leveraged for enhanced system tracing, performance analysis, and security monitoring. Stay tuned for more insights and practical guidance on harnessing the power of eBPF. diff --git a/content/en/blog/tracing-system-calls-using-ebpf-part-2/index.md b/content/en/blog/tracing-system-calls-using-ebpf-part-2/index.md index 95e8bdbde..e86044167 100644 --- a/content/en/blog/tracing-system-calls-using-ebpf-part-2/index.md +++ b/content/en/blog/tracing-system-calls-using-ebpf-part-2/index.md 
@@ -12,7 +12,7 @@ tags: ["eBPF", "Falco", "Syscalls", "Probes"] ## Introduction -In [Tracing System Calls Using eBPF Part 1](https://falco.org/blog/tracing-syscalls-using-ebpf-part-1/), we lay the groundwork, introducing you to the fundamentals of `eBPF` and its predecessor, `BPF (Berkeley Packet Filter)`. We delve into the evolution of this technology, its safety, performance, and observability advantages over traditional kernel modules, and its pivotal role in securing modern cloud-native environments. We guide you through the intricate process of working with eBPF programs, from compilation to execution, highlighting its power in tracing system calls. +In [Tracing System Calls Using eBPF Part 1](https://falco.org/blog/tracing-syscalls-using-ebpf-part-1/), we lay the groundwork, introducing you to the fundamentals of `eBPF` and its predecessor, `BPF (Berkeley Packet Filter)`. We delve into the evolution of this technology, its safety, performance, and observability advantages over traditional kernel modules, and its pivotal role in securing modern cloud native environments. We guide you through the intricate process of working with eBPF programs, from compilation to execution, highlighting its power in tracing system calls. In the second installment, `Tracing System Calls Using eBPF Part 2`, we elevate our understanding of eBPF's capabilities. We unravel the world of `Uprobes` and `Uretprobes`, demonstrating how these features empower developers to instrument and monitor user-space applications seamlessly. We then venture into `Kprobes` and `Kretprobes`, unlocking the potential to dynamically trace and debug kernel functions, offering insights into system behavior and performance analysis. 
@@ -83,7 +83,7 @@ Here is a Makefile for compiling the eBPF program and the loader ## Conclusion -In this two-part exploration of **Tracing System Calls Using eBPF**, we've embarked on a fascinating journey through the inner workings of this powerful technology. `Part 1` laid the foundation by introducing us to the fundamentals of eBPF and its predecessor, BPF, shedding light on their evolution and significance in modern cloud-native environments. We uncovered how eBPF's safety, performance, and observability advantages empower us to trace system calls with unmatched efficiency. +In this two-part exploration of **Tracing System Calls Using eBPF**, we've embarked on a fascinating journey through the inner workings of this powerful technology. `Part 1` laid the foundation by introducing us to the fundamentals of eBPF and its predecessor, BPF, shedding light on their evolution and significance in modern cloud native environments. We uncovered how eBPF's safety, performance, and observability advantages empower us to trace system calls with unmatched efficiency. In `Part 2`, we took our understanding to new heights. We delved into the world of `Uprobes` and `Uretprobes`, showcasing how they enable seamless instrumentation and monitoring of user-space applications. We then ventured into `Kprobes` and `Kretprobes`, unlocking the ability to dynamically trace and debug kernel functions. Armed with these advanced techniques, we gained valuable insights into system behavior, performance analysis, and even the detection of potential malicious activity. diff --git a/content/en/blog/wireshark-to-falco/index.md b/content/en/blog/wireshark-to-falco/index.md index d5748c5e9..5fbe379c2 100644 --- a/content/en/blog/wireshark-to-falco/index.md +++ b/content/en/blog/wireshark-to-falco/index.md 
@@ -15,11 +15,11 @@ Nevertheless, it's important to recognize that Falco and Wireshark represent dis ### The Need for Modern System Introspection -Part of this journey has been the emergence of cloud-native apps. From the early days of BPF (Berkley Packet Filter) and libpcap (a portable C/C++ library for network traffic capture), which laid the foundation for network packet analysis, to the familiar graphical user interface of Wireshark, our understanding of network data has undergone profound changes. This article embarks on a journey through this transformation, shedding light on how tcpdump and libpcap sparked an explosion of packet-based analysis and runtime security tools exemplified by Wireshark and Snort. +Part of this journey has been the emergence of cloud native apps. From the early days of BPF (Berkley Packet Filter) and libpcap (a portable C/C++ library for network traffic capture), which laid the foundation for network packet analysis, to the familiar graphical user interface of Wireshark, our understanding of network data has undergone profound changes. This article embarks on a journey through this transformation, shedding light on how tcpdump and libpcap sparked an explosion of packet-based analysis and runtime security tools exemplified by Wireshark and Snort. Wireshark, Snort, Nmap, Kismet, ngrep, and a bunch of other tools started at around the same time and are all evolutionary branches of tcpdump and libpcap. -However, as cloud computing continues to reshape the technological landscape, traditional network packet analysis tools have found themselves grappling with an evolving challenge: the cloud itself. Cloud-native applications have ushered in a new era of complexity and dynamism, rendering many existing visibility solutions obsolete. This shift necessitated a fresh perspective on network monitoring, leading to the birth of Falco, a tool poised to be the [Snort](https://www.snort.org/) of the cloud. 
+However, as cloud computing continues to reshape the technological landscape, traditional network packet analysis tools have found themselves grappling with an evolving challenge: the cloud itself. Cloud native applications have ushered in a new era of complexity and dynamism, rendering many existing visibility solutions obsolete. This shift necessitated a fresh perspective on network monitoring, leading to the birth of Falco, a tool poised to be the [Snort](https://www.snort.org/) of the cloud. ### Starting the story with Network Packet Analysis 
@@ -38,7 +38,7 @@ What unites 'tcpdump,' Wireshark, and numerous other popular networking tools is ### The evolution of Packet-Based Intrusion Detection Systems -Introspection tools, such as tcpdump and Wireshark, naturally emerged as the initial applications harnessing the capabilities of the BPF packet capture stack. However, as time progressed, innovative applications for packet data began to surface. Enter Snort, an open source, packet-based runtime security tool that shares common ground with Falco. Much like Falco, Snort operates as a rule engine, processing packets acquired from network traffic. Like its cloud-native counterpart, Snort boasts an extensive library of pre-configured rules designed to identify threats and unwarranted activities by scrutinizing packet content, protocols, and payload data. The success of Snort served as a catalyst for the development of similar tools, including Suricata and Zeek. +Introspection tools, such as tcpdump and Wireshark, naturally emerged as the initial applications harnessing the capabilities of the BPF packet capture stack. However, as time progressed, innovative applications for packet data began to surface. Enter Snort, an open source, packet-based runtime security tool that shares common ground with Falco. Much like Falco, Snort operates as a rule engine, processing packets acquired from network traffic. Like its cloud native counterpart, Snort boasts an extensive library of pre-configured rules designed to identify threats and unwarranted activities by scrutinizing packet content, protocols, and payload data. The success of Snort served as a catalyst for the development of similar tools, including Suricata and Zeek. What truly empowers tools like Snort is their proficiency in assessing the security of networks and applications in real time, even as these applications run. 
This real-time focus proves invaluable by delivering immediate protection with a unique emphasis on runtime behavior, enabling the detection of threats rooted in vulnerabilities that may remain undisclosed. 
@@ -54,22 +54,22 @@ Once again, a dynamic new ecosystem was unfolding, yet the means to effectively ### System Calls are the New Network Packets -Before the emergence of Falco, an open source tool known as 'Sysdig Inspect' was crafted with a primary focus on the collection of packet data within cloud-native ecosystems. This was achieved through the capture of system calls, often referred to as syscalls, originating from the kernel of the operating system. +Before the emergence of Falco, an open source tool known as 'Sysdig Inspect' was crafted with a primary focus on the collection of packet data within cloud native ecosystems. This was achieved through the capture of system calls, often referred to as syscalls, originating from the kernel of the operating system. -Syscalls, as a data source, offer a richness that surpasses that of mere network packets. They encompass a wide spectrum of activities, extending beyond network data to encompass file I/O operations, command executions, interprocess communication, and more. Syscalls stand out as an ideal data source for cloud-native environments as they can be harnessed from the kernel, catering to both containerized environments and cloud instances. Moreover, the process of collecting syscalls is characterized by its simplicity, efficiency, and non-invasiveness. +Syscalls, as a data source, offer a richness that surpasses that of mere network packets. They encompass a wide spectrum of activities, extending beyond network data to encompass file I/O operations, command executions, interprocess communication, and more. Syscalls stand out as an ideal data source for cloud native environments as they can be harnessed from the kernel, catering to both containerized environments and cloud instances. Moreover, the process of collecting syscalls is characterized by its simplicity, efficiency, and non-invasiveness. 
-The architecture of Sysdig comprised a kernel capture probe, making use of either the default, loadable kernel module or leveraging eBPF. To facilitate the development of capture programs, Sysdig offered a suite of libraries, enabling seamless integration with modern cloud-native technologies such as Kubernetes and various orchestrators. This versatility addressed the shortcomings observed in environments where traditional solutions like Snort and Wireshark fell short. Additionally, Sysdig provided a command-line tool replete with decoding and filtering functionalities, tailored to accommodate the prevalent network packet workflows essential in cloud environments, where the ease of filtering and scriptability of trace files is paramount. +The architecture of Sysdig comprised a kernel capture probe, making use of either the default, loadable kernel module or leveraging eBPF. To facilitate the development of capture programs, Sysdig offered a suite of libraries, enabling seamless integration with modern cloud native technologies such as Kubernetes and various orchestrators. This versatility addressed the shortcomings observed in environments where traditional solutions like Snort and Wireshark fell short. Additionally, Sysdig provided a command-line tool replete with decoding and filtering functionalities, tailored to accommodate the prevalent network packet workflows essential in cloud environments, where the ease of filtering and scriptability of trace files is paramount. ### Falco - the evolution of Wireshark to the Cloud -Drawing from our comprehension of how Snort introduced a rule-based engine for scrutinizing network traffic to identify suspicious activity, an evolution that implemented Wireshark's network introspection, and how Sysdig expanded the scope of visibility within cloud-native environments by delving into system calls, effectively departing from sole reliance on Wireshark's libpcap framework. 
It logically followed that an Intrusion Detection System (IDS) solution would emerge, featuring a sophisticated rule-based engine tailored for cloud-native workloads while harnessing the capabilities of eBPF and the kernel's system call architecture. +Drawing from our comprehension of how Snort introduced a rule-based engine for scrutinizing network traffic to identify suspicious activity, an evolution that implemented Wireshark's network introspection, and how Sysdig expanded the scope of visibility within cloud native environments by delving into system calls, effectively departing from sole reliance on Wireshark's libpcap framework. It logically followed that an Intrusion Detection System (IDS) solution would emerge, featuring a sophisticated rule-based engine tailored for cloud native workloads while harnessing the capabilities of eBPF and the kernel's system call architecture. Falco's rule engine drew inspiration from Snort's design but operated within a far more expansive and versatile dataset, seamlessly integrated with the Sysdig libraries. While its default ruleset may be more concise than Snort's, Falco empowers users to craft intricate rules that trigger in real-time based on arbitrary contextual factors. These factors encompass a wide array of scenarios, including access to sensitive data, mode transitions, unexpected network connections, socket alterations, compliance breaches, and more. Given its capacity to monitor all activities on a server or node through system calls, Falco functions as a real-time intrusion detection tool, mirroring Wireshark's role in providing real-time network analysis for endpoints. ### Falco for Cloud Native Security -In the journey from the early days of BPF to the widespread adoption of Wireshark, we've witnessed the remarkable evolution of system introspection tools, each one contributing to the ever-expanding landscape of cybersecurity. 
However, as cloud-native computing and microservices architectures become the new norm, a new champion has emerged: Falco. Falco represents the cutting edge of intrusion detection, specifically designed to tackle the intricacies and challenges posed by cloud-native hosts and workloads. With its real-time behavioral monitoring, container awareness, and comprehensive rule sets, Falco stands as a testament to the adaptability and innovation in the world of cybersecurity. As the digital landscape continues to evolve, Falco is the tool of choice for those who prioritize the security and integrity of their cloud-native environments. It's not just a system introspection tool; it's the future of protecting what matters most in this rapidly changing world of technology. +In the journey from the early days of BPF to the widespread adoption of Wireshark, we've witnessed the remarkable evolution of system introspection tools, each one contributing to the ever-expanding landscape of cybersecurity. However, as cloud native computing and microservices architectures become the new norm, a new champion has emerged: Falco. Falco represents the cutting edge of intrusion detection, specifically designed to tackle the intricacies and challenges posed by cloud native hosts and workloads. With its real-time behavioral monitoring, container awareness, and comprehensive rule sets, Falco stands as a testament to the adaptability and innovation in the world of cybersecurity. As the digital landscape continues to evolve, Falco is the tool of choice for those who prioritize the security and integrity of their cloud native environments. It's not just a system introspection tool; it's the future of protecting what matters most in this rapidly changing world of technology. If you want to try out Falco, check out our [Getting Started](https://falco.org/docs/getting-started/) documentation. 
Join our community at [#falco channel within Kubernetes Slack](https://communityinviter.com/apps/kubernetes/community). diff --git a/content/en/docs/troubleshooting/start-up-error.md b/content/en/docs/troubleshooting/start-up-error.md index cd651c98a..fdb1a692a 100644 --- a/content/en/docs/troubleshooting/start-up-error.md +++ b/content/en/docs/troubleshooting/start-up-error.md 
@@ -35,7 +35,7 @@ Here are a few tips to demystify what can go wrong with respect to Falco's kerne - Ensure the DKMS package is installed for the `kmod` driver, and your system may require custom-signed kernel modules. Also, verify the availability of the host `/dev` mount (e.g. `/dev:/host/dev` when running Falco over a container). - In general, check that Falco has all host mounts when running from a container or as a daemonset in Kubernetes. Critical mounts for running Falco, assuming the kernel driver is available, include: `/etc:/host/etc`, `/proc:/host/proc`, `/boot:/host/boot`, `/dev:/host/dev`. - For `ebpf` and `kmod` drivers, the kernel object code needs to be available for the exact kernel release (`uname -r`) of your system. This invites a wide range of possible issues: - - If you use the Falco open-source binary on Linux distributions such as stock Ubuntu, Fedora, Debian, Arch Linux, Oracle Linux, Rocky Linux, AlmaLinux, etc., you may encounter an issue if the pre-built kernel driver from The Falco Project is not available for download. Verify on the [Driver Index](https://download.falco.org/driver/site/index.html) page if the driver is available for your specific OS and kernel. + - If you use the Falco open source binary on Linux distributions such as stock Ubuntu, Fedora, Debian, Arch Linux, Oracle Linux, Rocky Linux, AlmaLinux, etc., you may encounter an issue if the pre-built kernel driver from The Falco Project is not available for download. Verify on the [Driver Index](https://download.falco.org/driver/site/index.html) page if the driver is available for your specific OS and kernel. - Your network ACLs may be blocking the download. - In case the download fails, building the driver on the fly (over the init container in Kubernetes, for example) can fail for many reasons. - Lastly, if you run a custom kernel, you'll need to build your own drivers (`ebpf` or `kmod` only) or explore the option of using the `modern_ebpf` driver if applicable. 
diff --git a/data/canonical-tags/community.yaml b/data/canonical-tags/community.yaml index 63bc2921b..63cb53d7a 100644 --- a/data/canonical-tags/community.yaml +++ b/data/canonical-tags/community.yaml @@ -1,3 +1,3 @@ id: community name: Community -description: Related to Falco open-source development. +description: Related to Falco open source development. diff --git a/data/en/features.yaml b/data/en/features.yaml index 55c5768d4..9f0771fb5 100644 --- a/data/en/features.yaml +++ b/data/en/features.yaml 
@@ -1,30 +1,30 @@ - title: Cloud Native description: Falco detects threats across containers, Kubernetes, hosts and cloud services. icon: /icons/cloud-fill.svg - features: - - Uses eBPF to monitor system activity for adverse behavior. - - Integrated with Kubernetes. - - Use plugins to monitor cloud services such as GitHub, Okta, or AWS Cloudtrail. + features: + - Uses eBPF to monitor system activity for adverse behavior. + - Integrated with Kubernetes. + - Use plugins to monitor cloud services such as GitHub, Okta, or AWS Cloudtrail. - title: Real Time Detection description: Falco provides streaming detection of unexpected behavior, configuration changes, and attacks. icon: /icons/shield-fill.svg - features: - - Runtime detection is a fundamental layer of defense against security blind spots and zero-day bugs in your software supply chain. - - Streaming approach enables real-time response while minimizing storage costs and complexity. - - Ready out-of-the-box with rules, which you can customize for your environment. + features: + - Runtime detection is a fundamental layer of defense against security blind spots and zero-day bugs in your software supply chain. + - Streaming approach enables real-time response while minimizing storage costs and complexity. + - Ready out-of-the-box with rules, which you can customize for your environment. - title: Integration with 50+ Systems description: "[Forward Falco alerts](/docs/outputs/forwarding/) to any off-host SIEM and data lake system for analysis, storage, or reaction." icon: /icons/arrow-right.svg - features: - - Falco alerts can easily be forwarded to more than 50+ third parties. - - The JSON format for alerts allows for storing, analysis, or triggering reactions easily. + features: + - Falco alerts can easily be forwarded to more than 50+ third parties. + - The JSON format for alerts allows for storing, analysis, or triggering reactions easily. 
- title: Open Source description: A multi-vendor and widely adopted solution that you can rely on. icon: /icons/pentagon-fill.svg - features: - - Created cloud-native in the same community as Kubernetes, Prometheus, and OPA. - - Powered by eBPF technology. - - Runs on x64 & ARM CPUs. - - Deployable in Kubernetes with an official Helm chart. - - Run on many platforms like GKE, EKS, AKS, gVisor and others. - - Zero cost to start, and easy to audit, extend, and integrate. + features: + - Created cloud native in the same community as Kubernetes, Prometheus, and OPA. + - Powered by eBPF technology. + - Runs on x64 & ARM CPUs. + - Deployable in Kubernetes with an official Helm chart. + - Run on many platforms like GKE, EKS, AKS, gVisor and others. + - Zero cost to start, and easy to audit, extend, and integrate. diff --git a/layouts/community/falco-brand.html b/layouts/community/falco-brand.html index 77e197190..caf168e7f 100644 --- a/layouts/community/falco-brand.html +++ b/layouts/community/falco-brand.html @@ -7,8 +7,10 @@

Community Brand & Identity Guidelines

-

Looking for our logo? Want to reference The Falco Project correctly? Below you will find information on logos and typography, as well as some facts on the Falco project you can use in your public facing content.

-

Falco is an open source security project whose brand and identity are governed by the Cloud Native Computing Foundation.

+

Looking for our logo? Want to reference The Falco Project correctly? Below you will find information on logos + and typography, as well as some facts on the Falco project you can use in your public facing content.

+

Falco is an open source security project whose brand and identity are governed by the Cloud Native Computing Foundation.

@@ -22,13 +24,15 @@

Visual content

Project Mark

Wherever possible, the horizontal teal logo is the preferred logo. If you need all the logos, download the logo pack. + href="https://drive.google.com/drive/folders/11BwquocBGO4aOcaa7enBvqECwHCX_3yh?usp=share_link">download the + logo pack.

{{ partial "brand-logos.html" }}

Project Font & Typestyle

-

Falco prefers Ubuntu font. When you reference us, please capitalize the first letter of our name, just as you would your own.

+

Falco prefers Ubuntu font. When you reference us, please capitalize the first letter of our name, just as you + would your own.

@@ -53,7 +57,7 @@
falco, the falco project, the Falco project

Project Colors

- {{ partial "colors.html" }} + {{ partial "colors.html" }}
@@ -65,7 +69,8 @@

Project Colors

Project Slide Templates

-

Want to speak about Falco at a meetup or conference? Make it easier by using these templates and/or scripted slides. You can even watch this video as a training tool.

+

Want to speak about Falco at a meetup or conference? Make it easier by using these templates and/or scripted + slides. You can even watch this video as a training tool.

{{ partial "slide-templates.html" (dict "start" 0 "end" 2) }}
@@ -107,7 +112,9 @@

Project Origin

-

Falco was created as a cloud native runtime security project by Sysdig. The project was contributed to the CNCF in October 2018. Falco is a CNCF graduated project with more than 170 individual contributors around the world.

+

Falco was created as a cloud native runtime security project by Sysdig. The project was contributed to + the CNCF in October 2018. Falco is a CNCF graduated project with more than 170 individual contributors + around the world.

@@ -142,7 +149,8 @@

Project Blurbs

25-word description
-

Falco is a cloud-native runtime security tool to detect threats and provide alerts in real-time. It employs custom rules on kernel events, which are enriched with container and Kubernetes metadata.

+

Falco is a cloud native runtime security tool to detect threats and provide alerts in real-time. It + employs custom rules on kernel events, which are enriched with container and Kubernetes metadata.

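Review bot: "provide alerts in real-time" on the rewritten `+` line of the 25-word description should read "in real time": the hyphen belongs only to the compound modifier ("real-time response", "real-time detection"), not to the noun phrase, and the same style guide motivating this commit applies. The identical phrase recurs in the 50-word and 100-word description hunks that follow, so fix all three while the lines are being re-wrapped.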
@@ -150,7 +158,10 @@
25-word description
50-word description
-

Falco is a cloud-native runtime security tool that lets you detect threats and provide alerts in real-time. It uses custom rules on kernel events, which are enriched with container and Kubernetes metadata. Visibility is a significant challenge: with Falco, you can see abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security.

+

Falco is a cloud native runtime security tool that lets you detect threats and provide alerts in + real-time. It uses custom rules on kernel events, which are enriched with container and Kubernetes + metadata. Visibility is a significant challenge: with Falco, you can see abnormal behavior, potential + security threats, and compliance violations, contributing to comprehensive runtime security.

@@ -158,7 +169,14 @@
50-word description
100-word description
-

Falco is a cloud-native runtime security tool to detect threats and provide alerts in real-time. Acting like a security camera, Falco can monitor the cloud-native environment, employing custom rules on kernel events, which are enriched with container and Kubernetes metadata. This allows users to see abnormal behavior, potential security threats, and compliance violations, contributing to comprehensive runtime security. Falco uses state-of-the-art eBPF technology to deliver deep visibility, but is also lightweight, efficient, and scalable, making it ideal to use in both development and production. Falco is supported by a global multi-vendor ecosystem, and is hosted by the CNCF, home of the Kubernetes project.

+

Falco is a cloud native runtime security tool to detect threats and provide alerts in real-time. Acting + like a security camera, Falco can monitor the cloud native environment, employing custom rules on kernel + events, which are enriched with container and Kubernetes metadata. This allows users to see abnormal + behavior, potential security threats, and compliance violations, contributing to comprehensive runtime + security. Falco uses state-of-the-art eBPF technology to deliver deep visibility, but is also + lightweight, efficient, and scalable, making it ideal to use in both development and production. Falco + is supported by a global multi-vendor ecosystem, and is hosted by the CNCF, home of the Kubernetes + project.

@@ -172,13 +190,16 @@
100-word description

Project Encouraged Phrasing

-

The phrases below are effective ways of messaging Falco's value add. Use them when writing or speaking publicly about Falco. You can also reference language in the About Falco section.

+

The phrases below are effective ways of messaging Falco's value add. Use them when writing or speaking + publicly about Falco. You can also reference language in the About Falco section. +

Falco is a popular open source tool for runtime threat detection
-

This statement refers to Falco as a CNCF graduated project with widespread adoption and broad community leadership.

+

This statement refers to Falco as a CNCF graduated project with widespread adoption and broad + community leadership.

@@ -186,7 +207,9 @@
Falco is a popular open source tool for runtime threat detection
Falco is a rules engine that powers runtime security
-

This term refers to the concept that Falco is a stateless processing engine. A large amount of data comes into the engine, but meticulously crafted security alerts come out. It reasons about signals coming from a system at runtime, and can alert if a threat is detected.

+

This term refers to the concept that Falco is a stateless processing engine. A large amount of data + comes into the engine, but meticulously crafted security alerts come out. It reasons about signals + coming from a system at runtime, and can alert if a threat is detected.

@@ -194,7 +217,9 @@
Falco is a rules engine that powers runtime security
Falco provides real time threat detection
-

Falco provides streaming detection of unexpected behavior, configuration changes, and attacks. With this streaming approach, Falco enables real-time response while minimizing storage costs and complexity.

+

Falco provides streaming detection of unexpected behavior, configuration changes, and attacks. With + this streaming approach, Falco enables real-time response while minimizing storage costs and + complexity.

@@ -202,7 +227,8 @@
Falco provides real time threat detection
Falco delivers detection tooling and alerts
-

Falco does not prevent unwanted behavior, rather it alerts when unusual behavior, config changes, intrusions and data theft occurs. This is commonly referred to as detection or forensics.

+

Falco does not prevent unwanted behavior, rather it alerts when unusual behavior, config changes, + intrusions and data theft occurs. This is commonly referred to as detection or forensics.

@@ -212,4 +238,4 @@
Falco delivers detection tooling and alerts
-{{ end }} +{{ end }} \ No newline at end of file
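Review bot: As shown, the `\ No newline at end of file` marker sits under `+{{ end }}` in the final hunk of `layouts/community/falco-brand.html`, so the rewritten file now ends without a trailing newline while the `-` side had one; restore the final newline so editors, linters and future diffs do not flag the last line.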
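Review bot: "Berkley Packet Filter" stays misspelled on both the `-` and `+` sides of the rewritten line in the `wireshark-to-falco/index.md` hunk at `@@ -15,11 +15,11 @@`, while the `tracing-system-calls-using-ebpf-part-2` hunk in this same commit spells it "Berkeley Packet Filter"; since the line is already being touched for "cloud native", change it to "Berkeley" here too so the two posts agree.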
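Review bot: The rewritten `+` line beginning "Drawing from our comprehension of how Snort introduced a rule-based engine..." in the `wireshark-to-falco/index.md` hunk at `@@ -54,22 +54,22 @@` is a dependent clause with no main verb (it ends at "...Wireshark's libpcap framework."); since the line is being edited anyway, join it to the sentence that follows, for example "...Wireshark's libpcap framework, it logically followed that an Intrusion Detection System (IDS) solution would emerge...". In the same hunk, "rules that trigger in real-time based on arbitrary contextual factors" should be "in real time" (hyphenate only as a compound adjective, as in "real-time intrusion detection tool" later in the paragraph).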
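Review bot: "monitor and analyze system calls in real-time" on the `+` line of the `tracing-system-calls-using-ebpf-part-1` hunk at `@@ -270,7 +270,7 @@` should be "in real time", for the same compound-modifier reason as the "cloud native" change this commit makes; the line is already being rewritten, so the fix costs nothing extra.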
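Review bot: The `features:` keys and their list items in the `data/en/features.yaml` hunk at `@@ -1,30 +1,30 @@` are replaced by visually identical lines, so the change is purely whitespace and the new indentation is not visible in this rendering; please confirm that `features` remains a sibling of `title`, `description` and `icon` inside each list entry, because a mis-nested key would make the template that reads `.features` render an empty list with no error. Two wording points on touched lines in the same hunk: "more than 50+ third parties" says the same thing twice (use "more than 50" or "50+"), and "Created cloud native in the same community as Kubernetes, Prometheus, and OPA" reads awkwardly once the hyphen is gone (consider "Created as a cloud native project in the same community as...").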