GVisor and Falco team up to improve container security

The gVisor and Falco open-source projects have teamed up to improve the security of containers. The two projects have integrated their capabilities, enabling users to detect and respond to threats more effectively.

gVisor is a container security platform created by Google and open-sourced in 2018. It places a boundary between running applications and the host operating system, providing an extra layer of security.

Falco is an open-source intrusion detection system for containers and cloud-native applications, created by Sysdig. It monitors runtime system calls against defined rules to generate security alerts, detecting risk and threats across Kubernetes, containers, and the cloud. Falco protects against data theft, configuration changes, intrusions, and other unexpected behavior in real time.

“The Falco-gVisor interface is great for any gVisor user looking for a multi-layer defense. gVisor’s runtime monitoring infrastructure allows Falco to see what’s happening inside the gVisor sandbox without the user having to do anything different. The integration is seamless as the same rules and configurations apply equally to containers running with gVisor,” said Fabricio Voznika, staff software engineer at Google.

Integrating the two projects lets users detect and respond to threats more effectively. By combining the strong isolation of gVisor with the deep runtime visibility of Falco, users can monitor sandboxed workloads for unusual behavior.

“GVisor provides secure isolation between the container applications and the host operating system. This prevented us from monitoring gVisor with Falco, which uses host kernel system calls as a data source,” said Hiroki Suezawa, a senior security engineer at Mercari Inc. “Mercari has been using Falco for threat detection and container activity logging and has seen the power and flexibility of Falco’s rules engine. The collaboration between gVisor and Falco teams allows us to simultaneously use the enhanced isolation in gVisor, and threat detection and container activity audit in Falco. This drastically improves container security.”

The Falco open source community engineered the solution, with significant contributions from Sysdig and the gVisor team at Google. The Falco-gVisor interface is now available to users looking for a multi-layer defense.

“Today’s security threats come from many directions. Falco and gVisor are a great combination, reducing the system surface exposed to containers, and providing visibility into what’s happening at the workload level,” said Edd Wilder-James, vice president of Open Source Ecosystem at Sysdig.

Although gVisor protects applications through kernel isolation, that same isolation can also block monitoring tools from observing security events inside the sandbox. According to the companies, the new Falco-gVisor integration solves this problem. For example, users at Mercari now benefit from the dual protection of container sandboxing and threat detection for their workloads.
