As more and more organizations migrate their applications to the cloud, cloud native computing has become the dominant way to approach software development and execution. In the meantime, security threats are growing more sophisticated and widespread every day. Protecting your applications from these threats requires the ability to defend them at runtime, when they're most vulnerable to attacks.

This practical guide introduces you to Falco, the open source standard for continuous risk and threat detection across Kubernetes, containers, and the cloud. Falco creator Loris Degioanni and core maintainer Leonardo Grasso bring you up to speed on cloud native threat detection basics and show you how to get Falco up and running. You'll then dive into advanced topics such as deploying Falco in production and writing your own security rules.

You'll learn how to:

  • Leverage runtime security in cloud native environments
  • Detect configuration changes and unexpected behavior in the cloud
  • Protect containers, Kubernetes, and cloud applications using Falco
  • Run, deploy, and customize Falco using advanced concepts
  • Deploy, configure, and maintain Falco in a production environment
  • Improve your organization's ability to pass compliance audits
  • Implement threat detection for containers, Kubernetes, and cloud apps

Table of Contents

  1. Introducing Falco
    1. Falco in a Nutshell
    2. Sensors
    3. Data Sources
    4. Rules
    5. Data Enrichment
    6. Outputs
    7. Containers and More
    8. Falco’s Design Principles
    9. Specialized for Runtime
    10. Suitable for Production
    11. Optimized to Run at the Edge
    12. Avoids Moving and Storing a Ton of Data
    13. Scalable
    14. Truthful
    15. Sane Defaults, Richly Extensible
    16. Simple
    17. What You Can Do with Falco
    18. What You Cannot Do with Falco
    19. Background and History
    20. Network Packets: BPF, libpcap, tcpdump, and Wireshark
    21. Snort and Packet-Based Runtime Security
    22. The Network Packets Crisis
    23. System Calls as a Data Source: sysdig
    24. Falco
  2. Getting Started with Falco on Your Local Machine
    1. Running Falco on Your Local Machine
    2. Downloading and Installing the Binary Package
    3. Installing the Driver
    4. Starting Falco
    5. Generating Events
    6. Interpreting the Falco Output
    7. Customizing Your Falco Instance
    8. Rules Files
    9. Output Channels
    10. Conclusion
  3. Prospective Table of Contents (Subject to Change)