Intro to Falco - Intrusion Detection for Containers
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Explore runtime monitoring and intrusion detection for containers in this 36-minute talk from Shane Lawrence of Shopify. Learn how to protect Kubernetes clusters from malicious behavior using Falco, an open-source tool that combines kernel-level visibility with cluster-level awareness. Discover how to implement security policies, detect violations, and monitor containers in high-volume cloud environments. Gain insights on deploying Falco at scale, implementing and modifying rulesets, avoiding common pitfalls with eBPF probes and kernel modules, and managing alert volume. Understand real-world use cases, including detecting suspicious shell access in containers and addressing CVE-2020-8557.
Syllabus
Intro
Intro to "Intro to Intro to Falco"
The case for Falco
Deploying Falco
Modifying rules
Normalization
Suspicious shell access in container
Use case: instance metadata service (privileged)
Use case: CVE-2020-8557
Managing alerts
Taught by
CNCF [Cloud Native Computing Foundation]