Sysdig’s open-source Falco draws on AIOps, data security to fight ransomware

Analysis: Falco, the open-source threat detection engine used by Sysdig, has extensibility to AIOps and data security and could help combine them for better ransomware threat detection.

Sysdig is a cloud-native app security supplier that monitors and manages containerized app security from development through to run-time. Its products are based on the open-source sysdig tool created by the company’s founders, and they use the Falco container build and run-time monitor to feed a threat event detection engine. This engine analyzes container system events and patterns, and could be used to monitor network and storage environments to detect bad actor activity.

An IT Press Tour was briefed by Sysdig at its San Francisco HQ and given an introduction to its software’s capabilities, which are based around software sensors detecting system calls at the Linux kernel level. There is no agent inside each container; the sensors analyze events locally and then work with a central threat detection engine.

CEO Suresh Vasudevan said: “We extended the technology to cover the containerized app lifecycle from build through to run-time threats to apps in the cloud.”

But it does more. A book, Practical Cloud Native Security with Falco, states: “You can absolutely use [Falco] as a host security tool. … Falco also has good support for network detection, allowing you to inspect the activity of connections, IP addresses, ports, clients and servers and receive alerts when they show unwanted/atypical behaviour.”

Its upper-level logic is event type-agnostic in principle, so the engine’s applicability can be extended. A logical extension would be into system-wide AIOps and data security.

But Sysdig is not a general AIOps-type company. It is, in Vasudevan’s term, opinionated, and so would be inclined to partner with network and storage security suppliers to do this. It does not want to move into the general AIOps or ransomware data protection spaces. Nevertheless, the idea of having a single, open-source threat-detection platform underlying cloud-native and virtual machine app build-run security, AIOps and data security is attractive. It’s an obvious platform consolidation concept that would enable app, system and data security products and services to work better and work together.

The threat-detection engine uses machine learning technology in its processing, and so the extension to AIOps is logical in that sense.

We could imagine sensor feeds into Falco from network devices and storage devices, with Sysdig-type software evaluating the feeds and declaring bad actor events, such as ransomware attacks, from the patterns of activity. The network security and/or storage security supplier could then interact with the analysis engine to improve the way their products operate.

The more that benevolent forces can work together to manage and monitor systems and counter the plague of ransomware and other malware, the better; uniting around the Falco sensor stream monitoring and analysis engine might be a good way to encourage this to happen.