SharkFest'24 EU

Automatically trigger captures via tcpdump when a suspicious event occurs in your Kubernetes cluster
11-06, 11:00–12:00 (Europe/Vienna), Palais Sachsen Coburg I-III

Falco, a CNCF project, is the de facto solution for runtime threat detection in Linux and Kubernetes environments. It offers complete kernel-level visibility by capturing syscalls via eBPF, analyzing this stream with a powerful rules engine and alerting when a rule is triggered.
Over time, the Falco ecosystem has grown to include the ability to retrieve events from other sources, such as SaaS or cloud provider audit logs, and to integrate with dozens of tools for notification, analysis and reaction. The latest addition to the ecosystem is Falco Talon, a tailor-made no-code response engine that reacts to Falco events with out-of-the-box actions, such as terminating a pod or triggering a tcpdump.
In this talk, listeners will learn the basics of Falco and will be treated to a real-time demonstration of remediation actions against intrusions, with a strong focus on the ability to trigger a tcpdump in order to observe what the attacker did after the alert was raised.

Thomas is Senior Developer Advocate at Sysdig, the company which created and open-sourced Falco, the Security Runtime Engine for Kubernetes and Cloud-Native technologies. Thomas worked for Qonto, a modern bank for SMEs and freelancers, where he managed their Kubernetes clusters and the surrounding tooling, such as ArgoCD, Traefik and Prometheus. Before that, he spent many years at a large managed service provider assisting pure-players and e-business companies as an AWS expert and FinOps. He is one of the longest-tenured members of the Falco community, and the creator of Falcosidekick and Falcosidekick-UI, two major components of the Falco ecosystem.
