Why Falco works the best in distributed architectures
The cybersecurity landscape is sadly brimming with tools that address narrow, specific problems, leading to a phenomenon known as “Point Solutions.” While these tools can offer precise capabilities, they have significant drawbacks in the modern, cloud-native world. A glut of isolated tools contributes to operational complexity, wasted resources, and missed opportunities for cohesive, unified defense strategies.
The downfall of point solutions
Many organizations are bogged down by a mishmash of tools, each solving a single problem but often leaving gaps that attackers can exploit. As Rick Holland once put it, “The point solutions just need to die.” The issue with traditional Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and Managed Detection and Response (MDR) tools is that they are focused primarily on endpoints — whether it’s a server, a workstation, or another device. In a world where cloud and cloud-native architectures dominate, these tools are insufficient for addressing threats across sprawling, complex infrastructures.
The siloed approach of traditional EDR/XDR vendors compounds complexity. Each new tool adds to the operational burden, with organizations struggling to manage and integrate the growing assortment of agents, dashboards, and configurations. This fragmented approach leads to more vulnerabilities as organizations juggle disjointed systems instead of working with a unified solution that scales across different layers of their infrastructure.
The Falco advantage: Flexibility through plugins
In contrast to these singular endpoint-focused tools, Falco, an open source runtime security project, offers a flexible, scalable approach designed to handle the complexity of cloud-native environments. One of the key innovations is its plugin-based architecture. Rather than locking users into a one-size-fits-all solution, Falco allows organizations to tailor it to their needs.
Plugins extend Falco's capabilities by adding event sources beyond system calls: cloud services, identity providers, or even CI/CD pipelines, allowing Falco to capture and analyze relevant events from across the entire environment. Plugins for Okta (identity services), GitHub (code pipelines), AWS CloudTrail, and GCP Audit Logging already exist, providing a seamless way to track security events across cloud and application layers.
This flexibility is particularly important in the context of Application Detection and Response (ADR), a term coined by security experts like Chris Hughes. Traditional point solutions, focused solely on endpoints or isolated services, fail to address the unique security challenges posed by applications in cloud-native architectures. In contrast, Falco’s ability to observe and enforce security policies across a variety of services and applications makes it a perfect fit for modern security needs.
Tailoring detection for application behavior through custom rules
Another crucial feature of Falco is the ability for users to create a Custom Ruleset. Developers and security teams who intimately understand their application’s expected behavior can write precise rules to detect anomalies that generic detection tools would miss. Unlike black-box solutions, which rely on broad or heuristic-based detection engines, Falco gives control back to users, allowing them to define what constitutes a real threat.
For instance, if your web application relies on a set of specific endpoints and services, you can build Falco rules that detect any deviation from normal communication patterns. These rules provide a level of specificity and confidence that broad detection rules simply cannot match. Whether you’re monitoring a legacy web app, a container, or a cloud-hosted microservice, Falco enables you to create meaningful security controls that go beyond generic threat signatures.
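As an added illustration of the web-application case just described (this is a constructed ruleset, not part of the original article or the Falco project's default rules), the file below allowlists the backends a hypothetical web tier is expected to reach and alerts on any other outbound TCP connection. The image name, backend addresses and ports are assumed placeholders; the field names (`evt.type`, `fd.sip`, `fd.sport`, `container.image.repository`) are standard Falco syscall fields.

```yaml
# webapp-rules.yaml: constructed example ruleset, not from the Falco project.
# The image name, backend IPs and ports below are placeholders for one
# hypothetical web application; replace them with your own allowlist.

- list: webapp_images
  items: ["registry.example.com/shop/web"]

# Backends the web tier is expected to talk to: a PostgreSQL service and a Redis cache
- list: webapp_backend_ips
  items: ["10.20.0.10", "10.20.0.11"]

- list: webapp_backend_ports
  items: [5432, 6379]

# Only processes running from the web application image
- macro: webapp_container
  condition: (container.id != host and container.image.repository in (webapp_images))

# A new outbound TCP connection: the return side of connect(), ignoring loopback
# and the wildcard address; EINPROGRESS covers non-blocking sockets
- macro: webapp_outbound_connect
  condition: >
    (evt.type = connect and evt.dir=< and fd.l4proto = tcp
     and fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8"
     and (evt.rawres >= 0 or evt.res = EINPROGRESS))

- rule: Web App Unexpected Outbound Connection
  desc: >
    The web tier opened a TCP connection to a destination that is not on the
    allowlist of backend services it normally communicates with. Tailored to the
    application's known traffic pattern rather than a generic signature.
  condition: >
    webapp_outbound_connect and webapp_container
    and not (fd.sip in (webapp_backend_ips) and fd.sport in (webapp_backend_ports))
  output: >
    Unexpected outbound connection from web app
    (connection=%fd.name proc=%proc.name cmdline=%proc.cmdline user=%user.name
     container_id=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [network, webapp, custom]
```

The rule fires on the first connection attempt rather than on established traffic, so a compromised process reaching for an unexpected host is caught before any data moves. Tune the allowlist from a period of observed traffic (Falco's own output with `priority: DEBUG` works for this) before enforcing it, otherwise legitimate services such as DNS or a metrics collector will page you.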
The plugin differentiator in cloud security
One of the most powerful aspects of Falco’s plugin system is its ability to extend detection capabilities beyond the endpoint. While traditional EDR/XDR tools monitor specific devices, Falco’s plugins can handle the intricacies of cloud-native architectures. Whether it’s Keycloak for Identity and Access Management (IAM) or HashiCorp Nomad for service orchestration, Falco’s plugin system provides a future-proof approach to security. As more services emerge within the CNCF ecosystem, the need for flexible and extensible security tools becomes even more apparent.
This extensibility sets Falco apart from proprietary endpoint agents that can only monitor predefined events or services. In the future, as cloud and container technologies continue to evolve, traditional EDR vendors that fail to embrace this flexibility will find themselves increasingly out of touch with real-world security needs.
Going beyond quarantine with API-driven response actions
Traditional EDR and XDR tools are heavily focused on quarantining processes or killing them. While this may work for simple endpoint-level threats, cloud-native security is far more complex. Sysdig’s 5/5/5 benchmark demonstrates how quickly cloud attacks can unfold, with entire attack chains completing in under five minutes. In such a fast-moving landscape, response actions need to be API-driven and flexible.
Falco, in combination with tools like Falco Talon, takes a different approach by leveraging APIs to enforce response actions. For example, Falco Talon can connect to Cilium Network Policy APIs to enforce network restrictions in real time based on Falco detections. It can also trigger AWS Lambda functions to mitigate cloud-native threats automatically, preventing lateral movement or securing cloud resources in seconds. These API-driven response mechanisms are crucial in the cloud-native era, where traditional endpoint-based actions fall short.
The future: eBPF and the death of kernel modules
Another major shift in endpoint security is the move away from loading kernel modules directly into the host. eBPF (Extended Berkeley Packet Filter) is gaining traction and is becoming the standard way to interact safely with the kernel. AWS’s Bottlerocket Linux distribution, for instance, uses eBPF out of the box, avoiding the need for traditional kernel modules.
Falco and Sysdig have already embraced this change, using eBPF probes to capture kernel-level data in a safe and efficient manner. This shift is vital as more secure environments, such as those using gVisor for additional isolation, start to gain popularity. EDR vendors that continue relying on old methods of kernel interaction will struggle in these environments, as their kernel modules will be blocked by these modern security architectures.
Installation: Is it safe to run in production?
When it comes to installing these CDR- or ADR-style, cloud-native tools in your ecosystem, there is no one-size-fits-all solution. Every organization’s infrastructure is different, and flexibility is key to addressing unique requirements and ensuring security across diverse environments.
For organizations seeking the most secure deployment, the recommended approach is to install Falco directly on the host system. This isolates Falco from potential compromises within Kubernetes, ensuring that the security monitoring tool itself remains secure. In this configuration, Falco can still send its alerts to read-only agents running inside Kubernetes, providing a clear separation of duties and reducing the risk of attack on the monitoring system.
Alternatively, Falco can be installed directly in Kubernetes as a DaemonSet using Helm, a package manager for Kubernetes. The Helm approach provides tremendous flexibility in configuring and managing the associated open source ecosystem components around Falco. Helm allows users to toggle features like the Falcosidekick UI, manage Falco Talon response rules, and control database configurations, all from a single command.
This Helm-based installation method is particularly powerful for version control in cloud-native environments, where different clusters may follow distinct upgrade cadences. In contrast to legacy solutions that force agents to update automatically with each new release, Helm enables precise control over which versions of Falco or related components are deployed. This minimizes the risk of version conflicts or instability in production systems, offering businesses full autonomy over deployment lifecycles.
This flexibility is essential when dealing with production environments in cloud-native architectures, where multiple components and services must work together seamlessly. Rather than relying on manual installers that may not align with an organization’s update cadence, Helm empowers teams to maintain a stable and secure environment while keeping pace with evolving security requirements.
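To make the Helm-based deployment concrete, here is a constructed values file for the falcosecurity/falco chart (an added example, not the project's own defaults). It selects the eBPF driver discussed earlier instead of a kernel module, enables Falcosidekick and its UI, and ships a custom rule through the chart's `customRules` map. The key names follow the upstream chart; the image name and rule content are assumed placeholders.

```yaml
# values.yaml for the falcosecurity/falco Helm chart: constructed example, not the
# chart's own defaults. Key names follow the upstream chart; the rule content and
# the image name are placeholders.

driver:
  enabled: true
  kind: modern_ebpf          # CO-RE eBPF probe; no kernel module is built or loaded

tty: true                    # flush alerts promptly instead of buffering output

falco:
  json_output: true          # structured alerts for Falcosidekick and SIEM ingestion

falcosidekick:
  enabled: true              # fan alerts out to chat, SIEM, Talon, etc.
  webui:
    enabled: true            # the Falcosidekick UI mentioned in the text

# Custom rules are mounted as a ConfigMap and loaded after the default ruleset,
# so macros such as spawned_process from falco_rules.yaml are available here.
customRules:
  webapp-process-rules.yaml: |-
    - list: webapp_images
      items: ["registry.example.com/shop/web"]

    - rule: Shell Spawned In Web App Container
      desc: >
        An interactive shell started inside the web tier, which never runs one
        during normal operation; tailored to this application's behaviour.
      condition: >
        spawned_process and container.image.repository in (webapp_images)
        and proc.name in (bash, sh, dash, zsh)
      output: >
        Shell in web app container (proc=%proc.name parent=%proc.pname
        cmdline=%proc.cmdline container_id=%container.id
        image=%container.image.repository)
      priority: WARNING
      tags: [process, webapp, custom]
```

The version control the text describes comes from pinning the chart explicitly rather than taking whatever is latest: `helm repo add falcosecurity https://falcosecurity.github.io/charts` followed by `helm install falco falcosecurity/falco --namespace falco --create-namespace --version <pinned chart version> -f values.yaml`, with the same `--version` and values file checked into the repository that drives each cluster. Upgrading a cluster is then a deliberate change to that pinned version, reviewed like any other, and `helm rollback` returns to the previous release if the new probe or ruleset misbehaves.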
Conclusion: Adaptation is key in cloud-native security
By offering both host-based and Kubernetes-based deployment options, Falco provides the flexibility necessary to meet the varied needs of modern cloud-native environments. This approach contrasts sharply with traditional endpoint-focused EDR/XDR tools, which often lack the flexibility to integrate seamlessly into complex, dynamic infrastructures.
Organizations seeking to displace legacy vendors and adopt more effective detection and response strategies should look for solutions that offer this level of installation flexibility, configurability, and version control — features that are increasingly important as cloud-native architectures continue to evolve. The ability to install and manage tools like Falco in a way that suits your infrastructure is crucial to maintaining security while reducing operational overhead.
With plugins, custom rules, and API-driven response actions, Falco represents the future of cloud-native security, offering a truly scalable, flexible, and open solution to address modern security challenges. Organizations that embrace this approach will find themselves better equipped to protect against the growing complexities of the cloud-native world while moving away from rigid, single-point solutions.