SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Falco adds threat analysis features with Stratoshark integration

Fri, 14th Nov 2025

Sysdig has announced new open source threat investigation and analysis features for its security tool Falco. The enhancements are intended to strengthen Falco's integration with Stratoshark, allowing users to act more quickly on security incidents in cloud environments.

Integration capabilities

Falco, a widely used cloud threat detection tool, can now write system capture (SCAP) files when specified rules trigger. These SCAP files can be opened directly in Stratoshark, a tool that shares lineage with the Wireshark packet analysis utility. This lets security teams move from an initial detection to post-incident analysis of the captured system activity using open source tools.

Enhancements have also been made to several Falco plug-ins such as k8saudit and gcpaudit. These updates enable Stratoshark to extract more context from events, which can help teams make use of raw security data during investigations. The improved workflow combines detection with detailed forensic analysis, reducing the friction previously encountered between different security stages.

"Falco has cemented itself as the gold standard for runtime cloud threat detection, and Stratoshark is quickly becoming the industry's tool of choice for deep cloud system analysis. Enhancing the integration between these powerful tools brings the open source community closer to a unified, platform-like experience for complete life-cycle detection and response in the cloud," said Loris Degioanni, Founder and CTO, Sysdig.

Platform approach

The expansion of Falco and Stratoshark's interoperability reflects wider changes in how cloud security is managed. As cloud environments grow more complex, security teams are seeking tightly integrated toolsets that address the entire detection and response cycle. The joint capability allows users to identify active threats and subsequently examine related data in detail, all within an open source ecosystem.

The unified workflow means that when Falco detects suspicious behaviour, teams can immediately open the supporting system capture and cloud log data in Stratoshark. This provides a single workflow for alerting, collection, and investigation. Falco and Stratoshark both operate on open standards and rely on input from a broad user community to adapt to new security challenges. This approach gives smaller teams access to security features commonly found in commercial offerings, without licensing barriers.

"With Falco now producing Stratoshark-consumable SCAP files and enriched cloud log metadata, we're bridging the open source gap between real-time threat detection and granular forensics," said Gerald Combs, Director of Open Source Projects, Sysdig. "The future of security is built on open source, and the future of open source is built on a platform approach that enables security teams to work faster and more efficiently."

Open source community

Sysdig has extended its efforts to build a cohesive open source security community by launching the Sysdig Open Source Community. This initiative brings together a variety of professionals, from developers and analysts to students, who use Falco, Wireshark, Stratoshark, and sysdig OSS. The group aims to foster collaboration and knowledge sharing among users with different backgrounds and needs.

Sysdig reports that Falco has surpassed 175 million downloads and is adopted by over 60% of the Fortune 500. The company also highlights that the move towards a collaborative, platform-based open source approach is aimed at making advanced cloud security capabilities more accessible to a global user base.
