
    Falco

    Sold by: Sysdig 
    Deployed on AWS
    Falco acts as a security camera detecting abnormal behavior, intrusions, and data theft in real time.
    4.3

    Overview

    Falco is a cloud native runtime security tool for Linux operating systems. It is designed to detect and alert on abnormal behavior and potential security threats in real time. At its core, Falco is a kernel monitoring and detection agent that observes events, such as syscalls, and matches them against custom rules. Falco can enrich these events with metadata from the container runtime and Kubernetes. The collected events can be analyzed off-host in SIEM or data lake systems.
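    The rule-driven matching the Overview describes, shown as an added illustration written for this listing (it is not Falco's code and not Sysdig's): a small evaluator for a subset of Falco's rule language, run over constructed events that already carry container and Kubernetes fields. Everything in it is assumed for the example: the two rules and the list are modelled on the shape of Falco's default rules but written here, the events are made up, the operator set is a subset, and treating a field absent from an event as never matching is a simplification.

```python
"""Falco-style rule evaluator over constructed events (added illustration, not Falco's engine)."""
import re

TOKEN = re.compile(r'\(|\)|,|!=|<=|>=|=|<|>|"[^"]*"|[^\s(),=<>!"]+')  # operators and words
IDENT = re.compile(r"(?<![\w.])([A-Za-z_]\w*)(?![\w.])")  # bare name, not part of a dotted field
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "in": lambda a, b: a in b,
       "contains": lambda a, b: b in a, "startswith": lambda a, b: a.startswith(b)}  # subset

def expand(text, macros, lists):
    """Substitute macro and list names textually before parsing, as Falco does."""
    def sub(m):
        name = m.group(1)
        return f"({macros[name]})" if name in macros else lists.get(name, name)
    for _ in range(16):  # bounded so a self-referencing macro cannot loop forever
        text, new = IDENT.sub(sub, text), text
        if text == new:
            return text
    raise ValueError("macro expansion did not converge: " + text)

class Parser:  # recursive descent: or / and / not / ( ) / field op value / field in (v, ...)
    def __init__(self, cond):
        self.t, self.i = TOKEN.findall(cond), 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def take(self, want=None):
        tok = self.peek()
        if tok is None or want not in (None, tok):
            raise SyntaxError(f"expected {want or 'a token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self, word="or"):  # "or" binds loosest, then "and", then not / atoms
        below = (lambda: self.parse("and")) if word == "or" else self.atom
        node = below()
        while self.peek() == word:
            self.take()
            node = (word, node, below())
        return node

    def atom(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.atom())
        if self.peek() == "(":
            self.take()
            node, _ = self.parse(), self.take(")")
            return node
        field, op = self.take(), self.take()
        if op != "in":
            return (op, field, self.take().strip('"'))
        self.take("(")  # list form: consume tokens up to the closing paren
        return ("in", field, [t.strip('"') for t in iter(self.take, ")") if t != ","])

def evaluate(node, ev):  # ev: dict of Falco field name -> value for one event
    op = node[0]
    if op in ("and", "or"):  # short-circuit: "and" needs a true left side, "or" a false one
        left = evaluate(node[1], ev)
        return evaluate(node[2], ev) if left == (op == "and") else left
    if op == "not":
        return not evaluate(node[1], ev)
    if node[1] not in ev:
        return False  # assumption: a field the event does not carry never matches
    return OPS[op](str(ev[node[1]]), node[2])

def render(template, ev):  # fill %field placeholders; Falco prints <NA> for absent fields
    return re.sub(r"%([\w.]+)", lambda m: str(ev.get(m.group(1), "<NA>")), template)

def run(rules_file, events):  # compile each rule once, return (priority, rule, output) per hit
    macros = {i["macro"]: i["condition"] for i in rules_file if "macro" in i}
    lists = {i["list"]: ", ".join(i["items"]) for i in rules_file if "list" in i}
    compiled = [(i, Parser(expand(i["condition"], macros, lists)).parse())
                for i in rules_file if "rule" in i]
    return [(r["priority"], r["rule"], render(r["output"], ev))
            for ev in events for r, ast in compiled if evaluate(ast, ev)]

# Constructed rules file: the same macro / list / rule entries a Falco rules YAML carries.
RULES = [
    {"macro": "spawned_process", "condition": "evt.type = execve and evt.dir = <"},
    {"macro": "container", "condition": "container.id != host"},
    {"list": "shells", "items": ["bash", "sh", "zsh", "dash"]},
    {"rule": "Terminal shell in container", "priority": "NOTICE",
     "condition": "spawned_process and container and proc.name in (shells) and proc.tty != 0",
     "output": "Shell with a terminal in container (user=%user.name shell=%proc.name "
               "image=%container.image.repository pod=%k8s.pod.name ns=%k8s.ns.name)"},
    {"rule": "Sensitive file read by untrusted process", "priority": "WARNING",
     "condition": "evt.type = openat and fd.name = /etc/shadow and not proc.name in (sshd, sudo)",
     "output": "Sensitive file opened (file=%fd.name proc=%proc.name container=%container.id)"},
]

# Constructed events: execve/openat exits already enriched with container and Kubernetes fields.
EVENTS = [
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "bash", "proc.tty": 34816,
     "user.name": "root", "container.id": "3f1a9c2b", "container.image.repository": "nginx",
     "k8s.pod.name": "web-7c9d", "k8s.ns.name": "prod"},
    {"evt.type": "execve", "evt.dir": "<", "proc.name": "bash", "proc.tty": 1, "container.id": "host"},
    {"evt.type": "openat", "proc.name": "cat", "fd.name": "/etc/shadow", "container.id": "3f1a9c2b"},
    {"evt.type": "openat", "proc.name": "sshd", "fd.name": "/etc/shadow", "container.id": "host"},
]
```

    Calling run(RULES, EVENTS) returns two alerts, the terminal shell inside the container and the /etc/shadow read by cat; the shell on the host (the container macro is false) and the read by sshd (excluded by the not ... in clause) produce none. Falco performs the same macro expansion and compilation once when its rules files load, then matches every kernel event against the compiled conditions, and the rendered output string of a matching rule is what travels off-host to the SIEM or data lake mentioned above.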

    Highlights

    • Falco, originally created by Sysdig, is a graduated project under the Cloud Native Computing Foundation (CNCF) used in production by various organisations. For detailed technical information and insights into the cyber threats that Falco can detect, visit the official Falco website.

    Details

    Sold by: Sysdig
    Delivery option: EKS add-on
    Operating system: Linux


    Pricing

    This product is available free of charge. Free subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Vendor refund policy

    Not applicable.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    EKS add-on

    Supported services:
    • Amazon EKS

    An add-on is software that provides supporting operational capabilities to Kubernetes applications but isn't specific to the application. This includes software like observability agents or Kubernetes drivers that allow the cluster to interact with underlying AWS resources for networking, compute, and storage. Add-on software is typically built and maintained by the Kubernetes community, cloud providers like AWS, or third-party vendors. Amazon EKS add-ons provide installation and management of a curated set of add-ons for Amazon EKS clusters. All Amazon EKS add-ons include the latest security patches and bug fixes, and are validated by AWS to work with Amazon EKS. Amazon EKS add-ons allow you to consistently ensure that your Amazon EKS clusters are secure and stable and reduce the amount of work that you need to do to install, configure, and update add-ons.

    Version release notes
    • Bump falcoctl to 0.11.4
    • Fixed issue with Falco main image

    Additional details

    Usage instructions

    This EKS add-on doesn't require further configuration for a default configuration.

    Support

    Vendor support

    Please see falco.org or github.com/falcosecurity/falco for docs and best practices.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.


    Customer reviews

    Ratings and reviews: 4.3 (4 ratings)
    5 star: 25%
    4 star: 75%
    3 star: 0%
    2 star: 0%
    1 star: 0%
    1 AWS review | 3 external reviews (external reviews are from G2).
    Patrik Gunnersten

    Has delivered real-time insights for detecting runtime vulnerabilities and improving response speed

    Reviewed on Sep 24, 2025
    Review from a verified AWS customer

    What is our primary use case?

    The primary use case for Sysdig Falco is to find vulnerabilities in real-time. It helps us find CVEs in the runtime part of a container environment, so not just scanning the code before it's deployed but also in runtime when it's actually executed.

    We find vulnerabilities there and know from a security perspective for our clients that if they have a CVE published, they can rapidly see which deployed applications are using parts affected by that CVE. Runtime security is the main use case for us and our clients.

    What is most valuable?

    The runtime security part of Sysdig Falco has been the most valuable over the years. They do extensive monitoring, and you can get many insights and an overview and drill down into connections, but it's the runtime security that sets them apart from the competition.

    Sysdig Falco's real-time monitoring feature for anomaly detection is very high quality. They lean on the Falco project, which is an open-source project that is an excellent source of finding vulnerabilities. They have AI capabilities to set a baseline of the traffic that the client usually has, and then they find anomalies where things start to deviate from the baseline, and they do that exceptionally.

    The flexibility of Sysdig Falco's rule-driven engine for meeting security policies for customers is very good because you can have the standard features that are already out-of-the-box ready, and then you can tailor your own rules freely and create any type of rules desired.

    What needs improvement?

    Sysdig Falco is probably the most complete security solution for container-type workloads today. One area for improvement would be having predefined security standards for measuring compliance reports. If there are requirements to be compliant with NIST or CIS or other regulations, there are other tools with better ready templates that you can pull out in real-time to show compliance with certain regulations. That's an area where Sysdig Falco could improve.

    For how long have I used the solution?

    I have been working with Sysdig Falco for approximately four years.

    What do I think about the stability of the solution?

    Regarding stability and reliability, Sysdig Falco has proven very good, as we haven't had any major problems anywhere.

    What do I think about the scalability of the solution?

    I would evaluate Sysdig Falco as very scalable. We have one client with a very large installation, and there are no issues scaling it up for that deployment.

    How are customer service and support?

    My experience and what I've heard about Sysdig Falco's support is generally very good. They are very responsive and helpful in getting things sorted. I would rate them a nine out of ten.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    From my experience, I consider it fairly straightforward to install and set up Sysdig Falco. The configuration afterwards can be a little bit more complex, but that depends on the client's use case and how they want to have it set up, so it's not really Sysdig Falco's issue. It's a fairly easy tool to install, and there's a lot of help available, as AI-assisted features can help establish baselines, making it fairly straightforward and easy to use.

    What about the implementation team?

    I haven't personally participated in the initial setup and deployment of Sysdig Falco, but our consultants have handled these implementations.

    What was our ROI?

    The ROI side is complex with these security tools because it's when you have an incident that you save money by having the right tools in place. There's no real ROI case before you buy the product, as it becomes a theoretical discussion around how many problems this product can prevent.

    We've had incidents with clients where high-impact CVEs were published, and I know comparisons where one client said if they didn't have Sysdig Falco in place, what took them about a day would have probably taken one or two months to resolve. This is a huge time saver and risk avoidance, as they know where they have the problem and can patch immediately. However, it's hard to quantify that into a traditional ROI case in terms of saved money or avoided costs.

    What other advice do I have?

    I work with many different products in the open-source world relating to containers and Kubernetes, not just Prisma Cloud by Palo Alto Networks. We work with the big ones, such as Red Hat, VMware, and smaller, niche-specific ones such as Sysdig Falco, Armo, and ArmoSec.

    I work with all three variants: Sysdig Falco, Sysdig Monitor, and Sysdig Open Source.

    On a scale of 1-10, I rate Sysdig Falco a 10.

    Which deployment model are you using for this solution?

    On-premises


    Bikash s.

    Enhancing Kubernetes Security with Falco: A Comprehensive Review

    Reviewed on Oct 28, 2024
    Review provided by G2
    What do you like best about the product?
    Ease of Integration: Falco integrates seamlessly with Kubernetes and container environments, making it easy to deploy as a DaemonSet across the cluster.

    Customizable Rules: The ability to customize search rules helps teams tailor security reviews to their specific needs. This helps reduce false positives and at the same time guarantees that important events are recorded.

    Detailed notifications: When Falco detects an issue, it provides a detailed notification with context about the event. This helps security teams quickly understand and respond to potential threats.

    Community Support: As an open source project, Falco benefits from a lively community that actively contributes to its development. It provides a wealth of resources, plugins, and shared experiences…

    Extensive coverage: Reviews various aspects of the Kubernetes ecosystem, including network activity, file access, and configuration changes, providing a holistic view of security within a cluster.
    What do you dislike about the product?
    Configuration Complexity: Although Falco provides customizable rules, setting up and fine-tuning these rules can be complex, especially for organizations with specific or intricate security requirements. New users might find the initial configuration overwhelming.

    Resource Consumption: As a DaemonSet running on each node, Falco can consume a noticeable amount of system resources, which might impact performance, especially in resource-constrained environments. This can be a concern for large clusters with many nodes.
    What problems is the product solving and how is that benefiting you?
    Runtime Threat Detection:

    Problem: Traditional security measures often focus on vulnerabilities and compliance during development but may overlook runtime security issues.
    Benefit: Falco continuously monitors the behavior of running containers, detecting anomalies or suspicious activities as they occur. This proactive approach allows for immediate response to potential threats, significantly reducing the risk of breaches.
    Visibility into Container Behavior:

    Problem: Containers are often treated as black boxes, making it challenging to understand what they are doing in real-time.
    Benefit: Falco provides visibility into system calls and actions performed by containers, enabling security teams to identify unusual patterns and respond to potential risks. This enhanced visibility leads to better security management and oversight.
    Alerting and Incident Response:

    Problem: Many organizations struggle with timely detection and alerting of security incidents, leading to delayed responses.
    Benefit: Falco generates real-time alerts for suspicious activities, allowing security teams to take swift action. This rapid response capability minimizes the potential impact of security incidents and improves overall incident management.
    Mansi S.

    Falco - Deep visibility

    Reviewed on Sep 25, 2023
    Review provided by G2
    What do you like best about the product?
    As a security analyst, I like its powerful intrusion detection feature that detects suspicious activities.
    Also, its container and Kubernetes support is a big help for organizations operating in cloud infrastructure.
    It is open-source so can be used for free.
    What do you dislike about the product?
    Falco sometimes releases unnecessary alerts due to its default settings.
    Also, people with little knowledge in security field will find it hard to operate.
    What problems is the product solving and how is that benefiting you?
    It helps you to customize rules so that you can create rules for the threats that are relevant to your organization's environment.
    Most security tools are expensive, so it's a good support for smaller organisations as it is free.
    Anussha H.

    A good security tool for Linux systems

    Reviewed on Sep 21, 2023
    Review provided by G2
    What do you like best about the product?
    It is really good for Linux systems and is a cloud native security tool, so it is quite good on the scalability front. It is very good looking when it comes to UI and does house a lot of security tools within it.
    What do you dislike about the product?
    The only issue I faced was with the integration of Falco using the API. It is much more difficult as it isn't a REST API. Hence, there is a learning curve involved when it comes to using this tool.
    What problems is the product solving and how is that benefiting you?
    With the need for securing systems becoming more vital, having a scalable and reliable solution when it comes to security is much needed. This tool was perfect for my use case and it was easy to scale.