Falco Research Spike (Twistlock Feature Comparison)

Related to #930 (closed).

This spike should evaluate Twistlock as an alternative to Falco - what features are missing, added, etc.

Open Source

Currently, BigBang core only supports Twistlock for runtime defense. Since Twistlock is a commercial product, this effort will explore Falco as an alternative.

Twistlock

Twistlock currently has several deficiencies

• Operator issues &115 (closed)
• Operator can't install policies
• Operator can't install defenders pointing to external Twistlock console.

Assessment

This effort will assess Falco's ability to:

• Identify container vulnerabilities
• Whitelist images coming from IronBank from container scans
• Identification of processes that are known hacks (e.g. reverse shell)
• Blocking of processes doing known hacks
• <Insert more things>

This list needs to be populated by Cyber and PartyBus as we assess the current capabilities being leveraged by Twistlock. Essentially we are looking to evaluate whether Falco covers the same, less, more features as Twistlock

changed the description

mentioned in issue #930 (closed)

added priority5 teamcore/security labels

assigned to @micah.nagel

added to epic &138 (closed)

changed milestone to %1.22.0

changed iteration to Big Bang Iterations Nov 16, 2021 - Nov 29, 2021

set weight to 3

unassigned @micah.nagel

assigned to @micah.nagel

added statusdoing label

In terms of the given list:

• Identify container vulnerabilities
• Whitelist images coming from IronBank from container scans
• Identification of processes that are known hacks (e.g. reverse shell)
• Blocking of processes doing known hacks

Only one of these use cases is supported by Falco - it provides identification of known malicious linux system calls (fully configurable to what is considered malicious for the specific environment). Falco will "alert" on these things and send those alerts almost anywhere you want. It does not allow you to block the actions, and doesn't provide any CVE scanning / registry whitelisting.

Going to include a quick evaluation of sysdig secure so we can see what features there may help us mimic twistlock.

Started a trial and played around with the SaaS sysdig secure. Going to try and explore on prem tomorrow.

Sysdig Secure offers most of what is missing from Falco (when compared to Twistlock):

• Ability to scan container images for CVEs, both ones running in cluster and via a cli tool for CI/CD (breaks down source of vulnerabilities, very similar to Twistlock) - it seems to just use anchore under the hood
• Offers ability to make rules with an if not matching criteria, effectively allows whitelisting of Ironbank containers (and may be a more efficient way to do this too)
• Allows blocking of malicious processes based on preset rules
• A UI for monitoring events, vulnerabilities, etc + modifying rules, policies, and more

Unfortunately the free trial only allows me to access the SaaS edition. Regardless it doesn't seem like sysdig secure fits into what we'd want for Big Bang. For one its another paid product and closed source. More importantly though, on prem installs would not fit into the way we do BB (you have to request an installer binary) and I don't believe there are any alternatives methods (no helm chart, no set of manifests). Will spend a bit more time just to make sure I'm not missing anything but I don't think Sysdig Secure will fit into what we want for a runtime security alternative.

Quick summary so that this can be moved to review:

• Falco only provides identification of malicious processes/activity (can customize rules based on any linux system call) + alerting. There is no support for CVE scans or blocking of malicious activity.
• Sysdig Secure (the enterprise offering tied to Falco) offers other Twistlock like capabilities but will not fit into the Big Bang ecosystem due to the way it is deployed.

added statusreview label and removed statusdoing label

marked the checklist item Identification of processes that are known hacks (e.g. reverse shell) as completed

closed

Reviewed and agree with your findings.

removed statusreview label

Kessel Run uses Sysdig for their runtime security. As you identified, the issue will probably be the inability for the images needed for Sysdig to go through IronBank since they're not publicly available.

mentioned in epic &351 (closed)