Detecting Anomalous Activity in Rancher with Falco

Kubernetes Security Master Class | April 20, 2020

Speakers:

  • Vicente Herrera Garcia, Cloud Native Security Advocate
  • Pawan Shankar, Technical Solutions Architect
  • Matthew Scheer, Marketing Manager


Securing Kubernetes requires putting controls in place to detect unexpected behavior that could be malicious, such as:

  • Exploits of unpatched and new vulnerabilities
  • Insecure configurations
  • Leaked or weak credentials
  • Insider threats

Even when processes are in place for vulnerability scanning and implementing pod security and network policies, not every risk will be addressed. You still need mechanisms to confirm these security barriers are effective and provide a last line of defense when they fail.

To keep pace with threats at runtime, an open-source approach helps you stay current.

In this Kubernetes Master Class, you will learn how to manage security risk at runtime in your RKE environments using Falco, a CNCF project for runtime security. Falco uses the extended Berkeley Packet Filter (eBPF), a safe in-kernel mechanism, to capture system calls efficiently and gain deep visibility into what processes and containers are doing. By adding Kubernetes application context and Kubernetes API audit events, teams can understand exactly who did what.
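An added illustration of the rule format the session refers to (not material from the webinar or from the Falco project's own rule set; the rule names, the inline macro definitions and the `cattle-system` exclusion are assumptions): one rule over the syscall stream captured via eBPF and one over Kubernetes API audit events, each emitting the Kubernetes context that answers "who did what".

```yaml
# Added illustration, not part of the webinar or of Falco's shipped rules.
# Field names (proc.*, container.*, k8s.*, ka.*) are real Falco fields; the
# rule names and the excluded namespace are assumptions for this example.

# Macros defined inline so the file stands on its own (Falco's default rule
# set ships equivalents).
- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir=<

- macro: container
  condition: container.id != host

# Syscall-sourced rule: the eBPF probe sees the execve, Falco adds pod and
# namespace context from the Kubernetes metadata it collects.
- rule: Interactive Shell in Rancher Workload
  desc: A shell was started inside a container (syscall source)
  condition: >
    spawned_process and container
    and proc.name in (bash, sh, zsh)
    and k8s.ns.name != "cattle-system"
  output: >
    Shell spawned in container (user=%user.name command=%proc.cmdline
    container=%container.name pod=%k8s.pod.name ns=%k8s.ns.name
    image=%container.image.repository)
  priority: WARNING
  tags: [container, shell]

# Audit-sourced rule: evaluated against Kubernetes API server audit events
# forwarded to Falco, so the alert names the API user, not a process.
- rule: Secret Read via Kubernetes API
  desc: A non-system user read a Secret through the API server
  condition: >
    ka.verb in (get, list)
    and ka.target.resource = secrets
    and not ka.user.name startswith "system:"
  output: >
    Secret accessed via API (user=%ka.user.name verb=%ka.verb
    secret=%ka.target.name ns=%ka.target.namespace)
  priority: NOTICE
  source: k8s_audit
  tags: [k8s, secrets]
```

Each alert carries enough Kubernetes context (pod, namespace, image, or API user and target) to attribute the activity without a separate lookup.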

At the end of the session, we will also cover how Sysdig Secure extends the Falco detection engine and eases the burden of creating and updating Falco rules. Tuning Falco-based policies to your own environment also reduces false positives.


  • Why Runtime Security? Examples and use-cases of anomalous, malicious activity in your clusters
  • Understanding and implementing threat detection in Rancher using Falco
  • Exploring how to extend runtime security in Rancher using Sysdig Secure


Date: Monday, April 20, 2020

Time: 11 AM US Eastern Time