Extended protections for cloud using CNCF open source security tools


In today's rapidly evolving cloud landscape, robust security measures are more critical than ever. At Elastic Security, we're excited to introduce our extended protections for cloud — a key component of our cloud detection and response (CDR) use case. This initiative seamlessly integrates open source security tools from the Cloud Native Computing Foundation (CNCF) ecosystem with Elastic Security's powerful analytics platform.

Embracing the CNCF open source security landscape

The CNCF has fostered a rich ecosystem of open source security tools designed specifically for cloud-native architectures. These tools offer unparalleled flexibility, cost efficiency, and vendor neutrality, making them ideal for modern cloud infrastructures. By integrating these tools with Elastic Security, we're combining specialized security capabilities with a robust, centralized analytics platform.

Our initial focus is on cloud workload protection and runtime security tools, starting with the integration of Falco. In future releases, we plan to expand our integrations to include other powerful CNCF tools, such as Tetragon and KubeArmor.

Falco: A powerful ally in cloud workload protection

Falco — an open source cloud native runtime security project — excels at detecting and alerting on suspicious behavior at the edge, whether in Kubernetes clusters, Linux virtual machines, or bare metal servers. By integrating Falco with Elastic Security, we're addressing several critical challenges faced by security teams.

Key benefits of integration

  1. Edge detection: Falco provides an additional layer of security close to your workloads.

  2. Centralized analysis: Security analysts can triage Falco alerts alongside other security data sources in a familiar, centralized environment.

  3. Enhanced contextualization: Correlation of Falco alerts with other security data provides richer context for faster threat response.

  4. Scalability: Your expanding infrastructure gains consistent security coverage.

Flexible integration options: Seamless data ingestion

We understand that every organization has unique needs and existing infrastructure. That's why we've developed two flexible methods for integrating Falco with Elastic Security.

1. Falcosidekick forwarding: We've collaborated with the Falco community to improve Falcosidekick, optimizing its capabilities for writing security alert data directly into Elasticsearch. This method is ideal for environments already using Falco and looking to seamlessly integrate with Elastic Security.

[Figure: Falco push flowchart]

2. Elastic Agent integration: For customers already using the Elastic Agent in their environment, we've built an out-of-the-box Falco integration following our native Elastic Agent deployment method. This option allows for easy adoption within existing Elastic ecosystems.

[Figure: Falco integration page]

Both methods normalize Falco data into the Elastic Common Schema (ECS) using Elasticsearch ingest pipelines. This makes Falco alerts directly correlatable with other security data sources and fits them into the triage workflows analysts already use within Elastic Security, so analysis stays consistent and efficient.
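To make the normalization step concrete, here is an added example (not the integration's own ingest pipeline, and not code from the Falco or Elastic projects) that does in Python what an Elasticsearch ingest pipeline does on the way in: it takes a Falco alert in Falco's JSON output shape and renames its fields onto ECS field names, so that the same `process.name`, `host.name` or `rule.name` query matches a Falco alert and any other ECS-normalized source. The sample alert is constructed, the numeric `event.severity` scale and the exact field choices are assumptions made for this illustration, and anything without an obvious ECS home is kept under a `falco` object so nothing is dropped.

```python
"""Illustrative Falco JSON alert -> ECS-style document mapping.

Added example, not the Elastic integration's own pipeline. It mirrors in
Python the rename/set steps an Elasticsearch ingest pipeline performs.
"""
import json

# Falco's priority levels mapped onto a numeric event.severity scale.
# The numbers are an assumption for this example; ECS only requires that
# event.severity be a number used consistently across sources.
PRIORITY_TO_SEVERITY = {
    "Emergency": 8, "Alert": 7, "Critical": 6, "Error": 5,
    "Warning": 4, "Notice": 3, "Informational": 2, "Debug": 1,
}

# Falco output_fields -> ECS field name. Fields absent from this map are
# preserved verbatim under a top-level "falco" object (see below).
FIELD_MAP = {
    "proc.name": "process.name",
    "proc.cmdline": "process.command_line",
    "proc.pid": "process.pid",
    "user.name": "user.name",
    "container.id": "container.id",
    "container.name": "container.name",
    "k8s.ns.name": "orchestrator.namespace",
    "k8s.pod.name": "orchestrator.resource.name",
}

# Constructed sample alert in Falco's JSON output shape (not a real capture).
SAMPLE_FALCO_ALERT = json.dumps({
    "output": "Warning Shell spawned in a container (user=root container=web shell=bash)",
    "priority": "Warning",
    "rule": "Terminal shell in container",
    "time": "2024-06-01T12:34:56.789012345Z",
    "hostname": "worker-node-1",
    "source": "syscall",
    "tags": ["container", "shell", "mitre_execution"],
    "output_fields": {
        "proc.name": "bash",
        "proc.cmdline": "bash -i",
        "proc.pid": 4242,
        "user.name": "root",
        "container.id": "3fa85f64c1d2",
        "container.name": "web",
        "k8s.ns.name": "production",
        "k8s.pod.name": "web-7d9f8",
        "evt.type": "execve",          # no direct ECS home; kept under falco.*
    },
})


def _set_dotted(doc: dict, path: str, value) -> None:
    """Write value at a dotted path, creating nested objects as needed.
    This is how a dotted target in an ingest 'rename' ends up stored."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def falco_to_ecs(raw_alert: str) -> dict:
    """Return an ECS-style document built from one Falco JSON alert line."""
    alert = json.loads(raw_alert)
    doc: dict = {}

    # Envelope fields: when, what, how bad, from which rule and host.
    _set_dotted(doc, "@timestamp", alert["time"])
    _set_dotted(doc, "message", alert["output"])
    _set_dotted(doc, "event.kind", "alert")
    _set_dotted(doc, "event.module", "falco")
    _set_dotted(doc, "event.provider", alert.get("source", "syscall"))
    _set_dotted(doc, "event.severity",
                PRIORITY_TO_SEVERITY.get(alert.get("priority"), 0))
    _set_dotted(doc, "rule.name", alert["rule"])
    _set_dotted(doc, "host.name", alert["hostname"])
    _set_dotted(doc, "tags", list(alert.get("tags", [])))

    # Entity fields: rename what has an ECS equivalent, keep the rest.
    for falco_field, value in alert.get("output_fields", {}).items():
        target = FIELD_MAP.get(falco_field)
        if target is None:
            doc.setdefault("falco", {})[falco_field] = value
        else:
            _set_dotted(doc, target, value)
    return doc


if __name__ == "__main__":
    print(json.dumps(falco_to_ecs(SAMPLE_FALCO_ALERT), indent=2))
```

The value of doing this at ingest time rather than in each detection rule is that a single ECS query over `process.command_line` or `orchestrator.namespace` now spans Falco alerts and every other normalized source, which is what makes the cross-source correlation described above possible.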

The power of open source

It's worth highlighting that both CNCF security tools and Elastic Security are open source projects. This commitment to openness not only fosters innovation but also allows for greater customization and community-driven improvements. By combining these two powerful open source ecosystems, we're creating a solution that's flexible, transparent, and continuously evolving to meet the complex security needs of modern cloud environments.

Building your CDR strategy with Elastic Security

Integrating Falco with Elastic Security is just one example of how we're reimagining CDR. By centralizing diverse security data streams, we're enabling security teams to:

  1. Quickly piece together the entire story of an attack

  2. Correlate events across different cloud services and environments

  3. Automatically build attack chains for more effective incident response

  4. Reduce alert fatigue by providing contextualized high-fidelity alerts

Take your cloud security to the next level

We've made it easy to get started with ingesting Falco data into Elastic Security. Visit our documentation for step-by-step instructions on setting up this integration.

Falco's edge detection capabilities are now combined with Elastic Security's powerful analysis and correlation features, so you get a comprehensive solution for cloud workload protection. For an in-depth technical dive, take a look at how to set up Falco, understand its rule-based detection system, and more. This integration represents our commitment to providing the tools you need to safeguard digital assets in today's complex cloud environments.

Stay tuned for more updates as we continue to expand our integrations and enhance our security offerings. Together, we're building a more secure digital future.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.