October 21, 2022

KubeCon + CloudNativeCon 2022 Q&A: Sysdig Will Showcase Cloud and Container Security with the Sysdig Platform. And Threat Detection with Falco

Written by

Ready for KubeCon + CloudNativeCon 2022?  Attending the show?  Make sure to visit with Sysdig.

KubeCon + CloudNativeCon takes place October 24 - 28, 2022 in Detroit, Michigan.

Read this exclusive interview between VMblog and Loris Degioanni, CTO and Founder of Sysdig.  The company pioneered cloud-native runtime threat detection and response by creating Falco and Sysdig Open Source as open source standards and key building blocks of the Sysdig platform. With the platform, teams can find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions, and compliance. 

Sysdig logo 


VMblog:  Can you give VMblog readers a quick overview of your company?

Loris Degioanni:  Sysdig is driving the standard for cloud and container security. We pioneered cloud-native runtime threat detection and response by creating Falco, the open source standard for runtime security and key building block of the Sysdig platform.  With our platform, teams can not only detect and rapidly respond to threats, we use those runtime insights to prioritize vulnerabilities and aggregate security findings by root cause. From containers and Kubernetes to cloud services, teams get a single view of risk from source to run, with no blind spots, no guesswork, no wasted time.

VMblog:  Can you double click on your company's technologies?  And talk about the types of problems you solve for a KubeCon + CloudNativeCon attendee.

Loris Degioanni:  Sysdig offers two products, Sysdig Secure and Sysdig Monitor, with the Sysdig platform architecture underpinning both solutions. Sysdig Secure closes the visibility gap created by cloud service sprawl and containerized workloads, so teams can immediately detect breaches and rapidly respond. The endless list of software vulnerabilities and misconfigurations causes developer fatigue, which Sysdig relieves by prioritizing vulnerabilities and configuration fixes. Customers can reduce the vulnerabilities developers need to fix immediately by up to 95% using runtime insights.

VMblog readers may be most interested in Sysdig's threat detection across hybrid environments. Originally developed for Linux threat detection, Sysdig supports bare metal, VM, containers, Kubernetes, and cloud workloads. Sysdig offers the industry's most comprehensive detection with deep visibility into workloads and cloud services, that includes user behavior, process, network, file access, and cloud activity.

Sysdig Monitor provides cloud and Kubernetes monitoring that is fully open source Prometheus compatible. The insight into Kubernetes and containers allows teams to troubleshoot issues ten times faster. Sysdig Monitor also helps customers optimize cloud environments, saving an average of 40%. The Cost Advisor feature shows customers where they have wasted resources, how much they are spending on those environments, and the amount of potential savings they could get if they rightsized those environments.

VMblog: Speaking about the technology now, what are the major components of the Sysdig platform?

Loris Degioanni:  As I mentioned, Sysdig Secure and Sysdig Monitor are based on the Sysdig platform architecture. The platform is instrumented using eBPF to capture Linux system calls, Falco libraries for stream detection in cloud logs, and scraping Prometheus metrics for monitoring. This detailed record of user behavior, process, network, file access, cloud activity is used for threat detection and response, monitoring and troubleshooting, and to inform shift-left security. This record is enriched with Kubernetes and cloud context and correlated to accelerate incident response, prioritize vulnerabilities, and aggregate security findings by root cause. 

A few specifics on our technology:

System calls don't lie. Sysdig has unique visibility into activity based on access to Linux system calls instrumented with eBPF. This gives teams a clear view into highly detailed container and host activity for incident response, especially important with the dynamic nature of containerized microservices.

Curated rules for threat detection allow teams to get started immediately and are easy to customize. Open source Falco, the CNCF runtime security project, is the de facto Kubernetes threat detection engine. Falco provides a straightforward, consistent rules language to ask specific questions against the syscalls, Kubernetes audit logs, and cloud logs. Sysdig detects malicious activity, misconfigurations, and compliance issues through curated rules. The Sysdig Threat Research Team meticulously maintains these rules and adds new rules as new attack techniques are discovered.

Machine learning algorithms provide high-fidelity detections. Another layer of detection is enabled by machine learning models tuned for specific use cases, such as cryptojacking.

Framework mapping simplifies threat investigations. Events are mapped to common security frameworks like MITRE ATT&CK and SOC2 for quick triage. All activity within any application or service by any user across the cloud account, containers and hosts, is presented with the detail you need to quickly understand exactly what happened.

Runtime insights are a game changer for vulnerability management. Risk Spotlight, a feature within Sysdig Secure, determines if vulnerabilities found with image scanning are impacting packages loaded at runtime. Prioritization also considers if an exploit is available. By filtering for these factors, you can reduce the vulnerabilities developers need to address immediately by up to 95%.

Security policies to validate posture, regarding compliance requirements, benchmarks, and internal security mandates are available in the Sysdig platform. Embracing a policy-as-code approach based on a shared OPA policy model makes it possible to define and enforce security requirements consistently at all stages of the application lifecycle. Policies can be applied through the pipeline, creating a unified toolset, and avoiding tool sprawl and duplicated tasks. The policy model can be used to align security with business and compliance requirements.

VMblog: When it comes to the cloud, what are the biggest challenges companies face?

Loris Degioanni:  Legacy security tools have blind spots and cannot adequately protect you in the cloud. Companies are adopting containerized microservices, CI/CD, and on-demand cloud services to speed innovations. Traditional tools cannot keep up with cloud-native due to rapid application deployment cycles and dynamic container environments. Unless security is automated and embedded into the development lifecycle it slows down innovation. Securing the cloud requires a security stack built on open standards that automates security within the development lifecycle, from source to run. 

VMblog:  How can attendees of the event find you?  What do you have planned at your booth this year?  What type of things will attendees be able to do at your booth?

Loris Degioanni:  KubeCon attendees can find us at booth P16. Stop by to talk about your organization's risk exposure and learn what it takes to effectively secure hybrid environments. We will also have swag, including the infamous kraken shirt, the the new Falco O'Reilly book, along with other giveaways. We've partnered on a few parties, and we will also be the coffee station sponsor, so after a late night/early morning, stop by for a cup of joe! 

VMblog:  What kind of message will an attendee hear from you this year?  What will they take back to help sell their management team and decision makers?

Loris Degioanni:  This year, we see the evolving threat landscape in the cloud, along with threat detection and response as major themes of KubeCon. And rightfully so! As the cloud matures, it's apparent that companies need to adopt multiple layers of detection to continually monitor their multi-cloud environments and automatically detect suspicious activity. We will be talking to teams about their threat profile and how they are detecting and responding to threats.

Another challenge we hear from prospects is never ending alerts. We will be speaking with attendees about how they are prioritizing software vulnerabilities. Sysdig's Risk Spotlight, which I touched on earlier, reduces vulnerabilities by 95% by automatically prioritizing vulnerabilities tied to packages running in production. It gives a short "to-do" list of the vulnerabilities developers need to fix immediately. This is critical because developers should spend their time developing software, not just fixing vulnerabilities.

Perhaps one of the biggest challenges in the cloud is the talent shortage. There are not enough DevOps engineers and cloud security specialists. Sysdig saves time by shortening the time to find and fix threats and troubleshoot performance issues, so you can do more with the people you have.

VMblog:  If someone wants to learn more about Sysdig, do you have any speaking sessions during the event?  If so, can you give us the details?

Loris Degioanni:  Yes, we have a few at both SecurityCon and Prometheus Day!


  • Tuesday, October 25 at 9:15am: Keynote: Detecting Threats in GitHub with Falco- Loris Degioanni, Sysdig
  • Tuesday, October 25 at  3:40pm: The Eye of Falco: You Can Escape but Not Hide - Stefano Chierici & Lorenzo Susini, Sysdig

Prometheus Day:

  • Tuesday, October 25 at 10:30am: Boost Your Logs with Prometheus! From Logs to Metrics - Jaime Yera Hidalgo, Sysdig
  • Tuesday, October 25 at 1:45pm: Keda with Prometheus: Scaling Your Kubernetes Application with Custom Metrics - David Lorite Solanas & Jesus Angel Samitier, Sysdig

VMblog:  While thinking about your company's solutions, can you give readers a few examples of how your offerings are unique?  What are your differentiators?  What sets you apart from the competition?

Loris Degioanni:  We hear from customers they value:

  • Our accuracy in threat detection using Sysdig's managed policies based on Falco and curated by the Sysdig Threat Research Team.
  • The ability to reduce vulnerabilities that developers need to address immediately by up to 95% with a single click using Risk Spotlight because they know what vulnerabilities are exposed at runtime. 
  • How Sysdig improves the signals that go into the SOC and speeds detection and response in the cloud, because they get a detailed record of security events with context to correlate events across workloads and cloud services.
  • Their attention being drawn to the highest impact actions with ToDo, along with a guided remediation workflow to fix configuration mistakes across multiple resources at once via a pull request.
  • The ability to use Sysdig across multiple clouds and their on premises Linux environments, as many customers operate in a hybrid mode.

VMblog:  Earlier you mentioned Falco, an Incubating CNCF project, what is Falco?

Loris Degioanni:  Falco is an open source tool for runtime security across Kubernetes, containers, and cloud.  Like a security camera, it monitors runtime system calls against set rules to trigger security alerts. Falco was created by Sysdig and contributed to the CNCF. Because it is a widely adopted open standard, companies including AWS, Google and Red Hat are using Falco for data collection and threat detection. It now has more than 45 million downloads and contributions from a broad base of organizations. Falco detects unexpected behavior, configuration changes, intrusions, and data theft in real time. KubeCon will be a great place to learn more!

VMblog: How can someone learn more about Falco at the show?

Loris Degioanni:  

Tuesday, October 25

The Falco community and maintainers are heavily involved CloudNativeSecurityCon. Two of the sessions will cover Falco: The Eye of Falco: You Can Escape but Not Hide and  Detecting Threats in GitHub with Falco. They are two don't miss talks.

Tuesday will also be the Falco Project Meeting, which is open to anyone, from 1:00 pm - 5:00 pm ET (Room 335, LEVEL 300). Additionally, if you just want to learn more, kick off KubeCon with the Falco at the Firebird party from 7:00pm -10:00pm at Firebird Tavern, 419 Monroe St, Detroit, MI.

Kubecon NA Days 1 - 3

During the main days of Kubecon, Falco will be part of the maintainers track - join to get an overview of Falco, plus get the opportunity to talk directly to the core maintainers and contributors of the project. Stop by the project pavilion too! See the details below: 

Maintainers track

Project pavilion

  • Falco Project Kiosk
    • Booth number 10
    • Expo days: Oct 26, 2022 - Oct 28, 2022
    • Expo hours: 10:00 am - 5:00 pm

Interested in learning more about Falco-more information here!

VMblog:  Are companies going all in for the cloud?  Or do you see a return back to on-premises?  Are there roadblocks in place keeping companies from going all cloud? 

Loris Degioanni:  Some companies are slower to move workloads to the cloud, but I believe we will only continue to see more companies continue to make the move. They cannot afford not to. The cloud enables companies to stay relevant - they can move faster and gives them agility. We have a customer that pushes 17,000 deployments per day. Legacy on-premises vendors cannot keep up with that.

Covid is the perfect example of companies having to change their applications overnight. Banking, food delivery, and streaming services are three services that immediately come to mind. The agility gained from the cloud enabled companies to scale rapidly or pivot offerings to address new opportunities. Being able to rapidly adapt to deliver new capabilities and features to customers is table stakes now.

We do see that hybrid environments are typical unless a company was ‘born in the cloud' era. That is why Sysdig provides teams the ability to manage security and monitoring across the cloud and on premises deployments. 

VMblog:  One last KubeCon question - the keynote stage will be covering a number of big topics, but what big changes or trends does your company see taking shape as we head into 2023?

Loris Degioanni:  Cloud security has gone through waves of adoption. First there was CASB to secure SaaS apps, then CSPM to get an inventory of cloud services and their configurations. ‘Shift left' is commonly where organizations start when they first deploy cloud workloads. Now that critical workloads are deployed in to the cloud, 2023 will be the year that companies get serious about runtime security, as they recognize that traditional approaches based on network segmentation can only go so far. We see it already; companies are waking up to the need for cloud-native detection and response.

David Marshall

David Marshall has been involved in the technology industry for over 19 years, and he's been working with virtualization software since 1999. He was able to become an industry expert in virtualization by becoming a pioneer in that field - one of the few people in the industry allowed to work with Alpha stage server virtualization software from industry leaders: VMware (ESX Server), Connectix and Microsoft (Virtual Server).

Through the years, he has invented, marketed and helped launch a number of successful virtualization software companies and products. David holds a BS degree in Finance, an Information Technology Certification, and a number of vendor certifications from Microsoft, CompTia and others. He's also co-authored two published books: "VMware ESX Essentials in the Virtual Data Center" and "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and acted as technical editor for two popular Virtualization "For Dummies" books. With his remaining spare time, David founded and operates one of the oldest independent virtualization news blogs, VMblog.com. And co-founded CloudCow.com, a publication dedicated to Cloud Computing. Starting in 2009 and continuing all the way to 2016, David has been honored with the vExpert distinction by VMware for his virtualization evangelism.


Ambassador Labs










Latest Tweets

Latest Videos