Nexeed Learning Portal

preview 2025.03.00

Threat detection tools (e.g., Falco by Sysdig)

Introduction to Falco

Falco is an open-source runtime security tool originally created by Sysdig. It detects anomalous activity in applications and containers by monitoring system calls and alerting on unexpected behavior, which makes it a powerful tool for threat detection and incident response.

Installation and configuration

Install Falco

Using Helm: Helm is a package manager for Kubernetes that simplifies the deployment of applications. You can deploy Falco using Helm with the following commands:

helm repo add falcosecurity https://falcosecurity.github.io/charts
helm repo update
helm install falco falcosecurity/falco

Using Kubernetes Manifests: Alternatively, you can deploy Falco using Kubernetes manifests. Download the manifests from the Falco GitHub repository and apply them to your cluster:

kubectl apply -f https://raw.githubusercontent.com/falcosecurity/falco/master/integrations/k8s-using-daemonset/falco-daemonset.yaml

Configure Falco rules

Default Rules: Falco comes with a set of default rules that cover common security scenarios. These rules can be found in the rules directory of the Falco installation.

Custom Rules: Customize Falco rules to match your security policies and environment. You can add, modify, or remove rules as needed. Example of a custom rule:

# Falco rules are YAML list items; each rule needs a name (the name below is chosen for this example).
- rule: Write below etc
  desc: Detect any write below /etc
  condition: evt.type = write and fd.name startswith /etc
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)"
  priority: WARNING
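To make concrete what the condition in the custom rule above actually matches, here is an added example (not Falco's own code) that re-implements a small subset of Falco's condition grammar in Python and runs the rule against constructed event dictionaries keyed by Falco field names (evt.type, fd.name, user.name, proc.cmdline). It supports =, !=, in, startswith, endswith, contains, and, or, not and parentheses, with precedence not > and > or; the rule name "Write below etc" and the sample events are assumptions for this example.

```python
"""Minimal evaluator for a subset of Falco's rule-condition grammar (added example)."""
import re

# A token is a parenthesis, a comma, a double-quoted string, or a bare word.
TOKEN_RE = re.compile(r'\(|\)|,|"[^"]*"|[^\s(),]+')

# Comparison operators supported by this subset; both operands are treated as strings.
COMPARISONS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "startswith": lambda a, b: a.startswith(b),
    "endswith": lambda a, b: a.endswith(b),
    "contains": lambda a, b: b in a,
}


def tokenize(condition):
    """Split a condition string into tokens, dropping the quotes around quoted strings."""
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN_RE.findall(condition)]


class Parser:
    """Recursive-descent parser that turns tokens into a predicate over an event dict."""

    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expect(self, tok):
        if self.take() != tok:
            raise ValueError(f"expected {tok!r} in condition")

    def expr(self):  # expr := term ('or' term)*
        parts = [self.term()]
        while self.peek() == "or":
            self.take()
            parts.append(self.term())
        return lambda ev: any(p(ev) for p in parts)

    def term(self):  # term := factor ('and' factor)*
        parts = [self.factor()]
        while self.peek() == "and":
            self.take()
            parts.append(self.factor())
        return lambda ev: all(p(ev) for p in parts)

    def factor(self):  # factor := 'not' factor | '(' expr ')' | comparison
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda ev: not inner(ev)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            self.expect(")")
            return inner
        return self.comparison()

    def comparison(self):  # field op value | field 'in' '(' value, ... ')'
        field, op = self.take(), self.take()
        if op == "in":
            self.expect("(")
            values = [self.take()]
            while self.peek() == ",":
                self.take()
                values.append(self.take())
            self.expect(")")
            return lambda ev: str(ev.get(field, "")) in values
        if op not in COMPARISONS:
            raise ValueError(f"unsupported operator {op!r}")
        value = self.take()
        return lambda ev: COMPARISONS[op](str(ev.get(field, "")), value)


def compile_condition(condition):
    """Compile a Falco-style condition into a predicate; reject trailing tokens."""
    parser = Parser(tokenize(condition))
    predicate = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return predicate


def render_output(template, event):
    """Substitute Falco-style %field placeholders from the event (<NA> when absent)."""
    return re.sub(r"%([A-Za-z_.]+)", lambda m: str(event.get(m.group(1), "<NA>")), template)


def evaluate_rule(rule, events):
    """Return (priority, rendered output) for every event the rule matches."""
    matches = compile_condition(rule["condition"])
    return [(rule["priority"], render_output(rule["output"], ev)) for ev in events if matches(ev)]


# The custom rule from this page, as a dict instead of YAML (name chosen for this example).
WRITE_BELOW_ETC = {
    "rule": "Write below etc",
    "condition": "evt.type = write and fd.name startswith /etc",
    "output": "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name)",
    "priority": "WARNING",
}

# Constructed sample events; real Falco events come from the kernel driver, not from a list.
SAMPLE_EVENTS = [
    {"evt.type": "write", "fd.name": "/etc/passwd", "user.name": "root", "proc.cmdline": "vi /etc/passwd"},
    {"evt.type": "write", "fd.name": "/tmp/scratch", "user.name": "app", "proc.cmdline": "python app.py"},
    {"evt.type": "open", "fd.name": "/etc/hosts", "user.name": "app", "proc.cmdline": "cat /etc/hosts"},
]

if __name__ == "__main__":
    for priority, line in evaluate_rule(WRITE_BELOW_ETC, SAMPLE_EVENTS):
        print(priority, line)
```

Only the first sample event fires: the second writes outside /etc and the third opens a file under /etc without a write event. In real rules, use parentheses rather than relying on precedence when mixing and/or, and run falco with its rules validation before rolling a change out to the cluster.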

Authentication and authorization

Secure Access to Falco

Role-Based Access Control (RBAC): Ensure that access to Falco’s configuration and logs is restricted to authorized users only. Use Kubernetes RBAC to manage permissions. Example of a Kubernetes ClusterRole that grants Falco read-only access to pod and node metadata:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: falco-role
rules:
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]

Data encryption

Encrypt Data in Transit

TLS/SSL: Ensure that data transmitted between Falco and other systems (e.g., logging or alerting systems) is encrypted using TLS/SSL. Configure Falco to use secure communication protocols for all interactions.

Audit and monitoring

Enable Audit Logging

Audit Logging: Enable audit logging to track access and modifications to Falco’s configuration and rules. Regularly review audit logs to detect and respond to suspicious activities.

Monitor Falco Alerts

Integration with Monitoring Systems: Integrate Falco with monitoring and alerting systems such as Prometheus, Grafana, or the ELK stack to visualize and respond to security events. Example of integrating Falco with Prometheus:

falco:
  prometheus:
    enabled: true

Regular updates and patching

Keep Falco Up to Date

Regular Updates: Regularly update Falco to the latest version to benefit from security patches and new features. Monitor security advisories and apply patches promptly to address vulnerabilities.

Backup and recovery

Implement Regular Backups

Regular Backups: Perform regular backups of Falco’s configuration and custom rules. Ensure that backups are encrypted and stored securely.

Test Recovery Procedures

Recovery Testing: Regularly test backup and recovery procedures to ensure data integrity and availability in case of a disaster.

Access policies and controls

Define Access Policies

Access Policies: Use policies to define who can access and modify Falco’s configuration and rules. Implement fine-grained access controls to limit exposure. Regularly review and update access policies to align with security requirements.

Security headers and rate limiting

Set Security Headers

Security Headers: Configure Falco to set security headers such as Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection. Use these headers to protect against common web vulnerabilities.

Implement Rate Limiting

Rate Limiting: Use rate limiting to protect against brute-force attacks and denial-of-service (DoS) attacks. Configure rate limiting policies to control the number of requests to Falco.

Advanced threat detection

Behavioral Analysis

System Call Monitoring: Falco monitors system calls to detect anomalous behavior. Customize rules to detect specific threats such as unauthorized file access, process execution, and network activity.

Container Security: Use Falco to monitor container activity and detect deviations from expected behavior. This includes detecting container escapes, privilege escalations, and unauthorized network connections.

Integration with SIEM

Security Information and Event Management (SIEM): Integrate Falco with SIEM solutions to centralize and correlate security events. This enhances visibility and enables more effective threat detection and response.
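Both the monitoring integration above and the SIEM integration in this section depend on getting Falco's alerts into a form a downstream system can filter and correlate. The following is an added example (not Falco's or Nexeed's own code) that assumes Falco runs with json_output: true, so each alert is one JSON object per line, and shows a small forwarder step: drop alerts below a minimum priority, flatten the rest into records with ECS-style field names, and count hits per rule so noisy rules stand out. The sample alert lines and the container and pod names in them are constructed for this example.

```python
"""Normalize Falco JSON alerts for a SIEM / ELK pipeline (added example)."""
import json
from collections import Counter

# Falco's priority names as they appear in JSON output, most severe first.
PRIORITY_ORDER = ["Emergency", "Alert", "Critical", "Error", "Warning",
                  "Notice", "Informational", "Debug"]

# Constructed sample alerts (field layout follows Falco's JSON output; values are made up),
# followed by one malformed line to show how the parser copes with it.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"time": "2025-01-15T10:00:01.000000000Z", "rule": "Write below etc", "priority": "Warning",
     "source": "syscall",
     "output": "File below /etc opened for writing (user=root command=vi /etc/passwd file=/etc/passwd)",
     "output_fields": {"user.name": "root", "proc.cmdline": "vi /etc/passwd", "fd.name": "/etc/passwd",
                       "container.id": "0123456789ab", "k8s.ns.name": "example-ns", "k8s.pod.name": "app-0"}},
    {"time": "2025-01-15T10:00:02.000000000Z", "rule": "Terminal shell in container", "priority": "Notice",
     "source": "syscall", "output": "A shell was spawned in a container with an attached terminal",
     "output_fields": {"user.name": "app", "proc.cmdline": "bash", "container.id": "0123456789ab",
                       "k8s.ns.name": "example-ns", "k8s.pod.name": "app-0"}},
    {"time": "2025-01-15T10:00:03.000000000Z", "rule": "Launch Privileged Container", "priority": "Critical",
     "source": "syscall", "output": "Privileged container started",
     "output_fields": {"user.name": "root", "proc.cmdline": "runc init", "container.id": "fedcba987654",
                       "k8s.ns.name": "example-ns", "k8s.pod.name": "debug-1"}},
]) + "\nthis line is not JSON\n"


def priority_rank(name):
    """Lower rank means more severe; unknown names sort after Debug."""
    return PRIORITY_ORDER.index(name) if name in PRIORITY_ORDER else len(PRIORITY_ORDER)


def parse_alerts(text):
    """Parse newline-delimited JSON, skipping malformed lines instead of aborting the pipeline."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production forwarder would count or log the bad line
    return alerts


def to_siem_record(alert):
    """Flatten one Falco alert into a record with ECS-style field names."""
    fields = alert.get("output_fields", {})
    return {
        "@timestamp": alert.get("time"),
        "event.kind": "alert",
        "event.provider": "falco",
        "event.severity": priority_rank(alert.get("priority", "")),
        "rule.name": alert.get("rule"),
        "message": alert.get("output"),
        "user.name": fields.get("user.name"),
        "process.command_line": fields.get("proc.cmdline"),
        "file.path": fields.get("fd.name"),
        "container.id": fields.get("container.id"),
        "kubernetes.namespace": fields.get("k8s.ns.name"),
        "kubernetes.pod.name": fields.get("k8s.pod.name"),
    }


def forward(text, min_priority="Warning"):
    """Return (records, per-rule counts) for alerts at or above min_priority."""
    threshold = priority_rank(min_priority)
    kept = [a for a in parse_alerts(text) if priority_rank(a.get("priority", "")) <= threshold]
    return [to_siem_record(a) for a in kept], Counter(a.get("rule") for a in kept)


if __name__ == "__main__":
    records, counts = forward(SAMPLE_ALERTS)
    for record in records:
        print(json.dumps(record))
    print(dict(counts))
```

With the default threshold the Notice-level shell alert is dropped and the Warning and Critical alerts are forwarded; lowering the threshold to Notice forwards all three. Keeping the per-rule counts alongside the records is what lets you spot a rule that fires constantly and tune it rather than silencing the whole feed.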

For detailed information on Falco security best practices, please refer to the official documentation: https://falco.org/docs/

For detailed information on CIS benchmarks for various components, please refer to https://www.cisecurity.org/cis-benchmarks/


© Robert Bosch Manufacturing Solutions GmbH 2023-2025, all rights reserved
