Loris Degioanni: Mission number one when you start a new open source project is definitely to identify something that is clearly filling a gap and bringing real, tangible value to a community of people.

Eric Anderson: This is Contributor, a podcast telling the stories behind the best open source projects and the communities that make them. I'm Eric Anderson. Today we're joined by Loris Degioanni, who is the founder and CTO at Sysdig. He's also the co-creator of Wireshark, which many of you will know, and the creator of Falco. Loris, I am humbled to be on the call with you today. Thanks for coming.

Loris Degioanni: Thanks for having me.

Eric Anderson: We have lots to discuss, and we always start with a brief explanation of the project at hand, Falco. What is Falco? How would you explain it when you're caught in an elevator with somebody?

Loris Degioanni: Yeah. Falco is an open source project, which at this point is a CNCF (Cloud Native Computing Foundation) project. It's a runtime security tool for modern cloud/cloud native infrastructures. When describing Wireshark, I typically compare it to a security camera for modern infrastructure. So similarly to what you do in a physical environment, you put security cameras in different rooms or in different areas, and then essentially you collect the data from the cameras in a centralized place and you're able to monitor it to understand when something is wrong, to understand if there's something dangerous, and in general to take action based on that. Falco is like a little piece of software that you can plug into different places of your cloud infrastructure, and it's able to see inside the workloads like containers, hosts, cloud instances and this kind of stuff. It's able to monitor cloud logs. It's able to monitor third-party services like GitHub and so on. And it's able to bring detections and all the signals into a centralized place where then you can monitor this, collect this information for threat detection and response reasons.
And you can also use this data to then take action to protect your digital valuables.

Eric Anderson: Awesome. It's quite popular. I noticed here there's almost 6,000 GitHub stars. CNCF has embraced the project into some level of... I know they have their incubation cycle. Congrats on doing something that people seem to love.

Loris Degioanni: Yeah. The project is well embraced by the community. At this point, we're counting more than 60 million downloads, 40-plus integrations. We have hundreds of contributors. And the project is truly... It was started originally by me and other Sysdig people, but now it's truly a project that is owned and run by the community, with more than 10 organizations that are sort of maintainers of this project, including AWS, IBM, Red Hat, and Sysdig. So it's a successful project because it fills an important need in the modern stack.

Eric Anderson: Well, I think the only way to truly understand Falco, Loris, is to understand you. And there's been a long story that's gotten us here. I'd like to go back to your original inspiration and interest in all things monitoring. In particular, take us back before... And Wireshark, how did that come about?

Loris Degioanni: Yeah, actually Falco is, for me in particular but in general too, the culmination of over 20 years at this point of operating in this field. In particular, I started working on a little piece of Wireshark when I was at school in Italy. I was getting my degree at Politecnico di Torino around '99, 2000. And we started building a network analyzer for the university, mostly because our computer networking professor believed that the best way to learn a network is to observe what's happening on the network. But network analyzers were way too expensive. There were only commercial network analyzers, the Sniffers of the world, and we just couldn't afford them. And the lab was running Windows, so we needed something running on Windows.
And so my graduation project was essentially building a packet capture driver for Windows: connect to the network and to the network card and extract the raw packets so that they can be fed to an application that can dissect them and show their content. It turns out that there was another person, Gerald Combs, who is still working with me. But I was in Italy. He was in Kansas City. And he had a similar need. He needed to build a network analyzer because he was working for an internet service provider and didn't have a way to troubleshoot the network. And they didn't have the budget to buy a network analyzer. So he built essentially the visual component. And so we put our projects together. Mine was collecting the data from the network; his was interpreting and showing this data. And that's how Ethereal originally was born. Ethereal was renamed to Wireshark in 2006, when Gerald and I actually started a company together with the goal of essentially providing commercial monetization and support for the community for Wireshark. Wireshark at that point was already exploding and used in many, many different places. So that's how we got to the Wireshark and packets part.

Eric Anderson: Why did you call it Wireshark, just curious?

Loris Degioanni: So yeah, as I was mentioning, the original name of the tool was Ethereal. And you clearly are not old enough to remember those days. But pre-2006, it was already extremely popular, with a different name. And when we started our company, CACE Technologies, the website domain name and assets like the trademark and so on for Ethereal were owned by Gerald's prior employer. And when I left university and he left his company, it was essentially our first business. And we didn't have money to buy these assets. So we couldn't afford it. So what we did is we forked the project and just gave it a different name. That's the beauty of open source.
Because you are not tied to a website domain or even to a tool name. The real value is the community, and the community was mainly people contributing to the tools. So we told the community, "Look, we want to create a company and we want to support you even better. In order to do that, we need to change the name." And the name that we picked was Wireshark. We were looking for something that would make you think about networks, like wire, but would have good mascot properties. Like, imagine a shark. It's been great because even now... And if you think about it, Falco is the same. Falco, which we'll get to in a second, is just falcon in Italian, the language where I come from. So there's a little bit of a pattern in our team of finding animal names, because then the marketing is great and you can do a bunch of cool stuff that is memorable.

Eric Anderson: Good. And how did you run into Gerald? He was in the States; you were in Italy and working on university projects.

Loris Degioanni: Yeah, exactly. When I launched WinPcap at university... Again, that was the project of my thesis in the network group of the Politecnico di Torino, my university. And after launching it, we also did a little port of tcpdump for Windows. So for the first time, people with a Windows laptop or desktop were able to essentially run the well-known networking tool tcpdump on Windows. So immediately this thing exploded in popularity, to the point that by the time I graduated, that little website was generating more traffic than the rest of the university combined. And that's, by the way, one of the reasons I got a PhD offer from the university, because they were like, if there are all of these people going and downloading this, there must be something interesting that this guy is doing. Among the people who found me, there was Gerald, who then found this and built essentially the Windows version of Ethereal based on that.
So our first interaction was just a technical interaction on mailing lists and stuff like that. We're talking about pre-GitHub times and all this kind of stuff. So just exchanging emails and so on. And then actually the way we started working together is, I moved to the United States as a PhD student. And shortly after that, I started the company, and Gerald reached out to me saying, "Okay, there's a clear need here because everybody's asking me to build a version of Wireshark that will support wireless networks." So at that point, at least on Windows, it was very hard if not impossible to do wireless network analysis with Wireshark. So it was like, why don't we work together on building something? That was essentially our first commercial product, called AirPcap, around Wireshark. And essentially I told Gerald, okay, we can build this together. Move to California and we'll do this together. And that's how we started doing business together.

Eric Anderson: So you go to start this business presumably around Wireshark. But if I understand correctly, today Wireshark's a nonprofit org, or it's at least open source. And Sysdig doesn't start till 2013, right?

Loris Degioanni: Yeah, exactly. So by the way, you're right. Wireshark, essentially last week we announced the Wireshark Foundation. So for the first time... Gerald is still working, is with Sysdig now, still working with us. But for the first time essentially, we got the Wireshark assets and put them in a separate, open source foundation. Because as you can see, we're all starting to get gray hair and Wireshark is still there and still thriving. So it's time for us to essentially find it a home that goes beyond us and really puts it in the hands of the community. Sysdig comes later essentially because CACE Technologies, the Wireshark company, was acquired in 2010 by Riverbed, a company based in San Francisco. Both Gerald and I went to work for Riverbed.
And while we were there, our product line grew very well in terms of revenues. And essentially, we were selling products that were offering visibility of applications and users based on network traffic. Essentially, we were connecting to the routers in a network. And we were collecting data like the NetFlow information coming from the router, so summarized network data coming from the router, or just sitting on the SPAN port of the router. The SPAN port is the port in the router that you can use to mirror all of the traffic. And we were connecting our network analyzers there. And by looking at that, the network has a beautiful set of properties, because we used to say packets never lie. Because if you're sitting there on the network and all of the traffic is mirrored to you, nothing can escape you. And you can do that in a way that is not invasive. So instead of having to install something on every single endpoint, you can just listen with something separate: zero overhead, zero cost, zero need to deploy something. So all great, all beautiful, business was growing. We were acquired, and our business unit in the new company was really thriving. But at the same time, I was starting to realize the world was changing; the cloud was really starting to explode. We were talking about 2010, 2011, 2012, when AWS was really starting to become a real thing, including in the enterprise. And containers: a little company called dotCloud was renamed to Docker, and the container evolution was starting. And all of these new technologies were unfriendly, very unfriendly, from the point of view of getting this kind of visibility and observability from the network point of view. Because in the cloud, you don't have access to the routers anymore to do the tricks that we were doing of mirroring all of the traffic and so on. And with containers, we now routinely see customers that pack hundreds and hundreds of containers on a single 96-core or 128-core machine.
And there's a lot of stuff that happens in these machines without hitting the wire on the network. So it was not true anymore that packets never lie. And so essentially, with Sysdig originally, I started with the mission of, okay, how do we reinvent instrumentation and visibility in a way that reflects all of the beautiful properties of packets that we learned and were influenced by during the prior years in our career, but we do it in a way that is really native for cloud, for containers, for orchestrated microservices applications like Kubernetes and so on? And so what is the right fundamental design for this? And this essentially is how Sysdig was born and how Falco came into existence.

Eric Anderson: Along the way, you pointed out that these new things are happening in parallel to you: cloud, containers. We haven't talked about it, but eBPF.

Loris Degioanni: Yeah. Yeah.

Eric Anderson: You're marching down a certain path. You have a vision for the future. You're building something. And these things show up alongside you. Are they surprises? Are you aware of their development?

Loris Degioanni: Yes. So navigating these environments is at the same time extremely exciting and super fun and very frustrating. It's really, we identified... And that's why entrepreneurs have opportunities to create successful companies. It's really like... I always say I didn't really invent something new, especially with Sysdig and with Falco and so on. We'll get to Falco in a little bit, but it's more like I took the lessons from the prior generation and just applied them to the new generation. And essentially the ever-changing IT landscape is what creates these opportunities, right? If we were still using physical servers or IBM mainframes or that kind of stuff, there would be no Sysdig and there wouldn't be many other companies. So I consider it luck and opportunity that everything is always so in flux.
But in particular, during those years in containers and cloud and Kubernetes, everything was changing so much every day. I don't know if you remember, for a while during those times we had the orchestrator wars. So there was Kubernetes, there was Mesos, there was Docker Swarm. And no one really knew... Now, yes, it's Kubernetes. Everybody's using Kubernetes. But during those years, no one had any idea. So you had to invest in all of them and go to all of their conferences to understand what they're doing, how they're moving, which one is getting an edge, which one is getting more community. And it's constant daily navigation. And even containers. When we started, they were so young that we started before essentially containers were actually there. And then at a certain point, early on, I remember going to San Francisco and seeing a little presentation at a meetup by Solomon Hykes, the founder of Docker. And I was with my team and we were like, "Okay, that."

Eric Anderson: That's the one. Yeah.

Loris Degioanni: And we decided to focus on that. But you are definitely taking more risk when you're doing that, because you're betting on something that now is of course a given, but at that point it was absolutely not a given at all.

Eric Anderson: Yeah, good. So at some point in 2013, you start Sysdig, which is interesting. You made a transition, and maybe that seemed natural to you, from network land to Linux kernel land, which feels a little different. That's impressive.

Loris Degioanni: It's different. But Sysdig and the Sysdig commercial products and the Sysdig open-source projects like Falco, open-source Sysdig, are all based on kernel signal collection. In particular, an important source of data for us is system calls. For the audience, a system call is a call that a program running on the machine, physical or virtual, makes to the kernel of the operating system.
In practice, every time the program needs to do something with the external world (opening, closing, reading or writing a file, executing a command, having a conversation on the network, interacting with other programs, installing something on the machine), all of these are system calls. So calls that the program makes to the kernel of the operating system. These calls are something that can be essentially collected in a single point in the kernel of the operating system. And the beauty of, for example, containers and Kubernetes is that all of these containers share the same operating system. So you get something that creates a single collection point that goes back to the SPAN port, right? The same way we were able to connect to the router and to the SPAN port of the router to collect all of the network traffic in a single easy way, now we can use the kernel of the operating system, through technologies like eBPF, to collect the interactions, the granular interactions of all of these programs that are running in all of these containers, from a single point in the operating system. So it's a different data source, but the philosophy and the way you approach it is very similar. And the properties and the benefits are also very similar. You don't need to install something or link a library in every single application. You can just sit in the operating system and see everything. And I used to say, "Packets never lie." Now I say, "System calls never lie." So again, it's not reinventing something, but it's taking a new data source that is more suitable for this new world and applying all of the things that we learned before to this new data source.

Eric Anderson: Got it. And now that you describe that, it is more networky than I realized. These are containers communicating with each other and their operating systems over the system call network, the wire.
Loris Degioanni: But before, from the network, we couldn't see containers that are talking to each other in a single machine, while by sitting in the kernel of the operating system, they have to go through the kernel to talk to each other and so we can see them. So better visibility.

Eric Anderson: And that I think maybe brings us to Falco. So you start Sysdig, and maybe just a few words on Sysdig. Was that... That's on your own? Or you had left Riverbed now and wanted to try something new?

Loris Degioanni: Yeah. Exactly. So I had a company before. We did a successful acquisition. A great team at Riverbed, a lot of fun. But it's always like, being an entrepreneur and a company founder is something that when you do it once, it's hard to do something else in your life. So I was very happy at Riverbed, but counting the days to be able to start something from scratch by myself with a little group of friends, and just be with a complete blank sheet of paper and have to restart from the beginning. And that's what I did when I started Sysdig in 2014.

Eric Anderson: Awesome. And then when does Falco emerge?

Loris Degioanni: Falco emerged in 2016. So we spent a couple of years building the core instrumentation. And we also built an open-source tool, as I was mentioning. It's called Sysdig. It's still a very popular open-source tool in the community. So open-source Sysdig is... You remember when I talked about the beginning of my story, I talked about the fact that when I was at the university in Italy, first I built a packet capture driver and then I ported tcpdump, the famous command line tool, to Windows. And that caused that thing to become popular. So with open-source Sysdig, we did something similar. We spent a bit of time building a stack to capture system calls, and then we built a little command line tool that would be something like tcpdump for your system calls and for your containers. So something that you can run on the command line.
You can use it to take captures. But instead of taking a capture of the network traffic of a network segment, you take a capture of a container running on the machine. Very similar concept. And Falco, similarly: when you look at the network, there's a class of security tools in the network called network intrusion detection systems. Snort, for example, is a very popular open source network intrusion detection system. And these tools work by listening on the network and applying essentially a set of rules, some automated, some based on automatic detection, machine learning, to this traffic, and essentially telling you if there's something wrong with this traffic, typically if there are attacks in this traffic. And they do that by dissecting and interpreting the network traffic and understanding what's inside these packets and looking at whether it's something dangerous. A network intrusion detection system is a tool that most companies deploy on their network, and it's also a class of tools that are normally required for compliance. You need to have an IDS if you want to adhere to most of the modern security compliance standards. What we did with Falco is, okay, take the concept of the network intrusion detection system, which is based on packets, and apply it to system calls. So take the stream of system calls that we are able to capture, and then enrich it and put a decision engine, a rule engine, on top of it so that you can write rules that can be something like, "Okay, let me know every time somebody executes something different from the Redis server in the Redis container. Or let me know every time somebody modifies a binary file," so a file in /bin in my container. "Or let me know every time a container establishes a connection to a well-known miner IP address." These are all things that you can specify. Or with cloud logs, let me know, for example, every time somebody's logging into my cloud infrastructure from Asia without multi-factor authentication.
These are conditions that you can craft. And then Falco takes care of consuming all of this data and letting you know when one of these conditions is hit. So it's a new data source, but it was created originally by taking something that is well known to work well and be very important in terms of the way you need it in the networking world, and applying it to system calls, containers, cloud, and so on.

Eric Anderson: Amazing. And you're right. You would do them for the purpose of observability, security. Nobody's writing rules to actually change the functionality of applications for the purpose of development.

Loris Degioanni: Let's say Falco is something that you use more in production environments, largely to detect. So as I was saying, I compare Falco to a security camera. So it's more like a detection tool that you put in your house when the house is built. That doesn't mean that you cannot use it during CI/CD. There are also benefits in detecting stuff early. But Falco is more like detection, and typically the kind of actions that you take as a consequence of a Falco detection are more like runtime actions. I don't know, kill this container, or go and block this network connection. This kind of stuff, rather than a developer action.

Eric Anderson: Yep, yep. Observe and intervene, or remediate in some cases.

Loris Degioanni: Correct.

Eric Anderson: Awesome. And maybe say a word... You said something earlier about these open-source projects: anybody can put code out in the open, but it's not always picked up by people. And you've noted that there are certain things that kind of make these projects go viral or get people excited. And in the first, it was this tcpdump for Windows that was a missing command, I guess. Does that hold true for Sysdig open-source and Falco? Were there kind of key small tasks that really caught on with folks?

Loris Degioanni: Yeah.
I would say, at least the lesson that I learned is that, number one, when you do open-source, it's really like a real product. Yeah, it's free. But that doesn't mean that you will have users and substantial adoption only by putting something out for free. So rule number one is it needs to be something valuable, with tangible value for somebody who installs it. Otherwise, you will never overcome the barrier of somebody just spending time to deploy end-user software. So mission number one when you start a new open-source project is definitely to identify something that is clearly filling a gap and bringing real, tangible value to a community of people. That said, as in a real product, there's also the marketing component. And without the right marketing, the right word of mouth, you will never be able to reach a certain level of adoption. So from the beginning, especially after starting Sysdig, we also focused on features and properties in our tools that are designed, let's put it this way, for coolness. So somebody is incentivized to go there and be, okay, this is a cool way to spend an evening, or to hack around with it for a day or two.

Eric Anderson: Totally, yeah. There's stuff that's very high utility but maybe not as cool, and you make sure to include some coolness in the project to get people's attention and enjoy the utility.

Loris Degioanni: When we launched open-source Sysdig, one little thing that we did was we made it programmable through Lua. It's an embedded programming language. So people could not only use this command line tool with its functionality from the command line, but could also write their little programs to extend it and do other cool stuff. We call these little programs chisels, because with Sysdig, you're digging in the system. So with these scripts, you were able to precisely chisel inside the system.
And it was one way to incentivize people to come, try it, play with it, have fun with it, and also potentially contribute something back, which increases the adoption there.

Eric Anderson: Maybe tell us, Loris, how you spend your time today. So Sysdig's taken off, Falco's doing well. What gets you excited in the morning?

Loris Degioanni: Yeah, so number one, Sysdig went way beyond my expectations when I started it in my backyard. Actually outside here, I have a window in front of me. At this point, Sysdig is an organization with, I think, close to 800 people. So there's definitely delegation going on at this point. And many people way smarter than me doing a bunch of things that maybe I was doing before. But there's also complexity and the need to just devote focus to participating in the management and the growth of this organization. And it's fun because it's an ever-changing job. At the same time, I was originally the CEO of Sysdig, and then at a certain point, I believe three or four years, probably four or five years ago, we brought on board Suresh, our current CEO, to replace me. First of all, number one, because he's so much better than me at doing the job of the CEO, but also because I felt an itch to go back and spend more time on technical stuff. So now I tend to focus more on the bleeding-edge technical projects at Sysdig, and also I spend quite a bit of time on open-source. And so both Falco and open-source Sysdig and Wireshark are essentially a part of my team, of my organization at Sysdig. And I still proudly routinely introduce bugs in several of these tools.

Eric Anderson: Programming is basically debugging, it's been said, right? You just introduce bugs and then remove them and that's how you get work done.

Loris Degioanni: Yeah, exactly.

Eric Anderson: Falco has a lot of contributors, I saw. And some of these kind of corporate-sponsored projects can get by on their own teams. Do people from the outside contribute to Falco?
And is that part of your work, navigating community contributions?

Loris Degioanni: Yes. So at this point, the Falco community is pretty well structured and pretty sizeable. So one of the reasons why we donated Falco to the Cloud Native Computing Foundation in 2018 was exactly this. So Falco started as a project at Sysdig, but Falco is extremely embedded in the modern cloud computing stack that revolves around Kubernetes. It was clear to us that it would've been much more beneficial for the community, but also for us, the Falco developers, if there was a true blessed integration and if the project could really be embraced by a bunch of community players, not only Sysdig, but also other security companies, the cloud providers like Amazon and Microsoft and Google and so on. So we consciously decided to focus on expanding the ownership of the project so that it could really become the de facto tool for detection and response in modern environments. So that started by putting the project in a sandbox in the Cloud Native Computing Foundation. And when you do that, actually, the copyright of the source code is the Cloud Native Computing Foundation's. So it's not copyrighted to Sysdig anymore. Of course, Sysdig still devotes a lot of resources to Falco, and we are still the company that has by far the highest number of daily code contributors to the tool. And we have several maintainers in the project. But now the project has many maintainers, including from other industry players, but also end users. Like, for example, there are maintainers from Apple and from other companies. It's definitely a little bit more complicated to manage a project that has truly many owners, but it's also in the long term extremely beneficial for the health of the project and from the growth and success point of view.

Eric Anderson: Awesome.
As we wind down here, Loris, I wanted to ask you: you've observed a lot of tech changes over the years and you've had to navigate them, sometimes in frustration as you mentioned. Anything you're seeing today that feels reminiscent of that meetup where you saw the Docker demo for the first time, for example?

Loris Degioanni: Well, I think you're going to find my answer not very, let's say, creative or unique, because you've probably received this answer 20 times in the last couple of months. But I think that the modern, recently released large language models from companies like OpenAI, ChatGPT and so on are something that will have an impact on pretty much everything on the planet, including the world of IT, including the world of cybersecurity. So if I have to pick something that will be disruptive in the next months and years and will change the workflows and will create opportunities for somebody to generate substantial disruptions, I think it's the application of artificial intelligence to our fields. And this includes DevOps and includes cybersecurity and cloud security for sure as well.

Eric Anderson: Yeah. Good. What can folks do to get involved with any of these projects you've mentioned?

Loris Degioanni: All of our projects have open communities with a thriving set of not only contributors, but people that can help you get involved and get up to speed. Wireshark has multiple mailing lists that you can join. Falco has a GitHub, has a Slack channel under the CNCF, actually under the Kubernetes Slack. You can just come check out the project on falco.org. In there, you find all of the links to join the community and be involved with the project.

Eric Anderson: Loris, again, super excited you could join us today, and thank you for all your contributions: Wireshark and Sysdig and now Falco. These are staples for any developer. Appreciate it.

Loris Degioanni: Yeah, I appreciate the community that gave a chance to some of the software that I've written.
Eric Anderson: You can subscribe to the podcast and check out our community Slack and newsletter at contributor.fyi. If you like the show, please leave a rating and review on Apple Podcasts, Spotify, or wherever you get your podcasts. Until next time, I'm Eric Anderson, and this has been Contributor.