Falco – Devstyler.io https://devstyler.io

Google surprises their customers with new options and many more
https://devstyler.io/blog/2022/10/04/google-surprises-their-customers-with-new-options-and-many-more/
Tue, 04 Oct 2022 09:07:22 +0000

Google is one of the fastest-developing companies in the world, and this week it announced several new features that make working with its platform easier than ever.

Google Distributed Cloud Virtual Now Supports Virtual Machines

Google recently announced the general availability of virtual machine (VM) support in Anthos for bare metal, also known as Google Distributed Cloud Virtual (GDC). It allows customers to run VMs alongside containers on a single, unified, Google Cloud-connected platform in their own data center or at the edge.

Google Cloud Spanner Introduces Free Trial Instances and Fine-Grained Access Control

Google Cloud recently announced several improvements to its managed databases. The cloud provider introduced free trial instances and fine-grained access control for Spanner, letting developers try the managed service and configure access to data at the table and column level.

Kubernetes Control Plane Metrics Now Available in Google Kubernetes Engine

Google has announced the general availability of Kubernetes control plane metrics in Google Kubernetes Engine (GKE). These metrics are integrated directly with Google Cloud Monitoring, providing a single place for troubleshooting GKE issues. Integration with third-party observability tooling is also possible via the Cloud Monitoring API.

Open-Source Threat Detection Tool Falco Adds Support for Google gVisor

The latest version of Falco introduces support for gVisor, Google's application kernel that adds an isolation layer between applications and the host OS. With Falco 0.32.1, users can consume security events from gVisor to detect threats and audit containers.

Google Open-Sources Natural Language Robot Control Method SayCan

Researchers from Google's Robotics team have open-sourced SayCan, a robot control method that uses a large language model (LLM) to plan a sequence of robotic actions to achieve a user-specified goal. In experiments, SayCan generated the correct action sequence 84% of the time.

GCP Announces MITRE ATT&CK Mappings to Implement Security Controls

Google Cloud Platform (GCP) recently announced MITRE ATT&CK mappings to improve security controls across Google Cloud workloads. The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The mappings let Google Cloud users assess GCP controls against adversary tactics, techniques and procedures (TTPs).

The Cloud-Native runtime Security Project “Falco” Adds Extensible Plugin Framework
https://devstyler.io/blog/2022/02/09/the-cloud-native-runtime-security-project-falco-adds-extensible-plugin-framework/
Wed, 09 Feb 2022 10:19:32 +0000

Falco, the cloud-native runtime security project, has released version 0.31.0.

This release introduces a new plugin system for adding event sources and field extractors to Falco. The plugin system includes SDKs to simplify development, and the release ships with a new AWS CloudTrail plugin, explains InfoQ.

The new plugin system standardizes how additional event sources, known as source plugins, are added to the Falco engine. Extractor plugins can also be written; these focus on extracting fields from events generated either by the core libraries or by other plugins. Plugins can be written in nearly any language as long as they export the required functions. The preferred language for plugin development is Go, followed by C++, and SDKs have been released for both to simplify plugin development.

Falco's rules engine detects abnormal activity within applications, containers, hosts and the container platform. It uses Linux kernel instrumentation to capture system calls as they are made.

Source plugins define a new event source and can also extract information from their own events by field. A plugin declares the set of fields it supports; filtering expressions and Falco rule conditions can then combine those fields using relational and logical operators.

Source plugins must also provide a plugin ID, a globally unique value that is registered in the Falco plugin registry. A new plugin is registered by opening a pull request with the plugin's details against the registry file. Extractor plugins may declare the set of event sources they handle; if no set is provided, the plugin is presented with all generated events, and it is the plugin's responsibility to recognise values it does not support and react accordingly.

The AWS CloudTrail plugin reads log files containing CloudTrail events, parses them, and emits one event per log entry. Logs can be obtained from an S3 bucket, from an SQS queue that receives SNS notifications, or from a local filesystem path. Exported fields include the event time, AWS region and resource instance name. Alongside the plugin, new rules have been added to monitor for suspicious activity in CloudTrail logs; for example, one rule detects console access without multi-factor authentication.
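To make the source-plugin flow described above concrete (parse a log file, emit one event per record, extract named fields, then evaluate a rule condition built from relational and logical operators), here is an added Go example written for this page. It is not Falco's CloudTrail plugin, not the Falco plugin SDK, and not one of the project's rules. It uses only the Go standard library; the field names (ct.time, ct.region, ct.name, ct.user, ct.mfa, ct.login) are hypothetical stand-ins for the plugin's exported fields; the "console login without MFA" condition is this example's own reconstruction of that idea, built on the standard CloudTrail ConsoleLogin record (eventName, additionalEventData.MFAUsed, responseElements.ConsoleLogin); and the log file is constructed, not real data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cloudTrailRecord holds the subset of a CloudTrail record this example
// extracts. The JSON tags follow the CloudTrail record schema; fields that
// are absent in a record simply decode to their zero value.
type cloudTrailRecord struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	AwsRegion    string `json:"awsRegion"`
	UserIdentity struct {
		Arn string `json:"arn"`
	} `json:"userIdentity"`
	AdditionalEventData map[string]interface{} `json:"additionalEventData"`
	ResponseElements    map[string]interface{} `json:"responseElements"`
}

// cloudTrailLog is the top-level shape of a CloudTrail log file.
type cloudTrailLog struct {
	Records []cloudTrailRecord `json:"Records"`
}

// ParseCloudTrailLog is the "parse the file, emit one event per entry"
// step of a source plugin. A malformed file is reported, not silently
// dropped, so a corrupt or tampered log does not become a detection gap.
func ParseCloudTrailLog(data []byte) ([]cloudTrailRecord, error) {
	var lf cloudTrailLog
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("parse CloudTrail log: %w", err)
	}
	return lf.Records, nil
}

// stringField returns m[key] as a string, or "" when the key is missing
// or not a string, so a condition can compare it without a nil check.
func stringField(m map[string]interface{}, key string) string {
	if v, ok := m[key].(string); ok {
		return v
	}
	return ""
}

// ExtractFields plays the role of a plugin's field extraction: one event
// becomes a flat set of named fields a rule condition can reference.
// The dotted names are hypothetical, chosen to resemble Falco's style.
func ExtractFields(rec cloudTrailRecord) map[string]string {
	return map[string]string{
		"ct.time":   rec.EventTime,
		"ct.name":   rec.EventName,
		"ct.region": rec.AwsRegion,
		"ct.user":   rec.UserIdentity.Arn,
		"ct.mfa":    stringField(rec.AdditionalEventData, "MFAUsed"),
		"ct.login":  stringField(rec.ResponseElements, "ConsoleLogin"),
	}
}

// ConsoleLoginWithoutMFA is this example's reconstruction of a "console
// access without MFA" condition, combining field comparisons with logical
// operators as a rule condition would:
//   ct.name = ConsoleLogin and ct.login = Success and ct.mfa != Yes
// Failed logins are deliberately excluded to keep the alert high-signal;
// drop the ct.login clause if you also want failed attempts.
func ConsoleLoginWithoutMFA(fields map[string]string) bool {
	return fields["ct.name"] == "ConsoleLogin" &&
		fields["ct.login"] == "Success" &&
		fields["ct.mfa"] != "Yes"
}

// FindAlerts runs the condition over every record in a log file and
// returns one alert line per match.
func FindAlerts(data []byte) ([]string, error) {
	records, err := ParseCloudTrailLog(data)
	if err != nil {
		return nil, err
	}
	var alerts []string
	for _, rec := range records {
		f := ExtractFields(rec)
		if ConsoleLoginWithoutMFA(f) {
			alerts = append(alerts, fmt.Sprintf(
				"%s console login without MFA: user=%s region=%s",
				f["ct.time"], f["ct.user"], f["ct.region"]))
		}
	}
	return alerts, nil
}

// SampleLog is a constructed CloudTrail log file (not real data): a login
// with MFA, a successful login without MFA, an unrelated API call, and a
// failed login without MFA. Only the second record should alert.
const SampleLog = `{"Records":[
 {"eventTime":"2022-02-09T10:00:00Z","eventName":"ConsoleLogin","awsRegion":"us-east-1",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},
  "additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}},
 {"eventTime":"2022-02-09T10:05:00Z","eventName":"ConsoleLogin","awsRegion":"eu-west-1",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},
  "additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}},
 {"eventTime":"2022-02-09T10:06:00Z","eventName":"DescribeInstances","awsRegion":"eu-west-1",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"}},
 {"eventTime":"2022-02-09T10:07:00Z","eventName":"ConsoleLogin","awsRegion":"eu-west-1",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/carol"},
  "additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
]}`

func main() {
	alerts, err := FindAlerts([]byte(SampleLog))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Println(a)
	}
}
```

The split between ExtractFields and ConsoleLoginWithoutMFA mirrors the page's division of labour: the plugin owns parsing and field extraction, while the rule only sees named fields and operators, so the same condition works whether the records came from S3, SQS or a local file.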

The changelog contains more detail on these changes and on other improvements in the release. Falco is open source and is available under the Apache 2.0 license.
