At CloudNativeSecurityCon 2023 in Seattle, WA, Jeremy Cowan and Wasiq Muhammad, both engineers at AWS, presented on identifying suspicious behaviors with eBPF, its use cases, and how AWS is using it for threat detection and protection.
Cowan started the talk by highlighting the challenges information security practitioners face today regarding threat detection, how monitoring runtime events can impact stability or performance, and the difficulty of separating signal from noise.
After covering the different approaches to overcome those challenges, he introduced eBPF and why it’s versatile for networking, security, and observability use cases.
He continued with the advantages and disadvantages and how eBPF is used in some AWS products, such as Lambda, VPC CNI, and GuardDuty.
eBPF was among the trending topics at this event, covered in six breakout sessions in addition to the keynote by Liz Rice, chief open source officer at Isovalent, who showed how to solve security problems visually with eBPF.
InfoQ sat down with Liz and talked about eBPF, the event, and the state of cloud native security.
I've been interested in eBPF since it started in 2017. At that time, you needed a cutting-edge kernel. I thought at some point this will become an interesting and useful technology platform.
Now, everybody is running a kernel that can take advantage of eBPF. We have all these incredible eBPF-based tools and are able to extract information from the kernel's perspective of what is happening in the user space.
It can be so performant, and it can get powerful data. Whether that's helping people understand how to operate their platform, diagnose problems, or build security tooling. I think we are at the beginning of a rich theme of great tools to build on.
Next, Muhammad illustrated how system call tracing works with eBPF and the ability to capture data about system call arguments and the processes making them.
He underscored that eBPF could provide rich container and process context, as customers demand container-level details for monitoring and threat detection. For example, eBPF can detect events related to container creation, filesystem access, networking communications, and interactions with other containers.
Furthermore, he pointed out that they decided at AWS to process events at the backend rather than on the host because it provides high flexibility to apply threat intel and use machine learning on the data in the future.
Muhammad ended by going over an example scenario in which a crypto miner is downloaded inside a container and then executed to connect to a mining pool, and how eBPF-based monitoring and detection can provide protection.
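The scenario above, worked through as an added example that is not code from the talk or from any AWS product: a backend-side correlation over constructed eBPF-style syscall events (field names and values are assumptions), flagging the chain "file created at runtime, then executed, then outbound connect" within one container while leaving a packaged binary's normal network activity alone.

```python
import json
from collections import defaultdict

# Constructed sample events in the shape an eBPF syscall tracer might emit
# (one JSON object per line; field names are assumptions for this example).
SAMPLE_JSONL = """
{"ts": 1, "container": "web-7f3", "pid": 4101, "syscall": "openat", "path": "/tmp/.x/miner", "flags": "O_WRONLY|O_CREAT"}
{"ts": 2, "container": "web-7f3", "pid": 4101, "syscall": "execve", "path": "/tmp/.x/miner"}
{"ts": 3, "container": "web-7f3", "pid": 4101, "syscall": "connect", "dst": "198.51.100.7", "dport": 3333}
{"ts": 4, "container": "api-c21", "pid": 5210, "syscall": "execve", "path": "/usr/bin/python3"}
{"ts": 5, "container": "api-c21", "pid": 5210, "syscall": "connect", "dst": "10.0.0.5", "dport": 443}
""".strip()

def parse_events(jsonl):
    """Parse one JSON event per line, skipping blank or malformed lines."""
    events = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def correlate(events):
    """Flag, per container, the chain: file created at runtime -> executed -> outbound connect.

    The container and process context carried on each event is what lets the benign exec of
    a packaged binary (api-c21) be separated from execution of a freshly dropped file (web-7f3)."""
    created = defaultdict(set)        # container -> paths created while the container ran
    dropped_exec = defaultdict(dict)  # container -> pid -> runtime-created path it executed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        c, sc = ev["container"], ev["syscall"]
        if sc == "openat" and "O_CREAT" in ev.get("flags", ""):
            created[c].add(ev["path"])
        elif sc == "execve" and ev["path"] in created[c]:
            dropped_exec[c][ev["pid"]] = ev["path"]  # execve keeps the pid, so track by pid
        elif sc == "connect" and ev["pid"] in dropped_exec[c]:
            alerts.append({
                "container": c,
                "pid": ev["pid"],
                "path": dropped_exec[c][ev["pid"]],
                "dst": f'{ev["dst"]}:{ev["dport"]}',
                "rule": "runtime-dropped binary executed and connected outbound",
            })
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_JSONL)):
        print(alert)
```

Because the chain is evaluated per container and per pid, a miner that is fetched and run under a different process name still trips the rule, while the same connect from a binary that shipped in the image does not.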
Cowan wrapped up the session by highlighting the benefits of using eBPF for threat detection and how, combined with the power of the cloud and AI/ML, it can help find the needle in the haystack.
eBPF is a mechanism to safely run sandboxed applications in the operating system kernel without changes to the kernel source code.
The breakout session recording is available on the CNCF YouTube channel. The presentation slides are on the event’s webpage.