Leveraging eBPF for Runtime Security

eBPF for Cloud Security and Visibility

eBPF provides a new level of observability and control for applications, by essentially extending access to the what the operating system is doing, or can do, at runtime.  The potential uses for eBPF are well and truly staggering, so for the purposes of this quick overview, we'll focus on some of the networking and runtime process-related aspects of eBPF.

Modern applications are, by design, abstracted from their host hardware and related operating systems. App code is typically containerized, separated by microservices, and deployed across clusters of servers. This level of abstraction has many benefits for scale, software development, and more, but observing the system as a whole becomes a patchwork process of collecting and matching network operations data from individual servers and containers – the latter of which generally do not log or persist network data. By enabling kernel-level programs, eBPF elegantly solves this problem by capturing network operations on servers and containers in real-time.

eBPF and AuditD

For Linux users, talk of a kernel-level tool with implications for incident investigation likely sounds reminiscent of Linux’s native activity capturing feature, AuditD. eBPF and AuditD do share some common capabilities such as monitoring for system calls, file access, and other configurable events. Nevertheless, AuditD falls far short of eBPF for system-level visibility into modern cloud and multi-cloud environments. In particular, AuditD:

• Creates excessive userspace syscall overhead
• Often shows invocations such as execveat without revealing what they were called on
• Is inherently container-unaware

Transforming eBPF into Actionable Insights with Spyderbat

Spyderbat offers an industry-first eBPF-based security solution for cloud native runtime environments. Using a lightweight nano agent that probes eBPF, Spyderbat captures real-time stateful observability within and across hosts and containers, without needing to collect and process data from other disparate log sources.

With Spyderbat, engineers don’t have to spend countless hours manually reconstructing event narratives after the fact from incomplete records. Instead, Spyderbat automaticaly stitches together causal sequences of activities as they occur from eBPF data. This includes connecting incoming/outgoing network connections from hosts and containers to their respective processes. Spyderbat both visualizes these causal sequences of activities as Spydertrace, as well as assesses a risk score for every Spydertrace with new activities.

Platform and Security teams use Spyderbat to observe activities live and in granular causal context, enabling automated root cause identification, early problem recognition, and attack detection.