
Tutorial: Getting Familiar with Security Observability Using eBPF and Cilium Tetragon

2023-04-19

Authors:   Duffie Cooley, Tracy P Holmes


Summary

Tetragon is an eBPF-based security observability and runtime enforcement tool for detecting, and optionally blocking, malicious behavior in a Kubernetes cluster.
  • Tetragon is deployed as a DaemonSet in Kubernetes, and it can also run directly on virtual machines or other hosts outside the cluster
  • It instruments the Linux kernel on every node to observe events such as process executions, file access, TCP connection patterns, namespace escapes, and privilege escalations
  • Tetragon can also expose metrics for HTTP, DNS, and TLS, which makes auditing compliance controls straightforward
  • Context is king in security observability: Tetragon attaches rich context to every event it reports, including the process, its parent, and the pod and container it belongs to, so an analyst can tell what happened and where
The speakers gave an example of using Tetragon to audit TLS cipher suites in a cluster, a common compliance control. With Tetragon it is relatively easy to identify which workloads are negotiating prohibited cipher suites and to take action to stop them.
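To make the "context is king" point concrete, here is an added example (not code from the talk or from the Tetragon project) that consumes Tetragon-style JSON events, links each process to its parent through the exec_id/parent_exec_id fields, and applies two simple detections: a shell spawned inside a pod, and a file-access kprobe reporting a sensitive path. The event layout follows the JSON that `tetra getevents -o json` produces; the node name, pod, exec IDs, file paths, timestamps and the two rules are assumptions constructed for this example.

```python
import json
from typing import Dict, List, Optional

# Constructed sample events. The field layout (process_exec / process_kprobe,
# exec_id, parent_exec_id, pod.namespace/name/container.name, file_arg.path)
# follows the JSON emitted by `tetra getevents -o json`, but every value here
# (node, pod, exec ids, paths, timestamps) is made up for this example.
POD = {"namespace": "default", "name": "web-7f9b", "container": {"name": "web"}}
SAMPLE_EVENTS = [
    {"process_exec": {"process": {
        "exec_id": "node1:1000", "pid": 1200, "uid": 1000,
        "binary": "/usr/bin/python3", "arguments": "app.py", "pod": POD}},
     "node_name": "node1", "time": "2023-04-19T10:00:00Z"},
    {"process_exec": {"process": {
        "exec_id": "node1:1001", "pid": 1234, "uid": 1000,
        "binary": "/bin/sh", "arguments": "-c id",
        "parent_exec_id": "node1:1000", "pod": POD},
        "parent": {"exec_id": "node1:1000", "binary": "/usr/bin/python3"}},
     "node_name": "node1", "time": "2023-04-19T10:00:01Z"},
    {"process_kprobe": {"process": {
        "exec_id": "node1:1001", "pid": 1234, "uid": 1000,
        "binary": "/bin/sh", "parent_exec_id": "node1:1000", "pod": POD},
        "function_name": "security_file_permission",
        "args": [{"file_arg": {"path": "/etc/shadow"}}, {"int_arg": 4}],
        "action": "KPROBE_ACTION_POST"},
     "node_name": "node1", "time": "2023-04-19T10:00:02Z"},
    {"process_exec": {"process": {
        "exec_id": "node1:1002", "pid": 1250, "uid": 1000,
        "binary": "/usr/bin/curl", "arguments": "-s http://10.0.0.5:8443/health",
        "parent_exec_id": "node1:1000", "pod": POD}},
     "node_name": "node1", "time": "2023-04-19T10:00:03Z"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers", "/root/.ssh/authorized_keys"}


def parse_events(jsonl: str) -> List[dict]:
    """Parse one Tetragon event per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def index_processes(events: List[dict]) -> Dict[str, dict]:
    """Map exec_id -> first process record seen, so alerts can walk ancestry."""
    idx: Dict[str, dict] = {}
    for ev in events:
        body = (ev.get("process_exec") or ev.get("process_kprobe")
                or ev.get("process_exit") or {})
        for rec in (body.get("process"), body.get("parent")):
            if rec and "exec_id" in rec:
                idx.setdefault(rec["exec_id"], rec)
    return idx


def lineage(exec_id: Optional[str], idx: Dict[str, dict], limit: int = 16) -> List[str]:
    """Follow parent_exec_id links; return binaries from oldest ancestor to leaf."""
    chain: List[str] = []
    seen = set()
    cur = exec_id
    while cur in idx and cur not in seen and len(chain) < limit:
        seen.add(cur)
        chain.append(idx[cur].get("binary", "?"))
        cur = idx[cur].get("parent_exec_id")
    return list(reversed(chain))


def pod_ref(proc: dict) -> str:
    """Kubernetes context Tetragon attaches to a process, or 'host' if none."""
    pod = proc.get("pod")
    if not pod:
        return "host"
    container = pod.get("container", {}).get("name", "?")
    return f"{pod.get('namespace')}/{pod.get('name')}/{container}"


def make_alert(rule: str, ev: dict, proc: dict, idx: Dict[str, dict], detail: str) -> dict:
    """Bundle the event with the context an analyst needs: where and by whom."""
    return {"rule": rule, "time": ev.get("time"), "node": ev.get("node_name"),
            "pod": pod_ref(proc), "binary": proc.get("binary"), "detail": detail,
            "lineage": " -> ".join(lineage(proc.get("exec_id"), idx))}


def detect(events: List[dict]) -> List[dict]:
    """Apply two illustrative rules and return enriched alerts in event order."""
    idx = index_processes(events)
    alerts: List[dict] = []
    for ev in events:
        if "process_exec" in ev:
            proc = ev["process_exec"]["process"]
            name = proc.get("binary", "").rsplit("/", 1)[-1]
            if name in SHELLS and proc.get("pod"):  # rule 1: shell inside a pod
                alerts.append(make_alert("shell-in-container", ev, proc, idx,
                                         proc.get("arguments", "")))
        elif "process_kprobe" in ev:
            kp = ev["process_kprobe"]
            if kp.get("function_name") == "security_file_permission":
                for arg in kp.get("args", []):  # rule 2: sensitive file touched
                    path = arg.get("file_arg", {}).get("path")
                    if path in SENSITIVE_PATHS:
                        alerts.append(make_alert("sensitive-file-access", ev,
                                                 kp["process"], idx, path))
    return alerts


def run_sample() -> List[dict]:
    return detect(parse_events(SAMPLE_JSONL))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Run against the constructed sample, the curl execution passes silently while the shell and the /etc/shadow access each produce an alert carrying the pod, container, and the full exec chain (python3 -> sh). That ancestry is what turns a bare "sh was executed" event into something an on-call engineer can triage; the same loop can be pointed at Tetragon's JSON export file instead of the inline sample.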

Abstract

There are many people who are interested in observability but don't understand what data matters or even where to start. There are others who do understand these things, yet have no idea how to spot certain activities (malicious or otherwise!). This is where Security Observability comes into play. Security Observability in general is about providing more context into the events surrounding an incident. However, researching those events does not have to be confusing or difficult. In this session, we will help overcome these doubts by learning more about a good kind of S.O.R.E.ness - the Security Observability and Runtime Enforcement kind! In four steps we will: (1) introduce the fundamentals of Cilium Tetragon and the basics of Security Observability; (2) discuss the layers from which Tetragon can extract data and at which it can apply enforcement; (3) determine exactly which activities to care about and monitor, and how to spot them; and (4) walk through a brief deep dive into network connections and their associated events. The audience will walk away with a better understanding of the types of data and activity that should be monitored in order to prevent malicious events, and the ability to detect a container escape step by step.

Materials:
