The presentation discusses the importance of observability in detecting and responding to attacks on Kubernetes clusters, and how eBPF technology can provide unique visibility into the system.
- Observability is crucial in detecting issues and improving the stability and security of a system
- Data-driven security using observability can help detect and respond to attacks in real-time
- eBPF technology provides unique visibility into Kubernetes pods, allowing for network and process-level visibility to detect and respond to sophisticated attacks
- Immutability (a container image does not change once built) makes it possible to declare patterns describing the expected behavior of a workload, so that deviations can be matched against the tactics, techniques, and procedures (TTPs) used in attacks
- Collecting the right data is key to detecting sophisticated attacks in a system
The presenters demonstrate how eBPF technology can be used to detect a live sophisticated attack on a Kubernetes cluster, and how immutability can be used to identify suspicious behavior such as the execution of a binary that is not part of the container image.
As Kubernetes adoption continues to explode, the threat actors working on attacks are growing in sophistication. Simple mitigations and security best practices are no longer sufficient on their own to protect production workloads. While tools like vulnerability scanning, signed container images, and distroless containers help, constant monitoring must take place in a running environment to ensure it remains safe from compromise. eBPF, an emerging Linux kernel technology, gives us unique visibility directly into any Kubernetes pod. Because pods on a node share a single kernel, a single eBPF program has full visibility into the entire node’s workloads. We’ll show how using such a program gives us the network and process-level visibility to detect a live sophisticated attack on our cluster. We’ll finish by showcasing how security teams can easily put these same tools to use to protect their critical Kubernetes environments from threats.
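The detection idea that runs through the summary and the abstract above (an execution inside a pod of a binary that is not part of the immutable container image is suspicious) can be expressed as a small rule over exec events. The following is an added illustration, not code from the talk or from any project it describes: the event shape, the image references, the file digests and the `sha256` field reported by the probe are all constructed assumptions. In a real deployment the events would come from an eBPF exec probe and the manifests would be built from the image layers; here both are embedded so the logic runs offline.

```python
# Added example: flag process executions whose binary is not part of the
# container's immutable image. Events, image names and digests are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    namespace: str
    pod: str
    image: str     # image reference the container was started from
    binary: str    # absolute path of the executed file inside the container
    sha256: str    # digest of the file at exec time (hypothetical probe field)


# Constructed manifests: for each image, the executables it ships and their digests.
IMAGE_MANIFESTS: Dict[str, Dict[str, str]] = {
    "example.test/web:1.0": {
        "/usr/sbin/nginx": "aaaa1111",
        "/bin/sh": "bbbb2222",
        "/usr/bin/curl": "cccc3333",
    },
}


def classify(event: ExecEvent, manifests: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return a finding label, or None when the exec is consistent with the image."""
    manifest = manifests.get(event.image)
    if manifest is None:
        # No manifest to compare against: cannot vouch for anything this pod runs.
        return "unknown-image"
    expected = manifest.get(event.binary)
    if expected is None:
        # Path was never shipped in the image: a dropped or downloaded file.
        return "binary-not-in-image"
    if expected != event.sha256:
        # Path exists in the image but the content on disk was altered.
        return "binary-modified"
    return None


def detect(events: List[ExecEvent],
           manifests: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run the rule over an event stream; return (label, namespace, pod, binary)."""
    findings = []
    for ev in events:
        label = classify(ev, manifests)
        if label:
            findings.append((label, ev.namespace, ev.pod, ev.binary))
    return findings


# Constructed event stream: two benign execs, one dropped file, one tampered
# shell, and a pod from an image we have no manifest for.
SAMPLE_EVENTS: List[ExecEvent] = [
    ExecEvent("shop", "web-7d9f", "example.test/web:1.0", "/usr/sbin/nginx", "aaaa1111"),
    ExecEvent("shop", "web-7d9f", "example.test/web:1.0", "/usr/bin/curl", "cccc3333"),
    ExecEvent("shop", "web-7d9f", "example.test/web:1.0", "/tmp/.cache/dropped", "ffff9999"),
    ExecEvent("shop", "web-7d9f", "example.test/web:1.0", "/bin/sh", "dddd4444"),
    ExecEvent("shop", "api-2b1c", "example.test/api:2.3", "/app/server", "eeee5555"),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, IMAGE_MANIFESTS):
        print(*finding)
```

The three labels map onto different responses: `binary-not-in-image` is the case the talk demonstrates and is a strong signal on its own, `binary-modified` catches an attacker overwriting a shipped tool in place, and `unknown-image` is an inventory gap rather than an attack, but it means the rule is blind for that pod until a manifest is added.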