
Finding the Needles in a Haystack: Identifying Suspicious Behaviors with eBPF

Authors:   Jeremy Cowan, Wasiq Muhammad


Summary

eBPF is a lightweight and portable option for threat detection: it can capture events from the kernel and enrich them with additional context. Combined with the power of the cloud, it can be used to find the root cause of a security incident.
  • eBPF can capture events from the kernel and enrich the data to provide additional context
  • eBPF is lightweight, portable, and doesn't require changes to the kernel
  • eBPF is well suited to threat detection applications such as GuardDuty
  • eBPF combined with the cloud can be used to find the root cause of a security incident
eBPF is an attractive option for threat detection because it can capture events from the kernel, and the captured data can be enriched to provide additional context. It is well suited to threat detection applications such as GuardDuty because it is lightweight, portable, and doesn't require changes to the kernel. When combined with the power of the cloud, it can be used to find the proverbial needles in the haystack that let you focus on the root cause of a security incident.

Abstract

As the popularity of Kubernetes has grown, so has its appeal as a target. In an increasingly hostile environment, the ability to quickly flag suspicious behaviors and investigate and identify their source is becoming crucial. In this talk you will learn how AWS is using eBPF to identify a variety of security risks, e.g. communication with known command and control systems, Tor clients, cryptocurrency miners, and other malicious activity. You will also hear why AWS put eBPF above other options and the lessons they learned along the way.
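The abstract describes two steps: capturing kernel events (process execution, outbound connections) with eBPF, then enriching them with workload context and matching them against indicators such as known command-and-control addresses, Tor relays, and cryptominer binaries. The following is an added example, not code from the talk or from AWS, of the user-space half of that pipeline. The events stand in for what an eBPF probe would hand over a ring buffer, the cgroup-id-to-pod map stands in for a lookup against the container runtime, and every address and indicator is a constructed placeholder (TEST-NET ranges, made-up process names), not a real IoC.

```python
"""Enrich and triage eBPF-style kernel events against threat indicators.

Added example: events, workload context, and indicator lists below are all
constructed so the script runs offline; none of them are real IoCs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample events, shaped like what a probe on execve / tcp_connect
# might emit: pid, comm, the cgroup id of the calling task, and for connects
# the destination address and port.
RAW_EVENTS = [
    {"type": "connect", "pid": 4021, "comm": "curl",
     "cgroup_id": 7001, "daddr": "198.51.100.23", "dport": 443},
    {"type": "exec", "pid": 4100, "comm": "xmrig", "cgroup_id": 7002},
    {"type": "connect", "pid": 4133, "comm": "python3",
     "cgroup_id": 7003, "daddr": "203.0.113.7", "dport": 9001},
    {"type": "connect", "pid": 4021, "comm": "curl",
     "cgroup_id": 7001, "daddr": "10.0.0.5", "dport": 5432},
    {"type": "exec", "pid": 4200, "comm": "ls", "cgroup_id": 7999},
]

# Constructed map from cgroup id to Kubernetes workload. In a real deployment
# this is resolved from the container runtime or kubelet; here it is static.
CGROUP_CONTEXT: Dict[int, Dict[str, str]] = {
    7001: {"namespace": "payments", "pod": "api-7c9d", "container": "api"},
    7002: {"namespace": "batch", "pod": "worker-1a2b", "container": "worker"},
    7003: {"namespace": "dev", "pod": "notebook-9f", "container": "jupyter"},
}

# Constructed indicator lists (placeholders only). Real feeds would be much
# larger and refreshed continuously.
KNOWN_C2_NETWORKS = [ip_network("198.51.100.0/24")]
TOR_RELAY_IPS = {"203.0.113.7"}
MINER_COMMANDS = {"xmrig", "minerd", "cpuminer"}


@dataclass
class Finding:
    rule: str
    severity: str
    event: dict


def enrich(event: dict) -> dict:
    """Attach namespace/pod/container context keyed on the recorded cgroup id."""
    ctx = CGROUP_CONTEXT.get(event.get("cgroup_id"))
    out = dict(event)
    out["workload"] = (
        f"{ctx['namespace']}/{ctx['pod']}/{ctx['container']}" if ctx else "unknown"
    )
    return out


def classify(event: dict) -> List[Finding]:
    """Match one enriched event against the indicator lists."""
    findings: List[Finding] = []
    if event["type"] == "connect":
        dst = ip_address(event["daddr"])
        if any(dst in net for net in KNOWN_C2_NETWORKS):
            findings.append(Finding("known-c2-destination", "high", event))
        if event["daddr"] in TOR_RELAY_IPS:
            findings.append(Finding("tor-relay-connection", "medium", event))
    elif event["type"] == "exec":
        if event["comm"] in MINER_COMMANDS:
            findings.append(Finding("cryptominer-exec", "high", event))
    return findings


def triage(raw_events: List[dict]) -> List[Finding]:
    """Enrich every event, classify it, and return findings highest severity first."""
    findings: List[Finding] = []
    for raw in raw_events:
        findings.extend(classify(enrich(raw)))
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f.severity])  # stable: input order kept within a tier
    return findings


if __name__ == "__main__":
    for f in triage(RAW_EVENTS):
        e = f.event
        print(f"[{f.severity}] {f.rule}: pid={e['pid']} comm={e['comm']} "
              f"workload={e['workload']} dst={e.get('daddr', '-')}")
```

The enrichment step is what turns a bare kernel event into something an analyst can act on: the same connect event is far more meaningful as "curl in payments/api-7c9d talking to a known C2 range" than as a pid and an IP. Keying the context on the cgroup id is the usual approach because that value is available in kernel context at the time of the event, whereas pid-to-pod lookups race with short-lived processes.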

Conference:  Defcon 29
2021-08-01