Leveraging eBPF for DevSecOps

By Denise Ashur

May 17, 2024

eBPF is a revolutionary technology, originating from the Linux kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changing the kernel source code or loading kernel modules/extensions.

Today, eBPF is used extensively to:

  • Provide high-performance networking and security in modern data centers and cloud-native environments
  • Extract fine-grained security observability data at low overhead
  • Provide insights for performance troubleshooting
  • Provide preventive application and container runtime security enforcement

eBPF-Enriched Context 

eBPF is the base data layer that is needed in runtime cloud security. eBPF gives you information at a high level on layers 3, 4 and 7 – allowing you to see all network communication and correlate it with processes and specific applications that are communicating on those ports. 

In order to leverage eBPF to its full potential, you need to pair this raw data with additional cloud infrastructure context in order to gain a full understanding of which resources and services are in use. 

For example, by leveraging eBPF you can determine if you have 10 different applications all communicating on port 443, whereas a traditional network monitoring tool would tell you that you have a certain amount of traffic on this port but wouldn’t be able to segment this traffic and show how much of that traffic is coming from each individual application. 

Having this knowledge of which application is coming from an individual application gives you increased visibility, allowing you to know what your applications are doing in real time and identifying signs of compromise or decreased performance. 

Increasing Observability with eBPF

eBPF provides users with intrinsic, comprehensive insight into communication flows across the entire system. The applications for enhancing security observability with eBPF are vast, ranging from enabling highly detailed process visibility to facilitating end-to-end observation of processes and flows. 

When dealing with Layer 4 to Layer 7 traffic involving multiple protocols, eBPF emerges as an optimal solution. Through eBPF, TLS traffic traversing pods, nodes, and cloud platforms can now be uniformly instrumented across layers.

In other words, with eBPF you can observe your application and your node and gain a vast amount of raw data, which with the right tools, you can correlate to understand your entire network topology. 

Going Beyond eBPF Raw Data to Context and Correlation – To Layer 7 & Beyond.

Specifically for observability, you can use eBPF to apply filters directly in the kernel, which reduces the overhead and allows you to ingest significantly more raw data. eBPF’s architecture allows you to do all of this, observe network traffic and Layers 3,4, and 7, without compromising your security or performance.

With eBPF, you are able to understand the execution events, system call events and all of the network ingress and egress. But it’s not always enough.

You will need to correlate it with Cloud APIs, Kubernetes identities, pods and namespaces to understand the actual identities and relationships between the individual workloads, all the way down to the application layer. By doing so, you are able to understand application-level identity and use this context to understand your application behavior as well as your most critical risks and threats.

Leveraging eBPF for Threat Detection & Response

Security and networking observability are inherently interconnected. eBPF helps you to gain insights such as abrupt shifts in behaviors, spikes in activity within specific processes indicating potential exploitation or attacks, service-to-service communication trends, and more. These projects enable users to examine network transactions, identifying the pods, processes, and system calls involved. 

With eBPF, you can see OS-level runtime threats. eBPF gives you the ability to listen to system calls, but also to go one step further and block or terminate any process, PID (process identifier), system call or network packet. This allows for a more granular approach to automated threat detection and response, without damaging your system or hurting your infrastructure.

You can also use eBPF to implement prevention rules, meaning you can instruct eBPF to automatically block any malicious processes or pre-designated system calls or network packets, going beyond traditional uses of eBPF for monitoring and security, to become a more proactive, preventative tool for securing your infrastructure and applications. 

Real-World Benefits of eBPF 

eBPF presents a number of real-world benefits, going beyond traditional monitoring, observability and security to help with overall alert noise reduction and improved forensic analysis.

How eBPF Contributes to Noise Reduction

By itself, eBPF does not reduce noise. In fact, it increases it because of the influx of raw data from every system call. However, with the right tools, you can leverage this raw data and correlate it with additional context to understand your infrastructure and application behavior. This effectively reduces the alert noise that you would otherwise receive, because you are able to view more detailed insights into resource behavior. 

By filtering and aggregating this data, you receive more insights about applications, overall giving you less noise because you’re focusing on what actually matters. 

By having this eBPF raw data at runtime, you can apply intelligent filters to filter through the most important data and use it accordingly, resulting in better prioritization, more focused efforts and increased operational efficiency. 

Forensic Analysis

Another important real-world use case for eBPF is conducting forensic analysis. By leveraging eBPF’s raw runtime data and applying intelligent filters, you can quickly pinpoint problem origins and conduct forensic analysis at the application level. 

By leveraging eBPF’s raw data from layer 7, you gain a granular understanding of applications and the process-level communication within an application, allowing you to foresee the potential blast radius if an application were compromised, in terms of who it could interact with and what damage could occur. 

Conclusion

In summary, eBPF is a powerful technology that can be effectively leveraged for monitoring, observability and security purposes. However, when eBPF’s raw data is combined with context from Cloud APIs, it can be leveraged even further with intelligent filters to provide unparalleled cloud infrastructure and application context, allowing you to understand application-layer identity, provide real-time security, pinpoint problem origins and stop threats with surgical, active response.

Leveraging eBPF for DevSecOps

Further Reading

White Paper

eBPF versus Kernel Extensions

By Lavi Ferdman

Jul 26, 2024

Recent events in the world of cybersecurity have brought an influx of attention to a technology known as kernel extensions, and the serious risks that can arise when third-party programs that utilize this technology experience bugs and incompatibilities. So today, we thought it would be useful to dive into the two main approaches for building “agents” or […]

Shift Right Security
White Paper

What is Shift-Right Security?

By Tomer Hadassi

Sep 01, 2023

A look at the need for a shift-right security approach that includes runtime detection and response.

Evolution of EDR and CWPP
White Paper

The Evolution of EDR and CWPP

By Lavi Ferdman

Sep 01, 2023

An in-depth look at the evolution of EDR, CWPP and CDR and their role in security organizations, evolving from endpoint detection and response to the more recent need for cloud workload protection and real-time response.

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2024, Upwind Security