Visibility and eBPF
The first computer technology to provide a raw interface for network traffic analysis in kernel space was the Berkeley Packet Filter (BPF). An extended iteration of this technology (eBPF) – available since Linux 4.x – now works like a sandboxed virtual machine inside the Linux kernel. While eBPF is widely applied to hardware performance monitoring, its potential value for network observability is revolutionary.
Modern applications are separated into microservices and deployed across clusters of servers, often hosted in containers. With applications abstracted from their host operating systems, observing the system as a whole becomes a patchwork process of collecting and matching network operations data from individual servers and containers – the latter of which generally do not log or persist network data. By enabling kernel-level programs, eBPF elegantly solves this problem by capturing network operations on servers and containers in real time.
eBPF and AuditD
For Linux users, talk of a kernel-level tool with implications for incident investigation likely sounds reminiscent of Linux’s native activity capturing feature, AuditD. eBPF and AuditD do share some common capabilities such as monitoring for system calls, file access, and other configurable events. Nevertheless, AuditD falls far short of eBPF for system-level visibility into modern cloud and multi-cloud environments. In particular, AuditD:
- Creates excessive userspace syscall overhead
- Often shows invocations such as execveat without revealing what they were called on
- Is inherently container-unaware
In contrast, eBPF is lightweight on the system and able to connect processes across servers and containers in complex, ephemeral architectures.
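To make the contrast concrete, here is a short bpftrace program (an added example, not code from the original post or from Spyderbat) that covers the gaps listed above: it reports every execve/execveat together with its full argument vector, tags each event with the calling process's cgroup id and pid namespace so container and host processes can be told apart, and ties outgoing TCP connects back to the initiating process. It assumes a Linux host with bpftrace installed, root privileges, and a kernel with BTF so the task and socket struct fields resolve; the probe selection and column layout are my own choices.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not from the original post or from Spyderbat.
 * Assumes: Linux, bpftrace installed, run as root, kernel with BTF
 * (so curtask->nsproxy and struct sock fields resolve without headers).
 *
 * Every line carries the cgroup id and pid-namespace inode of the calling
 * task: two tasks with the same pid in different containers show different
 * PIDNS values, which is exactly the context AuditD does not provide.
 */

BEGIN
{
  printf("%-7s %-16s %-12s %-11s %s\n",
         "PID", "COMM", "CGROUP", "PIDNS", "EVENT");
}

/* execve(2): print the caller context and, on the same line, the full argv. */
tracepoint:syscalls:sys_enter_execve
{
  $pidns = curtask->nsproxy->pid_ns_for_children->ns.inum;
  printf("%-7d %-16s %-12d %-11u exec ", pid, comm, cgroup, $pidns);
  join(args->argv);
}

/* execveat(2): same treatment, so "what it was called on" is never lost. */
tracepoint:syscalls:sys_enter_execveat
{
  $pidns = curtask->nsproxy->pid_ns_for_children->ns.inum;
  printf("%-7d %-16s %-12d %-11u execat fd=%d ", pid, comm, cgroup, $pidns, args->fd);
  join(args->argv);
}

/* Outgoing IPv4 TCP connect, attributed to the process and its container context. */
kprobe:tcp_connect
{
  $sk = (struct sock *)arg0;
  if ($sk->__sk_common.skc_family == 2) {   /* 2 == AF_INET */
    $pidns = curtask->nsproxy->pid_ns_for_children->ns.inum;
    printf("%-7d %-16s %-12d %-11u connect %s:%d\n", pid, comm, cgroup, $pidns,
           ntop($sk->__sk_common.skc_daddr),
           bswap($sk->__sk_common.skc_dport));
  }
}
```

Run it as root while starting a process inside a container and one on the host; the two exec lines differ in CGROUP and PIDNS even if the command lines are identical.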
Transforming eBPF into Actionable Information with Spyderbat
Spyderbat offers an industry-first eBPF-based security solution for cloud runtime environments. Using a lightweight nano agent that uses eBPF probes, Spyderbat captures real-time stateful observability within and across hosts and containers, without needing to collect and process data from other disparate log sources. With Spyderbat, engineers don’t have to spend countless hours manually reconstructing event narratives after the fact from incomplete records. Instead, Spyderbat stitches together causal sequences of activities as they occur from eBPF data, including connecting incoming/outgoing network connections from hosts and containers to their respective processes. Engineers use Spyderbat to observe activities live and in granular causal context, enabling automated root cause identification and early attack detection.
To schedule a live demo of attack tracing and intercept, contact Spyderbat today.