Triaging Real-time Security Threats with eBPF-powered Observability

Tuesday, March 15, 2022 - 2:45 pm3:30 pm

Daniel Kim and Robert Prast, New Relic


Time is of the essence for Incident Commanders when they are working to resolve a security threat. Unfortunately, valuable time can be wasted manually aggregating and querying logs in different sources and formats as data becomes increasingly siloed in large, complex systems. Without proper observability, security teams are handicapped, not being able to fully contextualize the impact of the security threat.

In this talk, you will learn how observability-first principles can be adopted to triage ongoing security threats leveraging Pixie, a CNCF sandbox observability project. Pixie uses eBPF to leverage the Linux Kernel to extract observability data into a single source of truth, providing end-to-end traces and performance insights. With Pixie, engineers no longer have to hunt for data across multiple layers of the OSI model from raw DNS queries down to process stats. Being able to analyze data flow from high-level user space down to low-level system calls across an entire environment can help pinpoint the root cause of an attack.

Daniel Kim, New Relic

Daniel Kim (He/Him) is a Senior Developer Relations Engineer at New Relic and the founder of Bit Project, a 501(c)(3) nonprofit dedicated make tech accessible to underserved communities. He wants to inspire generations of students in tech to be the best they can be through inclusive, accessible developer education. He is passionate about diversity & inclusion in tech, good food, and dad jokes.

Robert Prast, New Relic

Robert Prast is on the Application Security team at New Relic. As an AppSec engineer, he works with developers to write secure code and review New Relic's security posture across all products. He is a huge security nerd who tried to hack video games as a kid to make sure he won against his brother.

SREcon22 Americas Open Access Sponsored by Blameless

@conference {278146,
author = {Daniel Kim and Robert Prast},
title = {Triaging Real-time Security Threats with {eBPF-powered} Observability},
year = {2022},
address = {San Francisco, CA},
publisher = {USENIX Association},
month = mar,

Presentation Video