Triaging Real-time Security Threats with eBPF-powered Observability

Time is of the essence for Incident Commanders when they are working to resolve a security threat. Unfortunately, valuable time can be wasted manually aggregating and querying logs in different sources and formats as data becomes increasingly siloed in large, complex systems. Without proper observability, security teams are handicapped, not being able to fully contextualize the impact of the security threat.

In this talk, you will learn how observability-first principles can be adopted to triage ongoing security threats leveraging Pixie, a CNCF sandbox observability project. Pixie uses eBPF to leverage the Linux Kernel to extract observability data into a single source of truth, providing end-to-end traces and performance insights. With Pixie, engineers no longer have to hunt for data across multiple layers of the OSI model from raw DNS queries down to process stats. Being able to analyze data flow from high-level user space down to low-level system calls across an entire environment can help pinpoint the root cause of an attack.