Jed Salazar - Security Observability with eBPF

Security Observability with eBPF

by Jed Salazar and Natalia Reka Ivanko

Copyright 2022 O'Reilly Media, Inc. All rights reserved.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

  • Acquisitions Editor: John Devins
  • Development Editor: Shira Evans
  • Production Editor: Katherine Tozer
  • Copyeditor: nSight, Inc.
  • Interior Designer: David Futato
  • Cover Designer: Randy Comer
  • Illustrator: Kate Dullea
  • April 2022: First Edition
Revision History for the First Edition
  • 2022-04-05: First Release

The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Security Observability with eBPF, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.

The views expressed in this work are those of the authors and do not represent the publisher's views. While the publisher and the authors have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the authors disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

This work is part of a collaboration between O'Reilly and Isovalent. See our statement of editorial independence.

978-1-098-13318-4

[LSI]

Chapter 1. The Lack of Visibility

Kubernetes has become the de facto cloud operating system, and every day more and more critical applications are containerized and shifted to a cloud native landscape. This means Kubernetes is quickly becoming a rich target for both passive and targeted attackers. Kubernetes does not provide a default security configuration and provides no observability to discern if your pods or cluster has been attacked or compromised.

Understanding your security posture isn't just about applying security configuration and hoping for the best. Hope isn't a strategy. Just like the site reliability engineering (SRE) principle of service level objectives (SLOs) that [identify] an objective metric to represent the property of a system,

With security observability, we can quickly answer:

  • How many pods are running with privileged Linux capabilities in my environment?

  • Have any workloads in my environment made a connection to known-bad.actorz.com?

  • Show me all local privilege escalation techniques detected in the last 30 days.

  • Have any workloads other than Fluentd used S3 credentials?
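The four questions above are queries over a stream of kernel-level events. The following is an added example, not code from the book or from Isovalent, that answers each of them against a constructed sample of such events. The event schema (an `exec`, `connect`, `setuid` or `file_open` record carrying the Kubernetes namespace and pod, the binary, and for `exec` the capabilities it runs with), the sample events, the "privileged capability" set and the fixed clock are all assumptions made for this example; privilege escalation is reduced to one signal, a uid transition to root, where real detection would combine several.

```python
# Added example: answering the four security-observability questions over a
# constructed event stream. Schema, sample events and thresholds are assumptions.

NOW = 1_700_000_000        # fixed "current time" (epoch seconds) so results are deterministic
DAY = 86_400

# Which capabilities count as "privileged" is a policy decision; this set is an
# assumption for the example.
PRIVILEGED_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                   "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF"}

# Constructed sample events, loosely modelled on what an in-kernel eBPF agent emits.
SAMPLE_EVENTS = [
    {"ts": NOW - 2 * DAY, "type": "exec", "ns": "prod", "pod": "web-7c9f",
     "binary": "/usr/sbin/nginx", "caps": ["CAP_NET_BIND_SERVICE"]},
    {"ts": NOW - 1 * DAY, "type": "exec", "ns": "prod", "pod": "debug-1a2b",
     "binary": "/bin/bash", "caps": ["CAP_SYS_ADMIN", "CAP_NET_RAW"]},
    {"ts": NOW - 2 * DAY, "type": "exec", "ns": "logging", "pod": "fluentd-8d1e",
     "binary": "/usr/bin/fluentd", "caps": []},
    {"ts": NOW - 1 * DAY, "type": "connect", "ns": "prod", "pod": "debug-1a2b",
     "binary": "/usr/bin/curl", "dst_host": "known-bad.actorz.com", "dst_port": 443},
    {"ts": NOW - 1 * DAY, "type": "connect", "ns": "prod", "pod": "web-7c9f",
     "binary": "/usr/sbin/nginx", "dst_host": "api.internal", "dst_port": 8080},
    {"ts": NOW - 1 * DAY, "type": "setuid", "ns": "prod", "pod": "debug-1a2b",
     "binary": "/usr/bin/sudo", "from_uid": 1000, "to_uid": 0},
    {"ts": NOW - 60 * DAY, "type": "setuid", "ns": "batch", "pod": "report-0",
     "binary": "/usr/bin/su", "from_uid": 1000, "to_uid": 0},   # outside a 30-day window
    {"ts": NOW - 2 * DAY, "type": "file_open", "ns": "logging", "pod": "fluentd-8d1e",
     "binary": "/usr/bin/fluentd", "path": "/root/.aws/credentials"},
    {"ts": NOW - 1 * DAY, "type": "file_open", "ns": "prod", "pod": "debug-1a2b",
     "binary": "/bin/bash", "path": "/root/.aws/credentials"},
]


def workloads_with_privileged_caps(events):
    """Q1: (namespace, pod) pairs that executed something holding a privileged capability."""
    return sorted({(e["ns"], e["pod"]) for e in events
                   if e["type"] == "exec" and PRIVILEGED_CAPS & set(e["caps"])})


def workloads_connecting_to(events, host):
    """Q2: (namespace, pod) pairs that opened a connection to `host`."""
    return sorted({(e["ns"], e["pod"]) for e in events
                   if e["type"] == "connect" and e["dst_host"] == host})


def privilege_escalations(events, now=NOW, days=30):
    """Q3: uid transitions from a non-root uid to root within the last `days` days.
    One signal only; a real detector would also look at capability gains,
    setuid binaries, ptrace, and so on."""
    cutoff = now - days * DAY
    return [(e["ns"], e["pod"], e["binary"]) for e in events
            if e["type"] == "setuid" and e["ts"] >= cutoff
            and e["from_uid"] != 0 and e["to_uid"] == 0]


def credential_readers_except(events, allowed_pod_prefix, path_suffix="/.aws/credentials"):
    """Q4: who opened a credentials file, other than the workload allowed to.
    Workloads are matched by pod-name prefix (e.g. "fluentd-")."""
    return sorted({(e["ns"], e["pod"], e["binary"]) for e in events
                   if e["type"] == "file_open" and e["path"].endswith(path_suffix)
                   and not e["pod"].startswith(allowed_pod_prefix)})


if __name__ == "__main__":
    print("privileged pods:", len(workloads_with_privileged_caps(SAMPLE_EVENTS)))
    print("talked to known-bad.actorz.com:", workloads_connecting_to(SAMPLE_EVENTS, "known-bad.actorz.com"))
    print("privilege escalations (30d):", privilege_escalations(SAMPLE_EVENTS))
    print("S3 credential readers other than Fluentd:", credential_readers_except(SAMPLE_EVENTS, "fluentd-"))
```

Each question becomes a filter on a field the kernel already knows (capability set at exec, destination of a connect, uid before and after a setuid, path of an open) joined to the pod identity the eBPF agent attached at capture time; none of it requires the application to log anything.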

Achieving observability in a cloud native environment can be complicated. It often requires changes to applications or the management of yet another complex distributed system. However, eBPF provides a lightweight methodology to collect security observability natively in the kernel, without any changes to applications.

What Should We Monitor?

Kubernetes is constructed of several independent microservices that run the control plane (API server, controller manager, scheduler) and worker node components (kubelet, kube-proxy, container runtime). In a cloud native environment, there are a slew of additional components that make up a cloud native deployment, including continuous integration/continuous delivery (CI/CD), storage subsystems, container registries, observability (including eBPF), and many more.

Most of the systems that make up the For example, an internet-exposed pod that handles untrusted input is a much more likely attack vector than a control plane component on a private network with a hardened RBAC (role-based access control) configuration.

While container images are immutable, containers and pods are standard Linux processes that can have access to a set of binaries, package managers, interpreters, runtimes, etc. Pods can install packages, download tools, make internet connections, and cause all sorts of havoc in a Kubernetes environment, all without logging any of that behavior by default. There's also the challenge of applying a least-privilege configuration for our workloads, by providing only the capabilities a container requires. Security observability monitors containers and can quickly identify and record all the capabilities a container requires, and nothing more. This means we should start by applying our security observability to pods.
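Turning "the capabilities a container requires, and nothing more" into configuration is a small computation once capability use is observed. The following is an added example (not code from the book) that takes constructed capability-check events, derives the set each container actually exercised, reports what it was granted but never used, and emits the matching Kubernetes `securityContext.capabilities` fragment. The event schema, the sample events and the "default runtime capability" list (a Docker-style default set) are assumptions for the example; check the defaults of your own runtime.

```python
# Added example: deriving a least-privilege capability configuration from observed
# capability use. Schema, sample events and the default list are assumptions.

# Capabilities an OCI runtime typically grants by default (Docker-style list; an
# assumption here, verify against your runtime).
DEFAULT_RUNTIME_CAPS = {
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW", "CAP_SETFCAP",
    "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID", "CAP_SYS_CHROOT",
}

# What each container is currently granted (constructed summary of a pod spec).
CONFIGURED_CAPS = {
    "web": set(DEFAULT_RUNTIME_CAPS),
    "sidecar": DEFAULT_RUNTIME_CAPS | {"CAP_NET_ADMIN"},
}

# Constructed capability-check events: one record per kernel capability check,
# with whether the check was allowed or denied.
SAMPLE_CAP_EVENTS = [
    {"container": "web", "binary": "/usr/sbin/nginx", "cap": "CAP_NET_BIND_SERVICE", "result": "allowed"},
    {"container": "web", "binary": "/usr/sbin/nginx", "cap": "CAP_NET_BIND_SERVICE", "result": "allowed"},
    {"container": "web", "binary": "/usr/sbin/nginx", "cap": "CAP_CHOWN", "result": "allowed"},
    {"container": "web", "binary": "/bin/sh", "cap": "CAP_SYS_ADMIN", "result": "denied"},
    {"container": "sidecar", "binary": "/usr/sbin/ip", "cap": "CAP_NET_ADMIN", "result": "allowed"},
    {"container": "sidecar", "binary": "/usr/bin/ping", "cap": "CAP_NET_RAW", "result": "allowed"},
]


def observed_caps(events):
    """Map container -> set of capabilities it successfully used."""
    used = {}
    for e in events:
        if e["result"] == "allowed":
            used.setdefault(e["container"], set()).add(e["cap"])
    return used


def unused_caps(configured, observed):
    """Capabilities granted to a container but never exercised: candidates to drop."""
    return {c: configured[c] - observed.get(c, set()) for c in configured}


def denied_cap_checks(events):
    """Something asked for a capability it does not hold: either the spec is too
    tight for a legitimate code path, or a process is probing beyond its privilege."""
    return [(e["container"], e["binary"], e["cap"]) for e in events if e["result"] == "denied"]


def least_privilege_security_context(caps_used):
    """Kubernetes securityContext.capabilities for one container: drop everything,
    add back only what was observed. Kubernetes spells capabilities without CAP_."""
    add = sorted(c.removeprefix("CAP_") for c in caps_used)
    return {"capabilities": {"drop": ["ALL"], "add": add}}


if __name__ == "__main__":
    observed = observed_caps(SAMPLE_CAP_EVENTS)
    for container, caps in observed.items():
        print(container, "uses", sorted(caps))
        print("  never used:", sorted(unused_caps(CONFIGURED_CAPS, observed)[container]))
        print("  securityContext:", least_privilege_security_context(caps))
    print("denied checks:", denied_cap_checks(SAMPLE_CAP_EVENTS))
```

The obvious caveat is coverage: the observation window has to include every code path (start-up, error handling, periodic jobs) before the derived `drop: ["ALL"]` list is applied, and the denied-check list is what tells you afterwards whether the spec was cut too tight or whether something in the container is reaching for privilege it was never meant to have.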

Most organizations that have been around since before cloud native have existing security/detection tooling for their environments. So, why not just rely on those tools for cloud native security observability? Most legacy security tools don't support kernel namespaces to identify containerized processes. Existing network logs and firewalls are suboptimal for observability because pod IP addresses are ephemeral, which means that as pods come and go, IP addresses can be reused by entirely different apps by the time you investigate. eBPF security observability natively understands container attributes and provides process and network visibility that's closer to the pods that we're monitoring, so we can detect events, including pre-NAT (network address translation), to retain the IP of the pod and understand the container or pod that initiated an action.

High-Fidelity Observability

When investigating a threat, the closer to the event the data is, the higher fidelity the data provides. A compromised pod that escalates its privileges and laterally moves through the network won't show up in our Kubernetes audit logs. If the pods are on the same host, the lateral movement won't even show up in our network logs. If our greatest attack surface is pods, we'll want our security observability as close to pods as possible. The further out we place our observability, the less critical security context we're afforded. For example, firewall or network intrusion detection logs from the network generally map to the source IP address of the node that the offending pod resides on due to packet encapsulation that renders the identity of the source meaningless.

The same lateral movement event can be measured at the virtual ethernet (veth) interface of the pod or the physical network interface of the node. Measuring from the network includes the pre-NAT pod IP address and, with the help of eBPF, we can retrieve Kubernetes labels, namespaces, pod names, etc. We are improving our event fidelity.

But if we wanted to get even closer to pods, eBPF operates in-kernel where process requests are captured. We can assert a more meaningful identity of lateral movement than a network packet at the ), which includes the process that invoked the connection, any arguments, and the capabilities it's running with. Or we can collect process events that never create a packet at all.
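The fidelity argument of the last three paragraphs, and the ephemeral-IP problem raised earlier in the chapter, can be made concrete with one lateral-movement connection recorded at three vantage points. The following is an added example (not code from the book or from Isovalent): a perimeter firewall that only sees overlay traffic between nodes, the pod's veth interface with pre-NAT pod IPs and the Kubernetes identity attached at capture time, and the kernel-level connect event that adds the process, its arguments and capabilities. The two-node cluster, addresses, overlay port, pod names and event fields are constructed for this example; `attribute_*` and `lookup_pod_ip_later` are hypothetical helper names.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example: what identity each vantage point supports for one connection.
# Cluster inventory, addresses and event fields are constructed.

NODES = {"192.168.1.10": "node-a", "192.168.1.11": "node-b"}

# Pod IP -> (namespace, pod, node) at the moment the connection happened ...
PODS_AT_EVENT_TIME = {
    "10.0.1.5": ("prod", "web-7c9f", "node-a"),
    "10.0.1.7": ("prod", "debug-1a2b", "node-a"),
    "10.0.2.3": ("prod", "db-0", "node-b"),
}
# ... and an hour later when the investigation starts: debug-1a2b has been
# rescheduled and its IP was reused by an unrelated pod.
PODS_NOW = {
    "10.0.1.5": ("prod", "web-7c9f", "node-a"),
    "10.0.1.7": ("batch", "report-9z", "node-a"),
    "10.0.2.3": ("prod", "db-0", "node-b"),
}

# 1. Firewall between the nodes: it sees the encapsulated overlay packet (VXLAN on
#    udp/8472 here), so source and destination are node addresses.
FIREWALL_LOG = {"src": "192.168.1.10", "dst": "192.168.1.11", "proto": "udp", "dport": 8472}
# 2. The pod's veth interface: pre-NAT pod IPs, with the Kubernetes identity the
#    eBPF agent resolved at capture time rather than looked up later.
VETH_EVENT = {"src": "10.0.1.7", "dst": "10.0.2.3", "dport": 5432, "node": "node-a",
              "namespace": "prod", "pod": "debug-1a2b", "labels": {"app": "debug"}}
# 3. The connect() inside the kernel: everything above plus the calling process.
KERNEL_EVENT = {**VETH_EVENT, "binary": "/usr/bin/psql",
                "args": ["-h", "10.0.2.3", "-U", "postgres"], "uid": 0,
                "caps": ["CAP_NET_RAW", "CAP_SYS_ADMIN"]}
# 4. A process event that never produces a packet: invisible to layers 1 and 2.
EXEC_EVENT = {"node": "node-a", "namespace": "prod", "pod": "debug-1a2b",
              "binary": "/bin/bash", "args": ["-c", "cat /root/.aws/credentials"],
              "uid": 0, "caps": ["CAP_SYS_ADMIN"]}


@dataclass
class Attribution:
    layer: str
    node: Optional[str] = None
    candidate_pods: List[str] = field(default_factory=list)
    process: Optional[str] = None
    caps: List[str] = field(default_factory=list)

    @property
    def unambiguous(self) -> bool:
        return len(self.candidate_pods) == 1


def attribute_firewall(rec, pods=PODS_AT_EVENT_TIME):
    """Node-level log: every pod on the source node is a suspect."""
    node = NODES.get(rec["src"])
    return Attribution("firewall", node,
                       sorted(p for _, p, n in pods.values() if n == node))


def attribute_veth(ev):
    """Pod-level network event: one pod, identity attached when the packet was seen."""
    return Attribution("veth", ev["node"], [ev["pod"]])


def attribute_kernel(ev):
    """Kernel-level event: the pod plus the process, its arguments and capabilities.
    Works for exec events too, since no network fields are needed."""
    return Attribution("kernel", ev["node"], [ev["pod"]],
                       process=" ".join([ev["binary"], *ev["args"]]),
                       caps=list(ev["caps"]))


def lookup_pod_ip_later(ip, pods=PODS_NOW):
    """Resolving a pod IP from a log after the fact: returns whoever holds it now."""
    return pods.get(ip)


if __name__ == "__main__":
    for a in (attribute_firewall(FIREWALL_LOG), attribute_veth(VETH_EVENT),
              attribute_kernel(KERNEL_EVENT), attribute_kernel(EXEC_EVENT)):
        print(a.layer, a.candidate_pods, a.process, a.caps)
    print("IP 10.0.1.7 resolved now:", lookup_pod_ip_later("10.0.1.7"))
```

The firewall record narrows the source only to a node, so every pod scheduled there is a candidate; the veth event names the pod because the agent captured the identity when the packet existed, which is also why resolving `10.0.1.7` an hour later returns the wrong pod; and the kernel event adds the binary, arguments and capability set that let you say what moved laterally, not just from where. The exec event shows the last point of the paragraph above: an action with no packet at all is still attributable at the kernel layer.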
