BSidesSF 2017 has ended
Sunday, February 12, 2017 • 4:10pm - 4:40pm PST
Linux Monitoring at Scale with eBPF


The latest Linux kernels implement a Berkeley Packet Filter (BPF) virtual machine that provides safe and efficient syscall hooking. Linux has many logging systems that provide security-relevant data, and several excellent open source tools sit on top of them. These existing options offer many features that are useful during response, but at scale we focus on lightweight alerting across the fleet, followed up with heavy scrutiny of a subset of hosts for a limited time. We landed on the need for three basic monitoring capabilities: process execution, network connections and file integrity. Our goal is to provide meaningful security monitoring at under 1% overhead.


Brendan Gregg

Brendan Gregg is a senior performance architect at Netflix, where he does large scale computer performance design, evaluation, analysis, and tuning. He is the author of Systems Performance published by Prentice Hall, and has created performance analysis tools included in multiple...

Alex Maestretti

Alex Maestretti leads the Security Intelligence and Response Team at Netflix, with previous gigs at Apple and the US Government. Our SIRT reflects Netflix’s culture and technology stack. We are a small team rather than a multi-tiered SOC. We don’t do large volume alerts and instead...

DNA Lounge