06-09, 11:00–11:50 (EST5EDT), AlmaLinux (BallroomC)
eBPF is a robust, efficient and safe method for running compiled or interpreted programs in kernel space.
This talk will show how eBPF programs can be used with osquery's event system to send data to a security information and event management (SIEM) data lake for processing.
The de-facto way to perform deep kernel operations has been either to modify the kernel code or to build a module that then has to be maintained. eBPF has emerged as a robust way to provide those same capabilities. The remaining problem is how to obtain the resulting data feed in a structured way for troubleshooting, application debugging or security analytics. One way to extract the data is osquery's eBPF event mechanism. This talk's demo will show how the event data can be used effectively to enhance Linux security operations.
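As an added illustration of what a structured feed from osquery's eBPF tables looks like once it reaches a SIEM pipeline (example code written for this page, not from the talk or the osquery project): it normalizes constructed result-log lines from the bpf_process_events and bpf_socket_events tables into flat records, joins connect() events to the process that issued them, and tags the ones an analyst should triage first. Column names follow osquery's tables; the host, pids, addresses and the target SIEM schema are assumptions.

```python
import json
from typing import Dict, Iterable, List
# Constructed sample of osquery's filesystem logger output (osqueryd.results.log: one
# JSON object per line, differential format). Column names follow osquery's
# bpf_process_events / bpf_socket_events tables; host, pids and addresses are made up.
def row(table: str, ts: int, action: str = "added", **cols) -> str:
    return json.dumps({"name": table, "hostIdentifier": "web01", "unixTime": ts,
                       "action": action, "columns": {k: str(v) for k, v in cols.items()}})
SAMPLE_RESULTS_LOG = [
    row("bpf_process_events", 1686322800, pid=4242, parent=1001, uid=33, syscall="execve",
        path="/tmp/.cache/update", cwd="/tmp/.cache", cmdline="./update -q", exit_code=0, probe_error=0),
    row("bpf_socket_events", 1686322801, pid=4242, parent=1001, uid=33, syscall="connect", family=2,
        protocol=6, remote_address="203.0.113.7", remote_port=8443, local_port=51234, probe_error=0),
    row("bpf_process_events", 1686322802, pid=4300, parent=1, uid=0, syscall="execve",
        path="/usr/bin/ls", cwd="/root", cmdline="ls -la", exit_code=0, probe_error=0),
    row("bpf_process_events", 1686322803, action="removed", pid=4300),  # bookkeeping row, not an event
]
INT_FIELDS = {"pid", "parent", "uid", "exit_code", "probe_error", "remote_port", "local_port"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def normalize(line: str) -> Dict:
    """Flatten one result row into a SIEM-style record (the target schema is an assumption)."""
    rec = json.loads(line)
    if rec.get("action") != "added":  # "removed" rows are differential bookkeeping, not events
        return {}
    event = {"@timestamp": rec["unixTime"], "host": rec["hostIdentifier"],
             "source": "osquery.ebpf", "table": rec["name"]}
    for key, val in rec["columns"].items():  # osquery emits every column as a string
        event[key] = int(val) if key in INT_FIELDS else val
    return event

def enrich_and_detect(lines: Iterable[str]) -> List[Dict]:
    """Normalize rows in stream order, join connect() events to their process (by pid), tag them."""
    exec_by_pid: Dict[int, str] = {}
    out: List[Dict] = []
    for ev in filter(None, map(normalize, lines)):
        tags = []
        if ev.get("probe_error"):  # the eBPF probe failed: the row's fields are unreliable
            tags.append("probe_error")
        if ev["table"] == "bpf_process_events":
            exec_by_pid[ev["pid"]] = ev["path"]
            if ev["path"].startswith(TEMP_DIRS):
                tags.append("exec_from_tmp")
        elif ev["table"] == "bpf_socket_events" and ev["syscall"] == "connect":
            ev["process_path"] = exec_by_pid.get(ev["pid"], "unknown")
            if ev["process_path"].startswith(TEMP_DIRS):
                tags.append("tmp_process_outbound")
        ev["tags"] = tags
        out.append(ev)
    return out
```

The pid join is only reliable when the process and socket queries share one ordered stream; with separate scheduled queries the SIEM side has to do the correlation.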
David was born in Guyana, South America. After moving to the US, David enrolled at Georgia State University for a degree in computer science. After graduating, David worked professionally as an embedded Linux programmer, web developer, network engineer and security analyst. David enjoys camping, hiking and biking.