Relational Observability for Cloud-Native Security and Data Science
Abstract
SysFlow is a runtime observability framework that lifts system call events collected via eBPF into process behaviors. Its core is an open telemetry format that records how processes, containers, and Kubernetes pods interact with their environment, including the network, filesystem, and other processes. Its compact format enables the creation of stateful system behavioral graphs from streaming data, providing important context for security analysis. SysFlow overcomes perennial issues associated with system call data collection, including the lack of security semantics in system call events and the generation of large volumes of data that often result in crucial contextual attack data being filtered out needlessly. This talk will introduce the framework and unveil a full suite of open-source tools to collect and process SysFlow, including a self-contained library for creating SysFlow consumers, Python APIs, and an interactive Jupyter environment to enable security data science tasks. Specifically, we will showcase an application to security monitoring on Kubernetes using SysFlow, where declarative security policies identify attack behaviors and perform threat investigations over connected graph structures, using process-level provenance tracking in interactive playbooks.
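The stateful behavioral graph and declarative policy evaluation the abstract describes, as an added illustration that is not SysFlow's own code or schema: it folds a constructed stream of simplified flow records (record types, field names, pids and addresses are all assumptions) into a process graph, applies one policy, and reports each hit with its process-level provenance chain.

```python
# Constructed record stream; the field names are a simplified stand-in for
# SysFlow's schema, not its real one: PE = process event, FF = file flow,
# NF = network flow (one flow summarises many raw syscalls).
STREAM = [
    {"type": "PE", "pid": 1,   "ppid": 0,   "exe": "/sbin/init"},
    {"type": "PE", "pid": 100, "ppid": 1,   "exe": "/usr/bin/python3"},
    {"type": "FF", "pid": 100, "path": "/var/www/app.py", "op": "READ"},
    {"type": "PE", "pid": 200, "ppid": 100, "exe": "/bin/sh"},
    {"type": "FF", "pid": 200, "path": "/etc/shadow", "op": "READ"},
    {"type": "NF", "pid": 200, "dip": "203.0.113.7", "dport": 4444, "op": "SEND"},
    {"type": "PE", "pid": 300, "ppid": 1,   "exe": "/usr/bin/curl"},
    {"type": "NF", "pid": 300, "dip": "198.51.100.5", "dport": 443, "op": "SEND"},
]

def build_graph(stream):
    """Fold the stream into a stateful graph: pid -> node, linked by ppid."""
    procs = {}
    for rec in stream:
        if rec["type"] == "PE":   # new process node
            procs[rec["pid"]] = {"ppid": rec["ppid"], "exe": rec["exe"], "events": []}
        elif rec["type"] == "FF": # file edge, kept in arrival order
            procs[rec["pid"]]["events"].append(("file", rec["path"], rec["op"]))
        elif rec["type"] == "NF": # network edge
            procs[rec["pid"]]["events"].append(("net", rec["dip"], rec["op"]))
    return procs

def lineage(procs, pid):
    """Provenance chain of executables from the root process down to pid."""
    chain = []
    while pid in procs:
        chain.append(procs[pid]["exe"])
        pid = procs[pid]["ppid"]
    return chain[::-1]

# Declarative policy: a sensitive file read followed, in order, by network egress.
POLICY = {"name": "sensitive_read_then_egress",
          "sensitive": ("/etc/shadow", "/root/.ssh/"), "egress_op": "SEND"}

def evaluate(procs, policy):
    """Apply the policy per process; each alert carries its provenance chain."""
    alerts = []
    for pid, node in procs.items():
        read_sensitive = False
        for kind, target, op in node["events"]:
            if kind == "file" and op == "READ" and target.startswith(policy["sensitive"]):
                read_sensitive = True
            elif kind == "net" and op == policy["egress_op"] and read_sensitive:
                alerts.append({"rule": policy["name"], "pid": pid, "dest": target,
                               "lineage": lineage(procs, pid)})
                break
    return alerts
```

Because the graph keeps per-process state across records, the policy can express ordering (read, then send) that no single syscall event carries, and the lineage shows the investigator which parent spawned the offending shell.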