Pitfalls of relying on eBPF for security monitoring (and some solutions)
Malware Analysis, News and Indicators - Latest topics malware.news
By Artem Dinaburg
eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility.
There is, however, a dark (but open) secret: eBPF was never intended for security monitoring. It is first and foremost a networking and debugging tool. As Brendan Gregg observed:
eBPF has many uses in improving …