Linux Monitoring at Scale with eBPF

Presented at BSidesSF 2017, Feb. 12, 2017, 4:10 p.m. (30 minutes)

The latest Linux kernels implement an extended Berkeley Packet Filter (eBPF) virtual machine that provides safe and efficient syscall hooking. Linux has many logging systems that produce security-relevant data, and several excellent open source tools sit on top of them. These existing options offer many features that are useful during response, but at scale we focus on lightweight alerting across the fleet, followed by heavy scrutiny of a subset of hosts for a limited time. We landed on the need for three basic monitoring capabilities: process execution, network connections, and file integrity. Our goal is to provide meaningful security monitoring at under 1% overhead.


Presenters:

  • Brendan Gregg
    Brendan Gregg is a senior performance architect at Netflix, where he does large scale computer performance design, evaluation, analysis, and tuning. He is the author of Systems Performance published by Prentice Hall, and has created performance analysis tools included in multiple operating systems. He has previously worked as a kernel engineer and as a security consultant. As an eBPF expert, he has developed and published BPF tools for the open source bcc project, for performance, debugging, and security observability.
  • Alex Maestretti
    Alex Maestretti leads the Security Intelligence and Response Team at Netflix, with previous gigs at Apple and the US Government. Our SIRT reflects Netflix's culture and technology stack. We are a small team rather than a multi-tiered SOC. We don't do large-volume alerts and instead focus on high-ROI activities. Our technology stack allows us to be agile in responding to security incidents and to recover quickly, which in turn allows smart risk taking. Overall, our goal is to understand threats to Netflix equities through proactive intelligence, and to buy down risk across a broad range of threats through Incident Response.
