Overview
Learn how to build an adaptive Kubernetes Security Operations Center from disparate eBPF tools in this 25-minute conference talk from OpenSSF. Discover how the Linux kernel's eBPF capabilities can unify security and observability through shared data structures, creating a comprehensive SOC composed organically of established eBPF projects including CNCF Kubescape, Pixie, and Tetragon. Explore how these combined tools can detect signals that none of the individual components can identify on its own. Understand the methodology for establishing a comprehensive security baseline while using independent signals to dynamically adjust coverage when suspicious indicators appear. Examine how the mutual independence of signals across process, file system, and network activity yields a high signal-to-noise ratio, keeping data volumes manageable and allowing forensic data to be stored selectively. Watch a live demonstration of an io_uring rootkit detection scenario: because io_uring bypasses the usual syscall path, the rootkit is hard for syscall-based security tools to spot in their default configurations, yet it becomes trivial to detect with the adaptive setup presented. Learn about the node-local SOC architecture that ensures data sovereignty by keeping all information within the cluster, so you retain complete control over your security data without external dependencies.
Syllabus
Multi-messenger Security: Adaptive Kubernetes SOC From Dispa... C. Roedig, B. Hirschberg, D. Delnano
Taught by
OpenSSF