Security observability is an essential tool in your security arsenal. Without it, you can’t quantify a metric to represent the objective security properties of a system. Security investigations depend on retroactive data, and the only way to have data is to proactively collect it. Security observability is the only record you have.
But what core security events should you monitor? What events translate into actionable signals for your security team?
The Four Golden Signals of Security Observability
SRE defines four golden signals for monitoring distributed systems.1 Similarly, we define the four golden signals of container security observability as process execution, network sockets (TCP, UDP, and Unix), file access, and layer 7 network identity. Collectively, these data points provide crucial information of what occurred during the lifecycle of containers to detect a breach, identify compromised systems, understand the impact of the breach, and remediate affected systems.2 As shown in Figure 3-1, eBPF provides full insights into the four golden signals of security observability.
Figure 3-1. eBPF collection points for a process, correlated by the exec_id value
With the help of the open source eBPF-based tool Cilium Tetragon, each of the security observability signals can be observed and exported to user-space as JSON events.
Cilium Tetragon ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month, and much more.
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.
Julian F.
Head of Cybersecurity
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.
Addison B.
Field Engineer
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.
Amir M.
Data Platform Tech Lead
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.
