FloCon 2022 has ended
Back To Schedule
Thursday, January 13 • 1:00pm - 1:30pm
Self-Modulating Endpoint Observability

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Modern micro-services leverage native cloud capabilities to automatically manage workload deployment and scalability. In this model, end-to-end visibility becomes more complex, endpoint-centric, and difficult to execute, especially when deployment and upgrades are continuous. Endpoint monitors, therefore, need to adapt to unpredictable workloads without jeopardizing the performance and stability of the production environment.

Typically, these monitors collect system telemetry data, such as application logs or system calls. Collecting system call data is advantageous because it can provide a detailed view of each process running on a host. Unfortunately, this data is often too large to store and analyze in any meaningful way, forcing practitioners to write complex filtering rules to make the telemetry footprint more manageable. Such filters require constant tuning as new applications and updates are deployed, and often result in important contextual attack data being filtered out needlessly. Telemetry formats such as SysFlow make data collection more palatable by lifting raw system call information into a more semantic summarization of system behaviors. However, SysFlow does not maintain enough system state to further reduce away noisy, redundant process behaviors that can occlude security analyses and create long-term storage headaches.

In this talk, we describe a new system graph data model that encodes process behaviors into hierarchical summarized views of system activity and demonstrate how such data structure can be used to implement a self-modulating telemetry stream that adapts to the monitored environment, and drastically reduces event fatigue, optimizes storage, and provides important contextual information for security investigations.

Attendees Will Learn:
- Challenges in system telemetry for distributed cloud endpoints
- A data modeling approach to address event fatigue in system call monitoring
- Design principles for cloud-native observability

avatar for Frederico Araujo

Frederico Araujo

Research Scientist, IBM Research
Dr. Frederico Araujo is a Research Scientist at IBM Research, where he leads the team's efforts on cloud-native security. He's an active contributor to open source and a maintainer of the SysFlow project. He's also a contributor to CNCF's Falco project. His work has been featured... Read More →
avatar for Teryl Taylor

Teryl Taylor

Research Staff Member, IBM Research
Dr. Teryl Taylor is a Research Staff Member in the Cognitive Cybersecurity Intelligence Group at IBM Research. He has ten years of experience in cybersecurity-related research, including NetFlow based analytics, system telemetry and analytics, security visualization and cyber deception... Read More →

Thursday January 13, 2022 1:00pm - 1:30pm EST