Detecting Data Exfiltration on the Edge with Pixie

•

0 likes•99 views

Zain Asgar

Software

Detecting Data Exﬁltration on the Edge with Pixie
Zain Asgar - GM/GVP - Pixie & Open Source - New Relic
Omid Azizi - Principal Engineer - Pixie & Open Source - New Relic

@oazizi
Principal engineer at New Relic.
Founding engineer at Pixie Labs (@pixie_run)
Hi
@zainasgar
GVP & GM at New relic
Co founder/CEO of Pixie Labs (@pixie_run) &
Adjunct Professor of CS @ Stanford

Disclaimer
We are not security experts.
The contents of this talk are not meant for use in production.
Our goal is to demonstrate some ideas and start discussions.

Data Exﬁltration Risks
Data exﬁltration is a huge risk.
● Leaks of information like credit cards, SSNs, phone numbers lead to theft.
● Costs $$$ (data?)
Wouldn’t it be great if we could know if sensitive data is leaving your K8s cluster?
● It all starts with observability.

Pixie: eBPF-based Observability for K8s
Auto-Telemetry
(eBPF)
Edge
Compute
Scriptable
Interfaces

Pixie’s Edge Architecture
● Cloud: Control plane for serving API/UI and
managing metadata
● Vizier: Data plane for collecting and
processing data
○ Deployed to each cluster
○ All data stored in-memory in-cluster
○ All outgoing data is E2E encrypted

Pixie is scriptable
● Valid
● Valid
● Built for data analysis and ML
import px
def http_data():
df = px.DataFrame(table='http_events', start_time='-30s')
df.pod = df.ctx['pod']
return df[['pod', 'http_req_path', 'http_resp_latency_ns']]
px.display(http_data())

PEM Architecture
PEM: Pixie Edge Module.
● The agent that runs on each host.
Stirling: The PEM’s data collector.
● Contains the eBPF collectors.

Stirling: Pixie’s Data Collector
Focus for this talk

$An eBPF probe is like a breakpoint in a debugger. ● Interrupts execution when breakpoint is reached. Unlike a breakpoint, a small program is run: ● Inspects and collects any relevant state. ● Then immediately resumes the execution. In BPF terminology, this is called a probe. ● Results in minimized overhead to the execution. // Small probe // counts number of // calls to SendPong() int ProbeSendPong() { pong_count++; } void ProcessReq(Req r) { if (r.body == "ping") { SendPong(); } ... } probe Application Code eBPF Code What is eBPF? An Analogy.$

Protocol Tracing
Snoop messages at the kernel syscall.
● Covers all traﬃc → reduce blind spots.

How observability can catch data leaks
Step 1: Use Pixie to trace traﬃc on K8s.
Step 2: Run a script to ﬁnd messages that have sensitive information.
● Look for common patterns:
○ Credit Cards: xxxx-xxxx-xxxx-xxxx
○ SSNs: xxx-xx-xxxx
○ More: Emails, MAC addresses, IP addresses, …
● Filter to traﬃc egressing K8s
Step 3: Scrutinize the egress of sensitive traﬃc to see if it is legitimate

Thank you!...Questions?
Website: px.dev
Github: pixie-io/pixie

Similar to Detecting Data Exfiltration on the Edge with Pixie

Who pulls the strings?

Ronny

Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing. This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.

From printed circuit boards to exploits

virtualabs

breed_python_tx_redacted

Ryan Breed

Financial services organizations are prime targets for cyber criminals. They must take extreme care to protect customer data, while also ensuring high levels of network availability to allow for 24/7 access to critical financial information. Additionally, industry consolidation has created large, heterogeneous network environments within large financial institutions, making it difficult to ensure that networks have the necessary visibility and protection to prevent a devastating security breach. By leveraging NetFlow from existing network infrastructure, financial services organizations can achieve comprehensive visibility across even the largest, most complex networks. The ability to quickly detect a wide range of potentially malicious activity helps prevent damaging data breaches and network disruptions. Attend this informational webinar, conducted by Lancope’s Director of Security Research, Tom Cross, to learn: How NetFlow can help quickly uncover both internal and external threats How pervasive network insight can accelerate incident response and forensic investigations How to substantially decrease enterprise risks

Protecting Financial Networks from Cyber Crime

Lancope, Inc.

Drilling Cyber Security Data With Apache Drill

Charles Givre

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla

Raffael Marty

«Что такое serverless-архитектура и как с ней жить?» Николай Марков, Aligned ...

it-people

How to teach your data scientist to leverage an analytics cluster with Presto...

Alluxio, Inc.

In the framework of the Intel Parallel Computing Centre at the Research Campus Garching in Munich, our group at LRZ presents recent results on performance optimization of Gadget-3, a widely used community code for computational astrophysics. We identify and isolate a sample code kernel, which is representative of a typical Smoothed Particle Hydrodynamics (SPH) algorithm and focus on threading parallelism optimization, change of the data layout into Structure of Arrays (SoA), compiler auto-vectorization and algorithmic improvements in the particle sorting. We measure lower execution time and improved threading scalability both on Intel Xeon (2.6× on Ivy Bridge) and Xeon Phi (13.7× on Knights Corner) systems. First tests on second generation Xeon Phi (Knights Landing) demonstrate the portability of the devised optimization solutions to upcoming architectures.

Performance Optimization of SPH Algorithms for Multi/Many-Core Architectures

Dr. Fabio Baruffa

In order to resolve huge amount of anomaly information generated by Intrusion Detection System (IDS), this paper presents and evaluates a log analysis system for IDS based on Cloud Computing technique, named IDS Cloud Analysis System (ICAS). To achieve this, there are two basic components have to be designed. First is the regular parser, which normalizes the raw log files. The other is the Analysis Procedure, which contains Data Mapper and Data Reducer. The Data Mapper is designed to anatomize alert messages and the Data Reducer is used to aggregates and merges. As a result, this paper will show that the performance of ICAS is suitable for analyzing and reducing large alerts.

Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection

Wei-Yu Chen

Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2dXUUTG. Nathan Taylor provides an introduction to the dynamic analysis research space, suggesting integrating these techniques into various internal tools. Filmed at qconnewyork.com. Nathan Taylor is a software developer currently employed at Fastly, where he works on making the Web faster through high performance content delivery. Previous gigs have included hacking on low-level systems software such as Java runtimes at Twitter and, prior to that, the Xen virtual machine monitor in grad school.

Beyond Breakpoints: A Tour of Dynamic Analysis

C4Media

How does ping_work_style_1_gv

vgy_a

Student Spring 2021

Denis Zakharov

Rsockets ofa12

trustitrusti

Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...

Daniel Czerwonk

Big data made easy with a Spark

Jean-Georges Perrin

Penetrating Windows 8 with syringe utility

IOSR Journals

EclipseOMRBuildingBlocks4Polyglot_TURBO18

Xiaoli Liang

Model driven telemetry

Cisco Canada

Nonamecon 2021 presentation. Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year. The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations. Presentation topics: - Netflow Mitre Matrix view - Full packet captures vs Netflow - Zeek - Zeek packages - RDP initial comprometation - Empire Powershell and CobaltStrike or what to expect after initial loader execution. - Empire powershell initial connection - Beaconing. RITA - Scanning detection - Internal enumeration detection - Lateral movement techniques widely used - Kerberos attacks - PSExec and fileless ways of delivering payloads in the network - Zerologon detection - Data exfiltration - Data exfiltration over C2 channel - Data exfiltration using time size limits (data chunks) - DNS exfiltration - Detecting ransomware in your network - Real incident investigation Authors: Oleh Levytskyi (https://twitter.com/LeOleg97) Bogdan Vennyk (https://twitter.com/bogdanvennyk)

Hunting for APT in network logs workshop presentation

OlehLevytskyi1

Similar to Detecting Data Exfiltration on the Edge with Pixie (20)

Who pulls the strings?

From printed circuit boards to exploits

breed_python_tx_redacted

Protecting Financial Networks from Cyber Crime

Drilling Cyber Security Data With Apache Drill

Insider Threat – The Visual Conviction - FIRST 2007 - Sevilla

«Что такое serverless-архитектура и как с ней жить?» Николай Марков, Aligned ...

How to teach your data scientist to leverage an analytics cluster with Presto...

Performance Optimization of SPH Algorithms for Multi/Many-Core Architectures

Cloudslam09:Building a Cloud Computing Analysis System for Intrusion Detection

Beyond Breakpoints: A Tour of Dynamic Analysis

How does ping_work_style_1_gv

Student Spring 2021

Rsockets ofa12

Open source tools for optimizing your peering infrastructure @ DE-CIX TechMee...

Big data made easy with a Spark

Penetrating Windows 8 with syringe utility

EclipseOMRBuildingBlocks4Polyglot_TURBO18

Model driven telemetry

Hunting for APT in network logs workshop presentation

Recently uploaded

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2

WSO2Con2024 - Software Delivery in Hybrid Environments

WSO2

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2

WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...

WSO2

WSO2CON 2024 Slides - Unlocking Value with AI

WSO2

WSO2CON 2024 - How to Run a Security Program

WSO2

Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in Boksburg ● Abortion Pills For Sale in Boksburg/Boksburg 🏥🚑!! Abortion Clinic Near Me Cost, Price, Women's Clinic Near Me, Abortion Clinic Near, Abortion Doctors Near me, Abortion Services Near Me, Abortion Pills Over The Counter, Abortion Pill Doctors' Offices, Abortion Clinics, Abortion Places Near Me, Cheap Abortion Places Near Me, Medical Abortion & Surgical Abortion, approved cyctotec pills and womb cleaning pills too plus all the instructions needed This Discrete women’s Termination Clinic offers same day services that are safe and pain free, we use approved pills and we clean the womb so that no side effects are present. Our main goal is that of preventing unintended pregnancies and unwanted births every day to enable more women to have children by choice, not chance. We offer Terminations by Pill and The Morning After Pill.” Our Private VIP Abortion Service offers the ultimate in privacy, efficiency and discretion. we do safe and same day termination and we do also womb cleaning as well its done from 1 week up to 28 weeks. We do delivery of our services world wide SAFE ABORTION CLINICS/PILLS ON SALE WE DO DELIVERY OF PILLS ALSO Abortion clinic at very low costs, 100% Guaranteed and it’s safe, pain free and a same day service. It Is A 45 Minutes Procedure, we use tested abortion pills and we do womb cleaning as well. Alternatively the medical abortion pill and womb cleansing !!!

Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

WSO2

Driving Innovation: Scania's API Revolution with WSO2

WSO2

WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...

WSO2

Evolving Data Governance for the Real-time Streaming and AI Era

confluent

WSO2CON2024 - It's time to go Platformless

WSO2

WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration

WSO2

WSO2Con204 - Hard Rock Presentation - Keynote

WSO2

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

WSO2

Novo Nordisk: When Knowledge Graphs meet LLMs

Neo4j

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in Tembisa ● Abortion Pills For Sale in Tembisa ● Tembisa 🏥🚑!! Abortion Clinic Near Me Cost, Price, Women's Clinic Near Me, Abortion Clinic Near, Abortion Doctors Near me, Abortion Services Near Me, Abortion Pills Over The Counter, Abortion Pill Doctors' Offices, Abortion Clinics, Abortion Places Near Me, Cheap Abortion Places Near Me, Medical Abortion & Surgical Abortion, approved cyctotec pills and womb cleaning pills too plus all the instructions needed This Discrete women’s Termination Clinic offers same day services that are safe and pain free, we use approved pills and we clean the womb so that no side effects are present. Our main goal is that of preventing unintended pregnancies and unwanted births every day to enable more women to have children by choice, not chance. We offer Terminations by Pill and The Morning After Pill.” Our Private VIP Abortion Service offers the ultimate in privacy, efficiency and discretion. we do safe and same day termination and we do also womb cleaning as well its done from 1 week up to 28 weeks. We do delivery of our services world wide SAFE ABORTION CLINICS/PILLS ON SALE WE DO DELIVERY OF PILLS ALSO Abortion clinic at very low costs, 100% Guaranteed and it’s safe, pain free and a same day service. It Is A 45 Minutes Procedure, we use tested abortion pills and we do womb cleaning as well. Alternatively the medical abortion pill and womb cleansing !!!

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...

Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg

Computation is increasingly constrained by power. With each advancement in the manufacturing process, a decreasing percentage of the CPU can operate at full capacity, leading to the emergence of the term 'dark silicon'. This trend necessitates techniques that utilize chip area to optimize power efficiency through specialized accelerators. The presentation will outline key concepts that led to the dark silicon such as Moore’s law and breakdown of Dennard scaling, followed by an overview of current and upcoming CPU accelerators. The focus will then shift to vector units and the specifics of vector programming. Attendees will be introduced to registers, a range of vector operations, and methods to develop branchless algorithms such as sorting networks. The session will conclude with an overview of the new Java Vector API and how it was already picked up by projects to do AI inference (Llama 2) and vector search (AstraDB and Cassandra).

[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse

Tomasz Kowalczewski

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...

WSO2

Recently uploaded (20)

WSO2CON 2024 - Building a Digital Government in Uganda

WSO2Con2024 - Software Delivery in Hybrid Environments

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...

WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...

WSO2CON 2024 Slides - Unlocking Value with AI

WSO2CON 2024 - How to Run a Security Program

Abortion Pill Prices Boksburg [(+27832195400*)] 🏥 Women's Abortion Clinic in ...

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

Driving Innovation: Scania's API Revolution with WSO2

WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...

Evolving Data Governance for the Real-time Streaming and AI Era

WSO2CON2024 - It's time to go Platformless

WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration

WSO2Con204 - Hard Rock Presentation - Keynote

WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation

Novo Nordisk: When Knowledge Graphs meet LLMs

Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...

[GeeCON2024] How I learned to stop worrying and love the dark silicon apocalypse

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...

Detecting Data Exfiltration on the Edge with Pixie

1. Detecting Data Exﬁltration on the Edge with Pixie Zain Asgar - GM/GVP - Pixie & Open Source - New Relic Omid Azizi - Principal Engineer - Pixie & Open Source - New Relic

2. @oazizi Principal engineer at New Relic. Founding engineer at Pixie Labs (@pixie_run) Hi @zainasgar GVP & GM at New relic Co founder/CEO of Pixie Labs (@pixie_run) & Adjunct Professor of CS @ Stanford

3. Disclaimer We are not security experts. The contents of this talk are not meant for use in production. Our goal is to demonstrate some ideas and start discussions.

4. Data Exﬁltration Risks Data exﬁltration is a huge risk. ● Leaks of information like credit cards, SSNs, phone numbers lead to theft. ● Costs $$$ (data?) Wouldn’t it be great if we could know if sensitive data is leaving your K8s cluster? ● It all starts with observability.

5. Pixie: eBPF-based Observability for K8s Auto-Telemetry (eBPF) Edge Compute Scriptable Interfaces

6. Pixie’s Edge Architecture ● Cloud: Control plane for serving API/UI and managing metadata ● Vizier: Data plane for collecting and processing data ○ Deployed to each cluster ○ All data stored in-memory in-cluster ○ All outgoing data is E2E encrypted

7. Pixie is scriptable ● Valid ● Valid ● Built for data analysis and ML import px def http_data(): df = px.DataFrame(table='http_events', start_time='-30s') df.pod = df.ctx['pod'] return df[['pod', 'http_req_path', 'http_resp_latency_ns']] px.display(http_data())

8. Pixie: Under The Hood

9. PEM Architecture PEM: Pixie Edge Module. ● The agent that runs on each host. Stirling: The PEM’s data collector. ● Contains the eBPF collectors.

10. Stirling: Pixie’s Data Collector Focus for this talk

11. An eBPF probe is like a breakpoint in a debugger. ● Interrupts execution when breakpoint is reached. Unlike a breakpoint, a small program is run: ● Inspects and collects any relevant state. ● Then immediately resumes the execution. In BPF terminology, this is called a probe. ● Results in minimized overhead to the execution. // Small probe // counts number of // calls to SendPong() int ProbeSendPong() { pong_count++; } void ProcessReq(Req r) { if (r.body == "ping") { SendPong(); } ... } probe Application Code eBPF Code What is eBPF? An Analogy.

12. Protocol Tracing Snoop messages at the kernel syscall. ● Covers all traﬃc → reduce blind spots.

13. How observability can catch data leaks Step 1: Use Pixie to trace traffic on K8s. Step 2: Run a script to find messages that have sensitive information. ● Look for common patterns: ○ Credit Cards: xxxx-xxxx-xxxx-xxxx ○ SSNs: xxx-xx-xxxx ○ More: Emails, MAC addresses, IP addresses, … ● Filter to traffic egressing K8s Step 3: Scrutinize the egress of sensitive traffic to see if it is legitimate

14. Demo

15. Thank you!...Questions? Website: px.dev Github: pixie-io/pixie

Detecting Data Exfiltration on the Edge with Pixie

Recommended

Recommended

More Related Content

Similar to Detecting Data Exfiltration on the Edge with Pixie

Similar to Detecting Data Exfiltration on the Edge with Pixie (20)

Recently uploaded

Recently uploaded (20)

Detecting Data Exfiltration on the Edge with Pixie