Abstract
Since the SolarWinds attack and the Biden-era cybersecurity executive order, much of the security industry’s energy has gone into preventing attacks in the software supply chain, before software is ever deployed. That work matters — but it is not enough. Defence in depth means accepting that vulnerabilities, misconfigurations, and unexpected behaviour will still reach production. Runtime security is essential, especially under the threat of AI-driven automated attacks.
eBPF has fundamentally changed what’s possible at runtime by opening up the kernel as a safe, programmable place to observe — and increasingly enforce — system behaviour with rich context and low overhead. This talk focuses on how that power can be used to spot when something is actively going wrong in production.
We’ll look at how open source tools such as Tetragon use eBPF to detect real attack techniques, from suspicious process execution to unexpected privilege changes and anomalous network activity. Rather than starting from tools, we’ll start from attacker behaviour and work backwards to the kernel signals that matter.
Along the way, we’ll examine which signals are reliable indicators of compromise, how containers change the threat model, and when it makes sense to enforce policy directly in the kernel rather than deferring decisions to user space.
The goal isn’t to turn everyone into a kernel hacker, but to provide a clear mental model for how eBPF enables practical, opinionated runtime security — no prior eBPF deep dives required.
Speaker
Liz Rice
Chief Open Source Officer @Isovalent at Cisco, Ex-Governing Board at CNCF and OpenUK, Emeritus Chair, CNCF Technical Oversight Committee, eBPF, Security, Cilium, Cloud Native
Liz Rice is Chief Open Source Officer with eBPF specialists Isovalent, creators of the Cilium cloud native networking, security and observability project. She is the author of Container Security and Learning eBPF, both published by O'Reilly, and she sits on the CNCF Governing Board and on the Board of OpenUK. She was Chair of the CNCF's Technical Oversight Committee in 2019-2022, and Co-Chair of KubeCon + CloudNativeCon in 2018.
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems, and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.