
eBPF Security Observability: Top Tetragon Use Cases (Part 1)

Jeremy Colvin

Inspired by recent presentations and discussions around Tetragon, we picked out the top security observability use cases, and found that they reach deep across the security application landscape. This is the first in a series of posts exploring where Tetragon solves our most pressing pain points and uniquely extracts the best data to secure our production environments.

Since Tetragon reached 1.0, platform and security teams have quickly adopted it for flexible eBPF-based security observability and runtime enforcement. Tetragon is the standard for eBPF-based security observability, so let’s look at what that means in practical terms for the use cases teams are successfully solving.

Tetragon provides our security teams with rich data that connects important network, process, and Kubernetes metadata into a single event record. Getting this combined view of activity allows us to answer questions about network activity on our clusters down to the node, namespace, pod, and container level. Even more, it was quick to set up and has minimal overhead, which is critical at our scale.

Jason Cetina – Staff Security Engineer at GitHub


Generate audit trails for mission-critical applications

Tetragon thrives at generating events that bring context around an alert, suspicious activity, or even baseline expected behavior. A common use case for teams supporting high-risk environments is the requirement for reliable audit trails, tracing the what, where, when, who, and how behind security-significant events.  

As we will see in later use cases, the depth of telemetry from Tetragon allows you to capture extremely granular details, tie them to specific identities, and keep the context around an event (like the parent-child processes). 

Detect, audit, act. In the following graphic, we see an example of a process tree built using Tetragon, mapping the processes that led to a data exfiltration attack. It gives clear context on where (system, namespace, and pod) the event happened and on the series of processes that led to the reverse shell, lateral movement attempt, and exfiltration (with audit data on the exact process, port, and protocol used).

Detecting a Container Escape with Tetragon and eBPF

In this blog post we show how an attacker with access to your cluster could perform a container escape: running a pod to gain root privileges, escaping the pod onto the host, and persisting the attack with invisible pods and fileless executions.


Deploy dynamic policies for zero days

One of the fun benefits of Tetragon is that you can write and apply policies in minutes. When a zero-day vulnerability is disclosed, you can immediately deploy a TracingPolicy across the entire production environment without a restart or downtime.

For example, with the XZ Utils CVE, teams were scrambling to roll back their versions or apply compensating controls. With Tetragon, we wrote a policy to monitor the XZ/liblzma library and block processes from launching when their dependencies included a vulnerable version. Instead of worrying about version numbers and production uptime, teams started monitoring and hardening their environment in minutes.

So rather than waiting for an advisory or an upgraded version, or taking downtime to roll back the XZ/liblzma library, the Tetragon policy enforced the compensating controls needed to keep production workloads running without being exploitable.
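A TracingPolicy of the shape described above, written here as an added example rather than the policy Isovalent shipped for CVE-2024-3094: it hooks the kernel path every shared-library mapping goes through and kills any process that maps a liblzma file whose name matches. The library file names are placeholders to be filled in from the advisory.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: block-vulnerable-liblzma
spec:
  kprobes:
  # Every shared library the dynamic loader maps passes through this LSM
  # hook, so the policy sees the dependency regardless of which binary
  # (sshd, xz, anything else) pulls it in. The probe attaches live, so it
  # applies to already-running workloads without a restart.
  - call: "security_mmap_file"
    syscall: false
    args:
    - index: 0
      type: "file"   # struct file * of the object being mapped
    selectors:
    - matchArgs:
      - index: 0
        operator: "Postfix"
        values:
        # Placeholders: substitute the affected library file names from
        # the advisory, in the form "liblzma.so.<AFFECTED-VERSION>".
        - "liblzma.so.<AFFECTED-VERSION-A>"
        - "liblzma.so.<AFFECTED-VERSION-B>"
      matchActions:
      # Sigkill stops the process before the mapped code can execute, and
      # the emitted event still records the binary, pod and namespace.
      - action: Sigkill
```

Apply it with kubectl like any other TracingPolicy; replacing `Sigkill` with no action at all turns the same rule into a detect-only inventory of which workloads still load the library.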


eBPF & Tetragon: Tools for detecting XZ Utils CVE 2024-3094 Exploit

Leveraging eBPF provides security teams a near-zero overhead framework for detecting vulnerable versions of XZ Utils in the kernel, built in and deployed in minutes.


Gain deeper visibility into runtime events

You can’t protect what you can’t see. This simple mantra underlies many security discussions, and it is a core reason teams are excited about Tetragon’s unparalleled depth of visibility. Out of the box, eBPF programs capture every process event, and the exact binary that spawned it, across all your Linux applications.

Tetragon’s unique position in the kernel lets it see everything at runtime: system call activity, file I/O, process execution events, and network activity. This is coupled with Kubernetes awareness, so security events and policies are matched on K8s metadata rather than ephemeral IP addresses.

With Isovalent, Tetragon runs on any Linux machine regardless of kernel version or where it sits. 

Figure: Tetragon overview diagram

See deeper into your runtime activity with eBPF-based observability

Tetragon uses eBPF to combine a wide set of strengths while removing most of the weaknesses of legacy security tools.


Monitor and log with lower overhead

How we capture data is just as important as what we capture. We need tools with extremely low overhead that minimize the resource footprint without compromising visibility. Tetragon does just that, with visibility into every process exec at less than 2% overhead (and even less in most use cases).

For example, monitoring extremely high volumes of file I/O activity is almost trivial, as the benchmarks below show. With eBPF, the cost of observing an event in the kernel is almost nothing. Tetragon observes all file activity on a workload but adds no overhead until a policy is triggered and an event is moved to user space. Legacy tools, by contrast, spend needless cycles moving every event between the kernel and userland.

Tetragon observability performance benchmarks

Dive into Tetragon's low performance overhead for core use cases: tracking process executions, high-volume file monitoring, and network TCP_CRR.


Security built for Kubernetes environments

Kubernetes is the dominant enterprise architecture for deploying containers, and with it come many benefits and challenges. One of those challenges is security in an environment where workloads are constantly in flux.

Tetragon was built to address these security challenges in Kubernetes (and beyond) by being Kubernetes aware and able to natively understand the namespaces, clusters, pods, and more that make up a K8s deployment. This provides easy, out-of-the-box observability and enforcement for all your Kubernetes runtimes.  

Building on Kubernetes’ granular workload management, Tetragon’s 1.13 update lets policies be applied to specific pods or namespaces. In-kernel event filtering and aggregation improves control, reduces alert noise, and lowers CPU and memory overhead.

With full Kubernetes awareness, Tetragon applies identity-aware, label-based policies to manage access, embodying the principles of least privilege and zero trust within dynamic Kubernetes environments.


Mastering Cilium for Kubernetes Compliance

The Cilium + Tetragon white paper from Isovalent and ControlPlane on meeting NIST-800 and other compliance frameworks in cloud-native environments.


Streamline compliance attestation 

Implement compliance and prove it too. A core use case for teams is using Tetragon to enforce policies at runtime, alert on critical security-significant events, and collect health metrics for known compliance standards, including SOC2, PCI-DSS, NIST-800, and more.  

Control and audit where information can travel within or between systems, and restrict workloads to communicate only with the endpoints, binaries, files, or capabilities they need and nothing more.

To protect sensitive cardholder data, Stephen Hoekstra and Marcel Bezemer from Schuberg Philis use Tetragon for runtime security visibility to achieve PCI-DSS compliance in AWS.


Take a use case example where we are processing transactions, which we do in batches, we write it to the disk inside the pod, and then we want to send it off to its destination inside the customer network through the egress gateway. And so if a bad actor was able to exec into a pod, there is a small window of opportunity between writing the file to disk and uploading it and then deleting it where they could, in theory, exfiltrate data or just read the contents of the file.

What Tetragon can do in this case is if you have a policy that [defines if] you’re not this process or not this user, and you’re trying to access this file, then just terminate that system call. And we’ve seen some really nice demos in the case where from the outside you do like an ls, and that’s all good, and you do a cat, and the process just hangs because under the hood Tetragon has ripped out that system call, and basically dev nulled that call.

Stephen Hoekstra, Mission Critical Engineer, Schuberg Philis
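The rule Stephen describes, written as a Tetragon TracingPolicy. This is an added example, not Schuberg Philis’s policy or one from this post: the pod label, the batch binary path and the staging directory are assumptions, and it also scopes the rule to a single workload with a podSelector, the per-pod targeting mentioned in the Kubernetes section above.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: protect-transaction-batches
spec:
  # Scope the policy to the payment workload only (assumed label), so other
  # pods on the same node generate no events for this rule.
  podSelector:
    matchLabels:
      app: transaction-processor
  kprobes:
  # security_file_permission is the LSM hook on every read()/write() of an
  # open file, so each access attempt is checked, not only the open().
  - call: "security_file_permission"
    syscall: false
    return: true
    args:
    - index: 0
      type: "file"   # struct file *; Tetragon resolves the path from it
    - index: 1
      type: "int"    # access mask: 4 = MAY_READ, 2 = MAY_WRITE
    returnArg:
      index: 0
      type: "int"
    returnArgAction: "Post"
    selectors:
    - matchBinaries:
      # Assumed path of the batch job that legitimately writes, uploads and
      # deletes the files. Any other binary (a shell running cat, for
      # instance) falls into the NotIn set and matches this selector.
      - operator: "NotIn"
        values:
        - "/app/bin/batch-processor"
      matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/var/spool/transactions/"   # assumed staging directory in the pod
      matchActions:
      # Override makes the hook return -EPERM (argError -1), so the syscall
      # fails inside the kernel while the event still records the offending
      # binary, user and pod for the audit trail. The trailing slash in the
      # prefix matches files inside the directory, not the directory entry
      # itself, so listing the directory still works.
      - action: Override
        argError: -1
```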

Running PCI-DSS Certified Kubernetes Workloads in the Public Cloud

Compliance in the public cloud with Kubernetes can sound difficult and scary, but it doesn’t have to be. In this session Stephen and Marcel talk about their experiences running a PCI-DSS certified Kubernetes cluster in AWS, and share some lessons learned to help you achieve the same.


High-performance network health monitoring

Proactively manage your network health to maintain enterprise-grade efficiency and security. Tetragon offers deep insights into network activities (TCP, UDP, DNS, HTTP, TLS, and more), helping teams to quickly identify and resolve issues, ensure optimal performance, and prevent potential threats from escalating.

Isovalent Enterprise protocol parsing makes it easy to configure event collection for a range of backends, from standalone bare-metal hosts to high-volume Kubernetes clusters, and includes out-of-the-box policies that enable the Tetragon parser for DNS, TCP, UDP, or interface events. This gives platform teams clear visibility into their network’s real-time health and status, with the granularity (process and binary metadata) to quickly pinpoint bottlenecks or security-significant activity.

With this data, we can quickly identify which application is consuming all the bandwidth, spot DNS issues in requests, responses, and name lookups, and pinpoint the source of latency in an application.

Observing multicast traffic is notoriously difficult for network administrators. Tetragon can monitor the performance of any kind of multicast traffic, whether or not it is carried by Cilium. See more about Cilium and Tetragon’s eBPF-based IP multicast support starting from the Cilium 1.15 announcement.

Figure: Tetragon Grafana dashboard, TCP throughput socket overview

Isovalent Enterprise for Tetragon: Deeper Host Network Observability with eBPF

Tetragon, powered by eBPF, can provide network observability directly from the kernel of your platform. We’ll walk you through example use cases such as bandwidth, latency, and DNS monitoring, from the host, from the pod, and also from the binaries running inside the containers!

See the Tetragon network health dashboards

Summary of the top Tetragon use cases

Limiting ourselves to just the top security observability use cases was difficult, with so many different applications for Tetragon. Each use case draws on the same underlying strengths: the uniquely granular detail Tetragon extracts, down to the binary of each process; the context from Kubernetes- and kernel-aware metadata; and the trivial overhead that makes it simple to filter high volumes of data into meaningful insights.

Over the next year, I think we will continue to see this dramatic rise in adoption of Tetragon for core use cases, but also into more niche areas of security like setting up canary honeypots or even just using Tetragon to build a Turing-complete machine.

If you are using Tetragon, feel free to submit your use case in the GitHub USERS file or reach out directly to see how Isovalent (the creators of eBPF, Cilium, and Tetragon) drives your infrastructure to future-proof, scalable, and efficient solutions. 

eBPF Security Observability: Top Tetragon Use Cases (Part 2)

Continue to the next post in the series. Beyond observability and into runtime control, see the top runtime security cases and how eBPF security offers stronger runtime enforcement and detection.
