Thursday, January 14 • 10:15am - 10:45am
A Pluggable Edge-Processing Pipeline for SysFlow

SysFlow is a compact open data format that lifts the representation of system activities into a flow-centric, object-relational mapping. It records how applications interact with their environment and relates processes to file accesses, network activities, and runtime information. The telemetry format encodes single-event and volumetric flow representations, naturally linking these entities together to provide context for analytics and provenance. SysFlow drastically reduces endpoint event collection rates and lifts events into behaviors. This supports forensic applications and more comprehensive analysis approaches, such as cyber threat hunting, big data analytics, and visualization.

This talk will introduce a new stream processing and edge analytics pipeline for SysFlow. The pipeline is implemented as a multi-threaded, pluggable framework that enables custom analytics on SysFlow data streams. It supports enriching those streams with important information such as cluster metadata, container configurations, and application logs. It also includes an extensible policy engine that can monitor and enforce reference policies on cloud workloads and trigger remediations. We will describe the design and open-sourcing of the pipeline and demonstrate threat identification use cases that make use of runtime reference policies. We will also demonstrate the custom analytics capabilities of the pipeline by showing a graph-based streaming analytic that uses process graphlets to uncover security-relevant application behaviors for threat hunting, forensics, and context representation of security alerts.

Attendees Will Learn:
  • Design principles and architectural insights influencing the SysFlow edge pipeline implementation;
  • How to deploy runtime reference monitoring policies in container cloud environments;
  • How to use SysFlow to create stream-based graph behavioral analytics to identify malicious behaviors in container clusters.

Frederico Araujo

Research Scientist, IBM Research
Dr. Frederico Araujo is a Research Scientist at IBM Research, where he leads the team's efforts on cloud-native security. He's an active contributor to open source and a maintainer of the SysFlow project. He's also a contributor to CNCF's Falco project. His work has been featured...
Teryl Taylor

Research Staff Member, IBM Research
Dr. Teryl Taylor is a Research Staff Member in the Cognitive Cybersecurity Intelligence Group at IBM Research. He has ten years of experience in cybersecurity-related research, including NetFlow-based analytics, system telemetry and analytics, security visualization and cyber deception...

Thursday January 14, 2021 10:15am - 10:45am EST