BLOG | OFFICE OF THE CTO

eBPF: Revolutionizing Security and Observability in 2023

Lori MacVittie 缩略图
Lori MacVittie
Published November 13, 2023

eBPF is agentless, non-disruptive, and offers a tantalizing mix of data generation and control.

eBPF is on a trajectory to become one of the most significant components of modern observability and security solutions thanks to its ability to provide unparalleled visibility and act as a strategic control point for security.

What is eBPF?

eBPF (extended Berkley Packet Filter) is a lightweight, kernel-level Linux construct that can act as both a collection and control point for telemetry. It is popular because it does not require modifications to the kernel or recompilation, allowing it to act as a frictionless way to insert capture and control capabilities into systems.

While it is primarily used for capturing telemetry from a system, it can also be used as a control point because it is able to perform a limited set of functions. For example, it can be used to prevent propagation of suspicious packets as well as acting as a sort of packet-level router.

This dual nature is why the technology is gaining significance in both the observability (capture) and security (control) markets. eBPF enables analysis by offering a more robust set of capture points than is possible or financially feasible with traditional agent-based technologies. eBPF is an enabler of observability and security capabilities.

Why is eBPF the top technology of 2023?

I’m sure the first response to this statement is “Nuh-uh, generative AI is the top technology of 2023.”

Allow me to disagree.

While generative AI is the most promising technology of 2023, its impact on the market is still nascent. There are thousands (literally) of tools, frameworks, libraries, apps, and websites that enable organizations to quickly leverage the power of generative AI, but few tangible impacts on the market. To date, the impact of generative AI is largely on internal productivity gains which, while a good sign, are not significantly changing markets.

That’s not true of eBPF, which is having a profound impact on two distinct markets: security and observability. Indeed, eBPF is one of the foundational technologies making it possible for these two markets to converge and produce a new generation of operational tools that help keep enterprises—and their data—safer. Thus, eBPF is the most strategic technology of 2023.

Over the course of 2023 we’ve seen eBPF move from an enabler of observability to a significant shaper of security through its ability to act as an albeit limited control point. It is technically agentless, given that it can be incorporated into Linux-based systems without requiring recompilation or modification and is incredibly lightweight when compared to traditional agent-based alternatives.

Now, eBPF does not solve for the challenge of what to do with all that data that’s generated. That’s a bigger problem, and the rise of practices and approaches like ML and DataOps are a response to scaling telemetry pipelines to make sure all that goodness can be levered by analytics to produce the actionable insights organizations have been asking for since 2021.

But like most orgs, the first step is to make sure they’re collecting telemetry from all the right places, and one of the answers to that challenge is found in the use of eBPF.

Now, it turns out that eBPF isn’t just a data-generating technology. It’s also capable of acting on data, which means it can be used as a filter, a rudimentary router, and a means of neutralizing attacks or bad actors early on. Security services are fueled by data, but they also rely on control points to act on that data, and eBPF helpfully provides both functions.

And that’s why we’re seeing more and more usage of eBPF in both the observability and security markets, and especially in those offerings that are starting to operate in both domains. eBPF is the top technology of 2023.

Whether it can hold its place in 2024 in the face of the overwhelming momentum of generative AI remains to be seen. But the speed with which AI is moving indicates that if it doesn’t overtake eBPF in 2024, it will soon after.

Enterprise adoption of eBPF

Enterprise organizations can take advantage of eBPF through software and services that rely on the technology, as well as incorporating it into its own tech stack. The use of eBPF can greatly enhance visibility, particularly for traditional applications for which the cost is too high to instrument manually. By relying on eBPF, organizations can effectively “slide” visibility into an application stack without the overhead—and additional cost—required to deploy and manage agent-based options.

Organizations that haven’t explored eBPF yet are encouraged to do so now. With the rising costs associated with cloud—and with agent-based options—leveraging eBPF is an excellent strategic option for reducing costs while increasing visibility and fueling the data pipelines required by AI.