Technical note
1 minute read

Improving endpoint security on Linux with IBM ReaQta-SysFlow

The endpoint is the weakest link in security — perhaps only second to the human being. Defending the endpoint against advanced cyberattacks requires the ability to see inside computer system endpoints and is critical for creating a strong security posture and reducing cybersecurity risks. This is especially important, as detecting attacks early is key to mitigating and responding to cyber threats.

To address cyber threats at endpoints, the IBM Security ReaQta team joined forces with IBM Research's security team to use their SysFlow technology as the basis of the next release of ReaQta’s endpoint security agent for Linux.

ReaQta is a multi-faceted approach to endpoint security that combines traditional signature-based security approaches with heuristics and behavioral analytics to identify and remediate both known and unknown threats in near-real time. Through this partnership, SysFlow enhances ReaQta's ecosystem with a lightweight layer that brings observability into Linux endpoints and takes ReaQta to the cutting edge of Linux runtime security.

Picture1. .png

SysFlow is a runtime observability framework designed to make security-related data science tasks easy. Its core is an open telemetry format that records how processes, containers (individual application workloads), and Kubernetes pods interact with their environment, including the network, filesystem, and other processes. Its compact format enables the creation of stateful system behavioral graphs from streaming data, providing important context for security analysis.

SysFlow can collect system events using the latest in eBPF technology to achieve portability across modern environments. And eBPF enables users to build applications that monitor systems and enforce security policies on Linux-based systems. The collection layer uses the CNCF Falco libraries to collect system events for downstream tasks, including real-time analysis through a stream analytics pipeline that accepts user-defined plugins, tags telemetry records with MITRE TTPs, and exports events to storage and analytic backends.

The SysFlow team is excited to work with ReaQta to improve endpoint security. Please stop by to say hello on the SysFlow Slack channel and visit our GitHub page to find out about how to use and contribute to SysFlow.

Date