Showing posts from May, 2018

Using the Linux Audit System to detect badness

Security vendors have a mediocre track record in keeping their own applications and infrastructure safe. As a security product company, we need to make sure that we don’t get compromised. But we also need to plan for the horrible event that a customer console is compromised, at which point the goal is to quickly detect the breach. This post talks about how we use Linux's Audit System (LAS) along with ELK (Elasticsearch, Logstash, and Kibana) to help us achieve this goal. Background Every Canary customer has multiple Canaries on their network (physical, virtual, cloud) that reports in to their console which is hosted in AWS. Consoles are single tenant, hardened instances that live in an AWS region. This architecture choice means that a single customer console being compromised, won’t translate to a compromise of other customer consoles. ( In fact, customers would not trivially even discover other customer consoles, but that's irrelevant for this post. )

RSAC 2018 - A Recap...

This year we attended the RSAC expo in San Francisco as a vendor (with booth, swag & badge scanners!). We documented the trip, it’s quirks, costs and benefits along with some thoughts on the event. Check it out, and feel free to drop us a note on the post or by tweeting at @ThinkstCanary . Considering an RSAC Expo booth? Our Experience, in 5,000 words or less