Good UNIX tools

aka: Small things done well
We spend a lot of time sweating the details when we build Canary. From our user flows to our dialogues, we try hard to make sure that there’s very few opportunities for users to be stuck or confused.
We also never add features just because they sound cool.
Do you “explode malware”? No.
Export to STIX? No.
Darknet AI IOCs? No. No. No.
Vendors add rafts of “check-list-development” features as a crutch. They hope that one more integration (or one more buzz-word) can help make the sale. This is why enterprise software looks like it does, and why it’s probably the most insecure software on your network.
This also leads to a complete lack of focus. To quote industry curmudgeon (and all around smartypants) Kelly Shortridge: “it is better to whole-ass one thing than to half-ass many”. We feel this deeply.
Most of us cut our teeth on UNIX and UNIX clones and cling pretty fastidiously to the original Unix philosophies¹:
  • Make each program do one thing well
  • Expect the output of every program to become the input to another
This is pretty unusual for modern security software. Everybody wants to be your “single pane of glass”. Everybody wants to be a platform.
We don’t.
Tired: Vendors trying to be an island.
Wired: Vendors who work well together.
Inspired: Let’s get ready to Rumble…
Rumble, HD Moore’s take on network discovery, shares a similar perspective, and provides effortless network inventory visibility without credentials, tap ports, or heavy appliances. Rumble tries to provide the best inventory possible through a single agent and a light (but smart) network scan that is safe to run in nearly any environment. (If you are a fan of the quick deployment and light touch of Canaries, you should check out Rumble’s similar approach to network asset inventory!)
It’s fast, it has a free tier, and now it integrates with your Canary Console too.
To illustrate this integration, assume someone reaches out to a (fake) Windows Server called \\BackupFS1 and copies \\Salaries\2020\Exco-Salaries.xlsx. Your Canary will send a single, high-fidelity message to let you know that skullduggery is afoot. We can tell you that host-192.168.2.136 accessed the Canary, and that AcmeCorp/Bob (or his creds) accessed the share.
We give you some details on the attacker, but what if you were also running a Rumble inventory of this network? Well, then we can simply hand you over to it.
From June, Canary customers who are also running Rumble will notice a new integration option under their Flocks Settings.
[Screenshot: Rumble Integration Settings]
Once this is turned on, IP Addresses in alerts will include a quick link that allows you to investigate the address inside of Rumble.
The integration is light and unobtrusive, but should immediately add value. It also affords us the chance for a slight flourish. It’s possible that you could use both Canary and Rumble and never visit the settings page to enable the feature. We have users with hundreds of birds who only visit their Console once or twice a year (when there’s an actual alert). It’s ok. We got you!
The Canary Console will automatically detect if you have a valid Rumble login, and if you do, will enable the integration to show you the link². You won’t have to think about it, it will “just work”.
____________

¹ https://archive.org/details/bstj57-6-1899/page/n3/mode/2up

² If you hate this, you can stop it from happening by setting the integration to “never” in your settings.
Authored with 💚 by Thinkst