Thought Leadership

Canaries from the mines to the enterprise

Written by Jim Cosser | Nov 5, 2018 10:38:40 AM

Canaries are high confidence triggers that showed miners when the air was unsafe, and when the miners needed to take action. In the digital world, Information Security systems such as SIEMs (Security Information and Event Management systems) can be time consuming to setup and tune. In the interim, security teams can end up blind through a lack of alerts or alert fatigue, and as it is a dangerous environment out there - like the miners of old - we need high confidence triggers to know when to take action.

The end game might be all your crown jewel assets, security systems logging and low false positive alerts, but on the journey to SIEM utopia (and potentially even after) it is wise to consider other high confidence triggers that might flag malicious actors in your environment.

A honeypot can be a great low cost, low maintenance and a high confidence trigger, and they can be quickly configured to look like an attractive target tailored to your environment. Your honeypot does not need to be internet facing, it could be a fake SCADA system in your ICS environment or look like a vulnerable fileserver in your server environment (with juicy looking files and folder names). You know when the alerts are triggered and when it is highly likely there is something malicious going on inside your network. It may well lead you to discover compromised endpoints or malicious insiders.

There are honeypot specialists such as Canary that take the leg work out of making the system look real, and for a list price of $10k for 5 Canaries it is accessible to companies of all sizes. You can even implement honeypots at home, it is cheap and easy (and quite fun!) to setup OpenCanary on a RaspberryPi.

We would be happy to support you on your journey, please get in touch info@savanti.co.uk or visit the chat function on our website: www.savanti.co.uk