Canaries In The Wild

Andy sits down with Didier Vanderbroeck (VP Security & IT, Oleria) to discuss the value he's seen from canaries as a detection mechanism over a 25-year career in security.

Ranging from getting caught by Slack's honeypots while running red-teaming after the Salesforce acquisition of Slack, to what AI means for the future of deception technology, Didier shares his insights on what it means to Assume Breach with canaries.

What is Canaries In The Wild?

Conversations with security leaders and practitioners about their real-world experience of canaries and honeypots.

Our guests share tactics, detection stories, and lessons learned from production deployments - ranging from technical details to the role deception plays in their defensive strategy, we explore the reality of 'canaries in the wild'.

From the team at Tracebit.

Didier:

Want to be the best at security. A breach cannot happen. We need to prevent it. The use of canaries is the least intrusive from an engineering point of view. We should always assume that somebody can come in, that we should always assume there will be a breach.

Didier:

Let's make sure that we have some ways to find us and react quickly. When we did the Slack acquisition, we didn't know that Slack had canaries in place. They created fake keys, and there were a fair amount of deception mechanisms in the environment. That makes me feel more confident in the posture that I have. I protect the device, but if something happens, I'm ready.

Andy:

So I'm very excited to be doing this call today. So I'm Andy, I'm CEO and co-founder of Tracebit. And we're here to talk all things canaries, deception and honeypots. And I'm joined by Didier Vanderbroeck. I'll hand over to you, Didier, to introduce yourself.

Didier:

Oh, I'm Didier Vanderbroeck. I'm the VP of Security at Oleria, which is a startup in the identity management space. So we try to solve the problem about getting your own identities managed and providing the right access at the right time to all your employees. I've been in the security space for many years now, twenty-five years. Before that, I did a long stint at Salesforce where I was leading red teaming on mergers and acquisitions, then red teaming for the whole company.

Didier:

So I have lots of exposure to the offensive side and the defensive side over the years.

Andy:

Amazing. Thank you very much. That is an impressive background. And I imagine that's given you opportunities to think quite a lot about canaries and deception, which we'll dig into now. And so, Didier, we know each other from working together with Tracebit.

Andy:

Is there anything you'd like to share about that?

Didier:

Well, we are a customer of Tracebit, a happy customer. That's one of the challenges that I saw, I don't know, historically, and we met you, Andy, and the rest of the company in the early days of Tracebit, and we've been with you since the early days, and it's exciting to see all the development that is happening and the growth of Tracebit for sure. So yeah.

Andy:

Amazing, amazing. Maybe on that subject, how do you think about working with, you know, deploying canaries and deception early on in the journey? Because it's something that you maybe did earlier in Oleria than perhaps other security programs would have done.

Didier:

Correct. We did it in the early days, and we did that system by system, as we've been with you guys for a long time now. We didn't have to do everything at the same time. We could do it as things were getting turned on, like Okta canaries, Kandji canaries.

Didier:

So all of that came more in a staged way, which made it a bit easier to adopt for sure compared to somebody that would come now and see the amount of choice. That said, the deployment of the canaries was super simple. It was always a matter of running a script which was given to us. And that is the thing probably where most people have concerns about building a deception program, because you need to do it in a smart way. You can't just build your canary and call it "my first canary", and the attacker does not trigger it.

Didier:

So there is some intelligence behind it that needs to be done. And using a company like Tracebit gave me a bit more peace of mind about the way we were doing that and trying to bring some value out of it. Because at the end of the day, the goal is to act as a canary in the coal mine and alert in case of incident earlier. And we had that recently in the red team exercise. The red team was accessing some of the resources that were protected.

Andy:

Amazing, amazing. And, I'm kind of jumping ahead here slightly, but is that one of the goals? Is that like a measurement of success for you with canaries?

Didier:

There are things that we try to achieve. That's really one of them, being we want to be the best around security. We are all security professionals that built this company, and we want to be the best at security. So we don't have a lot of external events, which is good, because that's where myself and my team are working hard. It's about how do we make sure we have enough mitigation in place, we have enough controls, that we are confident in our posture.

Didier:

So one way that we know that it works is when we invite red teamers to attack us. At least it's a way that we can see, okay, does it work or not? Like, if they would never get tripped, it would be difficult to measure the success. How do you know that those deception mechanisms worked if they don't alert you in the early days? And then we had other events, definitely, where engineers do things without thinking. They delete stuff without really seeing, and the thing is all the canaries look really like real objects in our environment. So they just go and delete stuff and then I ping them: hey, what did you do?

Didier:

And they're like, how do you know? Well, I have my ways.

Andy:

And is that, for you... Because I think when we talk about the idea of putting canaries into production environments, that's the question we sometimes hear, which is: what if this gets in the way of my engineering team? What if this causes some friction? Is that still, for you, a valuable detection to see? You know, that's not a 10 out of 10 malicious event that you've witnessed, but it's still an event. Is that giving you some additional insight into the environment?

Didier:

One, you should never assume that all your engineers are doing the right thing. There is insider threat. It is 100% true. I lived it in my career, and, yeah, it definitely exists. So even having a mechanism that alerts you when, like, you know, accidents happen, when people go and delete objects and don't really realize what they are doing.

Didier:

So having those alerts through GuardDuty and through PagerDuty is extremely valuable, because at least I know something is happening in the environment that probably should not happen. Seeing some table getting dropped in our database, it's, well, okay. At least I know that something happened. I can ask, hey, everything normal?

Didier:

Was that planned? It's a good way to keep people honest.

Andy:

Nice. Okay.

Didier:

I think that's visibility. So it did not introduce friction, because it's very low visibility for the engineers. It's not really sort of intrusive compared to all the other security tools that exist. I would say the use of canaries is the least intrusive from an engineering point of view. Because even if they delete it, nothing happens.

Didier:

Yes, they just get a call from me, but the PR doesn't fail, the deployment doesn't fail, and nothing fails.

Andy:

Great. Yeah, that makes sense. It hasn't actually impacted the engineering velocity. Yeah.

Didier:

Correct. Correct. Plus the deployment is super easy. So it doesn't impact them in the deployment phase, because you guys are doing the work. Like, we give you the permission and you guys are doing the work about deploying the canaries.

Andy:

Brilliant. Yeah. That is always good to hear. That's definitely how we've tried to build the system. And then I guess thinking back to your career, which has been a significant one, and deception and canaries and where they've played a role, I'd love to hear a little bit about, yeah, where maybe you first heard about deception, or when you've deployed it successfully and where you've seen value in it elsewhere?

Didier:

So really, deception is something that I raised multiple times when I was at Salesforce. We were doing red team exercises with great success every time. And I raised that multiple times with the defenders, with the blue team, that you don't have any system in place that alerts you when we start to leverage certain AWS functions. Like, we love to use SSM. That's a good way to move laterally. And the fact that there was nothing in place really gave us a great time, because we could try lots of things inside of the environment and not be detected, as long as we were paying attention to the pace at which we were going.

Didier:

And then when we did the Slack acquisition, we did two red team operations, and the first time we didn't know that Slack had canaries in place. They created fake keys, and there were a fair amount of deception mechanisms in the environment. And we got caught pretty quickly that way. Within a couple of weeks, we got caught because we accessed keys that were triggered. And that definitely told me: this is the value. This is really how you can find a good attacker in your environment.

Didier:

That's probably the only way. All the other things, about ingesting petabytes of logs and hoping the analyst will see the abnormal traffic, don't work at scale. This is a good way that works at scale if you make it enticing enough. Like, if you can see there is a role that looks to really have access to everything: let's try to gain access to that role.

Didier:

And in fact, it's a booby trap. So we got caught. And then the funny thing is that a year later, we did another red team exercise to validate the fixes. And what we saw was that my team was very afraid to do anything. So the whole exercise took us way longer because everything that we were finding was like, do we want to use that key, or will we trigger another one?

Didier:

And so it took us way longer to be able to find ways that we could exercise things like keys and secret keys that we found without triggering things. So that's a second positive. The attacker needs to move slower, and that gives you more time to get detected. So those were really good things. I've seen similar things at Heroku, which was another acquisition.

Didier:

They built their own thing about detection, their whole framework. And that told me, like, this is not the most cost-efficient way to build. Because they went and built their whole management of canaries, and several years later, their management was asking the question about, like, why do we really need to pay two engineers' time the whole year to maintain that? And so when I met you, and you introduced us to Tracebit, I was like, yeah, I don't wanna pay two FTEs to maintain that environment. I'm more than happy to pay for an environment like that. So it's definitely helping.

Didier:

It's helping through a fair amount of compliance too, about showing the auditor that we go, we definitely go multiple steps beyond what a startup would do to make sure we have enough detection in the environment. And that's what I saw. Like, I did over fifty merger and acquisition deals when I was at Salesforce. But it was young startups, series A, series B, that were putting as much around, like, the depth of security. They'll sprinkle a bit of security on top, but they will not think about the whole picture.

Didier:

So here we did that. We deployed canaries on every laptop. Every laptop has a fake AWS credential that is then monitored by Tracebit. It makes me feel more comfortable because if an attacker comes, I know they will go for those credentials, because it's the only credential in clear. So that makes me feel more confident in the posture that I have. And I protect the device, but if something happens, I'm ready.

Didier:

I'm really ready to jump into it. We have the same thing in Okta. We deployed several fake applications. Funnily enough, I told all the people that were assigned an application, like finance people, the finance app, legal people, the legal app: don't touch. And I still got a lawyer to launch the app the first time they saw the app.

Didier:

That's how we knew that it worked. But from the past, like, seeing all those companies falling victim to red teams, not even knowing that they had been compromised. That's when you realize, and at the end, compared to all the other security controls, this is probably one of the cheapest ways to get some detection in place, in my opinion. Compared to the rest, it's a bit like, yeah, it's a good way. Yes.

Didier:

It doesn't cover everything for sure, but it's enticing enough. Any red teamer would go for a good role. Or, like, getting access to SSM, it's great. I can deploy packages on every instance. So all those things are enough for a red teamer to give you some insurance.

Andy:

So, yeah, those are some amazing stories and a bunch to unpick there. I think the two things you said to me there, which are around both detecting the red team and psychologically affecting the red team to make them slower and less effective, are kind of things we hear time and time again. I think that's super interesting. And then also the cost of maintaining these programs. So I'm interested.

Andy:

Is that something you've seen? Because I think something we see and something we feel quite strongly about is, like, a key failure mode almost for deception programs is where, you know, those FTEs do their six-month-long project, and they spin up deception. They get it in a good shape, and then it kinda just pauses, and then it doesn't change. It doesn't evolve. So you have that initial positive result with the red team, and then they come back, and nothing's changed, and they know how to kind of work their way through the maze and skip everything.

Andy:

And we think that should be an ongoing programme.

Didier:

Exactly. Once you know where the canaries are, like the way they are made, it's much easier to avoid them. And that's why it needs to be maintained. It's not a fire and forget. One, environments are not static.

Didier:

In our case, we are growing, we are adding customers. And as we add customers, we have customers going through attrition. The canaries can't stay named the same way, because they will get orphaned, and that's where it starts with... Yeah. You can't do that. It needs to be an active management of your canaries, especially in the cloud environment.

Didier:

Yeah, the AWS cloud doesn't care too much for that. Some of those, I don't care too much. But like in a cloud environment, you need to keep your keys up to date. You need to change. You need to change too.

Didier:

You can't just... exactly. Because you'll get one red team operation, and they'll understand quickly where they are getting burned. And in our case, like with Slack, the second year we knew where not to go, but we were not sure how much had changed. Yeah.

Andy:

Yeah. I mean, I think even for us, like, new features and building new features out as well is kind of important. You know, we've taken the decision to be somewhat transparent in terms of what it is we might create decoy assets for. And if you're doing that, you kinda need to keep pace and keep evolving, because, you know, if your customers are reading your documentation, your attackers are probably also reading your documentation as well. Amazing.

Andy:

Those are really, really interesting stories. Thank you for sharing them. I'm interested. You touched on auditors there and that whole world. Are there any controls or regulations in particular that you would pull canaries out for specifically?

Andy:

Or is it more around kind of showing the auditors that, you know, you know what you're doing and you're taking security seriously?

Didier:

Definitely, it was helping for PCI, to show that, yeah, where we could have credit card data, we have additional controls. Not just like, yes, we have a SIEM, some things that we have, we have a SOC. But in addition, we have extra controls that would alert us in case of compromise or unapproved access. Because one of the things too around PCI is that you need to show that only authorized employees have access, potentially, to critical data, and that was one way to show we have other things than the traditional things. So we do the same thing on the identity piece, like all our identities are just in time.

Didier:

And so that buys you a fair amount of goodwill from auditors when you can show that you go above and beyond what the requirement says.

Andy:

Right. Yeah, I think we've heard that from folks.

Didier:

Yeah, it was just a way to show the maturity of your controls versus, like, we are just skipping by and hoping to get through.

Andy:

I think we've heard from folks as well that there are obviously some regulations that call for deception, but even in cases where they don't, it can be valuable to draw the auditors' attention to where you are doing very well versus places where you may be not doing so well. And that's kind of been something we've heard them value before, because there is that quick win. Amazing. I'm interested as well. I mean, we kind of talked about the value you've got from canaries, but when you're talking about deception and canaries to leadership, how are you putting that into more exec-level simple terms to talk about the return on investment, the story there?

Didier:

So I'm extremely fortunate around that, in the way that my CEO was chief trust officer at Salesforce, was the GM of Security at Microsoft for many, many years. So I don't need to sell him on the value of what we do around security. That said, he had some questions, because we have deployed an access management solution that looks for secrets on disk that are unencrypted. And so he got a fair amount of alerts about that: there were AWS credentials on his disk and he could not understand why, because he doesn't log in to our cloud environment. And that was one of the canaries.

Didier:

So I explained to him the why, and I explained to him, like, so if somebody gets access to your laptop, I think they would go for anything in your credentials. They will look for credentials like those tools do, and would try to use them, and he understood immediately the value. So I never got... it was an easy sell to explain why do we want to do that. Because he's been on the receiving end during all his years at Salesforce. He was on the receiving end of my team destroying the production environment through red teaming.

Didier:

And then you had to go and build a plan to remediate all that. So that's being fortunate enough. That said, when I see, like, I would say the cost of the solution, the time it takes to deploy, which is super minimal, I think each time, for each of the systems, I spend at most one or category of canaries that we deploy at max. So it's a very small investment for my part. I have to go from time to time to refresh the canaries when we do too many changes.

Didier:

But it's still very little compared to the amount of time that I've seen others doing. So the pitch was really, you know, it's a small investment. We should always assume that somebody can come in, that we should always assume there will be a breach. So let's make sure that we have some ways to find us and react quickly. In my past, I did so many operations where we were in the environment for weeks, months, and the target never discovered anything until we told them.

Didier:

I would never want to be in that position. So

Andy:

I guess, yeah, as you said, you're in that kind of fortunate position where the CEO of the company is a very experienced security leader. You are a security company selling, you know, a sensitive security product. So it's a high priority for you.

Didier:

Yeah. So it was an easy sale, which is a good thing. But I can see that in other corporations, that would be a different story. But the angle I would take would be the amount of investment you have to spend to keep the system functioning well being so low. The return on investment is always, you know, it's like insurance.

Didier:

Yes, if you drive really well, you've never had an accident and you drive in an environment where everybody else drives really well, like a Formula One Grand Prix, you would never have an accident. You don't need insurance. No, that's not true. You would still take insurance. It's the same in cybersecurity.

Didier:

We should always think something will happen. I don't know any environment... anybody telling me my environment is unbreakable? Yeah. Lost credibility there.

Andy:

Agreed. And I think that kind of assumed breach story is one we hear very, very often as well. Why do you think... you know, you mentioned that you've been in environments where you've kind of rolled in and no one's noticed you for a long amount of time, and, you know, canaries are not kind of a default today, I think it's fair to say, certainly early on in a security program. Why do you think that is?

Didier:

I think there are a couple of things. So far, there was no real company providing you that self-managed approach to canaries. So deploying canaries is seen as an advanced security control, and you'll need to spend a fair amount of engineering time and effort to get it working. It needs to plug into working detection, working alerting, working response. So people are seeing that, like I would say on the maturity metrics, that's really for the advanced scenario.

Didier:

And I think that's where you guys come in. Breaking all that, you can bring that advanced maturity to an early stage maturity. Because you don't need to have all that knowledge. As what would I have to do? I would have to have an IAM role or object and try to figure out, okay, like, what is really your naming convention?

Didier:

In a startup, naming convention is very relative. It depends on who's been writing the script. So having somebody that does the work did not exist in the past, or people like Slack, for example, they built their canaries from scratch. The bad news is the person that managed that environment and built it left. And so, like, I have one of my friends who covers the security team at Slack and needs to rebuild all that.

Didier:

So I pointed him to you guys. Today, there are solutions. Up to two years ago, there was no solution. Yeah, you had to go and do it yourself. And then that leads to: what is the ROI?

Didier:

How many attackers will you find? How many attacks will you prevent that way? And lots of people are still more like, instead of assuming breach and I need to be able to have that detection, they are still more in the "a breach cannot happen, we need to prevent it". And I think that takes a big shift to move to, okay, breach will happen.

Didier:

It may already have happened. We don't know. So how do we find out? And I think that's where it starts to change. When we have companies like Tracebit, that really helps change that conversation.

Didier:

Before that was, yeah, it's a big investment. I agree. It needs to be prioritized against everything else.

Andy:

Yep. Totally. I think making sure it's this quick win is what really, really helps. And then just the constant barrage of security events, right, that kind of, I think, are opening more and more people's eyes up to: assume breach is really the only way. You know, if you can't control OpenSSH's security, then, you know, you kinda have to be realistic that someone will get in somehow, and being prepared for it is the way.

Didier:

It goes really fast. Like, I know that, like, nine months ago, we had a developer that, by accident, exposed SSH to the Internet. Within thirty minutes, we were bombarded. We were scanned from Iranian groups trying to brute force the environment.

Didier:

Yeah, it goes really fast. It goes really fast these days.

Andy:

One other thing I'd be interested to get your thoughts on is: does AI change this at all? Do you think recent advancements, LLMs, and all the excitement around it change the need, the possibility of canaries and deception?

Didier:

I think it just increases the need. I don't know if it changes the need. It will increase the need because there are definitely lots of things, I would say from a security practitioner's point of view: AI systems tend to be over-provisioned from an identity point of view. They have bigger access to more things.

Didier:

And then as we are thinking more about agentic AI, I'm not too worried about language models. The language model is just a language model. So per se, that's not very interesting. Agentic AI, I can start to see, like, once you can ask agents to go do things on your behalf, that's where things will be more interesting, and you need probably more canaries to get that type of detection. Because it will look, it will feel exactly like any other API action, and it will make, like, big detection harder.

Didier:

So I think there is some space there where we need to think about, like, eventually creating fake MCPs or fake agents to try to see, like, are they getting triggered by another MCP by accident? And so I think it's a new world. It's new capabilities. But definitely, I'm more concerned about, like, definitely, there are some folks that are putting together agentic pentesting, like using agents just to run pentest tools and find things faster. The rest, like the LLM pieces, is not the thing that I worry about, because it may be more an advantage for us to use that and to, for example, discover faster, like: find me my common nomenclature, how do I name things in my environment?

Didier:

Those are good questions for language models. So I think that AI is more around, we need better capabilities. Definitely be looking at you guys to see how you change that space again and bring some kind of raise in that space.

Andy:

Awesome. Yeah, I think for us, you know, when I think about valuable detections we make for customers around those kind of, you know, those non-malicious events we talked about earlier, right, which is the unusual risky insider behavior. And then the value in those canary detections is, you know, you know that no one should have downloaded this file or used this key, because it's a canary. That's the whole idea. And then when I think about us unleashing agents into our systems, I think those detections are going to become even more valuable, because the agents are nondeterministic, and they are not humans.

Andy:

And you cannot speak to them and understand what they're actually necessarily thinking. So being able to know that you've got at least some flags around your environment that they're going to trip up on if they do stray outside of your expected bounds, I think it's gonna become increasingly important.

Didier:

A 100%. Like, definitely, when we see the zero-click attack using Copilot and email, there is really no action from the victim, as the agent reads the email, takes action based on what's in the email, retrieves privileged information, and sends it. It's all very, it's definitely, that's where there is... there is no additional need for canaries there because, like, hopefully, I can catch it that way, for sure.

Andy:

Amazing, Didier. Thank you so much for your time. I really appreciate you taking the time to chat to me today.

Didier:

Thank you, Andy. Really appreciate it. Have a good one.