Improving intrusion detection with Sandfly

Short of disconnecting every cable from your servers and encasing them in concrete (which has a rather detrimental effect on their usefulness), there is no 100% secure system.
When we protect our offices by installing a new lock, an alarm or CCTV we don't believe that doing so makes them 100% secure. Instead we aim to tip the scales so that the effort and risk of breaking in outweigh the value of what would be gained.
The same is true when protecting data in the cloud: no single security tool or service can prevent a bad actor with enough time and resources from gaining access. Instead we have to make the reward for gaining access not worth the effort and risk required, and to do that we deploy multiple layers of security, among them intrusion detection.
What is intrusion detection?
Intrusion detection is exactly what it sounds like: the process of identifying when an unwanted person or tool has breached your security layers and gained access to some part of your system.
When someone gains access to a server (or attempts to) they leave evidence of their activity, evidence they will try to remove or hide to buy themselves enough time to find and steal valuable data or to deploy malicious software such as ransomware or spyware.
By detecting a breach or an attempted breach early there is a good chance of preventing or limiting any loss or corruption of data. Further, by understanding from the evidence how an intruder gained access, those weak points can be fixed so they cannot be exploited again.
Detecting a breach is complex: many breaches are at least in part carried out with tools that automate scanning for vulnerabilities, exploiting them to gain access and covering up evidence of the breach. With automated scripts a discovered vulnerability can be exploited in seconds, leaving the attacker with access to the server and little or no evidence of their presence.
To counter this we have to continuously monitor for the thousands of potential signals that might indicate a breach (or an attempt) and, where possible, automatically respond to threats in real time. To do this we need an intrusion detection platform.
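To make the idea of "signals" concrete, here is an added example (our own illustration, not code from the original post and not Sandfly's own checks) of two small Linux host checks of the kind a detection platform runs continuously: correlating a burst of failed SSH logins with a subsequent success from the same address, and flagging running processes whose binary has been deleted from disk or that execute from a scratch directory such as /tmp. The auth.log lines and the process snapshot are constructed sample data so the script runs offline; the hostnames, addresses, PIDs and paths in them are made up. `snapshot_procs` reads the same fields from a live `/proc` on a Linux host.

```python
"""Two host-intrusion checks run over constructed sample data (added example)."""
import os
import re
from collections import defaultdict

# Constructed sample sshd lines from /var/log/auth.log; not from any real host.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 web1 sshd[4821]: Failed password for root from 203.0.113.9 port 51012 ssh2
Mar 10 02:14:03 web1 sshd[4821]: Failed password for root from 203.0.113.9 port 51013 ssh2
Mar 10 02:14:05 web1 sshd[4823]: Failed password for invalid user admin from 203.0.113.9 port 51015 ssh2
Mar 10 02:14:06 web1 sshd[4825]: Failed password for deploy from 203.0.113.9 port 51016 ssh2
Mar 10 02:14:08 web1 sshd[4825]: Failed password for deploy from 203.0.113.9 port 51017 ssh2
Mar 10 02:14:09 web1 sshd[4827]: Accepted password for deploy from 203.0.113.9 port 51018 ssh2
Mar 10 02:20:44 web1 sshd[4901]: Accepted publickey for ops from 198.51.100.4 port 40022 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+)"
)


def brute_force_then_success(log_text, threshold=5):
    """Return (ip, user) pairs where an address accumulated at least `threshold`
    failed logins and then logged a successful one: the classic signature of a
    credential-guessing script that got in."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append((ip, user))
    return hits


# Constructed process snapshot: pid -> target of /proc/<pid>/exe and the cmdline.
# A real kernel thread has no exe link (readlink fails), so exe is "" for it.
SAMPLE_PROCS = {
    612: {"exe": "/usr/sbin/sshd", "cmdline": "/usr/sbin/sshd -D"},
    1987: {"exe": "/usr/bin/python3.11", "cmdline": "python3 /srv/app/app.py"},
    2304: {"exe": "/tmp/.x/kworkerds (deleted)", "cmdline": "[kworkerds]"},
    2310: {"exe": "/dev/shm/.s/miner", "cmdline": "./miner -o pool:3333"},
    2: {"exe": "", "cmdline": ""},  # genuine kernel thread (kthreadd)
}

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_processes(procs):
    """Return [(pid, [reasons])] for processes that show signs of a dropped and
    hidden payload: the executable was unlinked after launch (the kernel still
    reports the path with a ' (deleted)' suffix), it runs from a world-writable
    scratch directory, or a userland binary disguises itself as a kernel thread
    by setting a bracketed argv[0]."""
    findings = []
    for pid, info in sorted(procs.items()):
        exe, cmdline = info["exe"], info["cmdline"]
        reasons = []
        if exe.endswith(" (deleted)"):
            reasons.append("binary deleted from disk")
        if exe.startswith(SCRATCH_DIRS):
            reasons.append("runs from scratch directory")
        if cmdline.startswith("[") and exe:
            reasons.append("userland process masquerading as kernel thread")
        if reasons:
            findings.append((pid, reasons))
    return findings


def snapshot_procs():
    """Collect the same fields from a live /proc (Linux only)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel thread, or the process exited while we looked
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            continue
        procs[pid] = {"exe": exe, "cmdline": cmdline}
    return procs


if __name__ == "__main__":
    print("brute force then success:", brute_force_then_success(SAMPLE_AUTH_LOG))
    print("suspicious processes:", suspicious_processes(SAMPLE_PROCS))
```

Both checks deliberately work from the live state of the host (the log as it stands now, the process table as it stands now), because an intruder who wipes auth.log cannot also unlink the `(deleted)` marker the kernel keeps for a running binary; a platform like Sandfly runs many such checks together so that erasing one source of evidence does not erase them all.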
Introducing Sandfly
Sandfly is an intrusion detection and incident response platform that we are using to monitor all CareHQ servers. We chose Sandfly for a number of reasons, including:
- Sandfly is purpose-built for Linux, the operating system we develop and run CareHQ on.
- Sandfly is agentless: it runs on a separate dedicated server rather than installing software on the monitored hosts, which makes it harder for attackers to detect or counteract the platform and ensures that CareHQ's performance isn't impacted.
- Sandfly runs thousands of threat detection tests in real time, 24/7, and can detect and respond to an intrusion in minutes instead of the weeks, months or even years it might take if we relied on manual checks.
- We can write custom threat responses for Sandfly, allowing us to determine the steps taken for any given threat based on the perceived risk.
Installing Sandfly immediately provided additional protection for your data, and over the next few weeks, as we further configure the platform, that protection will continue to improve.