I have had a number of recent debates regarding the merits of the much-talked-about Canary. (You may have read about it in previous blogs or listened to Thinkst CEO Haroon Meer on the Risky Business podcast.)
The concept is really simple: you stick it on a network, make it look like any other device on that network, and set it up so that it appears to contain tempting files that would-be attackers are likely to be drawn to. Any attempt to access them leads the Canary to 'chirp', which signals an alert and hopefully a reaction from your incident response (IR) team or IR service provider.
Most of the aforementioned discussions revolve around the argument that one should be focusing one's efforts on keeping the attackers at bay, with the Canary's mere presence a tacit admission that you have been defeated. It should be a solution of last resort, with some contesting that there is probably a lot more that could be done before turning to the humble Canary.
To others, its mere simplicity is difficult to contend with. Surely there has to be a catch, since no cyber security solution is worth its salt unless it fries the brains of those who run the business and will ultimately be asked to fund it!
Personally, I believe that our industry has the potential to 'cry wolf' once too often. Indeed, I was speaking to a prospect a few weeks back who said he needed something that meant he could go to senior management when it really mattered. Flagging up every issue just to be safe garnered a response along the lines of 'come back to me when you are absolutely sure.' So herein could lie the problem. Data breaches are going long unreported because they are either not spotted or, where suspicions are aroused, time is wasted validating whether or not the attack is for real. In either case, knowing when matters, through the chirp of a Canary, makes absolute sense?
The fact of the matter is that the Canary goes against the grain; it disrupts things by dint of the fact that it is so simple. The concept and the name just happen to resonate with the way the layman is likely to think.
Indeed, with most businesses woefully under-skilled and understaffed where cyber security is concerned, what is there not to like about a Canary? Especially with GDPR breathing down our necks, which, aside from the 72-hour breach notification obligation, will require businesses to fess up or face a wave of punitive fines that no cyber insurance policy will ever cover!
So, in an industry that caveats every solution with 'there are no silver bullets', we have to make sure that when we have been out-foxed, we are quick to recognise that this is the case.
The insurance that companies rely on for data privacy and cybersecurity is important, but it will not cover the fines and lawsuits if the breaches are deemed to result from negligence. It will also not cover loss of reputation. Thus, businesses need a plan for what to do when (not if) their security is compromised. The first part of this is realising that it has been compromised.