Why You Must Monitor Linux for Signs of Intruders

When Sandfly Founder Craig Rowland was brought in to do his first penetration test many years ago, one of the first systems he broke into was a Unix system that had an uptime of four years. The box was unmonitored, unpatched and unknown, just sitting on the network with nobody touching it.

He used that box to bring over other tools and spread all around the enterprise without anyone noticing. This episode made it clear to him how important it is to have security monitoring on all systems on a network no matter what.

In this video, Craig explains why having no active intruder monitoring on Linux is a very bad idea and why you should be watching your Linux boxes for active intruders all the time.

The reason we focus on Linux at Sandfly is to bring active hunting for intruders to Linux, which is notoriously under-monitored for a variety of reasons. We use an agentless approach so you can have visibility into Linux systems where you normally wouldn’t be able to load any software on the endpoint.