How Sandfly Works
Visibility in Seconds
Sandfly is an agentless and scalable solution that can find compromised Linux hosts without the need for specialized Linux skills. With Sandfly, you simply point it at the hosts you want protected and it will monitor them for intruders and malicious activity.
Sandfly runs on all versions of Linux, including cloud and virtual systems, on premise, and on stripped down embedded systems supporting Internet of Things (IoT) and Industrial Control Systems (ICS). Sandfly also scans inside Docker containers for attacks attempting to replicate in those images, giving you the widest coverage available for Linux.
Sandfly only requires SSH which runs on most Linux systems. Sandfly has been tested on the following Linux distributions plus many more:
Sandfly will protect most Linux variants and versions running Intel, AMD, Arm or MIPS CPUs without any special modifications.
Sandfly is flexible, integrates easily and can be driven by administrators using other security platforms of their choice. Sandfly offers a full library of REST-based APIs to support various functions and connectivity requirements.
Sandfly can send events over syslog to log aggregation systems or SIEM of your choice. We can also export events directly to an Elasticsearch database or use our Splunk App to send data directly into Splunk.
Sandfly was developed on cloud infrastructure and works immediately at places like Amazon AWS, Azure, Digital Ocean, Linode, etc. But in reality, Sandfly doesn’t care where your Linux hosts are located. As long as the Linux systems allow SSH access, Sandfly can protect them immediately. Whether it’s in the cloud, on your own network, in Docker images, part of an ICS system, or any other configuration, Sandfly will tirelessly monitor for suspicious activity.
Sandfly is fully Dockerized and sets up in minutes. You need two systems capable of running Docker with these minimum requirements:
A Server with 2GB or more of RAM running Linux (depending on your install size). This computer will be running the REST API and database.
A Node with 2GB of RAM running Linux. A Node system can run multiple node containers for performance and redundancy. You can spin up a large number of node containers to handle very large installations without any trouble. Each node can scan 500 systems at a time so you can cover thousands of hosts very easily.
Sandfly is easy to set up and immediately begins hunting and discovery operations within seconds after you add a host. See the setup video here.
Sandfly uses purpose-built forensic engines to detect Linux attacks. Once the presence of malware is detected, investigators can drill down to see detailed forensic data on the attack processes and activities for a picture of the entire exploit and its impact.
The average sandfly takes under one second to scan a Linux system. A swarm of sandflies can typically assess a system in under 15 seconds and then vanish without a trace. Sandflies have minimal system impacts because they don’t require agents that connect into the kernel.
The system will select Sandfly Investigations to run based on a random schedule and in random quantities. Each sandfly looks for a particular problem (such as suspicious processes or users) and reports back findings. These activities are correlated against other tactics discovered by other sandflies, such as a process embedded through a stealth rootkit.
We recognize that many organizations have spent tremendous amounts of money to secure their data and do not want it sent out to third parties for analysis. Sandfly does not send your data out to us or any other third-party. Search and analysis occur locally on your systems – not on anyone else’s. Sandfly runs perfectly fine on air-gapped and tightly regulated networks on premises or in the cloud.