How Sandfly Works
Visibility in Seconds
Sandfly is an agentless, scalable solution that finds compromised Linux hosts without requiring specialized Linux skills. You simply point Sandfly at the hosts you want to protect and it monitors them for intruders and malicious activity.
Sandfly runs on all versions of Linux, whether on cloud or virtual systems, on premises, or on stripped-down embedded systems supporting Internet of Things (IoT) and Industrial Control Systems (ICS). Sandfly also scans inside Docker containers for attacks attempting to replicate within those images, giving you the widest coverage available for Linux.
Sandfly Security is proud to be part of the Vodafone Xone Accelerator Program.
Sandfly is flexible, integrates easily, and can be driven by administrators from other security platforms of their choice. Sandfly offers a full library of REST-based APIs covering its functions and connectivity requirements.
Sandfly can also send events out over syslog to log aggregation systems, send events natively to an Elasticsearch cluster, and, through the Sandfly Splunk App, deliver alerts directly into Splunk.
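When you forward Sandfly events over syslog into your own aggregation pipeline, the first thing that pipeline has to do is decode the syslog envelope (priority, timestamp, host, application) before it can route or alert on the body. The following parser is an added example written for this page; it is not Sandfly's code and does not reflect Sandfly's actual event format. It handles both RFC 5424 and older BSD-style (RFC 3164) lines, decodes the PRI value into facility and severity, and treats the message body as JSON when it parses as such. The sample lines and the keys inside their JSON bodies (`alert`, `host`) are constructed for illustration and are assumptions, not Sandfly output.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility and severity names from RFC 5424 section 6.2.1 (PRI = facility * 8 + severity).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# BSD style (RFC 3164): <PRI>Mmm dd HH:MM:SS HOSTNAME TAG[PID]: MSG
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    app: str
    message: str
    payload: Optional[dict]  # decoded JSON body if the message is a JSON object, else None


def decode_pri(pri: int):
    """Split a PRI value into (facility, severity); raise on out-of-range values."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line; return None for lines that match neither format."""
    m = RFC5424_RE.match(line) or BSD_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    msg = m.group("msg")
    payload = None
    if msg.startswith("{"):
        try:
            decoded = json.loads(msg)
            if isinstance(decoded, dict):
                payload = decoded
        except json.JSONDecodeError:
            pass  # not JSON after all; keep the raw text
    return SyslogEvent(facility, severity, m.group("ts"), m.group("host"),
                       m.group("app"), msg, payload)


def actionable_events(lines: List[str], max_severity: str = "warning") -> List[SyslogEvent]:
    """Return parsed events at or above the given severity (lower index = more severe)."""
    limit = SEVERITIES.index(max_severity)
    events = (parse_syslog_line(l) for l in lines)
    return [e for e in events if e is not None and SEVERITIES.index(e.severity) <= limit]


# Constructed sample lines (not real Sandfly output); the JSON keys are assumed.
SAMPLE_LINES = [
    '<134>1 2023-06-01T12:00:00Z sandfly-server sandfly - - - '
    '{"alert":"process_masquerade","host":"web01"}',
    '<131>Jun  1 12:00:01 sandfly-server sandfly[1234]: scan failed for host db02',
    'not a syslog line at all',
]

if __name__ == "__main__":
    for ev in actionable_events(SAMPLE_LINES):
        print(f"{ev.severity:8} {ev.host} {ev.app}: {ev.payload or ev.message}")
```

Severity and facility are carried in the PRI field, so a SIEM rule such as "page on anything at `err` or above from the sandfly app" can be written against the decoded envelope without depending on the body format. Lines that fail both patterns are dropped rather than raising, which is the usual choice for a collector that must keep running on noisy input.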
Sandfly is fully Dockerized and sets up in minutes. You need two systems capable of running Docker, with these minimum requirements:
- A Server running Linux with 8GB or more of RAM (more for larger installs). This system runs the REST API and the Elasticsearch database.
- A Node running Linux with 2GB of RAM. A Node system can run multiple node containers for performance and redundancy.
You can spin up a large number of node containers to handle very large installations. Each node can scan 500 systems at a time, so thousands of hosts can be covered with a handful of nodes.
Sandfly was developed on cloud infrastructure and works immediately at providers such as Amazon AWS, Digital Ocean, and Linode. In practice, Sandfly does not care where your Linux hosts are located: as long as the systems allow SSH access, Sandfly can protect them immediately. Whether they are in the cloud, on your own network, in Docker images, part of an ICS system, or any other configuration, Sandfly will tirelessly monitor them for suspicious activity.
Sandfly is easy to set up and begins hunting and discovery operations within seconds of adding a host. See the setup video below.
Attack Pattern Analysis
Sandfly uses purpose-built forensic engines to detect Linux attacks. Once malware is detected, investigators can drill down into detailed forensic data on the attacking processes and their activity to build a picture of the entire exploit and its impact.
The average sandfly takes under one second to scan a Linux system. A swarm of sandflies can typically assess a system in under 15 seconds and then vanish without a trace. Sandflies have minimal impact on the monitored system because they run no resident agent and load nothing into the kernel.