Sandfly Operation

Sandfly Security is proud to be part of the Vodafone Xone Accelerator Program.

Go from vulnerable to protected in under 60 seconds.

Sandfly was designed to be fast to set up and use. Our approach ensures that remote systems can be protected quickly and that monitoring has virtually no resource impact on them. Below you can see the steps needed to begin protecting your Linux infrastructure today.

Fast Setup for Fast Results

Dashboard

The Sandfly dashboard is simple: green means all is well, red means there is a problem. Sandflies are written to not bother you with false alarms. If there’s an alert, it’s probably important.

Screenshot: Sandfly Security Dashboard

Add Hosts

Adding hosts to Sandfly is simple and fast. You can add a list of IP addresses or a netblock, and Sandfly will scan it and automatically add the hosts it was able to log in to. You don’t need to do anything on the hosts you want monitored other than provide valid SSH credentials. SSH credentials are stored securely with public key encryption in a way that ensures users cannot access them once they have been added to the system.

View Hosts

After hosts are added, you can view operating system details about each one. This is useful for inventory and baseline purposes during an investigation.

Screenshot: Sandfly Security Host Viewer

Scan

You can now perform an initial manual scan to make sure everything looks fine on your systems. Sandfly will run the selected sandflies across the hosts and report back findings. No news is good news.

You can run scans manually whenever you like. However, the real power of Sandfly comes from the next step, where you schedule sandflies to run automatically across all your hosts.

Screenshot: Sandfly List

Random Scheduler

Sandfly was designed from the ground up to search for attackers. As part of this, scanning is fully automated and randomized to make evasion more difficult.

Because of this, the scheduling system in Sandfly works differently from what you may be used to. Instead of scheduling big monolithic scans at 3AM each morning, for instance, you tell Sandfly to schedule small, fast, random investigations that happen all day long.

Dividing compromise detection into small random tasks is the best way to provide security coverage that won’t crater your remote systems the way monolithic scanners can. In fact, the impact on your hosts from randomly scheduled sandflies is so low that you can run very frequent scans throughout the day and never notice they are happening. Best of all, it’s also the best way to get the most complete security coverage possible.
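To make the scheduling argument above concrete, here is an added Python sketch (not Sandfly’s own code) that contrasts a randomized schedule of small per-host checks with a single monolithic scan and measures per-host concurrency and coverage. The hosts, check names and five-second task duration are constructed for the illustration.

```python
import random
from collections import defaultdict

# Constructed inventory: hypothetical hosts and check names modelled on the page's alert examples.
HOSTS = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
CHECKS = ["utmp_log_tampering", "tampered_login_shell", "php_reverse_bindshell"]
TASK_S = 5  # assumed duration of one small check, in seconds


def random_schedule(hosts, checks, window_s=86400, runs_per_check=4, seed=None):
    """Spread every (host, check) pair `runs_per_check` times across the window at
    random start times, never overlapping two tasks on the same host.
    Returns a list of (start_s, host, check) sorted by start time."""
    rng = random.Random(seed)
    plan = []
    for host in hosts:
        busy = []  # start times already assigned to this host
        for check in checks:
            for _ in range(runs_per_check):
                for _attempt in range(1000):  # retry until a free slot is found
                    start = rng.uniform(0, window_s - TASK_S)
                    if all(abs(start - b) >= TASK_S for b in busy):
                        busy.append(start)
                        plan.append((start, host, check))
                        break
                else:
                    raise RuntimeError(f"no free slot left on {host}")
    return sorted(plan)


def monolithic_schedule(hosts, checks, start_s=3 * 3600):
    """The conventional '3AM scan': every check fires on every host at once."""
    return sorted((start_s, host, check) for host in hosts for check in checks)


def peak_per_host_concurrency(plan):
    """Largest number of tasks running simultaneously on any single host."""
    starts_by_host = defaultdict(list)
    for start, host, _ in plan:
        starts_by_host[host].append(start)
    peak = 0
    for starts in starts_by_host.values():
        for s in starts:
            peak = max(peak, sum(1 for t in starts if t <= s < t + TASK_S))
    return peak


def coverage(plan):
    """How many times each (host, check) pair is scheduled in the window."""
    counts = defaultdict(int)
    for _, host, check in plan:
        counts[(host, check)] += 1
    return dict(counts)
```

With the constructed inventory, the randomized plan keeps one task at a time per host while still running every check four times a day, whereas the monolithic plan hits each host with all three checks at once.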

View Alerts

Sandfly has an easy-to-use forensic viewer for when alerts are detected. Sandfly always provides a plain English description of the issue, with supporting details, to put you onto intruders quickly. Below are three examples of problems that were detected.

Screenshots: Forensic Viewer showing utmp log tampering, a PHP reverse bindshell backdoor, and a tampered login shell

Monitor

Once you set up a random schedule, you can configure email alerts or send syslog output to your favorite log monitor. Sandfly syslog alerts contain rich structured data of the results that is identical to what you see in the Sandfly UI. This means what you see in our UI will be the same as what you see in Splunk, Logstash, Graylog, etc. For example, below is a snippet of Sandfly syslog output in Graylog.

Screenshot: Sandfly Security Graylog syslog output

Leave Sandfly to Work

Sandfly is designed to automatically prune its databases and take care of other internal maintenance tasks unattended. It will keep an eye on your hosts and send out any alerts if it finds a problem. You can go back to doing other things and let Sandfly stand guard.

If you receive alerts, they will contain a wealth of information about the attack, including a plain English explanation of what is going on along with detailed forensic data. Your security team can then determine the best course of action to take. Sandfly is careful not to alter anything on disk, so forensic data is not compromised if it is needed later.