Putting a Canary in your Data Mine

Despite having many monitoring and detection tools, many companies fail to identify attackers that have gained a foothold within their networks. Many times, a company is only aware of a breach after a 3rd party has informed them.

It’s not that current tools can’t catch an attackers lateral movement within the network. Rather, the relevant alerts hide in a mountain of other alerts all competing for analysts attention.

Technologies like security analytics and machine learning are getting more accurate. But they still lack the absolute certainty needed to respond, creating a scenario where more data isn’t the answer.

Rather, like miners that would carry caged canary birds with them into the mines, one reliable early warning system is needed. If there was a leakage or a buildup of dangerous gasses, the canary would die first – giving the miners a chance to escape.

Taking this concept, South Africa-based Thinkst Applied Research has created a digital equivalent with its Canary offering.


Canary is a small form hardware device that can be configured to mimic a number of devices such as a Windows file server, a Linux web server or Cisco/Dell switches. Once deployed on the network, it hosts services making them virtually indistinguishable from real devices its mimicking.

Because there is no legitimate need for anyone to connect, probe or otherwise interact with these devices – any activity to do so will generate an alert. These alerts would point to an extremely high likelihood of malicious activity. In essence Canary is a portable honeypot on your network. From that perspective, one could argue that the technology is not particularly new or groundbreaking. That may be the case, but Canary brings honeypot technology to the masses. Technology that most companies don’t have the resource to deploy.

Thinkst Canaries would fall under the group of “mixed-interaction” honeypots, with some services simply mimicking a banner or service handshake, while others offer full, expected, service functionality.

Thinkst says it has spent considerable effort to bring a honeypot to the market that can be deployed in “four minutes or less” and that can be deployed by junior staff. A Canary starter pack costs $5,000 and includes the console and two devices. Further Canary devices are available at $1,000 per device per year.


Buzzwords, bandwagons and advanced persistent threats. It's somewhat surprising to see a product that doesn't try to tick any of these boxes.
Instead, what we have with Canary is a simple yet effective product that is focussed on solving one problem - and trying to do it well. 

I really like the approach Thinkst has taken with Canary. It democratises honeypots to a large degree. Additionally, it gives a realistic and workable offering to detect malicious activity inside a network at an affordable price point.

Canary already claims an impressive roster of clients, so the company should look to build up public case studies where customers discuss success they've had with the product. 

A natural progression to the offering would be to include the functionality for cloud-applications. Something the company says is on its roadmap. 

Ample partnership opportunities exist for Canary. Providing a natural fit with SIEM's or other monitoring technologies inside a SOC. It could also partner with network hardware devices, to prevent companies needing to deploy and manage another separate box. 

The potential exists to include increased functionality such as machine learning or profiling of attackers. But that would increase the complexity of the product and pit it against a broader set of competitors. Thinkst would be better resisting the temptation to do so and retain its focus on high quality alerts to pinpoint malicious activity in the network.

Casting a Digital Shadow over Threat Intelligence

Stand alone pure-play threat intelligence firms have all started with great promise. But somewhere along the way, many have not fully realised their potential.
Recent notable threat intelligence vendor acquisitions
Target Acquirer Date Amount
Malcovery (key assets) PhishMe Oct 14 2015 Undisclosed
iSight Partners FireEye Jan 20 2016 $200m
Cyveillance LookingGlass Dec 10 2015 Undisclosed
Anubis Networks BitSight Technologies Oct 21 2014 Undisclosed
IID Infoblox Feb 8 2016 $45m
However, that’s not to say acquisition is the only exit or growth path for threat intel vendors. The key is in finding the best use-cases, at the right price points with the right quality of data.

Finding the right combination of these elements is not easy. A task made even more difficult by the fact that determining the quality of threat intel remains a specialist skill set. The elephant in the threat intel room, Norse Corp, serves as the perfect reminder of this.

In these uncertain times, Digital Shadows looks determined to buck the trend and announces $14m series B funding led by Trinity Ventures. and joined by Ten Eleven Ventures, Storm Ventures and Passion Capital. The round closes almost 12 months after it closed its $8m series A

Digital Shadows was founded in London, but today has a joint HQ out of London and San Francisco. Typically Series B rounds are all about scaling, so it’s expected the company will grow its headcount, invest in development as well as marketing.

The next 18 months will likely be the telling time for the company – and maybe for pure-play threat intel vendors as a whole. But a lot will rely on it continuing its momentum, growth and retaining customer interest.

Invotas acquired by the all-seeing FireEye

Despite its stock sinking to an all time low. Milpitas, CA-based FireEye acquired iSight Partners for $200m a few weeks ago.

iSight is somewhat complementary to Mandiant. But still left me with the feeling that the deal had a “hail Mary” feel to it.

FireEye didn’t stop to breath as it announced its acquisition of Invotas.

Target Profile

Invotas was a spin off from CSG international and was formally launched in February 2014.

Its product is an orchestration platform for SOCs, designed to integrate with most SIEM’s and networking monitoring tools. It allows analysts to bring up options within the SIEM itself to take actions. This is intended to save analyst time by performing backgound searches automatically and bringing relevant information to the fore.

In essence, at its core, security orchestrator is a cyber playbook. Capturing security-analyst workflows and deconstructing into a sequence of tasks, assigning roles and approval processes. Teams can then specify which tasks are should be automated and which will need analyst approval.

Deal Rationale

Incident response can be challenging. A lot of these challenges don’t come from the technology side. Rather, these come from a business and process level. For that Invotas makes a logical fit into FireEye’s core offerings and can help its customers better-manage incidents.

Much like the rationale behind ProofPoint’s acquisition of NetCitadel, FireEye can help reduce the time from incident alert to resolution.

The reduction in time from incident alert to resolution is the holy grail for many companies. In that regard, its somewhat surprising other companies didn’t move in to acquire Invotas sooner.


As many companies have found through history. Acquiring a technology is the easy part – integrating it in a timely and practical manner is quite another matter altogether.

Hexis Cyber Solutions, a spin off from KEYW, is probably the closest direct independent competitor to Invotas. It would make a good acquisition for any FireEye competitor wanting to match features.

But incident response as a whole is a crowded competitive space. FireEye will need to contend with Forensics vendors, SIEM providers as well as orchestration and change management vendors moving in the same space.

As a public company though, FireEye may be less worried about competitors. Its stock price was at a high just under a year ago at 54.23 and today lingers at 13.93. That may be too big a gap to buy its way out of.

Two hundred and fifty meeeeelion dollars!

If I were a betting man, I would have believed that Tenable was on its way to filing its papers for an IPO. After all, the company seemed to be growing organically nicely since its series A $50m round way back in 2012.

Known primarily for Nessus, its vulnerability management product, Tenable has evolved its offering over time. Security Centre built a series of inter-connected capabilities for continuous monitoring and analytics.

In a world filled with buzzwords of products surrounded by APT’s, nation-state espionage and Eastern European hackers for hire Tenable may not seem like its playing in an entirely commoditised area. Which may be correct, but truth be told, fundamental security is where most companies fail. Pick up a breach report and simple security hygiene is the cause of most losses.


A truly staggering and unprecedented $250m investment gives Tenable many options. It’s almost too big an amount for the company to fail – and that’s without having to worry about keeping the market happy had it gone down the IPO route.

With such a large investment, I expect to see acquisition(s) on the horizon – maybe even a big one. The right technology acquisition could help Tenable leapfrog its competitors both in terms of technical capability as well as breaking into new markets.

Like an episode of Jerry Springer

The security industry is known to be somewhat incestuous at times. The same faces can often be seen running, investing or purchasing companies.

Over the recent weeks and months though, some of the M&A activity reads like an episode of Jerry Springer.

In July of this year, HP declared the corporate-consumer marriage was no longer working and announced its intention to split into two companies.

Trend Micro sensed that TippingPoint was the unloved child in HP’s single-parent home and picked up all of TippingPoint’s products, 316 employees and 2300 customers for $300m.

A purchase that by all accounts was a bargain, considering HP acquired TippingPoint over 10 years ago from 3Com for $450m. The deal seems even more impressive when compared to Cisco’s acquisition of Sourcefire in 2013 for $2.7b

There’s a scene in the social network where Justin Timberlake’s character utters the quote, “A million dollars isn’t cool, you know what’s cool… a billion dollars”

I suspect that is what was going through Michael Dell’s mind as he sent waves through the industry when Dell acquired EMC for $67b  … the largest deal in tech history.

Dell was a public company until 2 years ago when it announced its acquisition by Michael Dell and Silver Lake Partners. Silver Lake Partners also recently joined forces with Thoma Bravo and took SolarWinds private for $4.5b.

For completeness sake, we also saw Thales acquire Vormetric for $400m

All that’s lacking are a couple of burly bouncers separating rival vendors whilst the crowd chants “Jerry! Jerry! Jerry!”


Within 12 hours of publishing this article, we just saw Cisco acquire Lancope for $435m.


Buying, selling, going public or going private - the IT security industry seems to be making money whichever direction it turns. But the general message seems to be one of consolidation. Dell said, “The IT marketplace wants fewer vendors, not more.” Trend Micro hopes the buyout will position it to become the “go-to enterprise security provider.”

This is all well and good, but acquiring a company and integrating the technologies are two very different propositions. Symantec tried for years to hold together its security and storage arms, but eventually conceded and split Veritas. Maybe EMC could have swapped RSA for Veritas at the time and both companies would have been a lot happier.

Whilst the IT market place may want fewer vendors - the strings attached to this is buyers want a simpler experience to accompany that. They want a technology stack that looks like it was cut from the same cloth - as opposed to a Frankenstein stitched together from various parts. That will be the biggest challenge if any of the mega-providers want to attain their desired vision.