00:56 Presenter Introduction
03:09 Webinar Agenda
04:18 What is Linux?
05:46 Why Does it Matter?
07:01 Why is Linux Complicated?
08:22 Challenges with Protecting Linux
09:53 Red Canary Linux EDR Solution
11:50 Discussion with Linux Experts
11:58 Why is Linux used so widely today?
13:50 “One thing that makes Linux so great is you can get in deep to the configuration of it – you can strip out all of the unnecessary stuff to focus on whatever the [production] server is supposed to be doing and that it’s doing it really well.” – Dave
14:20 What are the biggest obstacles to protecting Linux?
15:05 “Since Linux is often used to run highly available systems, production servers, or specialized systems like network or virtualization equipment, a lot of our customers are sensitive to including third-party code…so we have to take great care in what data we collect, what system resources we use, and what response actions we can take during an incident.” – Thomas
17:30 What are the biggest and most common threats to Linux?
18:33 “A lot of the threats we’ll see are coinminers, webshells, things that are trying to exploit databases, or other services that might be running on those systems.” – Dave
23:01 What’s unique about Red Canary’s approach to protecting Linux?
24:29 “We made some design decisions [for our Linux EDR solution] like using Rust because that’s a language known for developing lightweight and very fast code, and leveraging eBPF so that we can do a lot of the telemetry collection in the kernel which ends up being very fast.” – Dave
27:17 “The really nice thing about the method that we use [for our MDR service] is that we combine responsibilities to both review and detect threats within the same team, so we have a big incentive to drive down false positives and build very highly tuned detection logic.” – Thomas
28:03 How do you research or identify new Linux threats?
28:45 “One of the best sources of data we get is analyzing new threats that we see firsthand. When we identify attacks happening, then publish and adequately scope them, we’ll go back, revisit the behavior we saw, and try and shore up our coverage.” – Thomas
33:41 Linux Threat Investigation Demo
36:34 Key Takeaways
- Linux threats and attack vectors differ from their Windows and macOS counterparts.
- Linux is often the foundation of a production system, so disruptions or interference negatively impact the business.
- Red Canary’s Linux experts are on the front lines of Linux defense, researching and writing on the latest threats.
- Our lightweight Linux EDR sensor is built and optimized for Linux with minimal impact on the system.
39:12 Questions & Answers