Here is a detailed summary of the recent podcast episode featuring Craig Rowland, the Founder and CEO of Sandfly Security. The discussion was co-hosted by Tim Peacock with a brief introduction by Anton Chuvakin. The primary focus of the conversation was on agentless endpoint security, specifically for Linux environments, and the evolving threat landscape for these systems.
Introduction and The Agentless EDR Debate
The episode began with an opening discussion on the concept of agentless EDR. Anton Chuvakin, a former Gartner analyst and an originator of the EDR concept, provided historical context. He noted that in the early days of EDR, there was a significant internal debate among Gartner analysts about whether a product could be considered a true EDR solution without a persistent agent. The key argument against agentless EDR was its inability to collect certain types of real-time telemetry, such as live memory data.
Chuvakin concluded that while there are certainly "cons" to the agentless approach, such as a lack of continuous, real-time visibility, the approach also presents "pros" and can still be considered a valid form of EDR. This established a foundation for the main conversation, setting up the premise that agentless security is a viable and important topic, particularly for the diverse and complex world of Linux.
The Sandfly Story: A Theory of Defense for Linux
Craig Rowland was then introduced and asked to explain his company's approach to Linux security. Rowland's core premise is that "Linux is an umbrella term" that encompasses a vast range of systems, from large cloud GPU clusters to tiny, low-power devices like a Raspberry Pi. He highlighted that a traditional kernel-level agent or eBPF-based solution is often incompatible or difficult to deploy across this wide variety of distributions, kernels, and CPU architectures (Intel, AMD, ARM, MIPS, IBM Power, and IBM S390, etc.).
This technical fragmentation, Rowland explained, led to the development of an agentless solution to achieve "total, complete compatibility" and stability across these diverse environments. The Sandfly approach involves connecting to a system via SSH and running a small, purpose-built Golang binary on demand. This binary performs forensics and collects data about the system's state, which is then analyzed off-host. While this method sacrifices real-time visibility, it gains stability and avoids the risk of an agent interfering with mission-critical systems.
Beyond traditional EDR functions, Sandfly's agentless approach allows for other unique capabilities, including:
SSH key tracking: Monitoring for the movement or misuse of SSH keys.
Password auditing: Identifying weak or exposed passwords.
Drift detection: Spotting any changes to the system's state, such as new processes, users, or services.
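The drift detection and SSH key tracking described above can be illustrated with an added example (not Sandfly's code): two constructed snapshots of a host's account list and per-user authorized_keys, as an on-demand collector run over SSH might gather them, are diffed to surface new accounts, new UID-0 accounts that are not root, and SSH public keys that appeared since the baseline.

```python
# Added example, not Sandfly's code. Snapshots below are constructed sample data
# in /etc/passwd format plus a per-user list of authorized_keys entries.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
backup2:x:0:0::/var/tmp:/bin/bash
"""
BASELINE_KEYS = {"deploy": ["ssh-ed25519 AAAAC3...baseline deploy@ci"]}
CURRENT_KEYS = {"deploy": ["ssh-ed25519 AAAAC3...baseline deploy@ci",
                           "ssh-rsa AAAAB3...unknown@laptop"]}


def parse_passwd(text):
    """Map username -> (uid, login shell) from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = (int(uid), shell)
    return users


def account_drift(baseline, current):
    """Report added/removed/changed accounts and new UID-0 accounts other than root."""
    old, new = parse_passwd(baseline), parse_passwd(current)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(u for u in old.keys() & new.keys() if old[u] != new[u])
    rogue_uid0 = sorted(u for u in added if new[u][0] == 0 and u != "root")
    return {"added": added, "removed": removed,
            "changed": changed, "rogue_uid0": rogue_uid0}


def key_drift(baseline, current):
    """Report, per user, SSH public keys present now but absent from the baseline."""
    drift = {}
    for user, keys in current.items():
        new_keys = sorted(set(keys) - set(baseline.get(user, [])))
        if new_keys:
            drift[user] = new_keys
    return drift
```

Because both snapshots are plain text gathered on demand, the same comparison works unchanged across distributions and CPU architectures, which is the compatibility argument made above.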
The Linux Threat Landscape: A Misunderstood Frontier
Rowland addressed the common misconception that Linux is inherently more secure than Windows, or that it faces fewer threats. He characterized Linux as the "ignored stepchild" of cybersecurity, where security teams are often understaffed and lack the necessary expertise to monitor Linux deployments effectively. He cited a striking example of a three-person team responsible for securing 100,000 Linux VMs.
He further elaborated on the nature of Linux attacks, noting that attackers often leverage the fact that "Linux is a programming language," not just an operating system. This allows them to chain together a series of benign, built-in commands to perform malicious actions, a practice often referred to as "living off the land." The bespoke nature of many Linux deployments also makes it harder for automated ransomware attacks to succeed, forcing attackers to be more custom and patient in their approach.
A significant part of the conversation was dedicated to the threat of stolen credentials and SSH keys. Rowland explained that once an attacker gains a foothold, they will often crawl the system for private keys and SSH configuration files, allowing them to move laterally across the network while appearing as a legitimate user.
He also provided a fascinating example of an advanced nation-state backdoor called BPFDoor, which uses a Berkeley Packet Filter to listen for "magic packets" on a host. Upon receiving a specific packet, it reconfigures the firewall to forward traffic to a hidden shell, making its malicious communication appear as legitimate traffic on a commonly used port like 443.
Trade-offs and The Role of AI in Linux Security
The discussion then pivoted to the practical trade-offs between agent-based and agentless security, and how to help customers navigate this choice. Rowland's strategy is to position Sandfly as a solution for environments "where agents can't be," such as in highly varied, mission-critical, or legacy systems where a traditional agent would be too risky or unstable. He emphasized that Sandfly's ability to provide "very certain" alerts and deeper forensic context after an attack is often more valuable than a flood of real-time telemetry that a less mature security team cannot process effectively. He used the example of an agent alerting on a log file being modified versus Sandfly's ability to show that a specific entry was overwritten to hide an attacker's presence.
On the topic of AI, Rowland highlighted its potential to significantly aid blue teams. Sandfly has integrated AI, specifically the Gemini LLM, to analyze forensic data and provide security teams with actionable recommendations. He praised Gemini's ability to provide high-quality, confident answers when given good data. Rowland shared a compelling anecdote about using the Gemini LLM to decode BPF bytecode in 30 seconds, a task that took a human analyst half a day to complete.
He also cautioned against the misuse of AI, noting that it can provide "very confident, wrong answers" with bad data. Rowland believes AI will not replace human security analysts but will instead accelerate their ability to ask the right questions and respond to threats faster. Looking ahead, he anticipates that attackers (red teams) will also leverage AI to make their attacks more automated and efficient.
Conclusion and Final Recommendations
To conclude the episode, Rowland offered two key recommendations for listeners to improve their Linux security game:
Recommended Reading: He stressed the importance of coding knowledge for anyone in InfoSec, particularly Linux security. His recommended reading includes books on C, Python, and shell scripting, as well as books on Linux system fundamentals and TCP/IP networking.
Level-Up Tip: His final tip was to leverage AI systems to accelerate analysis, noting that if you know the right questions to ask, these systems can provide a huge advantage.
Timeline of Key Discussion Topics
Introduction and The Agentless EDR Debate: Tim Peacock and Anton Chuvakin discuss the historical and technical debate surrounding agentless EDR, with Anton highlighting the division among former Gartner colleagues on the topic.
The Sandfly Security Approach: Craig Rowland introduces Sandfly Security and its agentless strategy, emphasizing the challenges of deploying agents across a diverse range of Linux systems and the benefits of their on-demand SSH-based forensics.
The Nuances of Linux Threats: The conversation shifts to the Linux threat landscape, debunking the myth that it's inherently more secure. Rowland explains how attackers "live off the land" by chaining benign commands and the danger of stolen SSH keys.
BPFDoor and Advanced Threats: Rowland provides a detailed example of the BPFDoor backdoor, explaining how it uses a Berkeley Packet Filter to perform stealthy command and control communications.
Agentless vs. Agent-Based Trade-offs: The hosts and guest discuss the pros and cons of agentless security, with Rowland explaining how Sandfly's after-the-fact analysis provides more actionable and definitive context for security teams.
The Integration of AI: Rowland shares how Sandfly uses AI, specifically the Google Gemini LLM, to enhance its forensic analysis and provide recommendations to customers, citing its ability to accelerate complex tasks like reverse engineering.
Future of AI in Security: The discussion concludes with predictions about how both blue teams and red teams will leverage AI to become more efficient, and the importance of human expertise to guide these systems.
Final Recommendations: Craig Rowland provides his recommended reading list and a final tip for leveling up Linux security skills.