Putting a Canary in your Data Mine

Despite having many monitoring and detection tools, many companies fail to identify attackers that have gained a foothold within their networks. Many times, a company is only aware of a breach after a 3rd party has informed them.

It’s not that current tools can’t catch an attacker’s lateral movement within the network. Rather, the relevant alerts hide in a mountain of other alerts, all competing for analysts’ attention.

Technologies like security analytics and machine learning are getting more accurate. But they still lack the absolute certainty needed to respond, creating a scenario where more data isn’t the answer.

Rather, like miners that would carry caged canary birds with them into the mines, one reliable early warning system is needed. If there was a leakage or a buildup of dangerous gasses, the canary would die first – giving the miners a chance to escape.

Taking this concept, South Africa-based Thinkst Applied Research has created a digital equivalent with its Canary offering.


Canary is a small form hardware device that can be configured to mimic a number of devices such as a Windows file server, a Linux web server or Cisco/Dell switches. Once deployed on the network, it hosts services that make it virtually indistinguishable from the real devices it’s mimicking.

Because there is no legitimate need for anyone to connect to, probe or otherwise interact with these devices, any attempt to do so will generate an alert. These alerts point to an extremely high likelihood of malicious activity. In essence, Canary is a portable honeypot on your network. From that perspective, one could argue that the technology is not particularly new or groundbreaking. That may be the case, but Canary brings honeypot technology to the masses: technology that most companies don’t have the resources to deploy.

Thinkst Canaries would fall under the group of “mixed-interaction” honeypots, with some services simply mimicking a banner or service handshake, while others offer full, expected, service functionality.
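The low-interaction end of that range can be sketched in a few lines. This is an added example, not Thinkst's code: a listener that presents a service banner and turns every connection into one high-severity alert. The decoy profile, port, banner text and function names are hypothetical.

```python
import json
import socket
import time

# Constructed decoy profile: the name, port and banner are illustrative values.
DECOY = {"name": "ssh-decoy", "port": 2222, "banner": b"SSH-2.0-OpenSSH_8.9\r\n"}

def handle_connection(conn, peer, decoy=DECOY, timeout=3.0):
    """Send the decoy banner, capture the client's first bytes, return an alert."""
    conn.settimeout(timeout)
    first = b""
    try:
        conn.sendall(decoy["banner"])
        first = conn.recv(256)          # never parsed or acted on, only logged
    except OSError:                     # timeout or reset: the touch still counts
        pass
    finally:
        conn.close()
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "decoy": decoy["name"],
        "src_ip": peer[0],
        "src_port": peer[1],
        "first_bytes": first.decode("latin-1"),
        "severity": "high",             # no legitimate client should ever connect
    }

def serve(decoy=DECOY, bind="0.0.0.0", emit=print):
    """Accept connections one at a time; each accepted connection is one alert."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, decoy["port"]))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            emit(json.dumps(handle_connection(conn, peer, decoy)))

if __name__ == "__main__":
    serve()
```

There is no allow-list or scoring step: the alert is raised on contact alone, which is what keeps it out of the pile of lower-confidence alerts.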

Thinkst says it has spent considerable effort to bring a honeypot to the market that can be deployed in “four minutes or less” and that can be deployed by junior staff. A Canary starter pack costs $5,000 and includes the console and two devices. Further Canary devices are available at $1,000 per device per year.


Buzzwords, bandwagons and advanced persistent threats. It’s somewhat surprising to see a product that doesn’t try to tick any of these boxes. Instead, what we have with Canary is a simple yet effective product that is focussed on solving one problem, and trying to do it well.

I really like the approach Thinkst has taken with Canary. It democratises honeypots to a large degree. Additionally, it gives a realistic and workable offering to detect malicious activity inside a network at an affordable price point.

Canary already claims an impressive roster of clients, so the company should look to build up public case studies where customers discuss the success they’ve had with the product. A natural progression for the offering would be to include functionality for cloud applications, something the company says is on its roadmap.

Ample partnership opportunities exist for Canary. It provides a natural fit with SIEMs or other monitoring technologies inside a SOC. It could also partner with network hardware vendors, to prevent companies needing to deploy and manage another separate box.

The potential exists to include increased functionality such as machine learning or profiling of attackers. But that would increase the complexity of the product and pit it against a broader set of competitors. Thinkst would be better off resisting the temptation to do so and retaining its focus on high-quality alerts that pinpoint malicious activity in the network.