Surveyor: The Swiss Army Knife for EDR

A supply chain attack on SolarWinds and exploitation of Exchange zero-days have been two of the biggest security stories in recent memory. In both cases, public and private sector organizations published hundreds of IoCs, leaving individual security teams to sort out whether they were affected and to what extent.

This presents a complicated, two-part problem. To determine if your company was affected, you have to collect long lists of indicators from multiple, disparate sources—and then you have to search for these IoCs across your environment.

Surveyor is an open source tool that solves both problems. It interacts with EDR tools and includes definition files that consist of signatures, processes, and other indicators. The tool and definitions together empower security teams to take inventory of software usage and validate threats across their environment. When the SolarWinds and Exchange IoCs dropped, we created definitions files that vastly expedited the process to determine impact.

Those are just two use-cases for Surveyor. We originally created it to streamline the way that Red Canary’s incident handlers queried Carbon Black environments to baseline normal and abnormal activity. Since then, we’ve made it open source, added new definitions files, and expanded it to support Microsoft Defender for Endpoint.

In this talk you’ll learn what Surveyor is, how your security team can use it to sort out what’s normal and what isn’t, and how you can become a contributor!