Continuous monitoring

Concepts behind threat detection tech used by listen.dev

listen.dev is powered by a best-in-class introspection and detection engine that uses dynamic behavioural analysis (powered by eBPF) to capture context from the kernel up to the code.

How do you integrate with my stack?

listen.dev links with your workload by integrating what we call a monitor. Think of it as a lightweight sensor that operates standalone in a workload. It instruments the kernel through eBPF hooks and contains plugins that extend into your user space to capture workload-level context for correlation. Because it is lightweight, it can be dropped into an ephemeral workload at start time and observe events during the course of execution. It sends those events to a printer interface with a JSON API, so they can be forwarded to your interfaces (such as your GitHub PRs, incident response tools and SIEM) via webhooks.

What kind of harmful behaviors are detected?

There are two main threats from open source modules and from compromised workflows, dependencies, and build tools in your GitHub Actions environment:

  1. Exfiltration of credentials, source code and other sensitive data from the CI/CD system

  2. Tampering with code and artifacts at build time
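As an added example of how the monitor's JSON event stream described above can be correlated into the two threat classes just listed, the following script is not listen.dev's code and uses a constructed, hypothetical event schema (field names `ts`, `pid`, `comm`, `type`, `path`, `flags`, `host`, `port`); the allowlisted hosts, credential paths, artifact directory and build-tool names are assumptions standing in for a repository's own policy. It reads one JSON event per line, tracks which process has read a credential file, and flags (1) an outbound connection to a non-allowlisted host by a process that just read a credential as probable exfiltration and (2) a write into the artifact directory by a process that is not a known build tool as probable tampering.

```python
"""Correlate workload events into supply-chain alerts (added example).

Not listen.dev's code: the event schema, allowlists and sample stream are
constructed for illustration and stand in for a repository's own policy.
"""
import json

# Assumption: hosts a build step is expected to talk to.
ALLOWED_HOSTS = {"registry.npmjs.org", "github.com", "api.github.com"}
# Assumption: paths that hold CI credentials on the runner.
SECRET_PATHS = ("/home/runner/.npmrc", "/home/runner/.git-credentials", "/run/secrets/")
# Assumption: where build outputs land, and the processes allowed to write there.
ARTIFACT_DIR = "/home/runner/work/app/dist/"
BUILD_TOOLS = {"node", "npm", "tsc", "webpack"}

# Constructed sample stream, one JSON object per line, as a webhook receiver
# might see it. Hypothetical field names; real monitor output will differ.
SAMPLE_EVENTS = """
{"ts": 1, "pid": 41, "comm": "npm",  "type": "exec",    "path": "/usr/bin/npm"}
{"ts": 2, "pid": 41, "comm": "npm",  "type": "connect", "host": "registry.npmjs.org", "port": 443}
{"ts": 3, "pid": 57, "comm": "node", "type": "open",    "path": "/home/runner/.npmrc", "flags": "r"}
{"ts": 4, "pid": 57, "comm": "node", "type": "connect", "host": "203.0.113.7", "port": 443}
{"ts": 5, "pid": 57, "comm": "node", "type": "open",    "path": "/home/runner/work/app/dist/index.js", "flags": "w"}
{"ts": 6, "pid": 63, "comm": "curl", "type": "open",    "path": "/home/runner/work/app/dist/index.js", "flags": "w"}
{"ts": 7, "pid": 41, "comm": "npm",  "type": "open",    "path": "/home/runner/work/app/dist/bundle.js", "flags": "w"}
"""


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run the two correlation rules over an ordered event list; return alerts."""
    alerts = []
    secret_read_by = {}  # pid -> most recent credential path that pid opened for reading

    for ev in events:
        pid, kind, comm = ev["pid"], ev["type"], ev.get("comm", "?")
        path, flags = ev.get("path", ""), ev.get("flags", "")

        if kind == "open" and "r" in flags and path.startswith(SECRET_PATHS):
            # Remember that this process now holds a credential in memory.
            secret_read_by[pid] = path

        elif kind == "connect" and ev.get("host") not in ALLOWED_HOSTS:
            # Egress to an unexpected host; escalate if the process read a secret first.
            rule = "exfiltration" if pid in secret_read_by else "unexpected_egress"
            alerts.append({
                "rule": rule, "ts": ev["ts"], "pid": pid, "comm": comm,
                "host": ev.get("host"), "port": ev.get("port"),
                "secret": secret_read_by.get(pid),
            })

        elif kind == "open" and "w" in flags and path.startswith(ARTIFACT_DIR) \
                and comm not in BUILD_TOOLS:
            # A non-build process modifying build output is a tampering signal.
            alerts.append({
                "rule": "artifact_tampering", "ts": ev["ts"], "pid": pid,
                "comm": comm, "path": path,
            })

    return alerts


def run_sample():
    """Apply the rules to the constructed stream and return the alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The ordering matters: the rules are stateful, so events must be delivered in the order the monitor observed them. In a real deployment the allowlist and credential paths would come from the repository's own configuration rather than module-level constants, and the alert dicts are what would be posted to the PR, ticketing tool or SIEM via the webhook.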

Why aren't traditional approaches sufficient against supply chain attacks?

The supply chain threat landscape is evolving rapidly, with today's adversaries using increasingly sophisticated and novel methods to craft attacks. Meanwhile, the security tooling industry hasn't kept up.

  • Traditional dependency scanners and SCA tools work by referencing databases of known and publicly disclosed vulnerabilities (CVEs), so your security depends on how up to date those databases are.

  • If your dev toolchain contains unknown and unpatched vulnerabilities (e.g. a recent backdoor, malware or zero-day attack), in most cases the harm is already done before they are captured by CVE-based scanners, and it is too late to contain it.

Finding and patching only known vulnerabilities in your dependencies is a reactive approach and does not provide sufficient defense against modern supply chain attacks. Read more about the difference between known vulnerabilities and supply chain attacks in this blog post.
