CfgMgmtCamp 2026 Ghent

Watch paint dry - Monitoring what doesn't change
2026-02-03, 16:00–16:25, B.1.036

Many monitoring solutions exist for tracking numbers and percentages that change: trends, outliers, spikes, and so on. However, what about things that don't change, or rather, shouldn't change? Many examples of these are relevant for security teams to know about. And since you don't expect them to change, any change is noteworthy.


In this talk I will discuss the idea, and launch my open source implementation of it. It uses PostgreSQL as the database, and has a modular architecture, so it is easy to expand it with the things you want to monitor. History and changes for each variable are tracked in the database, making it simple to implement new modules.

Some examples of things to track are: number of script tags on your website, checksum of a released version of software, commit SHA of a tag (version), number of unsigned / untrusted commits in a repo, number of admins in an organization, IP address (DNS entry) of your website, etc. When any of these change, it can be a signal of some kind of compromise or malicious activity, and a way to track and alert on these changes is useful.
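
A minimal sketch of the idea described above, added here as an illustration and not the speaker's implementation: two small "modules" (script tag count, release checksum) feed a history table, and only a changed value produces an alert. It uses Python's built-in `sqlite3` in place of PostgreSQL so it runs offline; the table layout, variable names and sample inputs are constructed assumptions.

```python
import hashlib
import sqlite3
from html.parser import HTMLParser

# Constructed sample inputs: the second page has one extra script tag.
PAGE_V1 = '<html><head><script src="/app.js"></script></head></html>'
PAGE_V2 = PAGE_V1.replace("</head>", '<script src="https://cdn.example.test/x.js"></script></head>')
RELEASE = b"constructed release artifact v1.0.0"

class ScriptCounter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.count = 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1

def script_tags(html):
    """Module 1: number of <script> tags, as text so all variables share one column."""
    parser = ScriptCounter()
    parser.feed(html)
    return str(parser.count)

def open_store():
    db = sqlite3.connect(":memory:")  # assumption: stand-in for the PostgreSQL database
    db.execute("CREATE TABLE history (id INTEGER PRIMARY KEY, variable TEXT NOT NULL,"
               " value TEXT NOT NULL, seen_at TEXT DEFAULT CURRENT_TIMESTAMP)")
    return db

def observe(db, variable, value):
    """Store a value only when it differs from the last one; return (old, new) on change."""
    row = db.execute("SELECT value FROM history WHERE variable = ? ORDER BY id DESC LIMIT 1",
                     (variable,)).fetchone()
    if row is not None and row[0] == value:
        return None  # unchanged: the expected case, nothing stored, no alert
    db.execute("INSERT INTO history (variable, value) VALUES (?, ?)", (variable, value))
    db.commit()
    return None if row is None else (row[0], value)  # first sighting is the baseline

def demo():
    db, alerts = open_store(), []
    for html in (PAGE_V1, PAGE_V1, PAGE_V2):  # three polling rounds
        checks = {"site.script_tags": script_tags(html),
                  "release.sha256": hashlib.sha256(RELEASE).hexdigest()}  # module 2
        for name, value in checks.items():
            change = observe(db, name, value)
            if change:
                alerts.append((name,) + change)
    return alerts

if __name__ == "__main__":
    print(demo())
```

Because unchanged values are never re-inserted, the history table stays small and every row after the first for a variable is itself a record of a change.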

Works for Northern.tech, the company behind CFEngine, Mender, and Alvaldi. Passionate about open source, information security, privacy, automation, and monitoring.