All posts
Product

The full costs of building your own Canary Program

Andy Smith
February 24, 2025
February 27, 2025
5
min read
I am the text that will be copied.

At Tracebit, our goal is to bring canaries from the 1% to the 100% of security teams by making them a ‘no brainer’, easy and safe to deploy whilst producing a low volume of valuable, actionable security alerts.

In this article, I’d like to answer a question we hear fairly often which also gets at the core of why we founded Tracebit in the first place:

Canaries are a great idea, but why not just build them myself?

There’s a general 'build vs buy’ topic here, but there’s already some great writing on this subject - Rami McCarthy's discussions on challenges in security engineering and the Hammer and Nail trap are a great starting point. Moving beyond security we liked Teleport’s Build vs. Buy for Startups article and Amazon’s Buy vs. Build Revisited: 3 Traps to Avoid.

We founded Tracebit because we think canaries are incredibly valuable but generally represent undifferentiated work for a security team.

When it comes to canaries, we believe that teams often over index on their ability to deploy canary resources themselves, fail to tie the security canary program to concrete goals and underestimate all of the work required to build a robust, enduring security canary program.

Why there’s a bias to build canaries

Beyond 'build vs buy' there can be a bias to build canaries specifically, we've identified three sources for this bias.

In house skills

The best canaries - whether it’s a cloud bucket, API token, server, or anything else - look and feel exactly like the real thing.

A key source of this build bias is the fact that for any resource an organisation may wish to ‘canary’, they will already have people, process and technology for deploying these types of resource.

For example, if an organization has 500 S3 buckets, these two statements likely hold true:

  • It makes sense for that organisation to create canary S3 buckets.
  • The organisation is good at deploying S3 buckets.

So, organisations are usually already quite good at deploying the types of resources which it would be valuable for them to canary.

Specialist knowledge

The other factor is that there’s an assumption that the security team has their own unique knowledge about the systems and business that will make them perfectly placed to create more realistic canaries, be it naming schemes or sensitive project names.

Potential for canaries

Finally, there exists a pre-conception that there’s a ceiling on the number and types of valuable canaries available (e.g. it's just S3 Buckets or Credentials), as opposed to this being a valuable strategy across the organization that can apply to many different systems and applications.

Taking a step back with canaries: What do you want from canaries?

It's important to answer the 'why' of canaries, before asking 'how'.

Before jumping to how to build, we’d suggest that the first thing you consider is what success actually looks like for you in your security canary program.

This might sound obvious - but we’ve met many teams where the first step they took was “scatter canary credentials around” without aligning on the end goal, sometimes missing an opportunity to improve their security program at all.

We’d argue that this is why some canary programs fail to takeoff - they fizzle out because they aren't tied to any concrete security objectives or goals.

We’d suggest that you consider:

  1. The security outcomes you would like to achieve with the canary security program
  2. Where this would place you in terms of maturity in the different categories on the Security Canary Maturity Model

To save the click (though we’d recommend it), the security canary maturity model breaks down 3 levels of maturity:

  • Defined - Initial steps in to canaries taken
  • Managed - Maintainable program is in place
  • Optimized - Advanced program is in place

Security Outcomes and Canaries

To make this concrete, let’s take 3 example use cases that could be part of a team’s wider goals and consider their maturity level in the security canary maturity model (you can read a longer list here).

Security Outcome Maturity
Quickly test the impact of deploying canaries to understand any potential drawbacks and any initial signals from the environment. Defined
Close specific, known detection gaps in your environment that are too costly or noisy to handle with other techniques. Managed
Develop a defense in depth strategy that you can share with auditors, regulators and/or customers. Optimized

By thinking through the particular outcomes you wish to achieve and applying the security canary maturity model, you can quickly identify the level of maturity you likely wish to attain.

Our view is that when considering the desired outcomes it will generally become clear that implementing a security canary program at the Managed level is necessary as this is where real value of a canary program comes. It is also where significant work comes in.

The work to be done

H/T to Rami McCarthy's "Challenges in Security Engineering Programs"

So if we take this back to the start of the article - we’re still deploying canaries, these are still resources that an organisation will have the skills to deploy themselves, is this really going to take that much work?

The Security Canary Maturity Model does a great job of breaking down the various features you may or may not wish to build, many of which are actually quite tangential to just deploying those resource types or customising them to match your environment.

To help in your decision making, we wanted to draw on some themes from this model and consider the amount of work involved to implement them, and add some details and gotchas you may hit along the way.

Theme Description Requirements and Gotchas Effort Rating
Automated Onboarding As new environments deploy, it's important canaries deploy too.

 Picking meaningful canary names and settings for new environments without requiring manual effort.

Supporting new canary types or deployment regions as the business adopts new resources.

Integrating into existing infrastructure as code or other IT workflows.

Avoiding disruption to existing teams and work flows.		 🛠️🛠️🛠️🛠️
Automated Cycling and Updating It's important that your canaries get removed and replaced over time.

This helps keep attackers guessing, and with credentials or tokens it means that after they trigger, you replace them.		 Solving 'automated onboarding' helps here but also consider heuristics you may use to remove a canary - perhaps you decide the expiry up-front or if a certain number of hits engage it, you automatically cycle.
 🛠️🛠️🛠️
Monitoring and Testing Canaries don't alert very often - that's the whole idea - so how do you know for sure they're still in existence and your monitoring is still working? "Dead man's switch alerting" - consider end to end testing with heartbeats, to alert that there would be no alert. Consider also how you detect if this fails.

Explicit monitoring to see if the canary has been deleted or removed.		 🛠️🛠️🛠️
Cross Platform Support It likely makes sense to at first pick the system with the largest attack surface for your business (e.g. a specific public cloud - AWS) but likely there is more than just 1 cloud or other system that would get value from canaries. It may be that the team building the canary program requires upskilling on less popular systems in the company.
Sometimes those systems can be the ones for which it is most critical to deploy canaries.		 🛠️🛠️🛠️🛠️
Stealth Threat Actors and Insiders are increasingly looking for techniques to avoid canaries¹, it's important to avoid implementing 'tells' that allow detection and evasion of canaries (e.g. in docs or infrastructure as code). Meticulous design to avoid canary fingerprinting.

Avoiding or limiting references to specific canaries in the code, ticketing system and internal wiki.

Separating the monitoring of the canaries as much as possible to avoid obvious 'tells'.

Iterating your canary design as new evasion techniques are developed.		 🛠️🛠️
Tuning The promise of a canary is low noise, high signal. To deliver on that promise it's important to tune out automated and manual processes that will interrogate them. Building and maintaining an allowed list of 'known vendors' that we expect to hit the canaries (e.g. CSPM, EDR).

Supporting a manual exclusion approach for ad-hoc or one-off processes (such as an audit).		 🛠️🛠️
Integration Naturally, integration with SIEM and SOAR is going to be crucial (e.g. Panther) There's not so many gotchas here, except there may be multiple levels which wish to integrate at - chat for canaries being deployed, SIEM for alerts, SOAR for certain high priority alerts. 🛠️

Hopefully this shows quite concretely that actually to get the results you want from a security canary program, there’s a lot of work to do.

If we consider the biases we highlighted earlier - having the skills to deploy these resource types and the knowledge of the environment, does not give a significant advantage to deploy canaries yourself.

Considerations if you DIY

So to recap, when thinking about your canary program:

  1. Align on the security outcomes you are seeking to achieve
  2. Leverage the Security Canary Maturity Model to understand the implications this has for the feature set you will need to implement
  3. If you still wish to build in-house, be realistic about how much work is going to be involved to do this yourself, both the initial set up and on-going maintenance, and trade this off against other security work that could be done instead

Naturally, we have a strong bias here, or Tracebit would not exist today, but we’ll leave you with a few of the original ideas that got us excited when building a security canary platform.

  1. It’s crucial you trust that the canaries you deploy will alert you when you need - someone thinking about this 24/7/365 is really the best way to have this trust.
  2. The true value of canaries unlocks when they are dynamic and automated, keeping both attackers and insiders guessing. This becomes 10x more powerful when new canary types and approaches are being shipped constantly.
  3. 99% of the work of a canary deployment is undifferentiated to the specific business. The security team has more differentiated work they could be investing their time that is truly unique to your particular business.

If you’d like to learn more about how we’re helping teams implement security canary programs, please Book A Demo!

Table of contents
Subscribe to newsletter

Subscribe to receive the latest research and product updates to your inbox every week.

By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Subscribe to newsletter

Subscribe to receive the latest research and product updates to your inbox every week.

By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.