EP239 Linux Security: The Detection and Response Disconnect and Where Is My Agentless EDR

Guest:

• Craig H. Rowland, Founder and CEO, Sandfly Security

Topics:

• When it comes to Linux environments – spanning on-prem, cloud, and even–gasp–hybrid setups – where are you seeing the most significant blind spots for security teams today? 
• There's sometimes a perception that Linux is inherently more secure or less of a malware target than Windows. Could you break down some of the fundamental differences in how malware behaves on Linux versus Windows, and why that matters for defenders in the cloud?
• 'Living off the Land' isn't a new concept, but on Linux, it feels like attackers have a particularly rich set of native tools at their disposal. What are some of the more subtly abused but legitimate Linux utilities you're seeing weaponized in cloud attacks, and how does that complicate detection?
• When you weigh agent-based versus agentless monitoring in cloud and containerized Linux environments, what are the operational trade-offs and outcome trade-offs security teams really need to consider? 
• SSH keys are the de facto keys to the kingdom in many Linux environments. Beyond just 'use strong passphrases,' what are the critical, often overlooked, risks associated with SSH key management, credential theft, and subsequent lateral movement that you see plaguing organizations, especially at scale in the cloud?
• What are the biggest operational hurdles teams face when trying to conduct incident response effectively and rapidly across such a distributed Linux environment, and what's key to overcoming them?

Resources:

• EP194 Deep Dive into ADR - Application Detection and Response
• EP228 SIEM in 2025: Still Hard? Reimagining Detection at Cloud Scale and with More Pipelines