Thoughts From The Nest

Blog, updates, and release notes


Cisco’s Talos research team published a blog post Monday covering another supply chain attack involving CCleaner, the well-known and popular system maintenance software. According to Cisco, for a period of time the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. Attacks like this against the trusted supply chain between the software manufacturer and the customer are a growing attack vector because of their potential effectiveness and impact.


Release Notes

August 28, 2017


New
Perchybana really loves all the recent attention. To help you really appreciate her beauty, we’ve added a convenient button on each alert that will take you directly to Perchybana with the data filtered just to that alert’s details. Triage alerts just like the pros.
New
Paginate all the things! We’ve revamped how we handle larger data sets in Perch and how that data is fetched from our servers. Pagination added to:
  • The Community Dashboard recent indicators, so you can check out all that juicy community intel (last 10,000 indicators only, for now), not just the most recent 5.


Release Notes

August 11, 2017


New
Perchybana per-user saved searches - Decorating her nest with all manner of brightly colored bits of user configuration, now each of our users can have their very own Perchybana configuration - including their own saved searches.
New
Group selection on suppression review
  • Suppressions load slowly, we know; this is the first step in fixing that
  • More coming soon.
New
In this month’s edition of Sensor Health magazine:
  • New health details
  • Graph scales that make sense
  • CPU info display
  • And the displayed detection drop percentage precision increased by 100% (Re: now we show two decimal places instead of one.)
New
New end of signup flair - not so exciting for existing customers, but now every new sign up gets a free puppy! Ok, no free puppy, but there are some digital fireworks. And a sad Perchy if things go wrong.
New
Enhanced sensor health evaluation
  • No one is happy when sensors aren’t able to do their thing. We’re making our sensor reporting more robust and being more aggressive about what conditions we monitor. Our periodic sensor health reports contain more details and warn about more conditions.
New
Indicators you’ve created now link to the object detail page so that you can see all of the details about your creation. You’re proud of what you’ve created, you want to see it out there among all the other wild indicators doing its thing. We want those special moments with your indicator to be easier, so now you can jump right to the details page for indicators you’ve created, by clicking on their title from the Sharing ➔ Your Indicators page.
Bugfix
Improved load performance of object detail page, separated sections to load independently - same bat time, same bat channel, same bat data; just served up differently so that the page loads a little better/faster.
Bugfix
Community tags for the communities you’ve shared an indicator with can be clicked to take you to that community’s dash. Community tags should all work the same, but we keep finding the old ones hiding in corners. If you find one that you click on, but it doesn’t take you to the community dashboard, report it!
Bugfix
Global/Community suppressions no longer appear under the ‘Unknown [null]’ group - As part of our No Suppression Left Behind campaign, we’ve ensured that every suppression gets a proper section title, regardless of socioeconomic background, race, creed, or actual group membership. #EqualityForAllSuppressions
Note
Improved internal tools to ensure our customers are having a positive Perchy experience. We’re looking for patterns that warn us that someone’s having a not-so-great experience with Perch, so that we can proactively reach out, figure out what’s not right, and get it fixed ASAP.

Release Notes

July 28, 2017


New
Dashboard: Now you can see both the active alerts and the things that have been suppressed since you were gone.
New
Support for international postal codes in sensor setup - Perch learns to be a more equal opportunity guardian of the galaxy; no matter where your sensor is (as long as it’s not the middle of the desert), Perch can put you on the cyber-security map.
New
Perchybana is live! Impress friends and neighbors with your network traffic insights. Be the life of any party by tracing netflow and diagnosing malware infections.
New
Alert review pagination, improved alert performance throughout Perch - people like books, books have pages, therefore people like pages. Now Perch has pages on its alert panels, therefore people will like Perch’s alert panels.
Bugfix
Sensor config - edge cases: more resiliency and error correction in uncommon install use cases, more ‘self-healing’ functionality to adjust for common problems.
Bugfix
Alert ‘all targets’ now pulls from the right data source - it used to come from column A, now it comes from column B. Same data, but easier/faster to query.
Bugfix
Show error message if user tries to create a subnet with a name that is too long - focus groups seem to indicate that users do not enjoy functionality that silently fails, so we’ve added a meaningful error message. Who would have known?
Bugfix
Backtest now returns group matches.
Note
We love feedback from our users! If you see something that’s not right, or have an idea to make Perch even more awesomer, report it to info@perchsecurity.com

Fishtech Group today announced a strategic investment in Perch Security, the information security maverick that combines innovative application design with an in-house security operations center (SOC). This new partnership seeks to expand Perch’s sales and marketing efforts, and to broaden and accelerate product development. READ THE PRESS RELEASE


Release Notes

July 14, 2017


New
New button next to alert IP addresses to copy to clipboard (without port number)
New
Improved sensor health network host count
  • Shows last 48 hours only (instead of all time)
  • Updates in real-time (instead of once daily)
New
Cisco Talos community created – get an oink code here: https://www.snort.org/ (third party, not affiliated with Perch)
New
Suppress by IP: you can now apply a suppression to a single host. Global, community, team, host; so many yummy suppression flavors to choose from.
New
Replaced Community Dashboard - Trending Indicators data with a top 5 list of indicators in a community with the highest unsuppressed alert counts, over the last 30 days.
New
General stability improvements to our sensors and improvements to health reporting; keeping Perchy’s eyes and ears clean and in top shape so we can See Farther.
New
Community feed list ‘Select All’: we think that having to click 100+ checkboxes is lame, too.
Bugfix
Due to the sheer number of individual sightings associated with some alerts, our ‘alert by host’ functionality on the alert review page had to be disabled temporarily so that we could re-architect some of the data that it used.
Bugfix
Fixed: signup process would allow a new user to skip creating a group, which causes all kinds of paperwork issues for sweet, old Fran in the back office. Per Fran’s rules, all new users must now either create a new group or join an existing one before they’re allowed inside Perchy’s exquisite garden.
Bugfix
Secret communities were re-classified SO secret that even Perchy had no idea which was which and started assigning groups to the wrong secret communities. We’ve given Our Great Leader access to the secret community codes and peace is restored to the galaxy, for now.
Bugfix
Fixed: Existing users that received an email invite to another group should now be able to use the invite link to join the group.
Bugfix
Fixed: Buttons that would allow multiple submissions of an action if the button was clicked rapidly (e.g. double-click). Dr. Perchy, PhB(ird), recommends that users limit coffee intake.
Bugfix
Fixes and tweaks to our sensor network and monitoring configurations
Note
Perchy-bana POC is complete, was successful, and we’re building out the QA infrastructure for its initial internal release and testing.
Note
Perch core relational database infrastructure went through another major upgrade with the addition of a read-replica, multi-db configuration, multi-port fuel injector, and twin-turbo blower. VTEC just kicked in, yo!
Note
Hired custodial cron jobs to vacuum and clean up the database nightly. Tried to get the office custodial staff to do it, but they mumbled something about union regulations and overtime.
Note
Nuked certain parts of our BigData infrastructure from orbit and replaced it with something better. Things work like they did before, but they cost less, run smoother, and allow us to scale better in the future.

Release Notes

June 30, 2017


New
Sensor health enhancements and improved monitoring so Perchy’s caretakers can respond quicker to sensors that are having issues.
  • Detection graph to see traffic level trends
  • Warning/down state for unchanging detection counts
  • Private IP counts: how many unique IPs in each of the private IP blocks a sensor has seen (you have 1000 hosts on your network, but Perch is only seeing 10 of them)
New
Perchy gets better at communicating with users: action notification review and cleanup
  • More notifications, for both success and errors
  • Standard success/error look
New
New suppression scopes:
  • Global: SOC can suppress for all users at once
  • Community: SOC and community admins can suppress an indicator for an entire community
  • (coming soon, work complete, in-review and testing) by-IP: suppress for a single IP
Bugfix
Corrected the Community Dashboard Daily Events indicator counts so that they’re:
  • Storing the indicator counts
  • Computing the count correctly
Bugfix
Sorting by CIDR/subnet now sorts more naturally
Bugfix
Improved handling for observables that are missing intel data
Bugfix
Long comments have had a good talking to and have agreed to stay inside their comment panel better
Bugfix
Several minor bugs and tweaks corrected caused by database migrations & updates
Note
The ‘all-natural’ performance enhancing supplements we’ve been feeding Perchy are paying off: his brain is bigger and better than ever!
  • Lots of expensive tech words = faster databases = more responsive Perch = happier users
  • Infrastructure work to ensure that as Perchy’s flock grows (and it is growing!), he can still respond to all of the data as fast as possible!
  • Migration to ElasticSearch 5
Note
Relational DB hardware upgrade and addition of read replica
Note
We’re making strong progress toward Perchy-bana, internal POC and development is promising

National Health Care Information Sharing and Analysis Community (NH-ISAC) has rolled out an offer for their members that incorporates Perch’s “extremely affordable and simple way to detect and mitigate against threats.” READ THE PRESS RELEASE


Release Notes

June 2, 2017


New
Public Backtest API
  • Manage API token and credentials in Perch
  • Get token, backtest observables, profit!
New
(Soon) Additional suppression scopes:
  • Global: the Perch SOC will be able to suppress false positives for every group in a single action; we’ll be able to clean up the noisy, false positive intel more quickly so that the gems with real value can shine through.
  • Community: community leaders will be able to groom their own intel from within Perch; a community that preens together, stays together, right?
  • Individual Host: have a single host that you know triggers a FP, but you don’t want to completely ignore the indicator for other hosts? Now you can suppress an event for just one of them.
New
Sensor Health Summary:
  • Consolidated view of all of your group’s sensors and their health
  • Warnings for low resources and abnormal conditions:
    • Old rules and low rule counts
    • Sensor not uploading data
  • In the Admin menu: Sensor Summary
New
Emerging Threats (and Pro) selectable feeds
New
Unmonitored network filtering at the sensor
  • Perch takes the list of unmonitored network subnets for your group and sends it to the sensor so that it knows to ignore those networks in its detections.
  • Results in less work for the sensor, allowing us to do more with the hardware; less data sent to Perch, less outgoing network traffic for you, and less to process and store for us! It’s a genuine win-win paradigm-shifting value add, look at all this synergy! Give Canute and Chris a raise, this is amazing!
New
Alert filtering now considers subnet names
New
(Soon) Restart tours: watch them again and again with your friends and family!
New
Touch ups and polish here and there; retry button added to the end of the signup process when there is an error registering.
Bugfix
User group page no longer shows all of the groups from all of your communities, but only those you are actually a member of.
Note
Perch reaches its 1000th build and Perchy has his first birthday!

Just like always, Perch detected indicators for the infamous Grizzly Steppe minutes after DHS released them. Read about how we were able to defuse any panic or confusion for our users before “the Russians are coming” even hit the news that day. Check out the full article here.
