Cado Security has launched a new open-source community tool, Cado varc. The volatile artifact collector (varc) lets security analysts capture a snapshot of volatile data, adding critical context to incident investigations. We spoke with Chris Doman, CTO & Co-Founder of Cado Security, about the tool and how its use cases could evolve in the future.
Tell us about this open-source tool. What makes it special?
Cado’s new open-source tool, Cado varc, is a volatile artifact collector tool. Cado varc allows security analysts to collect a snapshot of volatile data, adding critical context to incident investigations in complex environments like cloud environments, containerized Docker/Kubernetes environments, and even serverless environments such as ECS Fargate and AWS Lambda.
Today, analyzing volatile data is an extremely manual and time-consuming process. What makes Cado varc special is that analysts can completely automate volatile data capture and processing, significantly reducing investigation and response time.
Cado varc collects key data from a system, data that isn't easily extracted by other tools. For example, it collects the memory allocated to processes and the open files from inside containerized environments like Docker.
What challenges does this open-source tool aim to solve?
While volatile data can add critical context to incident investigations, analyzing this type of data presents many challenges. For starters, the process of collecting volatile data is an extremely manual and time-consuming process. This is a problem because, in order for volatile data to be valuable, it must be captured the moment malicious activity is detected. Cado varc drastically simplifies the process. As soon as suspicious activity is detected, Cado varc can be triggered to automatically collect and identify further activity, helping security professionals gain enhanced visibility to identify root cause and respond to incidents faster.
Further, volatile data analysis requires massive amounts of data to be processed, which can take significant time and resources. With Cado varc, however, only relevant data is extracted for processing and analysis, significantly reducing overall investigation time.
How do you see the tool evolving in the future?
At Cado Security, we’re thrilled to continue our commitment to innovation and the security community by making this new open-source Volatile Artifact Collector tool (varc) available for analysts to conduct faster, more efficient incident investigations. While we plan to make continuous improvements to the tool, such as extending the breadth of support where Cado varc can run, the future of varc greatly depends on feedback from the community.
Any other use cases you see on the horizon?
Analyzing volatile data can be extremely useful in scenarios where an agent-based solution cannot be deployed. For example, high-availability production servers cannot support agents, but volatile data can be captured to enable live investigation.
We are particularly excited that we have managed to run Cado varc inside serverless environments like Lambda, which both provides detection opportunities and exposes some of the underlying mechanics.