Host-Based Sensors

Part of the Cyber Centre’s mandate is to defend the Government of Canada’s computer systems and networks from cyber attacks.

We often talk about our layered approach to that task. But what does that mean?

The outermost layer detects threats at the network level.

But there is also a complementary inner layer, which detects threats at the endpoint level – on servers, laptops and desktops belonging to the Government of Canada.

This is our own in-house technology, called Host-Based Sensors, or HBS.

The short story

  • HBS is a 100% Canadian cyber security innovation.
  • Our team created it to defend Government of Canada systems.
  • It automatically detects and neutralizes malicious activity, like malware trying to download.
  • Privacy is built into HBS by design. *
  • The first version of HBS rolled out in 2012 within CSE.
  • Now HBS is installed on over half a million Government of Canada computers across more than 50 government departments.
  • Our UK counterparts at the National Cyber Security Centre liked HBS so much, they adopted it on their government’s networks.

* HBS does not look at the content of emails or documents. It stops only malicious software, and analysis of those emails is automated in other systems.

The longer story

The story began almost exactly a decade ago, in November 2010.

Six employees formed a new team within the Information Technology Services unit at CSE.

They were working on hand-me-down computers built from spare parts, an ethernet hub salvaged from deep storage, and cables that they crimped themselves. Part of their workspace used to be a storage closet.

But despite the unglamorous surroundings, the team’s mission was high-priority.

Because of an increasingly hostile cyber environment, we could no longer rely on traditional anti-virus products. We needed to build a more effective defence, not just at the network perimeter, but on devices themselves. We needed a capability that would not just detect, but also neutralize malicious activity, automatically.

Most importantly of all, it had to have strict privacy controls baked in.

This capability had to layer on top of other security products in a complementary way. It had to work seamlessly on several hundred different pieces of software and across different operating systems. And it had to be easy to use.

Back in 2010, there was no commercial solution that would deliver everything we needed. So CSE used our ingenuity to build our own.

This solution has been a major success. As of October 2020, HBS has been deployed on more than half a million Government of Canada endpoints.

Each sensor securely gathers system data, while protecting the privacy of those using this service. That data is fed back to our experts for analysis. They map any malicious activity, such as malware trying to download, and document the recipe to inoculate other devices against infection in future.

In short, every device that runs HBS becomes a defender of all the others.

Collectively, the sensors process over 200,000 host events per second.

They forward over 30,000 program and system files per day to Assemblyline (our open-source malware detection and analysis framework) for triage and processing.

To be clear, HBS is not in any way reading the content of emails and documents on Government of Canada systems.

The analysis is automated, with strict privacy controls baked in from the get-go.

Bottom line: what historically took months to find and fix is now being done in a matter of hours.

The next chapter

We are finding ways to leverage the data we gain from HBS to beef up cyber security options for all Canadians. For example, data from HBS forms part of the indicators of compromise we provide to CIRA Canadian Shield.

That’s a public DNS firewall service that is available to Canadian individuals and families for free, so that they can browse more securely. Crucially, all the servers are based in Canada and are subject to Canadian privacy laws.

The next chapter will be to tailor a version of HBS that can be deployed to external partners, such as critical infrastructure providers, other levels of government, and key private sector partners.

Based on the reception of HBS by IT security department heads within the Government of Canada, we anticipate the general response will be “Yes, please!”.
