Honeypots and canary files are two of the most underused tools in cybersecurity — and in this episode, Dr. Mike Saylor and I break down exactly how they work and why you should be using them. The short version: they're tripwires. They tell you a bad guy is poking around your network before anything gets encrypted.
Mike walks through his layered security analogy and explains the three different ways organizations use honeypots — learning attacker tactics, distraction, and testing. Then we get into canary files: what makes them different from a honeypot, how they beacon home when stolen, and why clock synchronization matters more than most people think if you ever want that evidence to hold up.
We also cover how to stand one up without a big budget, what tools are available, and why something is absolutely better than nothing. Plus, Mike and I have news about our new O'Reilly book, Learning Ransomware Response and Recovery.
0:00 - Intro and book news
1:09 - Meet the crew
3:45 - Security is all about layers
9:22 - What are honeypots and canary files?
11:00 - Three ways honeypots work for you
13:17 - Real-world examples: bait cars and glitter bombs
15:20 - Making your honeypot convincing
19:11 - Honeypot tools and options
21:13 - Something is better than nothing
24:10 - Monitoring and notifications
25:05 - Canary files explained
27:03 - How canary files beacon and track attackers
28:03 - Don't forget to sync your clocks
29:05 - Final thoughts



