Whiteboard Wednesday:

Endpoint Security: The Value of Continuous Monitoring with Agents

August 08, 2018

In this week’s Whiteboard Wednesday, Eric Sun and Justin Buchanan, Solutions Managers for Detection and Response and Vulnerability Management, respectively, discuss the value in having agents in today’s modern environment. Learn how agents can help us perform vulnerability assessment and real-time detection and response, how a unified agent can enhance your security analysis, and the key factors to consider when deploying agents at your company.

Video Transcript

Hi. Welcome to this week's Whiteboard Wednesday. We're going to be talking about the value of endpoint agents. I'm Eric Sun, Solutions Manager for Detection and Response.


I'm Justin Buchanan, Solutions Manager for Vulnerability Management and Offensive Security Solutions. So, Eric, why do we need agents in today's modern environment?

Yeah, so definitely modern is that key component. As global workers, we're traveling around the world, we're accessing the network and critical items from hotels, on the road, so it's important to have coverage for those remote assets. At the same time, it's also important to have real-time coverage so that if there's a compromise on that endpoint, we're able to detect that in real time.

From a vulnerability management perspective, agents can really help us solve some pretty serious problems. One of the things that's really nice is that agents don't require us to provide credentials in order for us to perform a detailed assessment of vulnerabilities in our environment. This is actually a real pain that people have because sometimes there are disparate teams in an organization managing these assets, and they may be reluctant to release local administrator privileges to a centralized security or IT team.

In general, just swapping credentials around is less than preferred. So, having an agent that can automatically have the access that it needs to perform a full assessment on that device is certainly a big win.

We also run into sensitive assets that may have undesired behavior when they're hit with a traditional vulnerability management scan engine. If we can put an agent on those devices, we no longer need to use that assessment method, making it eligible once again for us to assess those more sensitive assets.

I think one thing to add on to that is as we move to this global network, there's also the requirement to take action on these assets, whether it's something like killing a process that's malicious on the endpoint, or also quarantining an asset to really get those forensics artifacts or ensure that there's no Command and Control taking place on those assets.

So, Justin, what should we consider when folks are looking to deploy agents in their organization?

Great, Eric. I think there are some key things that we should really be cognizant of. The first and foremost one is we want to consider the footprint that the agent's going to have on our devices. Because we're not going to deploy this agent to one single device, but we're going to deploy it enterprise-wide, the footprint really is going to add up once we roll it out across the whole company. By footprint I mean things like how much RAM is this going to use? How much CPU does this agent consume? How much disk space does it take up? How much network bandwidth does it consume?

These are all concerns that we're going to want to consider when we're evaluating potential agents for deployment. We're also going to want to look at the various operating systems that these agents support. Because again, we're here talking about an enterprise-wide deployment, and we don't want to find an agent that only supports one of the operating systems we have in our environment. We want to find an agent that supports all of the operating systems we have in our environment. That way, we can standardize on one agent and seamlessly deploy it across the organization.

We'll also want to consider what deployment options we have when we're rolling out this agent. The reason being, because we are going to send it to so many assets, we want to make sure that we can do this deployment in a programmatic way. We want to find an agent that's going to interface well with our existing deployment solutions so that we don't need to reinvent the wheel to get this agent out.

Finally, we want to look at the interoperability of these agents. We want to deploy agents that are going to bring us high value, but we want to deploy as few agents as possible simultaneously, so we're kind of wrestling with these two competing efforts. If we can find agents that have high interoperability, agents that can perform multiple tasks, that's going to be a big win for us. Send one agent out, get multiple things done, get more for our money.

On that note, let's talk a little bit about our approach to endpoint agents and continuous monitoring. At Rapid7, we have the Insight Agent, and it's one agent across our entire portfolio of products, so the single agent can perform vulnerability assessment, as well as real-time detection and response. The beauty of that is, with the Insight platform, all the computation takes place in the cloud. As a result, there's no computation, there's no impact to the end user, and we're very specific about the data that we want.

From a vulnerability management standpoint, we're only looking at the delta of what's changed on that asset, instead of having to start from scratch every time. On the detection and response front, we're really looking very deeply into nuances on each endpoint. So, things like process trees, scheduled tasks, and other forensic artifacts that really help us detect attackers as early as possible at the edge.

Here at Rapid7, we do offer a unified agent that takes into account those considerations that we've covered today and has the functionality that Eric has described here for us. Two major Rapid7 products that leverage the value of this unified agent are our threat detection and response tool, InsightIDR, and our vulnerability management tool, InsightVM. These two tools are part of the Insight platform, a broader portfolio of solutions that help our customers deliver SecOps in their organizations.

In addition to these two tools, we'll also see InsightAppSec—our application security testing tool, InsightOps—our IT operations and log management tool, InsightPhish—our phishing analysis and simulation tool, and Komand—our security orchestration automation tool, all part of this broad Insight platform that has shared data, visibility, and analytics.

That brings us to the end of today's endpoint discussion. Be sure to tune in continuously for our Whiteboard Wednesdays. Thank you. Thank you.

Insight Agent

The Rapid7 Insight Agent ensures your security team has real-time visibility into all your assets beyond the perimeter, when they're most at risk.
