Who are these agents of yours, or how to monitor a large isolated network

This series of articles takes a closer look at agents: why they are needed, what they can do, and the nuances of working with them. This first article is an introduction: it gives a general picture of what an agent is, briefly covers the types of agents, and outlines the common ways of placing them in a network.

When building a security system, an organisation combines many technologies to create a protected environment for its assets, whether informational or physical. Each category of organisation has its own "rules" by which the quality of that protection is assessed and regularly checked. High-quality security therefore needs complete input data: the decision a security officer makes depends on how complete and how timely the information received is. Without an adequate level of information and overall awareness it is sometimes impossible to make the right call, or even to carry out certain procedures at all. There are many methods of collecting such data today, and even more tools, but the most complete picture comes from agents. They have become widespread in IT because they need no remote connection to the machine, no interactive authentication and no manual execution of commands, and they are built into many solutions with quite different goals: antiviruses, event management (SIEM) systems, and even vulnerability scanners.

But ease of maintenance and completeness of the transmitted information are not the only properties that make agents popular. Depending on the agent's functionality and configuration, the main tasks it solves include:

  • Network monitoring of devices (NOC): node response time, service response time and status codes, collection of network service logs.

  • Information security (SOC): collection of logs and telemetry from the node (with confidentiality and integrity of the data in transit and a higher guarantee that it is actually delivered); detection and blocking of malicious activity by intercepting system events and applying signature analysis and machine learning (antivirus, EDR); detection and prevention of data leaks using statistical and ML techniques (DLP).

An agent is a service or intermediary program that collects operational information for analysis and sends it to the "head office", the processing/storage server. For example, an agent that has been granted read access to the host's security log reads its contents and forwards them to the central system, where an administrator monitors them. For a single host the agent approach may look excessive, or at least not the simplest option, but in a modern organisation with a complex infrastructure agents significantly simplify the work of information security staff.

There are two methods for agent data collection:

A passive agent does not initiate collection itself: it waits for new events to appear on the monitored node and then sends them to the server at a set interval. Such agents are simpler to implement and often have no user interface at all. The method suits data that does not need continuous observation, for example the maximum number of processes the OS can run concurrently, incoming/outgoing traffic statistics, or DNS server performance.

An active agent, on the contrary, polls the target itself over management or data-collection protocols (WMI, RPC, WinRM) and sends the result to the main server according to a policy or a set schedule. Such an agent is considered more complex and requires configuration by the administrator beforehand, including an account with remote read rights on every target it polls. It is commonly used by monitoring systems, or wherever the host's state must be checked regularly, and it is the right choice when, for one reason or another, nothing extra can be installed on the target device itself.
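A minimal agent with both collection methods, as an added example that is not part of the original article: the passive path receives events pushed by the host (observe()), the active path polls a source on a schedule (tick()), and both go through one on-disk spool so that an outage of the central server, the normal situation in an isolated segment, loses nothing. Each batch carries a SHA-256 digest that the server checks for integrity and uses to ignore resends. The Server class and the poll source are stand-ins for the real collector and a real WMI/WinRM query; every name here is the example's own.

```python
"""Added example, not the article's code: a minimal collection agent with both
methods. Passive: the host pushes events in via observe(). Active: tick() polls
a source callable. Both feed one on-disk spool, so an unreachable server (the
isolated-segment case) loses nothing; each batch carries a SHA-256 id that the
server verifies and uses to ignore resends. Server and source are stand-ins."""
import hashlib
import json
import os
import tempfile


def make_batch(events: list) -> dict:
    """Wrap events with a content hash: integrity check and dedup key in one."""
    body = json.dumps(events, sort_keys=True).encode()
    return {"id": hashlib.sha256(body).hexdigest(), "events": events}


class Server:
    """Stand-in for the central collector; fail=True simulates an outage."""
    def __init__(self) -> None:
        self.received: list = []
        self.seen: set = set()              # batch ids already accepted
        self.fail = False

    def ingest(self, batch: dict) -> bool:
        if self.fail:
            raise ConnectionError("collector unreachable")
        if make_batch(batch["events"])["id"] != batch["id"]:
            return False                    # corrupted in transit or on disk
        if batch["id"] not in self.seen:    # resend after an agent crash: keep once
            self.seen.add(batch["id"])
            self.received.extend(batch["events"])
        return True


class Agent:
    def __init__(self, server, spool_path, poll=None, batch_size=2, flush_every=2):
        self.server = server
        self.spool_path = spool_path        # durable queue, survives restarts
        self.poll = poll                    # active-mode source, or None
        self.batch_size = batch_size        # passive mode: flush after N events
        self.flush_every = flush_every      # active mode: flush every N ticks
        self.buffer: list = []
        self.ticks = 0
        open(spool_path, "a").close()       # make sure the spool exists

    def observe(self, event: dict) -> None:
        """Passive path: something on the host hands the agent an event."""
        self.buffer.append(event)
        if len(self.buffer) >= self.batch_size:
            self._spool()

    def tick(self) -> None:
        """One scheduler step: poll (active mode), flush if due, then try to send."""
        self.ticks += 1
        if self.poll is not None:
            self.buffer.extend(self.poll())
        if self.buffer and self.ticks % self.flush_every == 0:
            self._spool()
        self._drain()

    def _spool(self) -> None:
        events, self.buffer = self.buffer, []
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(json.dumps(make_batch(events)) + "\n")
            f.flush()
            os.fsync(f.fileno())            # durable before the batch leaves memory

    def _drain(self) -> None:
        with open(self.spool_path, encoding="utf-8") as f:
            lines = [ln for ln in f.read().splitlines() if ln]
        done = 0
        for ln in lines:
            try:                            # False = corrupt: consumed, resend cannot help
                self.server.ingest(json.loads(ln))
            except ConnectionError:
                break                       # keep this batch and every later one
            done += 1
        with open(self.spool_path, "w", encoding="utf-8") as f:
            f.writelines(ln + "\n" for ln in lines[done:])


def demo() -> tuple:
    """Constructed scenario: two pushed events, an outage during two polls, then
    recovery. Returns (events the server holds, bytes left in the spool)."""
    spool = os.path.join(tempfile.mkdtemp(), "spool.jsonl")
    srv = Server()
    source = iter([{"seq": i, "src": "poll"} for i in range(1, 5)])
    agent = Agent(srv, spool, poll=lambda: [next(source)])  # stands in for WMI/WinRM
    agent.observe({"seq": 1, "src": "push"})
    agent.observe({"seq": 2, "src": "push"})  # batch_size reached: spooled
    srv.fail = True
    agent.tick()                            # poll 1 buffered; send fails
    agent.tick()                            # poll 2; flushed; still failing
    srv.fail = False
    agent.tick()                            # backlog delivered in original order
    agent.tick()                            # polls 3 and 4 flushed and sent
    return srv.received, os.path.getsize(spool)
```

Calling demo() plays the sequence through: the two pushed events are spooled, two polls happen while the server is down, and on recovery the backlog arrives in its original order with an empty spool afterwards. A production agent would additionally cap the spool size and authenticate the transport (TLS with client certificates); the stub leaves both out.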

Besides the collection method, there is a second distinction that matters when introducing agents into an infrastructure: how the agent and the end node are connected to each other. Broadly there are two approaches. In the first, the agent is a component of the machine under examination, i.e. it is literally installed on that host. In the second, the agent is itself an intermediate host or server that relays information from remote end devices.

The first case can be represented by the following diagram:

The agent is installed on the end device as a program and collects data directly from inside the machine. This is convenient for continuous monitoring of critical assets, but only while there are few of them: deploying an agent on every machine of interest needs the appropriate rights and a fair amount of time, and every agent update then becomes a recurring chore. Only with extra tooling (Active Directory and group policy, for example) can that process be automated.

When using an agent as an intermediary, part of the infrastructure will look like this:

Here the agent is installed on the collector server itself (Windows Event Forwarding/Windows Event Collector, for example), which first gathers data from several machines at once and then hands it to the agent for onward delivery to the main server. This covers a larger part of the network and usually also saves on per-host licensing.

For a fuller comparison, consider the agentless method of collection. Here the data is transferred directly to the processing centre over various collection protocols (shown in the diagram). The centre, in turn, filters the incoming data and brings it into a more uniform format for further analysis in the system core. The method suits small networks and is most often seen in SIEM-type products with an all-in-one installation.
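The normalisation step of such an agentless collector, as an added example that is not part of the original article: devices send raw syslog over the network, and the collector parses both the legacy BSD form (RFC 3164) and the current form (RFC 5424) into one record shape that the system core can query. The sample lines are constructed for this example, and the field names of the common record are the example's own choice.

```python
"""Added example, not the article's code: the normalisation step of an
agentless collector. Devices send raw syslog over the network and the collector
parses both the legacy BSD form (RFC 3164) and the current form (RFC 5424) into
one record shape for the system core. The sample lines are constructed here and
the field names of the common record are this example's own choice."""
import re
from datetime import datetime, timezone

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"   # one SD element, no nesting
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG  (no year, no time zone)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "logalert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample input: what an agentless collector might see on UDP/TCP 514.
SAMPLE_LINES = [
    "<86>1 2024-03-01T12:00:05.123Z fw01 sshd 4242 - - Accepted publickey for ops from 10.0.0.7 port 51234",
    "<38>Mar  1 12:00:07 srv02 sshd[1981]: Failed password for root from 10.0.0.9 port 40022 ssh2",
    "garbage that is not syslog at all",
]


def normalize(line: str, year: int = 2024) -> dict:
    """Turn one raw syslog line into the collector's common record."""
    fmt, m = "rfc5424", _RFC5424.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    else:
        fmt, m = "rfc3164", _RFC3164.match(line)
        if not m:
            return {"format": "unknown", "raw": line}   # keep it, never silently drop
        # legacy timestamp has neither year nor zone: assume the collector's year, UTC
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
    pri = int(m["pri"])
    if pri > 191:                           # PRI = facility*8 + severity, max 23*8+7
        return {"format": "unknown", "raw": line}
    facility, severity = divmod(pri, 8)
    pid = m["pid"]
    return {
        "format": fmt,
        "ts": ts.isoformat(),
        "host": m["host"],
        "app": m["app"],
        "pid": int(pid) if pid and pid.isdigit() else None,  # "-" is nil in RFC 5424
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "msg": m["msg"],
    }


def collect(lines) -> list:
    """The collector loop: every line becomes a record, parsable or not."""
    return [normalize(ln) for ln in lines]
```

Two points of the design matter for a SOC: a line that parses as neither format is kept as an "unknown" record with its raw text rather than discarded, so a misconfigured device or a deliberately malformed message still shows up; and the RFC 3164 timestamp, which carries no year or time zone, is completed with assumptions that are stated in the code, because otherwise events from different devices cannot be ordered reliably.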

To sum up the introductory part of this series of articles, we can already highlight the main advantages and disadvantages of working with agents:

+ One-time initial setup

+ Security and ability to control data flow

+ Scalability

+ Automation of collection

+ Solving the problem of an isolated network segment where no remote connection is possible

– Consumption of end-device resources (CPU, memory, disk)

– Reconfiguration is needed for non-standard end nodes or non-standard collection requests

– No single agent supports every device type and OS present in the infrastructure

– May not satisfy security requirements (the agent itself runs with elevated rights on every host and widens the attack surface)

The choice between agent-based and agentless collection is individual for each organisation and depends above all on its size, its security requirements, the capacity of its equipment and the people available.
