CAASM Use Case #2 – Find Devices With Broken Agents
Home » Latest Articles » CAASM Use Case #2 – Find Devices With Broken Agents
By Steve Chambers
on
inCybersecurity Observability
Hey there, cybersecurity warriors! How goes the good fight?
Welcome to the second instalment in our series on Cybersecurity Observability use cases. Today, we’re diving into a sneaky little problem that can leave your defenses wide open: broken endpoint agents.
You know the drill: you’ve got your security policy in place, agents deployed across your network, and everything seems hunky-dory. But then your CSO drops this bomb:
"How do we know our endpoint agents are actually working? I mean, they're installed, but are they really doing their job?"
(Chief Security Officer)
Ouch. Talk about a reality check. 🥹
But fear not! This is where CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… (Cyber Asset Attack Surface Management) and cybersecurity observability come to the rescue.
Picture this: You’ve got an endpoint agent installed on every device in your network. Your dashboard shows green across the board. Life is good, right? Wrong.
Here’s the kicker – just because an agent is installed doesn’t mean it’s working. It could be:
Turned off by a crafty user
Uninstalled without your knowledge
Installed but malfunctioning due to a technical hiccup
And the worst part? Your agent’s admin console might not even know it’s not working! Talk about a false sense of security.
Who's job is it to check if agents are working and to fix them?
Enter SJULTRA's Cybersecurity Observability Service
This is where things get exciting. At SJULTRA, we use CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… in our CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… Services to pull off some serious cybersecurity magic.
CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… is like the Sherlock Holmes of your IT environment. It gathers clues from multiple data sources, cross-references them, and uncovers the mystery of your missing or malfunctioning agents.
Book your free CAASM trial now
Get visibility on all 14 cybersecurity observability use cases in less than 30 days with SJULTRA.
Once we have CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… set up (remember, SJULTRA offers a free 30-day trial), we can begin identifying those elusive malfunctioning agents. Want to locate all devices where the Carbon Black agent is installed but hasn’t been active for 30 days, even though Active Directory has detected the device within the last week? Here’s how we accomplish that.
Show me all devices that have been seen by Carbon Black, but not in the last 30 days, and have been seen by AD in the last 7 days.
3. In CAASMCyber Asset Attack Surface Management (CAASM) focuses on man…Query Languge (SQL):
(adapters_data.carbonblack_response_adapter.id == ({"$exists":true,"$ne":""})) and not adapters_data.carbonblack_response_adapter.last_seen >= date("NOW - 30d") and adapters_data.active_directory_adapter.last_seen >= date("NOW - 7d")
I know, I know, it looks like a cat walked across the keyboard. But trust me, this little line of code is cybersecurity gold.
Result:
Ok, we found devices with no agents: now what?
Great, so now we’ve got this list of non-compliant devices. What do we do with it?
This is where the “enforcement” part of our cybersecurity observability comes in. We’ve got four tricks up our sleeves:
Send out notifications (because who doesn’t love another email, right?)
Create incident tickets in your favorite ITSM tool (Jira, ServiceNow, you name it)
Tell another agent to isolate or un-isolate a device (for those “uh-oh” moments)
Deploy and run files, or even initiate a device scan (if the stars align and the device is reachable)
Summary
And there you have it, folks! That’s how we turn the invisible threat of broken agents into a manageable, observable process. It’s not always pretty, but it gets the job done.
Remember, this is just 2 out of 14 standard use cases we help our customers with as part of our CAASMCyber Asset Attack Surface Management (CAASM) focuses on man… Concierge service. And guess what? You can get it for free!
Cybersecurity is a never-ending game of hide and seek. But with the right tools and a bit of observability magic, we can shine a light on those hidden threats.
Stay vigilant, keep querying, and may your agents always be functioning!