CAASM Use Case #2 – Find Devices With Broken Agents
By Steve Chambers, in Cybersecurity Observability
Hey there, cybersecurity warriors! How goes the good fight?
Welcome to the second instalment in our series on Cybersecurity Observability use cases. Today, we’re diving into a sneaky little problem that can leave your defenses wide open: broken endpoint agents.
You know the drill: you’ve got your security policy in place, agents deployed across your network, and everything seems hunky-dory. But then your CSO drops this bomb:
"How do we know our endpoint agents are actually working? I mean, they're installed, but are they really doing their job?"
(Chief Security Officer)
Ouch. Talk about a reality check. 🥹
But fear not! This is where CAASM (Cyber Asset Attack Surface Management) and cybersecurity observability come to the rescue.
Picture this: You’ve got an endpoint agent installed on every device in your network. Your dashboard shows green across the board. Life is good, right? Wrong.
Here’s the kicker – just because an agent is installed doesn’t mean it’s working. It could be:
Turned off by a crafty user
Uninstalled without your knowledge
Installed but malfunctioning due to a technical hiccup
And the worst part? Your agent’s admin console might not even know it’s not working! Talk about a false sense of security.
Whose job is it to check if agents are working and to fix them?
Enter SJULTRA's Cybersecurity Observability Service
This is where things get exciting. At SJULTRA, we use Axonius in our CAASM Services to pull off some serious cybersecurity magic.
Axonius is like the Sherlock Holmes of your IT environment. It gathers clues from multiple data sources, cross-references them, and uncovers the mystery of your missing or malfunctioning agents.
Once we’ve got Axonius set up (remember, SJULTRA offers a free 30-day Axonius trial), we can start hunting those elusive broken agents.
Want to find all devices where the Carbon Black agent is installed but hasn’t been seen in 30 days, even though Active Directory has seen the device in the last week? Here’s how we do it.
In plain English: show me all devices that have been seen by Carbon Black, but not in the last 30 days, and have been seen by AD in the last 7 days.
In Axonius Query Language (AQL):
(adapters_data.carbonblack_response_adapter.id == ({"$exists":true,"$ne":""})) and not adapters_data.carbonblack_response_adapter.last_seen >= date("NOW - 30d") and adapters_data.active_directory_adapter.last_seen >= date("NOW - 7d")
I know, I know, it looks like a cat walked across the keyboard. But trust me, this little line of code is cybersecurity gold.
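To make the three conditions in that query concrete, here is an added Python example that applies the same logic to a constructed inventory of device records. It is not code from the original post and not Axonius code; the record field names (hostname, carbonblack, active_directory, id, last_seen) and the fixed "now" are assumptions for the demo. It mirrors the AQL semantics in two places a practitioner should care about: an empty agent id is treated like no agent (the "$ne": "" clause), and a registered agent with no last_seen at all counts as "not seen", so a device that enrolled but never checked in is flagged rather than silently skipped.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (assumption for the demo).
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)

# Constructed sample inventory: one record per device, with the fields each
# adapter reported. Field names are assumptions for this example, not the
# Axonius schema.
DEVICES = [
    # Healthy: Carbon Black checked in yesterday, AD saw it yesterday.
    {"hostname": "ws-001",
     "carbonblack": {"id": "cb-1001", "last_seen": "2024-06-14T08:00:00Z"},
     "active_directory": {"last_seen": "2024-06-14T09:00:00Z"}},
    # Broken agent: alive in AD, but Carbon Black last saw it six weeks ago.
    {"hostname": "ws-002",
     "carbonblack": {"id": "cb-1002", "last_seen": "2024-04-30T08:00:00Z"},
     "active_directory": {"last_seen": "2024-06-13T12:00:00Z"}},
    # Broken agent: registered with Carbon Black but never checked in.
    {"hostname": "ws-003",
     "carbonblack": {"id": "cb-1003", "last_seen": None},
     "active_directory": {"last_seen": "2024-06-12T12:00:00Z"}},
    # Not flagged: stale in AD too, most likely decommissioned rather than broken.
    {"hostname": "ws-004",
     "carbonblack": {"id": "cb-1004", "last_seen": "2024-04-01T08:00:00Z"},
     "active_directory": {"last_seen": "2024-05-01T12:00:00Z"}},
    # Not flagged by this query: no agent record at all (a different use case).
    {"hostname": "ws-005",
     "carbonblack": None,
     "active_directory": {"last_seen": "2024-06-14T12:00:00Z"}},
    # Not flagged: empty agent id is treated like no agent, as the AQL "$ne": "" does.
    {"hostname": "ws-006",
     "carbonblack": {"id": "", "last_seen": "2024-06-14T08:00:00Z"},
     "active_directory": {"last_seen": "2024-06-14T09:00:00Z"}},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None or empty means 'never seen'."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def has_agent_id(adapter):
    """Mirror of the AQL  id == {"$exists": true, "$ne": ""}  clause."""
    return bool(adapter) and adapter.get("id") not in (None, "")


def seen_within(adapter, days, now):
    """True if the adapter's last_seen falls inside the last `days` days.
    A missing timestamp is 'not seen', matching the negated AQL comparison."""
    if not adapter:
        return False
    ts = parse_ts(adapter.get("last_seen"))
    return ts is not None and ts >= now - timedelta(days=days)


def find_broken_agents(devices, now=NOW, agent_stale_days=30, ad_fresh_days=7):
    """Devices that have a Carbon Black agent id, have NOT been seen by Carbon
    Black in `agent_stale_days`, but HAVE been seen by AD in `ad_fresh_days`."""
    findings = []
    for device in devices:
        cb = device.get("carbonblack")
        if not has_agent_id(cb):
            continue                                    # no agent: out of scope here
        if seen_within(cb, agent_stale_days, now):
            continue                                    # agent is checking in: healthy
        if not seen_within(device.get("active_directory"), ad_fresh_days, now):
            continue                                    # AD stale too: probably retired
        last = cb.get("last_seen")
        reason = "never checked in" if not parse_ts(last) else f"last check-in {last}"
        findings.append({"hostname": device["hostname"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_broken_agents(DEVICES):
        print(f"{finding['hostname']}: Carbon Black agent broken ({finding['reason']})")
```

The AD condition is what separates "broken agent" from "retired machine": ws-004 is stale in both sources and is left out, because chasing decommissioned hardware wastes the response team's time. The thresholds are parameters so the same function can be re-run with a wider stale window when tuning the query.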
Result:
Ok, we found devices with no agents: now what?
Great, so now we’ve got this list of non-compliant devices. What do we do with it?
This is where the “enforcement” part of our cybersecurity observability comes in. We’ve got four tricks up our sleeves:
Send out notifications (because who doesn’t love another email, right?)
Create incident tickets in your favorite ITSM tool (Jira, ServiceNow, you name it)
Tell another agent to isolate or un-isolate a device (for those “uh-oh” moments)
Deploy and run files, or even initiate a device scan (if the stars align and the device is reachable)
Summary
And there you have it, folks! That’s how we turn the invisible threat of broken agents into a manageable, observable process. It’s not always pretty, but it gets the job done.
Remember, this is just 2 out of 14 standard use cases we help our customers with as part of our CAASM Concierge service. And guess what? You can get it for free!
Cybersecurity is a never-ending game of hide and seek. But with the right tools and a bit of observability magic, we can shine a light on those hidden threats.
Stay vigilant, keep querying, and may your agents always be functioning!