Securing Servers Overview

Agent

The SenseDeep server agent is a lightweight process that is installed on your server instances. It secures your servers by constantly watching for threats and compromises that are best observed from inside the server.

Cloud Connection

The SenseDeep agent is monitored by the SenseDeep service. SenseDeep maintains a semi-permanent connection to the agent so that any attempt to tamper or bypass the SenseDeep agent is detected. For example: if the agent is forcibly terminated, SenseDeep will raise an alert.

Performance

The SenseDeep agent is a user-level process that monitors all critical system functions. It is tiny, at less than 4 MB, and uses less than 1% of the system's CPU resources. It is so lightweight that you can also run it inside your containers.

The agent uses the most efficient Linux APIs for secure monitoring, including inotify and BPF packet filtering, so that in most cases it can monitor system resources without polling. Where such event mechanisms could be bypassed by an attacker, additional checking mechanisms are used to ensure robust detection of threats.

For self-defense, the agent uses a hardened runtime created over 10 years in developing secure embedded applications.

To minimize the attack surface, the agent does not open any listening ports. It opens a single outbound connection to the SenseDeep service.

Rules

The SenseDeep agent will determine the unique configuration for the server and create a fingerprint representing the server. The SenseDeep service uses this fingerprint to create a rule set describing what services and system components to monitor on the server. The rule set is updated regularly as new rules are developed by SenseDeep or to adapt to a changing server configuration.

Sensors

SenseDeep extends sensors into the O/S, file system and processes to capture important security information. These include:

Threat Detectors

The SenseDeep agent utilizes an extensive set of threat detectors to constantly check the operation of your server. These work in concert with existing mechanisms like AppArmor and SELinux.

SenseDeep detects a wide variety of threats including:

Alerting

When a threat or compromise is detected, the SenseDeep agent will send a secure alert to the SenseDeep service. There it will be analyzed and your account security status will be updated if required. This may trigger notifications or other cloud-side defenses.

The agent will capture the full context of the threat in the alert report. Other network-based security products typically struggle to get full context. The SenseDeep agent, by running on the server or container, can capture the exact and complete environment at the time of the threat.

The agent takes several steps to optimize alert delivery. If multiple threats of the same kind are detected in quick succession, the alerts are coalesced into a single alert. The agent is careful not to consume too much system resource in the event of multiple threats and alerts. This ensures the agent cannot itself cause a denial of service.
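The coalescing and rate-capping behaviour described above, as an added illustration written for this page (constructed code, not the SenseDeep agent's own; the window length, the per-window cap and the alert fields are assumptions):

```python
import time
from dataclasses import dataclass, field

@dataclass
class Alert:
    kind: str           # detector category, e.g. "file-modified" (assumed name)
    first_seen: float   # timestamp of the first event folded into this alert
    last_seen: float
    count: int = 1      # raw detections represented by this alert
    context: dict = field(default_factory=dict)  # snapshot from the first event

class AlertCoalescer:
    """Fold repeated detections of one kind into one alert and cap alerts per window,
    so a detection flood cannot turn the agent itself into a denial of service."""

    def __init__(self, window=5.0, max_per_window=20):  # assumed defaults
        self.window = window
        self.max_per_window = max_per_window
        self._pending = {}     # kind -> Alert still accumulating events
        self._delivered = []   # delivery timestamps, for the rate cap
        self.dropped = 0       # alerts shed by the rate cap

    def report(self, kind, context, now=None):
        """Record one raw detection; return an Alert if one became due."""
        now = time.monotonic() if now is None else now
        pending = self._pending.get(kind)
        if pending is not None and now - pending.first_seen < self.window:
            pending.count += 1        # same kind inside the window: coalesce
            pending.last_seen = now
            return None
        due = self._flush(kind, now)  # an expired alert of this kind goes out first
        self._pending[kind] = Alert(kind, now, now, 1, dict(context))
        return due

    def flush_expired(self, now=None):
        """Deliver every pending alert whose window has closed (call periodically)."""
        now = time.monotonic() if now is None else now
        expired = [k for k, a in self._pending.items() if now - a.first_seen >= self.window]
        return [a for a in (self._flush(k, now) for k in expired) if a is not None]

    def _flush(self, kind, now):
        alert = self._pending.pop(kind, None)
        if alert is None:
            return None
        self._delivered = [t for t in self._delivered if now - t < self.window]
        if len(self._delivered) >= self.max_per_window:
            self.dropped += 1         # shed load rather than exhaust ourselves
            return None
        self._delivered.append(now)
        return alert
```

Alerts keep the context of the first event and a count of how many detections they stand for, so nothing is lost when a burst is folded; the `dropped` counter records what the cap shed, which a real agent would report once the burst subsides.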

Local Defenses

For some threats, it may be appropriate to enact immediate local defenses on the server. SenseDeep provides the following local defenses:

These can be configured by creating Automated Responses in the SenseDeep App.

Agent Registration

See Also

© SenseDeep® LLC. All rights reserved. Generated at 05:29:37 Sep 22, 2017. Privacy Policy and Terms of Use.