Protecting your agent? SNARE Windows Agent Security


SUMMARY

Jul 06, 2015

The Snare agent reads from the windows event logs that are protected by ACLs (access control lists) to prevent them from being changed. The only way to change the logs while the machine is running is to clear them and you need administrative permissions to do. Also since the logs are being used all the time by the machine, the machine would have to be taken offline to make changes.

The Snare agent can detect the possible changes as follow:

  • The agent has an Event Count which increments. This would show if you are missing logs. (For example, logs numbers jump from 3500 event count to 3900)

  • The agent provides TLS encryption to protect the data while in transmission.

  • The Snare agent has a heartbeat that can be enabled on the agent for whatever time interval you would like. If the heartbeat log is missing, a notification could be created depending on the SIEM product, that could tell you something has possibly happened.

A trace log feature can be turned on, this would show if the configuration has changed.