SecureWorks to Snare Enterprise agent migration
Due to the announcement that the SecureWorks agent is now EOL, many customers are now migrating to the Snare Enterprise agent. A feature comparison of the 2 agents can be found below:
A number of options and tools can help streamline the migration and ensure a simple transition for customers. When migrating between agents, there are 2 things to consider:
the licensing function within the Enterprise agent.
the difference in default auditing policies between the SecureWorks agent and Enterprise agent.
There are 2 methods of licensing in the new Enterprise agents:
Standalone licensing. This method requires the unique KeyIDs associated with an individual agent to be uploaded to a license in the portal. A new license is then generated, which can be downloaded and applied to the agent via its web UI. Sales/Support will need to prepare licenses to be used in this way, so please discuss with your sales person/presales consultant how you will need to use the software.
Snare Agent Manager (SAM) licensing. The SAM is a free tool, available in base form on the Windows platform or as part of the Snare Central product (separately licensed), that helps customers streamline licensing management in larger deployments. Licenses can be added to the SAM and automatically assigned to agents that have the necessary configuration. The SAM can also provide other useful capabilities, such as remote upgrading of Windows agents to later versions (requires an additional license for Agent Management) and license utilisation overviews. More information can be found in Overview - Snare Agent Manager Documentation - Confluence (atlassian.net).
The differences in the default policies applied by the SecureWorks and Snare Enterprise agent are highlighted below:
SecureWorks default policies. Collects all Application & System logs, as well as Active Directory Service, Domain Name Server, DFS-Replication, Legacy FRS and all Security events except event IDs 4627, 5156 and “Filtering platform events” that are generated by the snare process.
Snare Enterprise agent default policies. Collects all Application, System & Custom logs, as well as Active Directory Service, Domain Name Server, DFS-Replication and high-level Security events from Logon_Logoff, Process_Events, User_Group_Management_Events, Reboot_Events, Security_Policy_Events, User_Right_Events & Other_Object_Access_Events.
When choosing a migration method, ensure you select the correct method for the policies you want to inherit.
The list below details the various migration methods (with links to each guide) and when they should be used:
Reinstall (Install Wizard - Standalone Licensing) - Snare Solutions - Confluence (atlassian.net) - Should be used when a small number of agents are being upgraded. All existing settings will be replaced with default Snare policies and the settings supplied during install, and the previous SecureWorks agent will be replaced. This will be a manual process on each system and can become time-consuming with a larger volume of agents. Maintenance of the license is manual, and the license will need to be replaced for every new subscription period.
Reinstall (MSI Builder - SAM Licensing) - Snare Solutions - Confluence (atlassian.net) - Can be used to centrally deploy a large volume of agents to the estate; embeds the configuration with the MSI and sets the license configuration for the SAM to issue licenses on deployment. All existing settings will be replaced with default Snare policies and the settings supplied during “Export configuration with SAM modification - Snare Solutions - Confluence (atlassian.net)”, and the previous SecureWorks agent will be replaced. Will utilise Snare default policies for log collection. This option is not suitable for standalone licensed agents, as each host license key will still need to be updated.
Reinstall (Silent installer - SAM Licensing) - Snare Solutions - Confluence (atlassian.net) - Can be used to centrally deploy a large volume of agents to the estate, including license configuration set for the SAM to issue licenses on deployment. All existing settings will be replaced with default Snare policies and the settings supplied during “Export configuration with SAM modification - Snare Solutions - Confluence (atlassian.net)”, and the previous SecureWorks agent will be replaced. Maintenance of the license is performed in one location, the SAM, for the fleet of agents deployed.
In place upgrade (Install Wizard - Standalone Licensing) - Snare Solutions - Confluence (atlassian.net) - Should be used when a small number of agents are being upgraded. All existing settings will be maintained and the previous SecureWorks agent replaced. This will be a manual process on each system and can become time-consuming with a larger volume of agents. Maintenance of the license is manual, and the license will need to be replaced for every new subscription period.
In place upgrade (MSI Builder - SAM Licensing) - Snare Solutions - Confluence (atlassian.net) - Can be used to centrally deploy a large volume of agents to the estate; embeds the configuration with the MSI and sets the license configuration for the SAM to issue licenses on deployment. Will maintain all existing configuration from the SecureWorks agent. This option is not suitable for standalone licensed agents, as each host license key will still need to be updated.
In place upgrade (Silent installer - SAM Licensing) - Snare Solutions - Confluence (atlassian.net) - Can be used to centrally deploy a large volume of agents to the estate, including license configuration set for the SAM to issue licenses on deployment. Will maintain all existing configuration from the SecureWorks agent. Maintenance of the license is performed in one location, the SAM, for the fleet of agents deployed.