Devo Endpoint Agent 2.0 by Snare
Overview
The Snare agents are a set of lightweight collectors that let you get data from your endpoints in a way very similar to the current Devo Endpoint Agent. They can be deployed on endpoints, on Windows Event Collector (WEC) servers, or even on SQL database servers.
Key benefits
By using the Endpoint Agent by Snare, you will benefit from:
An easy deployment procedure for both your agents and your Agent Manager.
Centralized agent upgrades performed from the Snare Agent Manager Console (SAMC).
Centralized configuration of agents via policies.
Removal of the current Devo Endpoint Agent's limit of 200 EPS per endpoint for Windows agents.
Support for native Windows Event Forwarding. By deploying the Endpoint Agent in the Windows Event Collector, you can leverage the native Windows Event Forwarding structure so you do not need to deploy an agent to every endpoint and still gain observability on your fleet.
Native agent for MSSQL systems.
Improved data concentrator throughput by using Devo Relay to send data, removing the need for several managers to accommodate the load.
Devo Endpoint Agent 2.0 reference architecture
The Endpoint Agent 2.0 supports a wide range of scenarios depending on the use case and requirements of your organization.
The reference architecture depicted in the above image shows a typical setup where Snare Agents are deployed on the several types of endpoints that can exist in an organization's fleet. The agents are managed by a centralized Snare Agent Manager, which resides on a Windows server. The collected data is then forwarded via TCP to a Devo Relay, which acts as an aggregator, tagging the events and forwarding them to the Devo platform for analysis and storage.
Key components
Snare Agents: The agents can be installed in different types of endpoints across your organization network. Their main function is to collect detailed event log data from their respective servers. Snare Agents can automatically fetch configuration and policy updates from the Snare Agent Manager, which simplifies management and ensures that all agents are consistently configured.
Snare Agent Manager Console (SAMC): Central management console that resides on a Windows server in your network. The Snare Manager is responsible for defining groups of agents, managing configurations, and distributing policy updates. Administrators use the Snare Manager to apply uniform policy settings across all Snare Agents, which ensures that all collected event data is consistent and in accordance with organizational security policies. The SAMC is not mandatory in the Endpoint Agent architecture; however, its use is highly encouraged. Smaller deployments or test environments may not require a manager, so they can be set up quickly.
Devo Relay: The Devo Relay is a dedicated service that receives event data from Snare Agents. It acts as a secure transfer point, filtering and enriching the event data before it is sent to the Devo platform. The relay ensures that the data transfer to Devo is efficient and secure, minimizing the exposure of the internal network to the outside. The Devo Relay is a mandatory component when deploying the Endpoint Agent architecture.
Devo Platform: This is the final destination for the event data collected by Snare Agents. Devo is a cloud-based data analytics platform that provides tools for real-time data analysis, alerting, and visualization. It allows organizations to gain insights from their data to detect security threats, compliance issues, and to make informed decisions.
Hardware recommendations
| Relay | |
|---|---|
| CPU | 2 vCPU |
| Memory | 8 GB |
| Hard disk | The hard disk capacity should be twice the required disk buffer |
| Official documentation | |
| Snare Agent Manager minimum | |
|---|---|
| Operating system | Supported Windows or Windows Server version. Refer to the Platform Support Matrix |
| CPU | 2 vCPU |
| Memory | Base OS usage + 1 GB |
| Hard disk | 5 GB available |
| Official documentation | |
Snare Manager Environment Sizing

| Agent environment size | CPU recommendation | Memory recommendation |
|---|---|---|
| 1000 | 2 logical processors | 4 GB memory |
| 2000 | 4 logical processors | 4 GB memory |
| 5000 | 10 logical processors | 6 GB memory |
| 10000 | 20 logical processors | 8 GB memory |
| 25000 | 40 logical processors | 8 GB memory |