Notes on Deployment

How and when to deploy endpoint agents?

Depending on your use case and environment, you can deploy agents in one of the models listed below.


1. On-Demand Deployment

In this model, agents are deployed on demand whenever you want to collect evidence from an endpoint or perform triage, and uninstalled once you are done.

It is suitable for MSPs or consultants who need to perform IR tasks on the spot and leave once done. Because no agent is present before an incident, this model does not work with the Triggers feature, which enables real-time evidence acquisition/triage.


2. Always-Ready Deployment

In this model, agents are deployed on the endpoint before an alert is received from your internal security solutions. This way, you can start evidence acquisition/triage whenever you need to, without the hassle of deploying an agent, calling IT admins, coordinating with other key people, and so on.

An example scenario:

  • It is 3:00 AM,

  • Your SIEM generates an alert for an endpoint running Mimikatz,

  • AIR receives the alert via a trigger you previously created for your SIEM,

  • It starts collecting evidence in real time, just like taking pictures of a crime scene!

Having these pictures alongside the alert you receive not only decreases response time by orders of magnitude but also greatly increases the situational awareness of your analysts.


Comparison

On-Demand                                  Always-Ready
------------------------------------------ ------------------------------------------------
Best for MSPs and consultants              Best for enterprises and SOCs
Requires time to deploy at scale           Lets you respond without losing a second
Cannot integrate with SIEM/SOAR/EDRs       Automates response to SIEM/SOAR/EDR alerts
