The SenseDeep server agent is a lightweight process that is installed on your server instances. It secures your servers by constantly watching for threats and compromises that are best observed from inside the server.
The SenseDeep agent is monitored by the SenseDeep service. SenseDeep maintains a semi-permanent connection to the agent so that any attempt to tamper with or bypass the SenseDeep agent is detected. For example: if the agent is forcibly terminated, SenseDeep will raise an alert.
The SenseDeep agent is a user-level process that monitors all critical system functions. It is tiny, at less than 4MB, and uses less than 1% of the system's CPU resource. It is so lightweight that you can also run it inside your containers.
The agent uses the most efficient Linux APIs for secure monitoring, including inotify and BPF packet filtering. In this way it can monitor system resources without polling in most cases. To ensure robust detection of threats, other checking mechanisms are also used in cases where these event mechanisms could be bypassed by attackers.
For self-defense, the agent uses a hardened runtime refined over 10 years of developing secure embedded applications.
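The paragraph above makes a point worth seeing in code: event sources such as inotify only report changes that pass through the kernel path they hook, so a change made while the watcher was down, through a path it does not cover, or against the underlying storage produces no event. The complementary check is a content baseline that is re-verified on a schedule. The following is an added example, not SenseDeep's code: the directory tree, file names and contents are constructed for the demo, and the `build_baseline`/`verify_baseline` functions are assumptions about how such a check could be structured.

```python
"""Periodic file-integrity check that complements event-driven monitoring.

Added example, not SenseDeep's code. A baseline of SHA-256 content hashes
plus permission bits is recorded once and compared later; any change is
found regardless of how it was made, so this covers the cases where an
event-based watcher (inotify) would have seen nothing.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file content, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and mode for every regular file under root."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline; return added/removed/modified paths."""
    current = build_baseline(root)
    findings = {"added": [], "removed": [], "modified": []}
    for rel in current.keys() - baseline.keys():
        findings["added"].append(rel)
    for rel in baseline.keys() - current.keys():
        findings["removed"].append(rel)
    for rel in current.keys() & baseline.keys():
        # A content change or a permission change both count as a modification
        if (current[rel]["sha256"] != baseline[rel]["sha256"]
                or current[rel]["mode"] != baseline[rel]["mode"]):
            findings["modified"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict:
    """Build a baseline over a constructed tree, change it, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample tree standing in for a few system files
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Constructed changes: a config edit, a new file, and a removed binary.
        # None of these went through a watcher, yet all are reported.
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("* * * * * root /opt/unknown/run\n")
        (root / "bin" / "ls").unlink()
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be stored where the monitored host cannot silently rewrite it (the page's design of sending findings to a separate service fits that), and the verification interval bounds how long a bypass of the event path can go unnoticed.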
To minimize the attack surface, the agent does not open any listening ports. It opens a single outbound connection to the SenseDeep service.
The SenseDeep agent will determine the unique configuration for the server and create a fingerprint representing the server. The SenseDeep service uses this fingerprint to create a rule set describing what services and system components to monitor on the server. The rule set is updated regularly as new rules are developed by SenseDeep or to adapt to a changing server configuration.
SenseDeep extends sensors into the O/S, file system and processes to capture important security information. These include:
- Log files
- Filesystem files
- Audit files
- Network traffic via the packet filter
The SenseDeep agent uses an extensive set of threat detectors to constantly check the operation of your server. These work in concert with existing mechanisms like AppArmor and SELinux.
SenseDeep detects a wide variety of threats including:
- Modifications to critical system files.
- Installation of unauthorized software and files.
- Execution of unauthorized processes.
- Unauthorized login attempts.
- Attempts to circumvent security.
- Denial of service attacks.
- Incorrect cloud configuration.
- Probes of network ports.
- Probes of http web servers.
- Probes of account logins.
When a threat or compromise is detected, the SenseDeep agent will send a secure alert to the SenseDeep service. There it will be analyzed and your account security status will be updated if required. This may trigger notifications or other cloud-side defenses.
The agent will capture the full context of the threat in the alert report. Other network-based security products typically struggle to get full context. The SenseDeep agent, by running on the server or container, can capture the exact and complete environment at the time of the threat.
The agent takes several steps to optimize alert delivery. If multiple threats of the same kind are detected in quick succession, the alerts are coalesced into a single alert. The agent is careful not to consume too many system resources in the event of multiple threats and alerts. This ensures the agent cannot itself cause a denial of service.
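The coalescing and resource-bounding behaviour described above can be shown in a small piece of code. This is an added example, not SenseDeep's code: the `Alert`/`Report` shapes, the window measured from the first occurrence, and the cap on open reports are assumptions about one reasonable design, and the alert stream is constructed with injected timestamps so the result is deterministic.

```python
"""Coalescing repeated alerts of the same kind, with a bound on memory use.

Added example, not SenseDeep's code. Alerts with the same (kind, subject)
inside a time window merge into one report carrying a count and first/last
timestamps. The window is measured from the first occurrence so that a
continuous flood still yields one report per window rather than none.
The number of distinct open reports is capped so an attacker who varies the
subject on every event cannot make the agent grow without limit.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    kind: str            # e.g. "login-failure", "port-probe", "file-modified"
    subject: str         # what the alert is about, e.g. a source IP or a path
    timestamp: float     # seconds, supplied by the caller
    details: dict = field(default_factory=dict)


@dataclass
class Report:
    kind: str
    subject: str
    count: int
    first_seen: float
    last_seen: float
    sample: dict         # details of the first occurrence only


class AlertCoalescer:
    def __init__(self, window: float = 60.0, max_open: int = 1000):
        self.window = window
        self.max_open = max_open
        self._open: dict = {}   # (kind, subject) -> Report
        self.dropped = 0        # alerts discarded because the open-report cap was hit

    def ingest(self, alert: Alert) -> list:
        """Add one alert; return any reports whose window has closed."""
        flushed = self.flush(alert.timestamp)
        key = (alert.kind, alert.subject)
        report = self._open.get(key)
        if report is not None:
            report.count += 1
            report.last_seen = alert.timestamp
        elif len(self._open) < self.max_open:
            self._open[key] = Report(alert.kind, alert.subject, 1,
                                     alert.timestamp, alert.timestamp,
                                     dict(alert.details))
        else:
            self.dropped += 1   # counted, so the loss itself is reportable
        return flushed

    def flush(self, now: float, force: bool = False) -> list:
        """Emit reports whose window has expired (or all of them when forced)."""
        done = [k for k, r in self._open.items()
                if force or now - r.first_seen >= self.window]
        return [self._open.pop(k) for k in done]


def demo() -> tuple:
    """Run a constructed alert stream through a small coalescer."""
    c = AlertCoalescer(window=10.0, max_open=2)
    stream = [Alert("login-failure", "198.51.100.7", t) for t in (0, 1, 2, 3, 4)]
    stream.append(Alert("port-probe", "198.51.100.7", 2.5, {"port": 22}))
    stream.append(Alert("file-modified", "/etc/passwd", 3.0))   # third key: over the cap
    stream.append(Alert("login-failure", "198.51.100.7", 11.0))  # closes the first window
    emitted = []
    for alert in stream:
        emitted.extend(c.ingest(alert))
    emitted.extend(c.flush(now=11.0, force=True))   # shutdown: push out what is left
    return emitted, c.dropped


if __name__ == "__main__":
    reports, dropped = demo()
    for r in reports:
        print(f"{r.kind} {r.subject} x{r.count} [{r.first_seen}..{r.last_seen}]")
    print("dropped:", dropped)
```

The cap makes a trade-off explicit: under a deliberate flood the agent loses detail rather than memory, and because drops are counted the service can still see that a flood occurred.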
For some threats, it may be appropriate to enact immediate local defenses on the server. SenseDeep provides the following local defenses:
- block-attacker — to block the attack at the server iptables firewall
- slow-attacker — to slow the attack's network traffic
- kill-process — to kill any unauthorized process
These can be configured by creating Automated Responses in the SenseDeep App.
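The block-attacker defense listed above acts on an address taken from hostile traffic, which makes input handling the security-relevant part of the response. The following is an added example, not SenseDeep's code: the `NEVER_BLOCK` ranges, the expiry comment format and the function names are assumptions about how an agent could build such a rule defensively, and no rule is applied unless `apply_block` is called with `dry_run=False`.

```python
"""Building a temporary iptables block for an attacking source, safely.

Added example, not SenseDeep's code. Three checks before anything reaches
iptables: the value must parse as an IP address (no shell, no string
interpolation, so a crafted "address" cannot smuggle extra arguments);
loopback, unspecified, multicast and configured never-block ranges are
refused, so a spoofed source cannot trick the agent into cutting off its own
uplink or an operator's access; and every block carries an expiry, so a
transient probe does not become a permanent rule.
"""
import ipaddress
import subprocess
from typing import Optional

# Constructed for the demo: ranges the agent must never block, e.g. the
# service uplink or a bastion network. Real values come from configuration.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def build_block_rule(source: str, now: int, duration_s: int = 3600) -> Optional[list]:
    """Return an iptables argv for a temporary DROP of source, or None if refused."""
    try:
        addr = ipaddress.ip_address(source.strip())
    except ValueError:
        return None   # not an address at all: garbage or an injection attempt
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    if not 0 < duration_s <= 86400:
        return None   # refuse permanent or absurdly long blocks
    tool = "ip6tables" if addr.version == 6 else "iptables"
    # The comment records the expiry epoch so a sweeper can remove stale rules.
    return [tool, "-I", "INPUT", "-s", str(addr),
            "-m", "comment", "--comment", f"sensedeep-block expires={now + duration_s}",
            "-j", "DROP"]


def apply_block(source: str, now: int, duration_s: int = 3600,
                dry_run: bool = True) -> Optional[list]:
    """Build the rule and, unless dry_run, execute it without a shell."""
    argv = build_block_rule(source, now, duration_s)
    if argv is not None and not dry_run:
        subprocess.run(argv, check=True)   # argv goes straight to execve
    return argv


if __name__ == "__main__":
    for candidate in ("198.51.100.7", "2001:db8::1", "127.0.0.1",
                      "10.1.2.3", "198.51.100.7 -j ACCEPT"):
        print(candidate, "->", apply_block(candidate, now=1700000000))
```

A matching sweeper that lists INPUT rules, parses the `expires=` comment and deletes rules past their time completes the design; the kill-process and slow-attacker responses warrant the same pattern of validating the attacker-influenced value before acting on it.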