With the time-sensitive nature of incident response investigations, delays in gaining access to endpoints and collecting data can have serious consequences—giving threats more time to spread through a network. In our latest State of Enterprise DFIR report, 34% of respondents ranked “Do not have the right access or permissions to acquire data” as having a large to extreme impact on investigations.
To help simplify and expedite your access to endpoints, we have introduced Shared Agents! Prior to introducing Shared Agents, a unique ad-hoc agent needed to be installed on the endpoint for each AXIOM Cyber instance, even if one was previously deployed via a separate instance. We heard your feedback, and that’s why we’ve simplified the approach with agents that can be shared across all of your instances of AXIOM Cyber.
Sharing Agents Within Your Organization
Shared Agents are an entirely new type of agent that can call back to multiple instances of AXIOM Cyber within your team. To avoid overloading individual Agent Status Dashboards with every shared agent in an organization, Agent Placeholders are used to include shared agents in a collection. Every AXIOM Cyber instance manages its own collection activities, and the shared agents call back to see if a collection is required.
As with the existing ad-hoc agents in AXIOM Cyber, Shared Agents are specific to the supported endpoint operating systems of Windows, Mac, and Linux, but you now only need one agent per OS. Shared Agents can also utilize all of the existing AXIOM Cyber agent features, such as Queued Collection, Targeted Location Profiles, and Volatile Artifacts.
Check out the video featuring Dean Carlson, Senior Product Manager, for an expanded explanation and visualization of the Shared Agent.
For more information on implementing shared agents in your organization, check out the knowledge base article on our support site (login required).
Benefits of Shared Agents
Using Shared Agents in your organization can provide a range of benefits to your DFIR workflow:
- Reduced Agent Overhead – By employing shared agents, your security team will have fewer agents to deploy and manage, simplifying whitelisting to a single agent per operating system.
- Simplified Access to Endpoints – Accessing existing agents deployed to endpoints helps to remove barriers to quickly and effectively collecting the data you need to perform your investigation.
- Ease of Scalability – As your team scales and you need to add additional AXIOM Cyber licenses, these new licenses can be easily integrated into the organization and granted access to deployed shared agents.
Shared Agents provide several efficiencies for deploying, managing, and collecting from endpoints while maintaining the existing, non-concurrent collection scale of AXIOM Cyber. If you need a solution with concurrent collections, we also have you covered—check out Magnet IGNITE for concurrent triage of endpoints. For enterprise DFIR teams looking to further scale up their DFIR investigations, check out Magnet AUTOMATE Enterprise for automated concurrent collection and parallel processing of evidence from multiple targets and data sources.
Shared Agents will require a security certificate, which can be generated by your security operations or IT team. We don’t recommend using an existing certificate on your system, as this would be a potential security risk. If you need some help with this, check out this article on how to generate self-signed certificates.