It goes without saying that the Swimlane Turbine is exciting in the world of security automation. I am personally very excited, however, about one particular new feature that is an important part of Turbine – remote agents. I believe they will be a game changer in the world of SOAR and XDR.
(If you haven’t heard of the Swimlane Turbine, read about it.)
When I joined Swimlane, the first product effort I did was the launch of Swimlane Cloud. Anyone who has worked on a project to launch a cloud offering knows that it can be difficult. Once you’ve resolved the security concerns, one of the hardest parts is deciding how to connect from the cloud to on-premises services like Jira, ServiceNow, Exchange, etc. Standard options are tedious and painful for everyone involved.
That’s why I’m crazy about remote agents. They are the perfect solution for this all-too-common pain point.
What are Remote Agents?
Remote agents are dynamic sensors that enable the intelligent collection of telemetry sources that are hard to reach. The secure architecture makes it easy to connect Turbine to internal applications and systems without spending time configuring complex networks or multiple VPNs.
Above: the Turbine remote agent installation window.
For enterprise security teams, remote agents make it easy to maintain seamless connectivity across multiple business units or segmented environments. It’s easier to manage multiple infrastructures, which is helpful for managed security service providers (MSSPs).
How Do Turbine Remote Agents Work?
Remote agents are designed to sit between Turbine in the Swimlane Cloud and on-premises services. They interact directly with Turbine's Active Sensing Fabric.
Agents start listening for jobs as soon as they are deployed using a simple bash script. This script is configured within Turbine, and after entering some fairly basic information you have a script that installs a remote agent. It's almost magic.
Once installed, Turbine orchestrates all agent activities. It provides an action to be performed; once the agent receives the job, it executes the action in an inner container and, when the results come back, sends them to Turbine. Throughout the flow, Turbine never directly accesses any on-premises resource, only the agent itself, which may be sitting securely in a DMZ or other isolated network. This is a way to get data from siloed components without having to worry about challenging VPN connections or firewall configurations.
Above: a diagram of how remote agents work in automation workflows.
Remote agents communicate securely with Swimlane Turbine over an outgoing connection on port 443. They are assigned to a pool, and you assign work to that pool through playbooks. It is possible to have multiple work pools within a Turbine to which playbooks pass work.
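To make the pull model described above concrete, here is a small in-process simulation added for this post (it is not Swimlane's code, and the class names, pool names, job format and actions are all invented). The cloud side only queues work per pool and stores results; each agent polls its own pool over what would be its outbound connection, runs the action through an explicit allow-list standing in for the inner container, and reports back. A job routed to the wrong pool fails on the agent and the failure travels back as data.

```python
from collections import defaultdict, deque

class CloudOrchestrator:
    """Stand-in for the Turbine side: queues jobs per work pool, stores results.
    It never connects to an agent; agents reach it over their own outbound
    HTTPS (port 443) session, so no inbound firewall rule or VPN is needed."""
    def __init__(self):
        self.queues, self.results, self._next_id = defaultdict(deque), {}, 1
    def dispatch(self, pool, action, **args):   # called by a playbook
        job = {"id": self._next_id, "action": action, "args": args}
        self._next_id += 1
        self.queues[pool].append(job)
        return job["id"]

    def poll(self, pool):                       # agent -> cloud (outbound)
        return self.queues[pool].popleft() if self.queues[pool] else None

    def report(self, job_id, result):           # agent -> cloud (outbound)
        self.results[job_id] = result

class RemoteAgent:
    """Stand-in for an on-premises agent in a DMZ. `actions` is an explicit
    allow-list of callables, standing in for the isolated inner container."""
    def __init__(self, pool, orch, actions):
        self.pool, self.orch, self.actions = pool, orch, actions
    def run_once(self):
        job = self.orch.poll(self.pool)         # pull model: never pushed to
        if job is None:
            return None
        try:
            handler = self.actions[job["action"]]   # KeyError if not allowed
            result = {"ok": True, "data": handler(**job["args"])}
        except Exception as exc:                # failures travel back as data
            result = {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
        self.orch.report(job["id"], result)
        return job["id"]

def demo():
    """Constructed scenario: two pools in different networks, one job each, plus one misrouted job."""
    orch = CloudOrchestrator()
    exchange = RemoteAgent("dmz-exchange", orch,
                           {"search_mailbox": lambda mailbox, subject: {"hits": 2}})
    jira = RemoteAgent("branch-jira", orch, {"create_issue": lambda summary: {"key": "SEC-101"}})
    orch.dispatch("dmz-exchange", "search_mailbox", mailbox="soc@example.test", subject="phish")
    orch.dispatch("branch-jira", "create_issue", summary="Phishing triage")
    orch.dispatch("branch-jira", "search_mailbox", mailbox="x", subject="y")
    for agent in (exchange, jira, jira, exchange):   # the last poll finds nothing
        agent.run_once()
    return orch.results
```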
Why Security Teams Are Excited
The power it unleashes for an analyst or orchestrator is immeasurable. This allows a Turbine instance to communicate with multiple on-premises resources, all potentially from completely different networks. You can do more, with less effort. A SOAR engineering team lead said it best to an enterprise technology leader:
“The remote agent feature is a game-changer as we seek to efficiently manage multiple infrastructures for our diverse customer base.”
In the image below, you can see a simple representation of how Remote Agents interact with Turbine and the on-site resources. In this example, we used the Microsoft Exchange server as the on-premises resource, but it could be anything: ServiceNow, Jira, or any other source from which Turbine needs to take data and act automatically, all driven from the playbook.
Above: how remote agents interact with Turbine resources.
Swimlane Turbine, using Remote Agents, has the potential to allow any company to unleash powerful next-generation XDR capabilities.
*** This is a Security Bloggers Network syndicated blog from Swimlane (en-US) written by Melissa Espinal. Read the original post at: https://swimlane.com/blog/security-automation-turbine-remote-agents/