On Endpoint Sensing

By Anton Chuvakin | July 03, 2013 | 13 Comments

Would you deploy another agent-based tool on all your desktops and servers in order to gain visibility on what is *really* happening on those endpoints?

The tools I am talking about here can:

  • Collect endpoint data such as running processes (including those with no file on disk), handles, DLLs, network connections, open ports, loaded drivers, Windows services, users, select files, registry entries, routing and ARP table entries, browser history – and A LOT more.
  • Centralize the data (by periodic polling, near-real-time collection, or distributed data access) and make it available for fast, indexed searching (such as for IOCs or other clues).
  • Post-process (analyze) the data to identify anomalies such as rare processes, unusual connections, and other higher-level patterns by using baselining or other means
  • Provide an interactive data exploration interface that allows one to explore the data and hunt for indicators.
  • Sometimes, also alert based on freshly collected patterns such as a new process, connection, account, etc., or based on an “anomaly score” of the observed activity.
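
The centralize, baseline and search steps in the list above can be illustrated with a small "stacking" (least-frequency) analysis over process inventories. This is an added example, not code from the original post or from any product; the record fields, host names and hash placeholders are constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed inventory: 20 hosts, each reporting (name, image hash, path)."""
    common = [("svchost.exe", "h-svc", r"C:\Windows\System32\svchost.exe"),
              ("explorer.exe", "h-exp", r"C:\Windows\explorer.exe")]
    records = []
    for i in range(1, 21):
        host = f"ws-{i:03d}"
        records += [dict(host=host, name=n, image=h, path=p) for n, h, p in common]
    # Constructed outliers: a look-alike binary in a user profile, and a
    # process with no backing file on disk (path is None).
    records.append(dict(host="ws-007", name="svchost.exe", image="h-x1",
                        path=r"C:\Users\bob\AppData\Roaming\svchost.exe"))
    records.append(dict(host="ws-013", name="upd.exe", image="h-x2", path=None))
    return records

def stack(records):
    """Index: (name, image, path) -> set of hosts where it was observed."""
    index = defaultdict(set)
    for r in records:
        index[(r["name"], r["image"], r["path"])].add(r["host"])
    return index

def rare_processes(records, max_fraction=0.05):
    """Return entries seen on at most max_fraction of hosts, rarest first."""
    index = stack(records)
    total = len({r["host"] for r in records})
    baseline = {}  # process name -> (host count, most widely seen path)
    for (name, _, path), hosts in index.items():
        if len(hosts) > baseline.get(name, (0, None))[0]:
            baseline[name] = (len(hosts), path)
    findings = []
    for (name, image, path), hosts in index.items():
        if len(hosts) / total > max_fraction:
            continue
        reasons = ["rare"]
        if path is None:
            reasons.append("no file on disk")
        elif baseline[name][1] != path:
            reasons.append("unusual path for common name")
        findings.append({"name": name, "image": image,
                         "hosts": sorted(hosts), "reasons": reasons})
    return sorted(findings, key=lambda f: (len(f["hosts"]), f["name"]))

def search_ioc(records, field, value):
    """Stand-in for indexed search: hosts with a record matching an indicator."""
    return sorted({r["host"] for r in records if r[field] == value})
```
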

But before you scream in fear “Nooooo! Not another agent that just collects data!” … THINK!

It is 10PM … do you REALLY know what your endpoints are doing? After all, a reported 2-3% of them are compromised/infected at any given time…

Logs via SIEM (cannot see the events and details not logged), network forensics (cannot see local activities and those not on your network), endpoint DLP (can only see data movement), EPP/AV (can only see some malware) only go so far in giving you environment visibility. At some point you realize that a lot of investigative and monitoring tasks would go much easier with that extra level of endpoint visibility. We also seem to be seeing reduced resistance to such agent deployments (presumably following the logic of “would you like our agent or …ahem… a Chinese agent on your system?”).

So, would you trade large-scale agent deployment/management headaches for another level of visibility? The answer often hinges on this:

Would you know what to do with all the new data? Do you clearly understand how it will help you detect and investigate incidents?

If your answer is a firm “YES! and YES!”, then it is likely that you will soon be on the market for such technology.

Finally, let me share a little secret on how to find money to get such a tool. Assume you will have an incident soon (a very easy assumption to make, I assure you). Would you rather investigate it by hiring experts for 4 weeks (4 x 40) at $600/hr (for a total of almost $100k) or would you rather investigate it yourself or with minimal (say 8 hours) help from said pricy experts? The difference may well cover the tool – and that is based on ONE incident…

P.S. Still don’t want that new agent? In this case, you do have another choice. Threaten your EPP (aka “anti-virus”) vendor that you will replace their wares with those of another vendor – one that also gives you endpoint visibility. In fact, why aren’t more EPP/AV vendors doing it? One investor in the emerging endpoint monitoring start-up explained it by invoking BDS…. It is very likely that enlightened EPP vendors will soon start using their agent tools for additional endpoint sensing, while the dumb ones will continue to insist that EPPs “prevent malware problems.”

P.P.S. This space/segment really has no accepted name: vendors call them “endpoint intelligence”, “endpoint analytics”, “host investigations”, “compromise assessment”, etc. Got a name you like? The name “endpoint forensics” is typically reserved for a much more in-depth analysis of an individual system and likely won’t be used for this.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.


  • Gary Smith says:

    Already vendors moving in that space such as Tanium. Good to see it being pushed as an integrated agent rather than another piece of code. We don’t necessarily need another agent, we need the agents we already have to work collaboratively and build on that.

  • @gary Thanks for the comment. Indeed, Tanium is on my list as well and the briefing is being scheduled.

    Re: integrated agent – this sounds good, but may or may not beat the “nice small agent for one purpose.” EPP is already an integrated agent, but new agent types for new missions are appearing…

  • Anton, take a look at CrowdStrike’s Falcon Platform. It does everything you mention above and much more!

    Dmitri Alperovitch
    Co-Founder and CTO
    CrowdStrike Inc.

  • I *am* taking a look, ain’t I? 🙂 It is being scheduled and your tool will absolutely be featured in my research – so don’t worry….

  • Gilbert says:

    Anton, we have developed what you mentioned over the last few years, our technology is called Sentinel. We’re capturing the behaviour of machines down to a process level to understand what is normal. Check us out at or get in touch if you need more info.

    Gilbert Verdian

  • @gilbert Well, I did look at the website and it does look interesting. Please brief me via

  • Anton, great article. I work with endpoint security since 1994. Since 2005 I do not trust in antivirus. This product that you describe does not exist yet?

    I’m resale Bit9 and he has many of the functions mentioned, and integrate with various manufacturers SIEM.

    The Parity could be this solution?

    Paulo Lopes

  • @paulo

    The products like that do exist, and I am looking at them. Thanks for Bit9 reference – if you can have them brief me on their product, I’d appreciate it.

  • Garth Schwer says:

    Hi Anton,

    Was Paulo able to get back to you regarding Bit9 end point tools?

    I do some Bit9 pre-sales in Australia and can connect you with someone technical in the company if you need. Email me if interested.

  • Marcelo says:

    To “enhance” your list, take a look at CarbonBlack. PS.: I don’t work for them.

  • @marcelo They are MOST DEFINITELY on my list and, in fact, served as one of the initial inspirations for this entire research project.

  • @garth Not yet, so far nobody contacted me from Bit9. I need to look up their contacts in our vendor database….

  • Paulo Lopes says:

    Hi Anton

    I will ask Bit9 to send you information about the product.