Swimlane Turbine is a big step forward for security automation, but the part of it I am most excited about is one specific new feature: remote agents. I believe they will be a game changer for how SOAR and XDR platforms reach the systems they need to act on.
(If you haven’t heard about Swimlane Turbine yet, read about it here.)
When I joined Swimlane, the first product effort I worked on was the launch of Swimlane Cloud. Anyone who has launched a cloud offering knows it is hard. Once the security concerns are addressed, one of the hardest remaining problems is how the cloud service connects back to on-premises services such as Jira, ServiceNow and Exchange. The usual options, site-to-site VPNs and inbound firewall exceptions, are tedious and painful for everyone involved.
That’s why I am so jazzed about remote agents. They are the perfect solution for this all-too-common pain point.
What are Remote Agents?
Remote agents are small components deployed inside a network that collect telemetry from, and take actions on, systems that Turbine in the cloud cannot reach directly. Because the agent connects outbound to Turbine, you can connect internal applications and systems without building complicated network paths or multiple VPNs.
Above: the Turbine remote agent installation window.
For enterprise security teams, this means one Turbine instance can reach systems across multiple business units or segmented networks. It also makes it easier to manage multiple separate infrastructures, which is especially useful for managed security service providers (MSSPs).
How Do Turbine Remote Agents Work?
Remote agents are designed to sit between Turbine in Swimlane Cloud and the on-premises services. They interact directly with Turbine’s Active Sensing Fabric.
You generate the installation script in Turbine by entering some basic details about the agent. Run that bash script on the target host and the agent is installed and immediately starts waiting for jobs. It's almost magic.
Once installed, Turbine orchestrates all of the agent's activity. It hands the agent an action to perform; the agent executes that action in a local container, collects the result and sends it back to Turbine. At no point in the flow does Turbine access an on-premises resource directly. It talks only to the agent, which can sit in a DMZ or another segregated network. That is how you get data out of siloed systems without VPN tunnels or inbound firewall rules. One practical caveat: the agent host itself still needs network reachability to, and credentials for, the services it fronts, so treat it as a privileged bridge and scope both its network access and its credentials accordingly.
Above: a diagram of how remote agents work in automation workflows.
Remote agents communicate with Swimlane Turbine over an outbound HTTPS connection on port 443, so the only firewall change on the on-premises side is an outbound allow rule to Turbine. Each agent belongs to a pool, and playbooks route work to a pool rather than to an individual agent. A Turbine instance can run several pools, for example one per network segment or per customer, with playbooks passing work to whichever pool can reach the target system.
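The following is an added toy model of the job flow described in the two passages above (outbound-only agent, pool-based routing, local execution, results posted back). It is illustrative code written for this page, not Swimlane's agent or protocol: the pool names, endpoint paths, job fields, the `search_mailbox` handler and the mailbox data are all assumptions, and the "internal container" is replaced by a plain Python function. What it shows is the property that matters for the firewall: every call in the audit log is initiated by an agent, never by the cloud side, and an agent only ever sees jobs routed to its own pool.

```python
"""Toy model of the remote-agent flow described above.

This is an added illustration, not Swimlane's code or protocol: the pool names,
endpoint paths, job fields and handlers are all assumptions. The point it shows
is the direction of every network call: the orchestrator (standing in for
Turbine in the cloud) never connects to the agent; the agent polls outbound,
runs the action locally and posts the result back.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import uuid


@dataclass
class Job:
    job_id: str
    pool: str
    action: str
    params: dict
    result: Optional[dict] = None


class Orchestrator:
    """Cloud side: one job queue per agent pool plus an audit log of who initiated each call."""

    def __init__(self) -> None:
        self.queues: Dict[str, deque] = {}
        self.jobs: Dict[str, Job] = {}
        self.audit = []  # (initiator, endpoint); the cloud side must never be the initiator

    def dispatch(self, pool: str, action: str, params: dict) -> Job:
        """What a playbook does: queue an action for a pool, not for a specific agent."""
        job = Job(str(uuid.uuid4()), pool, action, params)
        self.queues.setdefault(pool, deque()).append(job)
        self.jobs[job.job_id] = job
        return job

    # Endpoints reached by the agent over its outbound HTTPS connection (assumed paths).
    def poll(self, agent_id: str, pool: str) -> Optional[Job]:
        self.audit.append((agent_id, "POST /jobs/poll"))
        queue = self.queues.get(pool)
        return queue.popleft() if queue else None

    def submit_result(self, agent_id: str, job_id: str, result: dict) -> None:
        self.audit.append((agent_id, "POST /jobs/result"))
        self.jobs[job_id].result = result


class RemoteAgent:
    """On-premises side: polls its pool, runs a handler for the local system, reports back."""

    def __init__(self, agent_id: str, pool: str, orch: Orchestrator,
                 handlers: Dict[str, Callable[..., object]]) -> None:
        self.agent_id, self.pool, self.orch, self.handlers = agent_id, pool, orch, handlers

    def run_once(self) -> Optional[str]:
        """One poll cycle; returns the handled job id, or None when the pool queue is empty."""
        job = self.orch.poll(self.agent_id, self.pool)
        if job is None:
            return None
        handler = self.handlers.get(job.action)
        if handler is None:
            # Only actions the agent was deployed with can run here.
            result = {"ok": False, "error": f"unknown action {job.action!r}"}
        else:
            try:
                result = {"ok": True, "output": handler(**job.params)}
            except Exception as exc:  # a failing job must not take the agent down
                result = {"ok": False, "error": str(exc)}
        self.orch.submit_result(self.agent_id, job.job_id, result)
        return job.job_id


# Stand-in for the "internal container" that talks to an on-premises service:
# a constructed mailbox table instead of a real Exchange server.
FAKE_MAILBOXES = {"alice@corp.example": ["invoice.pdf", "phish.html"]}


def search_mailbox(user: str, pattern: str) -> list:
    return [item for item in FAKE_MAILBOXES.get(user, []) if pattern in item]


def demo() -> dict:
    orch = Orchestrator()
    exchange_agent = RemoteAgent("agent-dmz-1", "dmz-exchange", orch,
                                 {"search_mailbox": search_mailbox})
    jira_agent = RemoteAgent("agent-bu2-1", "bu2-jira", orch, {})

    # A playbook routes two actions to the Exchange pool; one is not deployed on that agent.
    ok_job = orch.dispatch("dmz-exchange", "search_mailbox",
                           {"user": "alice@corp.example", "pattern": "phish"})
    bad_job = orch.dispatch("dmz-exchange", "purge_mailbox", {"user": "alice@corp.example"})

    jira_saw = jira_agent.run_once()            # other pool: nothing to do
    handled = [exchange_agent.run_once(), exchange_agent.run_once(), exchange_agent.run_once()]
    return {"jira_saw": jira_saw, "handled": handled,
            "ok": ok_job.result, "bad": bad_job.result, "audit": orch.audit}


if __name__ == "__main__":
    print(demo())
```

Two design choices carry over to a real deployment: work is addressed to a pool, so any agent that can reach the target segment may pick it up, and the agent only runs actions it was deployed with, so an orchestrator cannot turn the agent into a general-purpose shell on the inside of the network.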
Why Security Teams Are Excited
For an analyst or automation engineer this removes most of the connectivity work. A single Turbine instance can act on on-premises resources in several unrelated networks, so you can do more with less effort. A SOAR engineering team lead at an enterprise technology leader said it best:
“The remote agent feature is a game-changer as we seek to efficiently manage multiple infrastructures for our diverse customer base.”
The image below is a simple representation of how remote agents interact with both Turbine and the on-premises resources. In this example the on-premises resource is a Microsoft Exchange server, but it could be ServiceNow, Jira or any other system that Turbine needs to ingest data from and take action on, all driven from the playbook.
Above: how remote agents interact with Turbine resources.
With remote agents, Swimlane Turbine can extend its XDR automation to the on-premises systems a cloud platform could not otherwise reach, and that is what lets any company put these next-generation capabilities to work.