Deploying ThousandEyes Enterprise Agents in your corporate environment unlocks deep insights into every segment of your enterprise network. But remember, keeping everything running securely is a shared responsibility. So, what does that mean for you? Let’s dive in and explore the steps you need to take, tailored to the different types of Enterprise Agents.
What Are ThousandEyes Enterprise Agents?
ThousandEyes Enterprise Agents are embedded, intelligent probes that you deploy within your network to monitor performance and help troubleshoot issues. You can install Enterprise Agents in various ways: as a Linux package, a container, or a virtual/physical appliance. While many of our Enterprise Agent form factors are automatically configured to download and apply updates, certain security tasks require specific actions from you, as described in more detail below.
Working Together: Shared Responsibility for Security
Security is a team effort between you and ThousandEyes. Here’s how we divide the tasks:
1. What ThousandEyes Does:
- Automatic Updates: Where applicable, we make sure the Enterprise Agent gets software updates from upstream operating system vendors automatically.
- Security Standards: We adhere to security guidelines from the Center for Internet Security (CIS) and follow Cisco’s secure development lifecycle requirements (CSDL).
- Regular Scans: We continuously evaluate our Enterprise Agents and address issues by releasing new versions at regular intervals.
- Package Management: We update and distribute our Enterprise Agent packages through official ThousandEyes channels.
2. What You, the System Admin, Need to Do:
- Vulnerability Management: Keep your operating system and environment secure by ensuring that apt and yum repositories are accessible.
- Deploy Updates: Regularly update the container images and reboot managed appliances when necessary to make sure the underlying operating system is properly patched.
Going Deeper: Unique Requirements To Maintain Your Enterprise Agents
Your responsibilities for keeping your Enterprise Agents secure change a bit depending on how you install the Enterprise Agents. Here’s a quick look at how:
1. Linux Package Installations:
- Shared Role: You are responsible for managing the operating system and environment. We provide the Enterprise Agent software packages. Our software will be updated through ‘unattended upgrades’ or ‘yum-cron’ when new packages become available through our official ThousandEyes repositories. But you are responsible for ensuring that the ‘unattended upgrades’ or ‘yum-cron’ process is working effectively.
2. Container Installations (Docker, Cisco Devices, Meraki, Webex VMN):
- Shared Role: Containers are designed to be ephemeral, functioning as disposable units. They are meant to run specific tasks and be replaced frequently, allowing for the rapid integration of new features and the application of security fixes. To fully leverage the intended container lifecycle, we regularly release updates for our container images. You need to arrange for the rollout of these updates, particularly for devices that cannot be updated automatically—namely, standard Docker and Cisco CAF-enabled device deployments.
- Standard Docker: ThousandEyes typically provides an update every two weeks.
- Cisco CAF (Cat9k): ThousandEyes typically provides an update every two months.
- Cisco Meraki/Cisco Webex: New images are deployed automatically.
- Sure, but what’s best? Since containers aren’t meant to run indefinitely, cycle them out regularly to receive our latest features and security updates. That’s a win-win. We’d recommend working towards a monthly cadence of redeploying our latest container image throughout your organization.
- How do I…? There are many easy ways to orchestrate the redeployment of OCI-compliant images on a wide variety of platforms. If you need help in doing so, please reach out to our excellent Customer Engineering crew! These are fun problems to solve.
3. Managed Appliance Installations (TEVA, TEPA, TEPi):
- ThousandEyes’ Role: We take care of the appliance if it remains "locked." This includes updates to both the Enterprise Agent and the underlying operating system.
- Your responsibility is to reboot the appliance a handful of times each year, and we plan on making that even easier in the near future.
- Even Distro upgrades? Absolutely. You’ll be notified within the ThousandEyes SaaS of any appliances that require an operating system update. You can use our SaaS or the local web frontend to your Enterprise Agent appliance to trigger the upgrade. As we reach out directly to customers when a particular Ubuntu release is nearing the end of standard support, we will be in touch about the jump to Jammy Jellyfish before too long.
In a Nutshell
No matter how you set up your Enterprise Agents, our core Agent software (te-agent) is set by default to update every two weeks. But remember, a mature security program adopted throughout your network is crucial to keeping your entire on-prem footprint safe. By understanding and managing your responsibilities, as listed in this blog post and on corresponding documentation, you can keep your ThousandEyes Enterprise Agents secure and performing at their best while also benefiting from our latest features.
Those Dreaded Gotchas
We understand that perpetually maintaining Linux systems on-premises is not a hobby that many people find rewarding. What’s more, scanning on-prem endpoints of this nature can be a total annoyance, prone to false positives and other time-consuming pitfalls.
As the majority of ThousandEyes deployments to date have been based on Ubuntu and Red Hat, it is important to note that these vendors have for years followed the practice of backporting critical operating system patches. We’ve found that quite a few scanners can misattribute a version if the tool’s logic is not properly tuned to the backporting process. A good example of this ongoing confusion is the openssl package. Given a particular vulnerability, there are occasions where you will need to view the Ubuntu Security Notice (USN) or Red Hat Security Bulletin (RHSB) to make certain that the patch has been issued by the vendor, as a security scanning tool may erroneously report a ‘vulnerable version’ without taking into account that backported patches have been applied.
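The backporting false positive described above, as an added example that is not ThousandEyes code: it compares a Debian/Ubuntu-style package version two ways, by upstream version only (the mis-tuned scanner) and by full package version against the vendor notice's fixed version, using dpkg's ordering rules. The version strings are constructed for illustration and are not taken from any USN; RPM-based systems use a different comparison.

```python
def _order(ch):
    # dpkg ordering: '~' sorts first, then letters, then other symbols.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare one version component by alternating text and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            ob = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        si, sj = i, j
        while i < len(a) and a[i].isdigit():
            i += 1
        while j < len(b) and b[j].isdigit():
            j += 1
        na, nb = int(a[si:i] or 0), int(b[sj:j] or 0)  # numeric, so 9 < 12
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision] into its three parts."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    """Return -1, 0 or 1 for full package versions a and b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def naive_flag(installed, upstream_fixed):
    # Mis-tuned scanner: looks only at the upstream part of the version.
    return _cmp_part(_split(installed)[1], upstream_fixed) < 0

def backport_aware_flag(installed, vendor_fixed):
    # Correct check: full package version vs. the notice's fixed version.
    return deb_compare(installed, vendor_fixed) < 0

# Constructed values for a hypothetical package (not from a real notice).
INSTALLED = "1.1.1f-1ubuntu2.20"      # what the package manager reports
UPSTREAM_FIXED = "1.1.1n"             # upstream release carrying the fix
VENDOR_FIXED = "1.1.1f-1ubuntu2.12"   # fixed version named in the notice
```

With these values the upstream-only comparison flags the host, while the comparison against the vendor's fixed version shows the backported patch is already installed.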
As a general rule for any responsible sysadmin, we recommend checking on your Enterprise Agents every month to ensure that automatic updates are active. And in the case of Docker deployments, we recommend orchestrating a redeployment of your containers once a month. Naturally, you can take advantage of a multitude of automation options to accomplish these goals while invoking the machine learning assistant of your choosing. That way, your hands-on involvement is minimized.
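One way to script the monthly "are automatic updates active" check for Linux package installations, covering both the ‘unattended upgrades’ and ‘yum-cron’ cases mentioned earlier (an added example, not ThousandEyes tooling). It assumes the flat `APT::Periodic::…` directive form and the `[commands]` section of yum-cron.conf; the file paths in the docstrings are typical locations, and the sample file contents are constructed.

```python
import configparser
import re

# Flat-form directive, e.g.  APT::Periodic::Unattended-Upgrade "1";
APT_DIRECTIVE = re.compile(r'^\s*APT::Periodic::([\w-]+)\s+"([^"]*)"\s*;')

def apt_periodic_problems(conf_text):
    """Problems in the text of e.g. /etc/apt/apt.conf.d/20auto-upgrades."""
    values = {}
    for line in conf_text.splitlines():
        match = APT_DIRECTIVE.match(line.split("//", 1)[0])  # drop // comments
        if match:
            values[match.group(1)] = match.group(2)
    problems = []
    for key in ("Update-Package-Lists", "Unattended-Upgrade"):
        raw = values.get(key)
        if raw is None:
            problems.append(f"{key} is not set")
        elif not raw.isdigit() or int(raw) == 0:  # "0" disables the job
            problems.append(f"{key} is {raw!r}, not a positive day interval")
    return problems

def yum_cron_problems(conf_text):
    """Problems in the text of e.g. /etc/yum/yum-cron.conf."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    problems = []
    for key in ("download_updates", "apply_updates"):
        try:
            enabled = parser.getboolean("commands", key, fallback=False)
        except ValueError:  # value is not yes/no/true/false/on/off/1/0
            enabled = False
        if not enabled:
            problems.append(f"{key} is not enabled under [commands]")
    return problems

# Constructed sample files: package lists refresh, but upgrades never apply.
SAMPLE_APT = '''// constructed sample
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
'''
SAMPLE_YUM = '''# constructed sample
[commands]
update_cmd = default
download_updates = yes
apply_updates = no
'''

if __name__ == "__main__":
    for problem in apt_periodic_problems(SAMPLE_APT) + yum_cron_problems(SAMPLE_YUM):
        print("WARN:", problem)
```

This checks configuration only; confirm separately that the update timer or service is running and that the repositories are reachable.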
We should underscore the fact that our legendary Customer Engineering team is happy to assist if you have any questions.
Thanks for your time and continued dedication to security. We certainly couldn’t do it without you.
Additional Resources
https://ubuntu.com/security/notices
https://access.redhat.com/security/vulnerabilities
https://security.alpinelinux.org/
https://docs.thousandeyes.com/product-documentation/global-vantage-points/enterprise-agents/configuring/firewall-configuration-for-enterprise-agents