Tachyon Activity Record: Historic data and forensics

Jason Keogh
Jun 15, 2019

There are three core factors to Tachyon. First, the communications architecture, which enables concurrent connectivity for up to 1.5 million endpoints even over high-latency, non-corporate connections. Second, the use of distributed computing rather than centralized data gathering and storage. Third, the ability to extend Tachyon: the lightweight, modern agent abstracts direct OS access behind a cross-platform, easy-to-understand “SCALE” language, and our simple but powerful REST API complements it; between them they provide rapid extensibility and flexibility in Tachyon applications.

This extensible, distributed computing approach tied to massively scalable and resilient comms architecture makes Tachyon lightweight on the network and endpoint, and capable of providing real-time access to data from endpoints. Typical Tachyon “instructions” return live data from endpoints, providing visibility and control of what is happening right now, in real-time, across millions of endpoints, regardless of their network connectivity type.

However, sometimes we want to look at historic data rather than real-time data. This may be to understand trends over time, to inform root cause analysis, or to identify “Patient Zero” for a security incident.

The “Tachyon Activity Record”, or TAR for short, is a component of the agent which provides historic data across a multitude of useful data points. Tachyon is also, as ever, extensible, so customers and partners can create additional historic data stores by leveraging Agent Storage methods – essentially enabling the historic storage of any data that Tachyon can return (which is almost any data a device can provide).

Tachyon Activity Record – Let’s dive in to the TAR

TAR stores and aggregates data about the following activities, on all endpoints:

  1. DNS Lookups
  2. TCP Connections
  3. ARP Cache Modifications
  4. Process Execution
  5. Process Stabilization
  6. Process Usage
  7. Software Installations and Removals
  8. User Usage

Data is stored in a local, compressed and encrypted persistent store, which persists during an Agent upgrade, uninstall and re-installation, unless specifically deleted.

Many instructions exist which leverage this data, and users can leverage TIMS (the Tachyon Instruction Management Studio) to query this data as simple data tables with SQLite commands. These tables are identified with a leading $ symbol.

Each data element has “Live” data which by default stores the last 5,000 occurrences of the activity and “Hourly”, “Daily” and “Monthly” tables which aggregate the number of occurrences of the activity over 24 hours, 31 days and 12 months by default. All of these default values can be modified on an endpoint by endpoint basis by updating the agent configuration file on the endpoint.
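As an added illustration (not 1E's code and not TAR's actual schema), the following Python/SQLite model shows how the retention scheme just described behaves: a capped "Live" table of individual occurrences plus "Hourly", "Daily" and "Monthly" rolling counters, queried as $-prefixed tables. The table names, columns and sample DNS lookups are constructed for the example; only the default retention figures and the leading-$ convention come from the page.

```python
import sqlite3

# Default retention figures quoted above: live = last 5,000 occurrences,
# hourly = 24 hours, daily = 31 days, monthly = 12 months.
RETENTION = {"Live": 5000, "Hourly": 24, "Daily": 31, "Monthly": 12}

# Hypothetical table names; the real TAR schema is not given, only the "$" prefix.
LIVE, HOURLY, DAILY, MONTHLY = ('"$DnsLookupLive"', '"$DnsLookupHourly"',
                                '"$DnsLookupDaily"', '"$DnsLookupMonthly"')

def open_store():
    """Create the four tables in an in-memory database (a stand-in for the agent store)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {LIVE} (ts TEXT, host TEXT, result TEXT)")
    for t in (HOURLY, DAILY, MONTHLY):
        db.execute(f"CREATE TABLE {t} (bucket TEXT PRIMARY KEY, count INTEGER NOT NULL)")
    return db

def _trim(db, table, keep, order_col):
    # Keep only the newest `keep` rows, emulating the rolling windows.
    db.execute(f"DELETE FROM {table} WHERE rowid NOT IN "
               f"(SELECT rowid FROM {table} ORDER BY {order_col} DESC LIMIT ?)", (keep,))

def _bump(db, table, bucket, keep):
    # Increment the counter for one time bucket, creating it on first sight.
    db.execute(f"INSERT OR IGNORE INTO {table} VALUES (?, 0)", (bucket,))
    db.execute(f"UPDATE {table} SET count = count + 1 WHERE bucket = ?", (bucket,))
    _trim(db, table, keep, "bucket")

def record_lookup(db, ts, host, result):
    """ts is ISO-8601 'YYYY-MM-DDTHH:MM:SS'; bucket keys are prefixes of it."""
    db.execute(f"INSERT INTO {LIVE} VALUES (?, ?, ?)", (ts, host, result))
    _trim(db, LIVE, RETENTION["Live"], "rowid")
    _bump(db, HOURLY, ts[:13], RETENTION["Hourly"])   # YYYY-MM-DDTHH
    _bump(db, DAILY, ts[:10], RETENTION["Daily"])     # YYYY-MM-DD
    _bump(db, MONTHLY, ts[:7], RETENTION["Monthly"])  # YYYY-MM

def first_seen(db, host):
    """Earliest retained occurrence of a host on this endpoint (a 'Patient Zero' style query)."""
    return db.execute(f"SELECT MIN(ts) FROM {LIVE} WHERE host = ?", (host,)).fetchone()[0]

def hourly_counts(db):
    return dict(db.execute(f"SELECT bucket, count FROM {HOURLY} ORDER BY bucket"))

# Constructed sample lookups, not real data.
SAMPLE = [
    ("2019-06-14T09:05:10", "updates.example.com", "203.0.113.5"),
    ("2019-06-14T09:17:42", "cdn.example.net", "198.51.100.7"),
    ("2019-06-14T10:01:03", "updates.example.com", "203.0.113.5"),
    ("2019-06-15T08:30:00", "lookup-me.example.org", "NXDOMAIN"),
]
```

Because the retention windows are enforced on the endpoint, a host's true first appearance is only recoverable while it is still inside the live window, which is the reason the forensics section below recommends periodically offloading TAR data.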

But wait, there’s more

At 1E we recognized from the very start that customers and partners would want to extend and change the functionality that Tachyon provides over time. Rather than storing and retrieving data in files that instructions create on local disks, which is one possibility, it is recommended that anyone writing instructions who wishes to store data persistently use the “Storage.Set()” and “Storage.Get()” SCALE methods. These allow the user to store any data they want in the endpoint's persistent data store – which is then, by default, encrypted and compressed (and ergo preferable to flat file storage). This can be used to store simple key/value pairs or any structured data you prefer, for example JSON, which can in turn be easily worked with using the “Utilities.TableFromJson()” and “Utilities.JsonFromTable” methods.

Forensic forensics

TAR data is stored on each endpoint, therefore, if an endpoint is compromised or lost, the data may be compromised or lost. It is possible to retrieve historic data on a periodic basis, or based on a trigger condition and offload or persist that data to a secondary source (a SIEM tool, file or database for example). It is also possible to deploy forensic toolkits with Tachyon instructions and perform forensics suitable for legal evidentiary use.

Conclusion

Tachyon has several features useful for historical data analysis, trending and root cause analysis. These can be extended and complemented with third-party tooling if required. Data is stored, by default, on the endpoint, but can be consolidated back to persistent data stores if required or desired. All of this is in addition to the real-time data query capabilities which are the mainstay of the Tachyon product.
