NPM and Threat Detection with Device Management Services (DMS)

Device Management Services is a SaaS offering that pulls data from multiple devices into one console and allows global changes to be made to network devices.

The LiveAction Device Management Service (DMS) is a SaaS offering that allows LiveWire & ThreatEyeNV devices to be managed and monitored at scale and in bulk from a single dashboard.

What Products Include DMS?

LiveWire and ThreatEye use network probes that enable the DMS portal.

These probes are devices or programs placed on key nodes in a network to collect and monitor data and to extend network visibility to remote sites.

What Problem Does a DMS Solve?

There are many hardware and software appliances distributed throughout any given enterprise-level network. While the benefits of having packet-level visibility into the whole network are clear, the many hardware and software appliances distributed throughout a network can be difficult to manage on a large scale. A DMS SaaS solves that problem.

LiveAction provides a centralized DMS portal to manage and make global changes to all LiveWire and ThreatEye Devices on a network.

The DMS Portal is hosted on AWS as a part of a larger service known as cloudkeys.liveaction.com The DMS Portal consists of the following software components:

• web server – nginx
• REST – API
• authentication server – okta
• database – mongo
• user interface – react

The DMS Agent with LiveWire and ThreatEye is the liaison between the DMS Portal and the device. The DMS Agent running on the network probe, implemented as a service in the communicates using a REST-API to share data between the device and the DMS portal.

The DMS Service is an option in LiveAdmin that is enabled by default.

DMS Communications

The diagram below illustrates how the communication flow between the device, the DMS, and other cloud based services that the DMS uses.

Both sides of the DMS communicate through a REST-API. Within the DMS on the LiveAction side, the DMS service communicates with the device through the LiveAction REST-API. Our DMS supports proxy services and zero-touch configuration.

All Communications between the ThreatEye and LiveWire devices and the DMS Portal are initiated by the device. This is more secure, and practical, since most enterprise networks allow connections to be done from the inside out, but not from the outside in. This means that all LiveWire configuration made by the user through the DMS Portal are queued up, and made only when the LiveWire connects outbound to the DMS Portal. This happens when the device connects to the DMS Portal, which occurs at 10-minute intervals. For more detailed specifications of the DMS API, please contact LiveAction.

DMS Registration

When a LiveWire or ThreatEye is first connected to the network, it will reach out to the DMS Portal and register itself through zero-touch configuration. The DMS Portal will use the serial number to match the device to the entry in the database.

Invite

When a customer purchases LiveWire or ThreatEye for the first time, a DMS account is created for them, the LiveWire or ThreatEye is added to the account, and the customer is sent an invite via email to login to their new DMS Portal Account. This takes them to a login on a cloudkeys page. You will not receive a second registration email if you purchase additional DMS supported products.

DMS Automatic Activation

During the registration process, the DMS Portal will also send the serial number and locking code to the EMS to activate the device and get a product key. The result of the activation is a license file that is installed onto the device. With the license installed, the user will be able to go right to work on creating a capture, and using their LiveWire.

DMS Functions

The DMS Portal provides the following functions to the user for managing and configuring LiveWire devices:

Device List The main UI for the DMS is a list of the devices that the customer has purchased. The list has a header row, followed by a row for each device.
Configure Button The Configure Button is used to configure the devices that are currently selected. If multiple devices are selected, certain configuration options are greyed out, like the Device Name.
Upgrade Button The Upgrade button is enabled when one or more of the devices are selected. The Upgrade Button allows the user to upgrade the selected devices remotely through the DMS. The DMS upgrade is the latest shipping version. There is no capability to downgrade to a previously released version.
Actions Button The Actions button allows the user to perform the following actions against the currently selected devices: Power Off, Reboot, Factory Reset.
Share Button The Share Button allows the user to share the devices with others who manage and configure them. Hitting the Share button will bring up a popup modal dialog with a list of shared users, and a field to add new users
Templates Button The Templates button allows the user to apply pre-defined configurations to the selected devices.

ThreatEye

ThreatEye’s probe extracts a rich metadata set of more than 150 packet dynamic features to support threat and anomaly detection, response, hunting, forensics, and compliance validation reporting ThreatEye’s software components scale to ingest network data directly from physical or virtual network taps at wire-speeds up to 40Gbps. All ThreatEye products include a DMS console.

Minimum Requirements: ThreatEye hardware recommendations are based on standard internet traffic composition per bandwidth. Therefore, the network traffic mix may affect performance.

LiveWire

LiveWire enables packet capture from virtually anywhere in the network extending network tracking to remote sites, branches, Cloud, WAN edge, LAN, and data centers.

LiveWire can be deployed as a hardware device or as a virtual product. LiveWire appliances are connected to the network with span ports or network packet brokers that capture north-south traffic. LiveWire Virtual captures north-south and east-west traffic. All LiveWire products include a DMS console.

Our diagram below includes the specifications for LiveWire products: