Comment on page
About the Spyderbat Nano Agent
Nano Agent operational principles, compatibility, network requirements and proxy support, general FAQ
Spyderbat collects data by deploying a lightweight “Nano Agent” for Linux based systems. The agent leverages eBPF (“extended Berkeley Packet Filter”) filters to build a continuous map of activity within and across systems.
Existing endpoint agents and system logs do not include the necessary information required by Spyderbat to build a complete, living map of causal activity within and across systems. Spyderbat’s Nano Agent is optimized to collect this information so that analysts can see the complete causal attack picture across systems, users, and time.
Spyderbat has observed minimal impact on system resources (CPU, memory), and minimal network bandwidth impact due to heavy compression.
Spyderbat currently supports the following Linux systems:
Spyderbat Nano Agents can be currently installed on the K8s clusters utilizing the following distributions:
Ensure that the systems running the Nano Agent have outbound access on port 443 to https://orc.spyderbat.com.
Yes. If you have a proxy configured and you have Linux environment variables like:
The installation script will automatically grab the environment variables from your terminal using the “-E” flag and pass those to the agent as required.
Yes. Spyderbat securely encrypts information sent by the Nano Agent to the Spyderbat backend using TLS.
The Nano Agent can be installed on any of the supported systems listed above as virtual or physical machines. Additionally, the Nano Agent collects metadata from AWS instances such as Cloud Tags, Region, Zone etc. To collect this metadata, ensure your AWS instances have an appropriate IAM (read only) role assigned to them such as “AmazonEC2ReadOnlyAccess”, see https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/security-iam-awsmanpol.html
To start the Nano Agent:
sudo systemctl stop nano_agent.service
To stop the Nano Agent:
sudo systemctl start nano_agent.service