Skip to main content

Sensor Overview for Intezer Protect

  • Updated

Intezer Protect's sensor is a lightweight agent that monitors software and activity in the compute resource it's installed on.

The sensor supports Linux VMs, containers, and Kubernetes.

For supported OS see Installation prerequisites.

For deployment information see Sensor Installation.

Performance and reliability

The sensor is designed and built from the grounds up with security and performance in mind. Only a small amount of telemetry data is collected as the sensor only focuses on collecting process information and new executable code.

Using the Rust programming language

The sensor is developed using Rust, a programming language focused on performance and reliability. Unlike other high-performant low-level programming languages, Rust guarantees memory-safety and thread-safety, which is critical for creating safe system components for production environments.

Rust is sponsored by AWS and is widely used for building safe system components in both Microsoft and Google.

Performance impact

The sensor was designed and built for low resource consumption purposes.

  • Average CPU usage is 0.5%
  • Average memory usage is 50 MB
  • Average network usage is 5 MB per day per asset
  • Sensor CPU and memory impact is limited using Linux kernel cgroups to 2% CPU usage and 250 MB memory usage (those are hard limits that are unlikely to be reached)
  • The primary data collected is process information and new executable code from memory or disk. Therefore, there's no need to collect large amounts of telemetry data.

Userspace

Userspace is the memory area where application software is executed. Protects sensors operate in userspace with no kernel module installation is needed.

Process activity monitoring

Protect sensors are designed to monitor only specific auditd events in order to keep a low performance overhead.

Sensors rely on the Linux Auditing System, AKA auditd, to monitor process activity.

In case auditd is already in use, the sensor supports multicast configuration, where audit events are sent to multiple processes.

For environments where auditd isn't available, the sensor can run in no-auditd mode, monitoring process information directly from /proc.

Required privileges

The sensor requires root privileges but does not require any kernel module.

Communication with Intezer Protect's backend

The sensor authenticates with the backend using an account-specific key. All data sent to Intezer Protect's backend is encrypted in transit using TLS.

Return to top