Arc overview
Arc™ is a host-based sensor that detects and defends against malicious or compromised endpoints, and insider attacks. You can use Arc sensors to aggregate data for analysis and reports, either on-premises, or in the Vantage cloud.
General
When detecting cyberthreats, identifying vulnerabilities, or analyzing anomalies in your processes, it is critical to have as much detailed network and system information as possible. More accurate and timely access to data leads to better diagnostics and a faster time to repair. Arc provides:
- Vulnerability assessment capabilities
- Endpoint protection
- Traffic analysis capabilities
- Accurate diagnostics of in-progress threats and anomalies, such as:
  - Malware
  - Rogue applications
  - Unauthorized universal serial bus (USB) devices
  - Suspicious user activity
Arc sensors are endpoint executables that run on hosts on these operating systems:
- Microsoft Windows
- Linux
- Apple macOS
Arc can run on workstations, or use Arc Embedded to run on embedded devices. For more information, see Arc Embedded.
The data that is collected can be sent to either Guardian or Vantage.
Use cases and deployment scenarios
Arc lets you:
- Incorporate air-gapped devices into the analysis and reporting system
- Gain deeper intelligence or insight on critical endpoint devices
- Continuously monitor endpoints
- Automatically deploy sensors across thousands of devices
- Use a low-impact process to scan air-gapped networks
- Deploy with mobile device management (MDM) solutions
Continuous monitoring
Because the Arc sensor runs on the host itself, it can monitor activity continuously, even while the device is not sending or receiving network traffic and would therefore be invisible to a purely network-based sensor.
User-specific activity monitoring
With more access to endpoint data, Arc lets you connect network traffic and anomalies with specific users. This helps to identify potential insider threats and makes corrective actions both easier and quicker.
Local behavioral analysis (Sigma rules)
Sigma is a common open-source standard for writing rules that analyze log files to identify malicious events. Such events are not necessarily related to network artifacts, so they would not be detected by a sensor that does not reside on the machine. Nozomi Networks Labs curates all the Sigma rules that are loaded into Arc. An active Threat Intelligence (TI) license is needed to receive curated rules from the upstream Nozomi endpoint.
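To make concrete what "local behavioral analysis with Sigma rules" means, here is an added, self-contained example that is not Nozomi's code and not one of the curated rules Arc ships with. It evaluates a small subset of the Sigma rule format (field selections with the `|contains`, `|startswith` and `|endswith` modifiers, and an `and`/`or`/`not` condition expression) against a few constructed process-creation events. The rule is written in Sigma's YAML structure but held as a Python dict so no YAML library is needed; the rule content, the event records and the `approved_deploy_tool.exe` filter value are all constructed for illustration.

```python
"""Minimal evaluator for a subset of the Sigma rule format (added example)."""
from typing import Any, Dict, List, Optional

# Constructed Sigma-style rule (not a Nozomi-curated rule): flag a PowerShell
# process started with an encoded command line, unless its parent is a
# hypothetical approved deployment tool. Matching is host-local: nothing here
# depends on network traffic.
RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell command line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-EncodedCommand", "-enc "],
        },
        "filter": {
            "ParentImage|endswith": "\\approved_deploy_tool.exe",
        },
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process-creation events, as a host sensor might record them.
EVENTS: List[Dict[str, Any]] = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Tools\\approved_deploy_tool.exe", "User": "SYSTEM"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"},
]


def _field_match(value: Any, expected: Any, modifier: Optional[str]) -> bool:
    """Compare one event field with a rule value; Sigma matching is case-insensitive."""
    if value is None:
        return False
    v, e = str(value).lower(), str(expected).lower()
    if modifier is None:
        return v == e
    if modifier == "contains":
        return e in v
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "endswith":
        return v.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def _map_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Every field in a selection map must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_field_match(event.get(field), c, modifier or None) for c in candidates):
            return False
    return True


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Recursive-descent evaluation of 'a and not (b or c)' over named selections."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr() -> bool:               # expr := term ('or' term)*
        left = term()
        while peek() == "or":
            take()
            right = term()
            left = left or right
        return left

    def term() -> bool:               # term := factor ('and' factor)*
        left = factor()
        while peek() == "and":
            take()
            right = factor()
            left = left and right
        return left

    def factor() -> bool:             # factor := 'not' factor | '(' expr ')' | IDENT
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return val
        if tok not in results:
            raise ValueError(f"unknown identifier in condition: {tok}")
        return results[tok]

    value = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return value


def evaluate(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """True when the event satisfies the rule's detection condition."""
    detection = rule["detection"]
    results = {name: _map_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def scan(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    for i in scan(RULE, EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: user={EVENTS[i]['User']} "
              f"cmd={EVENTS[i]['CommandLine']}")
```

Running the block reports only the first event: the second is suppressed by the `filter` map, and the third never satisfies `selection`. The `User` field carried on each event is what lets a host sensor tie a hit to a specific account, which is the link to the user-specific activity monitoring described above.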
Temporary deployment
It is not necessary to keep the Arc executable on a host after you have collected information. This means that you can remove it after data has been collected to conserve host resources, and maintain a clean host environment.