Starting with Sandfly version 4.2, the Scheduler supports two schedule types. The original (and default) Scan Hosts type runs sandflies automatically against the hosts already in the Sandfly database. The new Discover Hosts type automatically searches your network for hosts that are not yet in that database.
Host scan scheduling in Sandfly works differently from what you may be used to. Instead of fixed times, Sandfly uses a random scheduling mechanism. Setting up a random schedule is simple and automatic.
Random Schedule and Random Sandflies
Sandfly lets you set up a random time window in which sandflies run. You also select the percentage of active sandflies to send out on each run.
The idea is simple. Say you pick a window of 30-60 minutes and a percentage of sandflies to run, such as 20%. Sandfly picks a random time within that window (e.g. 39 minutes). When those 39 minutes have elapsed, Sandfly selects 20% of the active sandflies at random and uses them to investigate your systems. It then picks a new random time 30-60 minutes in the future and repeats the process with another randomly selected 20% of the sandflies.
The reason Sandfly does this is three-fold.
Reason One: Lower Impact
Random, small scheduling lowers the impact on the system because Sandfly performs many small, fast scans throughout the day instead of the huge monolithic scan once a day (or less often) that you may be used to.
Reason Two: Superior Coverage
By doing many small random scans, Sandfly gets superior coverage against attacks. A typical schedule easily reaches 100% coverage with sandflies. Instead of checking for a problem once a day, Sandfly can check for the same problem dozens of times each day, which leaves an attacker a much smaller window in which to remain undetected.
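To make the mechanism described under Random Schedule and Random Sandflies, and the coverage arithmetic behind Reason Two, concrete, here is a small simulation of the random schedule. It is an added example, not Sandfly's own code. The sandfly names are invented, and the uniform choice of delay within the window and the rounding of the percentage to a whole number of sandflies are assumptions of the example; the page only says the time is random within the window and that a percentage of active sandflies is chosen.

```python
import random
from collections import Counter

MINUTES_PER_DAY = 1440

# Constructed list of sandfly names standing in for the active sandflies in a
# Sandfly installation; the names are invented for this example.
ACTIVE_SANDFLIES = [f"sandfly_{i:02d}" for i in range(50)]


def next_delay(min_minutes, max_minutes, rng):
    """Pick the wait until the next run, uniformly inside the configured window (assumption)."""
    return rng.randint(min_minutes, max_minutes)


def pick_sandflies(active, percent, rng):
    """Choose a random subset of the active sandflies for one run."""
    count = max(1, round(len(active) * percent / 100))
    return rng.sample(active, count)


def simulate_day(active, min_minutes, max_minutes, percent, seed=0):
    """Play the random schedule forward for one day.

    Returns the list of (minute, sandflies_run) runs and a Counter of how many
    times each sandfly was dispatched during the day.
    """
    rng = random.Random(seed)
    clock = 0
    runs = []
    per_sandfly = Counter()
    while True:
        clock += next_delay(min_minutes, max_minutes, rng)
        if clock > MINUTES_PER_DAY:
            break
        chosen = pick_sandflies(active, percent, rng)
        runs.append((clock, chosen))
        per_sandfly.update(chosen)
    return runs, per_sandfly


def expected_runs_per_sandfly(min_minutes, max_minutes, percent):
    """Analytic estimate: daily run count (using the mean delay) times the chance of selection."""
    mean_delay = (min_minutes + max_minutes) / 2
    runs_per_day = MINUTES_PER_DAY / mean_delay
    return runs_per_day * percent / 100


def probability_never_checked(min_minutes, max_minutes, percent):
    """Approximate chance that a given sandfly is not selected at all during a day."""
    mean_delay = (min_minutes + max_minutes) / 2
    runs_per_day = MINUTES_PER_DAY / mean_delay
    return (1 - percent / 100) ** runs_per_day


if __name__ == "__main__":
    runs, per_sandfly = simulate_day(ACTIVE_SANDFLIES, 30, 60, 20, seed=1)
    print(f"{len(runs)} runs in the day; first run at minute {runs[0][0]} "
          f"with {len(runs[0][1])} sandflies")
    least = min(per_sandfly[s] for s in ACTIVE_SANDFLIES)  # Counter gives 0 for never-run
    print(f"least-checked sandfly ran {least} times")
    print(f"expected runs per sandfly: {expected_runs_per_sandfly(30, 60, 20):.1f}")
    print(f"chance a sandfly is never run: {probability_never_checked(30, 60, 20):.4f}")
```

With a 30-60 minute window and 20% per run, the mean delay of 45 minutes gives about 32 runs a day, so each sandfly runs about 6.4 times on average and has roughly a 0.8^32 (under 0.1%) chance of being skipped for a whole day. Raising the percentage or narrowing the window increases the per-sandfly check rate at the cost of more load, which is the trade-off between Reason One and Reason Two.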
Reason Three: Evasion Resistance
Randomness also increases Sandfly's evasion resistance. With some effort, attackers can evade scans that run on a fixed schedule, for instance by pausing activity or hiding artifacts around the known scan time. Because Sandfly's schedule is random, an attacker cannot predict when the next check will land or which sandflies it will carry, so evading it by timing is very difficult.
Host discovery schedules are intended principally, but not exclusively, for IP addresses and network blocks whose hosts change often or dynamically for any reason, yet live long enough to benefit from security scans. A Discover Hosts schedule searches the targeted addresses for new or changed hosts and updates Sandfly's host database accordingly.
Discovery Scans enable the following use cases:
- Automatically monitor a DHCP address pool for new Linux hosts.
- Secure address ranges and dynamic workloads at your cloud provider.
- Find unauthorized hosts that have appeared on your network.
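As an added example (not Sandfly's code) of what a discovery pass has to do with its result, the following reconciles the hosts seen on a targeted range against the known inventory and classifies them as new, changed or missing. It assumes a host is identified by its SSH host key fingerprint rather than by its IP address, so a DHCP lease handed to a different machine shows up as a changed host instead of silently inheriting the old record; the page does not state how Sandfly identifies hosts, and the addresses and fingerprints below are constructed.

```python
import ipaddress

# Constructed inventory (not real Sandfly data): IP -> SSH host key fingerprint.
# Using the fingerprint as the host identity is an assumption of this example.
KNOWN_HOSTS = {
    "10.20.0.10": "SHA256:aaaa",
    "10.20.0.11": "SHA256:bbbb",
    "10.20.0.12": "SHA256:cccc",
}

# Constructed result of one discovery pass over 10.20.0.0/24.
DISCOVERED = {
    "10.20.0.10": "SHA256:aaaa",   # unchanged
    "10.20.0.11": "SHA256:dddd",   # same IP, different machine (DHCP churn)
    "10.20.0.25": "SHA256:eeee",   # host not in the inventory yet
    # 10.20.0.12 did not answer this pass
}


def in_scope(ip, targets):
    """True if the address falls inside any of the targeted networks (CIDR strings)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in targets)


def reconcile(known, discovered, targets):
    """Compare one discovery result with the known inventory for the targeted ranges.

    Returns the sorted lists of new, changed and missing IPs plus the updated
    inventory. A host that did not answer is reported as missing but kept in
    the inventory: one unanswered pass is not proof that it is gone.
    """
    new, changed, missing = [], [], []
    updated = dict(known)
    for ip, fingerprint in discovered.items():
        if not in_scope(ip, targets):
            continue  # ignore anything outside the schedule's targets
        if ip not in known:
            new.append(ip)
        elif known[ip] != fingerprint:
            changed.append(ip)  # same address, different host identity
        updated[ip] = fingerprint
    for ip in known:
        if in_scope(ip, targets) and ip not in discovered:
            missing.append(ip)
    return {
        "new": sorted(new),
        "changed": sorted(changed),
        "missing": sorted(missing),
        "inventory": updated,
    }


if __name__ == "__main__":
    result = reconcile(KNOWN_HOSTS, DISCOVERED, ["10.20.0.0/24"])
    for kind in ("new", "changed", "missing"):
        print(f"{kind}: {result[kind]}")
```

The "changed" bucket is the one worth alerting on in a DHCP pool: the address is familiar, but the machine behind it is not, which is exactly the case a fixed host list keyed on IP would miss.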