Scheduling on Sandfly works differently than what you may be used to. Instead of fixed times, Sandfly uses a unique random scheduling mechanism. Setting up Sandfly to use a random schedule is simple and automatic.

Scheduler view.

Scheduler view

Random Schedule and Random Sandflies

Sandfly allows you to setup a random time window for Sandflies to run. Additionally, you select the percentage of active sandflies to run each time that will be sent out.

The idea behind this is simple. Say you pick a time between 30-60 minutes. Then you pick a random number of sandflies to run such as 20%. Sandfly will take that schedule and pick a random time in the future between 30-60 minutes (e.g. 39 minutes). When 39 minutes elapses, Sandfly will select 20% of the sandflies in the active pool and use them to investigate your systems. Then Sandfly will select a new time 30-60 minutes in the future and repeat the process with another 20% of the sandflies selected at random.

The reason Sandfly does this is three-fold.

Reason One: Lower Impact

Random and small scheduling lowers the impact of the system because we are doing many small fast scans throughout the day instead of huge monolithic scans once a day (or less) as you may be used to.

Reason Two: Superior Coverage

By doing many small random scans we get superior coverage for attacks. A typical schedule can easily get 1000% coverage with sandflies. Instead of checking for a problem once a day, Sandfly can check for the same problem dozens of times each day. This creates a much smaller window for an attacker to remain undetected.

Reason Three: Evasion Resistance

By being random, it increases the evasion resistance of Sandfly. Attackers can evade scheduled scans with some effort. Since Sandfly is random however, it makes evasion by a set schedule very difficult.

Previous Article:

Next Article: