What do you really know about your environment? I am not talking about your servers. Most organizations I visit meticulously maintain their servers. I am referring to endpoints—the devices in the field that are often managed by too many different people. Can you quickly find out what's installed on a group of computers or which applications are connecting out on a specific port? If you can get this data quickly, how much sense does it make to you? Are you having to take a messy report from one window and cross-reference it in another?
I can't count the number of times I've searched for an answer only to face overwhelming data. To be more specific, there's too much noise in that data. And that is the problem with managing endpoints. There is too much noise and too many inconsistencies. Because of this, endpoints are often the weakest link in your security footprint.
A single management pane and lightweight client
Action1, founded by the same team that started Netwrix, is a relative newcomer to the software-as-a-service (SaaS) approach to threat detection. Their approach is novel, fast, and accurate. As a newer product, it comes without the baggage that typically accompanies established SaaS products.
Starting an Action1 instance is incredibly easy. In their single management pane, your first step is to enroll clients by installing a small (3 MB) agent on machines. You can do this through a connector (a dedicated machine that reaches out to online machines) or install it through normal deployment methods. Unfortunately, there's no native MSI available, so Group Policy software deployment is a bit trickier. Hopefully, they'll package the standalone agent as an MSI in the future. Connector distribution is Action1's preferred method, and it works much like SCCM's client push installation. After installing the client in my test, it took about five minutes before data became available.
Action1 provides instant answers to your security questions
Before we dive any further though, let's talk about what Action1 is and what it isn't. Unlike traditional platforms, Action1 provides real-time data through its efficient polling protocol. When submitting a query to it, it actively collects and compiles data from clients.
This timely information can prevent small problems from turning into big problems. To see the power of this model, imagine quickly tracking down a ransomware outbreak by just asking where a process is running. This model also means that Action1's framework does not store important data.
Other than the information required to contact endpoints, Action1 does not store queried data. The opposite side of that coin is that there is no historical reporting. This may make detection or troubleshooting harder for you, since you might not have a baseline for comparison. Action1 provides the details and information when you need it. It is up to you to act on that information.
One standout feature of Action1 is the ability to perform Google-like searching for answers. Instead of sifting through a maze of reports or building custom queries, you just have to type in a question. Here are two examples I used: "What computers have Firefox installed?" and "What startup programs were recently added?"
The ability to query in a natural language makes Action1 incredibly intuitive. If you ask a vague question, it will lead you through breadcrumb categories to find the answers you need quickly. While this feature is already really good, I am excited to see how it evolves.
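Because Action1 keeps no history, a question like "what startup programs were recently added?" can only be answered relative to a baseline you keep yourself. The following PowerShell script is an added example (not Action1's code) that records the startup entries of a Windows endpoint and, on later runs, reports what has been added or removed since the baseline; the baseline path is an assumed default.

```powershell
# Added example: keep a local baseline of Windows startup entries and diff against it.
# Run once with -Update to record the baseline, then periodically to report changes.
param(
    [string]$BaselinePath = "$env:ProgramData\StartupBaseline.json",  # assumed location
    [switch]$Update
)

function Get-StartupEntries {
    # Win32_StartupCommand covers the Run/RunOnce keys and Startup folders for all users.
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Command  = $_.Command
            Location = $_.Location
            User     = $_.User
            # Stable key used to compare snapshots
            Key      = ('{0}|{1}|{2}' -f $_.Location, $_.Name, $_.Command)
        }
    }
}

$current = @(Get-StartupEntries)

if ($Update -or -not (Test-Path -Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$known = @{}
foreach ($entry in $baseline) { $known[$entry.Key] = $true }

$added   = $current  | Where-Object { -not $known.ContainsKey($_.Key) }
$removed = $baseline | Where-Object { $_.Key -notin $current.Key }

if ($added) {
    Write-Output "Startup entries added since baseline:"
    $added | Format-Table Name, Command, Location, User -AutoSize
} else {
    Write-Output "No new startup entries since baseline."
}
if ($removed) {
    Write-Output "Startup entries removed since baseline:"
    $removed | Format-Table Name, Command, Location, User -AutoSize
}
```

Scheduling this on each endpoint gives you the "recently added" answer that a real-time-only query model cannot provide on its own.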
A second feature I enjoyed was the real-time alerts that provide insights into the overall organization. Action1 creates a handful of alerts by default, and they all help bring about a more consistent endpoint environment.
Editions and improvements to Action1
Action1 is available in two editions: a free version and a subscription version. I've done all of my work in the free version, since it supports unlimited clients and any alerts. However, the free version has limited technical support and does not have scheduling features. The subscription version is licensed per client, has enhanced support, and provides additional details in alerts.
While I love the benefits of their real-time reporting model and the fact that Action1's environment does not store data, I do wish that there was a method (even in the subscription version) to create baselines in your environment. I am hoping they add this as an in-house component in the future. However, Action1 is a wonderful tool to gain additional insight into your most vulnerable clients. If you have not done so, I would recommend setting up the free version of Action1, especially after you see how easy it is to find your answers and monitor your environment.