L5 Sessionator

Hi @Shashanksinha ,
Thank you for writing to live community!

The Critical Environment version of the Cortex XDR agent is released as a performance-issue mitigation release for highly critical and highly regulated endpoints. Some examples would include "Do not Touch" servers which have to be decommissioned because of OS functionality issues, application criticality issues, etc., but whose decommissioning has not yet been prioritised, and where any install/uninstall or change to the environment can lead to further damage (e.g. a use case where an OS patch got corrupted and has broken some registry modules, and any new change to the registry can cause the server OS to crash).

These devices do not interact much with the outside world as they are kept well secured, and any changes on these servers could pose a high risk to the production environment as they are already low-scale systems. In such situations, where risk from the latest cyber attacks has to be sidelined to prioritise business operations, the CE version can come in handy, as in those circumstances it provides support for the agent functions and protection in the form of content updates against all the attack vectors that can be included in a content version. The advantage of the CE version is that it allows the agent to remain supported for a very long period of time without the need to upgrade frequently.

However, the demerits follow. The CE version agents are released for specific versions only, and they have a release cycle of almost more than 1 year. This means that any feature or capability included in new versions of Cortex XDR which depends on the latest agent will not work on the CE versions. Let's take the example of 7.5 CE. As of today's date, if a customer is on the 7.5 CE version on any agent, he loses the following:

  • Java Deserialisation Protection for Windows will not work on 7.5 CE, as it needs a minimum of 7.6.2 for detection and 7.7.1 for protection
  • Linux agent scanning and isolation would not be available
  • New OS version support will not be applicable to 7.5 CE
  • ASPX webshell tracking is available only with 8.0 and above and will be missed on 7.5 CE
  • Certain forensics triage for Windows 10 will not be available
  • Disable prevention rules would not work
  • Some new modules and capabilities of BTP included with agent 8.0.* and above will not be available (though this also holds for agent versions lower than this)

The above list can go on....

Hence, the use case for organisations to opt for CE versions would not be organisation-specific; it has to be used only in very, very limited use cases, considering the fact that security on the endpoint with the help of the Cortex agent will not be a top-notch priority. It has to be taken into consideration that there will be some manual regulation beyond the purview of the Cortex XDR agent for maintaining a balance between confidentiality, integrity and availability.

In short, the CE version will provide stability and balance to prevent the natural regulation of agent management because of longer End of Life cycles, but at the cost of protection and new security-enhancement capabilities in today's fast-paced, evolving cyber world with new technologies and new adversaries.
Hope this helps!
Please mark the response as "Accept as Solution" if it answers your query.
