As we show in our Lumu Insights Deployment and Integration guide, organizations can enjoy full compromise visibility with Lumu, independent of whether users connect via VPN or straight to cloud-based applications.

The Lumu Agent runs silently while intentionally and continuously collecting network metadata to be analyzed by Lumu for measuring compromise in real time.

Figure 1 - Lumu roaming deployment architecture.

The Lumu Agent can be deployed easily to your entire user population, and you can control the installation groups and status of each agent at a glance through the Lumu Portal.

Figure 2 - Agent management area of Lumu Portal.

Requirements

The Lumu Agent is included with Lumu Insights. If you are a Lumu Free customer, the ability to deploy agents to monitor compromise across all devices in one single place can be enabled as an add-on. Alternatively, you can upgrade to Lumu Insights, which offers you additional correlation capabilities, spambox, and overall better compromise detection.

Read more about the Agent add-on for Lumu Free in our FAQ .

Installation Groups

In this section, you can manage all the installed agents in your company through installation groups. You can set installation groups by geography, domains, critical assets, or as needed. Each installation group will have a unique activation code for deploying agents.

Create Installation Group

1. To add an installation group, go to the Lumu Portal, navigate to the “Agents” menu, and click on the “Create group” button.

1. Name: a name for your installation group.
   
2. Label: select or create a default label which devices’ metadata will be associated with.
   
3. Agents: the number of agents (quota) you want to allocate to this installation group.
   

Figure 3 - Creating an installation group.

Labels give you the power to sort your traffic by geography, departments, business units, critical assets, or as needed. You can learn more about how to define rules and manage labels to segment the agent’s traffic in our documentation .

The agent quota is the number of agents you can activate for your company. You can see the information regarding your quota and activated agents in the Agent section of the Lumu Portal (1). The quota is set accordingly to your Lumu Insights subscription or on the number of agents you specified when enabling the add-on subscription for Lumu Free.

The company quota can be partitioned into installation groups, the sum total of the installation group quotas can be higher than the global quota assigned to the company. When the maximum number of activated agents in the group quota or the global quota is reached, a quota warning message will be shown (2), and you will no longer be able to install new agents. To continue activating new agents, you need to delete existing agents or contact a Lumu sales representative to discuss your needs.

Figure 4 - Agent quota.

In order to activate your installed agents, you must create at least one installation group.

Figure 5 - Activation code for an installation group.

Manage Installation Group

In this area of the Lumu Portal, you can change the status (1), edit (2), or delete (3) installation groups.

Figure 6 - Installation group management.

Understanding the Installation Group statuses:

1. Open: allows the installation group to activate agents until it reaches the number of agents specified. This is the default status when creating an installation group.
   
2. Closed: does not allow new agents to be activated using the group activation code, all previous agents activated previously will remain active and continue collecting metadata.
   
3. Full: the status will be set automatically to “Full” when the installation group reaches the maximum number of agents specified. Once the group status is “Full”, it is not possible to perform status changes or activate new agents for this group. To continue managing the status of a full group or activate new agents, you must increase the group quota or create a new group.
   

In this area of the Lumu Portal, you can also edit the installation groups’ data. You can change the group name, the label, and its agent quota. When you change a label for an installation group, all agents that are part of that group will have its label updated also. Notice that events already collected will not change the label information when updating group information, this only apply for new events.

When deleting an installation group, all agents that are part of the group will be deactivated.

Download Installation File

For downloading an agent installation file, go to the Lumu Portal, navigate to the Agents menu and click on the “Windows Client” button (1), then select the installation type according to your IT assets management system needs:

1. Online Installer (2): this installer downloads the latest available files and settings required for installation and keeps the agent updated. Recommended for single installations.
   
2. Offline installer (3): includes all files required for installation, no additional files are downloaded. Recommended for bulk deployments.

Figure 7 - Agent install files.

1. Lumu Agent for Windows
   

Agents View

In the Agents section of the Lumu Portal, you have information regarding all your agents at a glance. All the information is collected automatically from each device that runs the agent and visible at your Lumu Portal:

1. Hostname: the device identification on your network.
   
2. Agent: the agent version.
   
3. Group: the installation group from which this device was activated.
   
4. Label: the label that was set (for the installation group). You can also click edit and apply another label for this device.
   
5. Last Sync: the last date Lumu received sync data from this device.
   
6. Registered: the date/timestamp the device was activated.
   
7. Operating System: the operating system of the device.
   
8. OS Version: the version of the operating system.
   

In this area, you can filter the agents by installation groups or labels. For deleting an agent just select the agent and click on the button “Delete”. When an agent is deleted, it will be deactivated and stop to send metadata to Lumu for Compromise Assessment. After deleting an agent, we recommend uninstalling it from the device.

Figure 8 - Agents view.

Incident Response

We recommend being familiar with Lumu Incident Response Playbooks that are based on the National Institute of Standards and Technology (NIST) Framework and include best practices for how to use Lumu to respond to specific attacks.

1. Lumu Portal
2. Collectors
3. Lumu Agent for Windows
4. Deploy Lumu Agent using Group Policy (GPO)