2.2.1. Architecture

There are three components of a Cyber Triage® Team deployment:

  • Cyber Triage® Server: Where the processing and analysis occurs. This contains the REST API used by clients and other integrations.

  • Cyber Triage® Clients: Runs on examiner systems and interacts with the Cyber Triage® Server.

  • Database: Where the collected data is stored. There are a few options for this, which are addressed in the next section. One key point is that the database can run either on the same host as the server or on its own host. Every Cyber Triage Server needs its own database server.

[Figure: Cyber Triage® Team cluster]

All three components should be on the same private network. The Cyber Triage server and database should NOT be on a public-facing address. You can run Cyber Triage in a cloud environment, but all components should be within a Virtual Private Cloud (VPC) and in the same region.

If you have multiple Cyber Triage Server licenses, each will need its own database server.

2.2.1.1. Deciding on Cloud vs On-Premise

If you have the option of using either on-premise or cloud, here are our guidelines:

  • We recommend that the Clients and the Server be on the same network and in the same region: either all on-premise or all in the cloud. Hybrid setups can work if you have a high-performance VPN.

  • The Team Server should not be public-facing, so it will only be able to receive direct connections from suspect hosts on the same network (cloud or on-premise). If you want to collect using direct connection methods, pick a location based on where the most direct connections will happen.

  • We do not recommend the cloud-native PostgreSQL databases. We recommend you run PostgreSQL on the same server as the Cyber Triage Server.

  • Otherwise, if all of the above recommendations can be met with both cloud and on-premise, it’s purely a financial and policy decision.

2.2.1.2. Database Options

Each Cyber Triage Server will need its own database and there are three options to choose from:

  • PostgreSQL on the same host as the server: This is our recommended initial setup. With this setup, a single computer will have both the Cyber Triage Server and PostgreSQL. This setup minimizes the number of hosts to maintain and can be more secure because PostgreSQL access can be restricted to the local host. However, this scenario requires more memory and storage resources on a single host.

  • PostgreSQL on a different host: If your server does not have enough resources, you can set up a dedicated PostgreSQL server or a managed PostgreSQL service from a cloud provider. The server can be Windows or Linux. This setup has additional network configuration complexities.

  • SQLite: The server can use local SQLite databases. This is the easiest to configure, but has the worst performance. We recommend this only for basic evaluation purposes.

We recommend that you start your production environment with PostgreSQL on the same host as the Cyber Triage Server. If you do not get the needed performance, then use a dedicated host for the database.
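As an added example that is not part of the Cyber Triage documentation, the following Python script checks whether a PostgreSQL instance is actually restricted to the local host, as the same-host setup above is meant to be, by inspecting `listen_addresses` and the address column of `pg_hba.conf` rules. The configuration fragments it reads are constructed samples, one weak and one hardened, not files from any real deployment.

```python
import ipaddress
import re

# Constructed sample of the weak settings this check is meant to catch.
WEAK_CONF = "listen_addresses = '*'   # binds every interface\nport = 5432\n"
WEAK_HBA = """\
# TYPE  DATABASE     USER  ADDRESS        METHOD
local   all          all                  peer
host    all          all   127.0.0.1/32   scram-sha-256
host    all          all   ::1/128        scram-sha-256
host    all          all   0.0.0.0/0      md5
host    cybertriage  ct    10.0.0.0/8     scram-sha-256
"""
# Constructed sample of the recommended local-host-only settings.
SAFE_CONF = "listen_addresses = 'localhost'\nport = 5432\n"
SAFE_HBA = """\
local   all  all                 peer
host    all  all  127.0.0.1/32   scram-sha-256
host    all  all  ::1/128        scram-sha-256
"""
LOCAL_LISTEN = {"localhost", "127.0.0.1", "::1"}

def listen_addresses(conf: str) -> list[str]:
    """Interfaces PostgreSQL binds to; the compiled-in default is 'localhost'."""
    m = re.search(r"^\s*listen_addresses\s*=\s*'([^']*)'", conf, re.M)
    return [a.strip() for a in m.group(1).split(",")] if m else ["localhost"]

def non_local_hba_rules(hba: str) -> list[str]:
    """pg_hba.conf rules (CIDR address form) that admit clients from other hosts.
    'local' rules use Unix sockets and never leave the host. Any address that is
    not a loopback network, or that cannot be parsed as one ('all', 'samenet',
    a hostname), is reported so a human can review it."""
    findings = []
    for raw in hba.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue
        if fields[0] in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            try:
                local = ipaddress.ip_network(fields[3], strict=False).is_loopback
            except ValueError:
                local = False
            if not local:
                findings.append(" ".join(fields))
    return findings

def is_local_only(conf: str, hba: str) -> bool:
    """True when PostgreSQL only listens on, and only admits, the local host."""
    return set(listen_addresses(conf)) <= LOCAL_LISTEN and not non_local_hba_rules(hba)
```

Run it against the real `postgresql.conf` and `pg_hba.conf` of the database host; any rule it reports is a path by which the database is reachable from another host and should be justified or removed.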

Warning

There is NO data migration path between SQLite and PostgreSQL.

If you are going to run Cyber Triage in a cloud VPC, refer to the blog posts in which we tested various managed PostgreSQL services. For example, here is the post about AWS.