by Wade Lance, field CTO, Illusive Networks
ESG research has found that 76% of organizations say threat detection and response is more difficult today than it was two years ago, the result of increasing threat volume and sophistication. In addition, 74% of cybersecurity professionals believe that the ongoing global cybersecurity skills shortage has impacted their organizations in a negative way.
In this gathering cybersecurity storm, one of the questions that arises is agent versus agentless. It’s an ongoing debate about which approach is best in today’s ever-changing threat landscape. However, when it comes to detection of in-network threats, particularly using endpoint-based distributed deception as a strategy, an agentless approach is significantly safer and more effective.
Lowering endpoint expense
Antivirus software that lives in a computer to check for malware is a standard example of an agent. The traditional approach to endpoint data collection involves similarly installing agents on all computers from which data is needed. Agents are a significant burden for IT teams to manage. They require installation (and if uninstalled, they must be reinstalled), upgrades and continued maintenance. Updates, of course, saturate the network.
Multiple agents reside on each computer, in most cases. Deployment of multiple agents causes high endpoint overhead. Then there is the problem of “agent conflict,” as each agent wants control over the same machine resources. In a cybersecurity example, you may have agents from a DLP software, antivirus system and others, which creates conflicts and sometimes causes system crashes. The more agents you have, the more complexity to keep all systems up and running. An agentless solution provides robust security that is much easier to manage—without the hassle of deploying and managing security agents.
Maintaining agents also costs more. Conversely, agentless deployments lead to faster rollouts and lower total cost of ownership (TCO) than software products that require agents on a substantial number of computers, such as in a large enterprise.
Benefits of the Agentless Approach
In addition to the added IT resources needed, maintaining agents incurs greater security risks as well. Agents are vulnerable and detectable by cyberattackers.
The major vulnerability is that agents communicate to an attacker that their functionality is present on a machine. The presence of an agent tells an attacker what you are doing to stop them. If attackers gain access to a machine, they can access agents, disable them or, more disturbingly, attackers can modify agents to cover the tracks of their attack or to cause other havoc.
Let’s say there are two machines an attacker can access, one without a lot of lateral movement options (i.e. with low privileges), and the other with privileged credentials and connections to other workstations. An attacker can create a burst of activity on machine #1 in order to distract the agent, hiding the attack activity in a fog of alerts and noise. Alert volume is noisy enough in the typical SOC; attackers are leveraging this fact to cover their attack needles with a haystack of alerts that grows ever bigger.
If an agent is left running, with enough knowledge about how the agent operates, the attacker can sidestep it. If an attacker knows what behavior will trigger the agent to alert, they can simply avoid carrying out that behavior so the agent won’t warn defenders about their presence.
In terms of deception technology, attackers can trace deception solutions that require an agent to get full deception and forensic capabilities from the solution due to the agent’s presence on all endpoints. Agents are also susceptible to reverse-engineering, where attackers learn how the agent works and how to circumvent or break it.
There is a class of tools that attackers use to identify honey tokens, honey breadcrumbs and honeypots commonly deployed by deception vendors. One of these is Honeypot Buster, used to evade decoys and other types of deception technology. Using agentless automation capabilities, you alleviate the need to spend time tweaking and refreshing deceptions so that programs like Honeypot Buster can’t find them; the footprint is so light that Honeypot Buster has no way to detect them. Because there are no resident agents running on the endpoints, there’s nothing for advanced attackers to spot or circumvent.
A safer bet
Built on intelligent automation, the agentless approach is designed to have a light operational footprint to minimize the impact on IT. This benefits both IT administrators and security teams.
Advantages to going agentless include:
- Low endpoint overhead
- Reduced operational cost
- Deploys in a matter of hours and easy to operate
- Light, agentless deployment with no need to install or uninstall anything on a protected machine
- Lowers operational staffing and support requirements, releasing resources for more strategic activities
- Inconspicuous and invisible to legitimate end users
- Scales to support organizations of any size
Today’s cyber skills gap and the increased sophistication of attacks requires an easier and more effective method of securing your network. With the reduced IT burden, cost savings and greater security involved, the agentless approach is well-suited to today’s threat landscape. Security solutions that are agentless, such as distributed deception, are free of the reverse-engineering concern that can shut agents down. Additionally, there’s no agent conflict to deal with. Agentless security is an effective, efficient method that addresses today’s constantly shifting threat environment.
About the Author
Wade Lance is the Field CTO of Illusive Networks. He has been productizing new technologies in education, healthcare and information security for over 20 years. He has diverse experience in solution design for global 1000 cybersecurity teams, an extensive background in advanced cyber-attack detection, and a specialty in cyber deception methods and platforms.
Prior to his career in information technology, Lance was a professional mountain guide. As Program Director at Appalachian Mountaineering he developed a new method for technical rock and ice climbing instruction that is still used today to teach advanced skills for the most dangerous environments.
Wade can be reached on TWITTER @wadelance1 and at our company website Illusivenetworks.com