Increasing attack volume and sophistication are making threat detection and response more difficult than ever. The problem is compounded by the worldwide shortage of cybersecurity skills; there are more threats and fewer people to defend against them.
Against this backdrop, the topic of agent or agentless deployment arises. It’s an ongoing debate about which approach is best in today’s ever-changing threat landscape. However, when it comes to detection of in-network threats, particularly using endpoint-based distributed deception as a strategy, an agentless approach is significantly safer and more effective.
Reduced endpoint costs
A classic example of an agent is antivirus software that scans a computer to check for malware. The traditional approach to endpoint data collection involves similarly installing agents on all computers from which data is needed. Agents are a significant burden for IT teams to manage. They require installation (and if uninstalled, they must be reinstalled), upgrades and continued maintenance. Updates, of course, saturate the network.
Typically, there is more than one agent on each machine. This creates high endpoint overhead. Then there is the problem of “agent conflict,” as each agent wants control over the same machine resources. In a cybersecurity example, you may have agents from DLP software, an antivirus system and others, which creates conflicts and sometimes causes system crashes. The more agents you have, the more complexity there is in keeping all systems up and running. An agentless solution provides robust security that is much easier to manage—without the hassle of deploying and managing security agents.
The cost of maintaining agents is also higher. In contrast, agentless deployments have a lower total cost of ownership (TCO) and lead to faster rollouts than software products that require agents on a substantial number of computers, such as in a large enterprise.
Advantages of going agentless
Agents incur additional security risks, too. They are detectable by and vulnerable to cyber attackers. The most significant vulnerability is that agents communicate to an attacker that their functionality is present on a machine. The presence of an agent tells an attacker what you are doing to stop them. If attackers gain access to a machine, they can access agents and disable them or, more disturbingly, modify agents to cover the tracks of their attack or to cause other havoc.
Consider this scenario: an attacker has access to two machines. One offers few lateral movement options (i.e., it has low privileges), and the other has privileged credentials and connections to other workstations. The attacker can create a burst of activity on machine #1 to distract the agent, hiding the real attack activity on machine #2 in a fog of alerts and noise. Alert volume is noisy enough in the typical security operations center (SOC); attackers are leveraging this fact to cover their attack needles with a haystack of alerts that grows ever bigger.
The bad actor can sidestep an agent that is left running if the actor has enough knowledge about how the agent operates. If an attacker knows what behavior will trigger the agent to alert, they can simply avoid carrying out that behavior so the agent won’t warn defenders about their presence.
There’s another point to be made specifically about deception technology. Deception solutions that rely on an agent for their full deception and forensic capabilities can be traced by cybercriminals precisely because that agent is present on every endpoint. Agents are also susceptible to reverse-engineering, where attackers learn how the agent works and how to circumvent or break it.
Deception vendors often use honeypots, honey tokens and honey breadcrumbs. Bad actors use tools like Honeypot Buster to identify and evade decoys and other types of deception technology. Using agentless automation capabilities, you alleviate the need to spend time tweaking and refreshing deceptions so that programs like Honeypot Buster can’t find them; the footprint is so light that Honeypot Buster has no way to detect them. Because there are no resident agents running on the endpoints, there’s nothing for advanced attackers to spot or circumvent.
Protecting devices that can’t use an agent approach
Some companies have endpoints that can’t be protected with an agent-based approach. Internet of Medical Things, or IoMT, devices are a good example.
Insulin pumps that connect wirelessly to a phone allow for easy adjustment of insulin delivered according to the user’s status. However, the FDA warned in July 2019 that someone “could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.” This could quickly result in death if the settings lead to too much or too little insulin being delivered.
An effective defense for IoMT devices is to use deceptive device emulations, as noted above. The emulations mimic not only the device but also its communication patterns through a network. The hospital IT team can plant these fake devices like a minefield, so an attacker just needs to come across a fake device to trigger an alert. This approach is deterministic, meaning every alert is a real attacker that can be immediately acted upon to remove it from the network.
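To make the “deterministic” claim concrete, here is a small added Python model of decoy-touch detection (illustrative code written for this page, not Illusive’s product code): an inventory of emulated device addresses planted on the network, and a function that scans constructed flow records and raises one alert per connection to a decoy, with no behavioural threshold to tune. The addresses, device names and sample flows are assumed for illustration.

```python
from dataclasses import dataclass
# Constructed decoy inventory: emulated devices planted on the hospital
# network. Addresses and device names are assumed for illustration.
DECOYS = {
    "10.20.5.41": "decoy-infusion-pump-01",
    "10.20.5.42": "decoy-infusion-pump-02",
    "10.20.7.9": "decoy-patient-monitor-03",
}

@dataclass(frozen=True)
class Flow:
    src: str      # source host address
    dst: str      # destination address
    dport: int    # destination port
    proto: str    # transport protocol

@dataclass(frozen=True)
class Alert:
    source_host: str
    decoy: str
    dport: int
    proto: str

def detect_decoy_touches(flows):
    """Return one Alert per flow whose destination is a decoy.

    No behavioural threshold or tuning is involved: legitimate systems have
    no reason to talk to an emulated device, so every touch is a true positive.
    """
    return [Alert(f.src, DECOYS[f.dst], f.dport, f.proto)
            for f in flows if f.dst in DECOYS]

def hosts_to_isolate(alerts):
    """Deduplicate alerts into the sorted set of source hosts to act on."""
    return sorted({a.source_host for a in alerts})

# Constructed sample flows: one workstation doing normal traffic and one
# compromised host sweeping the subnet and landing on two decoys.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.5.40", 443, "tcp"),  # real device, legitimate
    Flow("10.20.1.77", "10.20.5.40", 445, "tcp"),  # real device, not a decoy
    Flow("10.20.1.77", "10.20.5.41", 445, "tcp"),  # decoy touch
    Flow("10.20.1.77", "10.20.5.42", 22, "tcp"),   # decoy touch
    Flow("10.20.1.15", "10.20.7.9", 443, "tcp"),   # decoy touch, second host
]

if __name__ == "__main__":
    for a in detect_decoy_touches(SAMPLE_FLOWS):
        print(f"ALERT {a.source_host} -> {a.decoy} {a.proto}/{a.dport}")
```

Traffic to real devices never produces an alert, so the only tuning work is keeping the decoy inventory current.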
An intelligent approach to security
If the agentless model is coupled with intelligent automation, it will have a light operational footprint to minimize the impact on IT. This benefits both IT administrators and security teams.
Here are some of the multiple benefits to the intelligent agentless approach:
- Lower operational expense
- Low endpoint overhead
- Rapid deployment and ease of operation
- Reduced need for operational staffing and support, releasing resources for higher-value activities
- Scales to support organizations of any size
- Inconspicuous to authorized end users
As cyber-attacks grow in volume and complexity, and as the cybersecurity skills gap widens, organizations need a better and less labor-intensive way to keep their networks secure. The agentless approach makes sense in terms of lowered costs and IT burden, as well as more effective security. Clever attackers can bypass and even shut down agents, but agentless security solutions like distributed deception have no such issues. An added bonus is that the IT team doesn’t have to address agent conflict. The agentless security approach is well-suited for today’s ever-changing threat landscape.
Wade Lance, Illusive Networks