Addressing the agent in the room

Maor Franco
3 min read · Feb 20, 2021


You had me at product. You lost me at agent. If only I had a penny for every time I heard the over-promise and under-delivery of a lightweight, featherweight, welterweight, any-weight agent… Usually, while the other side is still talking, you start thinking about how you will, again, justify it to the endpoint/IT team, on top of the other 20 agents you have already asked them for.

Yes, technologies have improved tremendously, native-API approaches are more common, and they are often better trusted than a “new and innovative approach” that eventually brings the endpoint to its knees. In a remote world, the endpoint, which directly impacts employee productivity, has become more critical than ever, joining the list of respectable assets within the enterprise.

With great power comes greater responsibility

Now don’t get me wrong: I understand that gaining access to the deep space of your endpoint (a.k.a. the kernel) can provide greater visibility and even the ability to take actions (run scripts and commands). But at what price? It is not without reason that no IT practitioner wants yet-another-agent sitting on valuable asset real estate that they are eventually responsible for deploying, maintaining, and troubleshooting. For some, the scars have yet to heal.

Technology Gap

Let’s address the-agent-in-the-room. A decade or more ago, agents were unavoidable; can’t argue with that. Host scans, log collection, data loss prevention and malware prevention (thank you, AVs) all needed them. That escalated further around 2013–2016, when nation-state APTs were wreaking havoc. To name a few, there was a string of data breaches such as Yahoo!, Anthem, Home Depot, Equifax, Marriott… and unfortunately, the list goes on. But in today’s era, where a cloud-first model is desired and often required, a change is taking place. I/P/DaaS, network virtualization, containers and workloads were not built with agents monitoring them in mind. Agents simply won’t scale under the agility model those platforms operate on.

Getting back to our point: would you deploy another agent-based tool on all your desktops, servers, and network devices? Let’s address what organizations should take into account before answering this question. While you read, try to identify my opinion on this topic (if you haven’t already :))

  • Attackers don’t use agents. Period. Ever wondered how attackers remain stealthy despite the variety of agent-based defensive controls you had in place, purpose-built to identify those same attacker movements?
  • OS parity. Please see the following matrix on pages 28–64 of the user guide covering which functionality is supported on which operating system, and each one’s configuration prerequisites. No thanks.
  • Deployment & maintenance. A typical deployment can take weeks, if not months: building the plan, identifying the required configuration, actual dry-run testing, and assurances and sync between the security and IT/endpoint teams. Rinse and repeat for every change or new version required.
  • BSoD. Ever tried troubleshooting which of the agents tipped the endpoint over? The one you recently deployed? The legacy one that competed for CPU/RAM resources? The recent patch to the OS? A config change breaking backward compatibility, …
  • Coverage gaps. “I have complete visibility and simulation capabilities across as much of the network as my agent deployment covers…” Can sample testing imply the resiliency of an enterprise-wide network, when, by default, shadowed endpoints and network segments are excluded and hidden?
  • Locked. Vendors call it stickiness; you call it stuckiness. Think of your ability to shift from an underperforming vendor to a different one after their agents are already deployed across your enterprise network.
  • Data collection & analysis. First, can’t you just take the data from the other 19 agents I already use to collect my data? Second, pick the option you hate less: the risk of spiking endpoint resource consumption, or offline processing that delays the analysis and outcomes.
  • Added risk. Running new, possibly vulnerable, software on all systems ends up opening another security hole rather than closing one.

I want more agents. Said no one ever.

As you plan your 2021 security strategies, whether for your next Red Team or penetration testing exercise, for emulating an attacker campaign to validate your blue team’s processes, or for building a purple team practice, make sure that an agent-based approach is not standing between you and success.


Maor Franco

Maor Franco leads marketing at Rezonate with over a decade of experience building cyber security products.