Why agentless security is not real security
Many security professionals have been misled into believing the overhyped promise of agentless security. But it looks like the long-running 'agentless vs. agent' debate is finally over and the result is in: if you want great cloud workload security, you need an agent.
This noteworthy outcome arose when two of the leading agentless-only vendors finally gave in and announced partnerships with agent-based runtime security and CWPP (cloud workload protection platform) vendors. This is big news, because both of these companies had previously and persistently proclaimed that agents are 'old school' and that 'agent-based security is dead'.
Security professionals should sit up and take note. Because amid all the industry hype around agentless security, many organizations were misled into mistakenly believing that by deploying agentless solutions they have fully protected and successfully secured their cloud environments. Unfortunately, however, this is not the case.
Agentless-only -- a flawed approach
Many a security professional has been lulled into a false sense of security by vendors touting the agentless-only approach. The mantra of these false prophets went something like this: "You're secure because you have no misconfigurations in your public cloud environment." This is a misleading assumption that takes no account of the 50 percent of memory-resident attacks that agentless monitoring solutions can't see, let alone block.
While it’s true to say that agentless solutions deliver visibility, basic compliance and posture management, unfortunately they lack the comprehensive capabilities needed to protect applications at runtime or stop attacks in production. Let’s explore why.
- The issue of point-in-time visibility
Since agentless scans typically run once every 24 hours, they deliver only a snapshot of that single point in time. Given the dynamic and ephemeral nature of cloud workloads, by the time of the next scan a workload will no longer be running, which means attackers have plenty of time to infiltrate the environment and vanish, taking what they came for within minutes or seconds of an attack. The harsh reality of agentless-only solutions is that you're effectively running blind most of the time.
- Evading detection is easy
Today's highly sophisticated attackers are using techniques like fileless malware to evade detection and leave no footprint. Agentless solutions miss these types of threats because they are unable to 'see' a process running in memory from a static disk image.
- Lack of proactive enforcement
Agentless solutions take a copy of a disk image rather than the actual running code and, even in the event of successfully identifying an attack from this image, will only provide an alert to the problem rather than proactively blocking the attack.
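To make the 'static disk image' point concrete, here is an added illustration (not code from the article or from Aqua) of the kind of runtime check an in-host agent can perform and a disk snapshot cannot: classifying running processes by whether anything on disk still backs them. It assumes a Linux host, where the /proc/<pid>/exe link of a process whose binary was removed after launch ends in " (deleted)" and an anonymous in-memory executable shows a "/memfd:" target; the process table below is constructed sample data.

```python
"""Added example: flag processes a disk-image scan could never find.
A snapshot of the filesystem can only hash and scan files that exist on disk;
a process whose executable has been unlinked, or that was loaded straight into
memory via memfd_create, leaves nothing there to inspect. An agent reading the
live process table sees it immediately."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str      # target of the /proc/<pid>/exe symlink
    cmdline: str


# Constructed sample process table (not real telemetry from any host).
SAMPLE_PROCS = [
    Proc(412, "/usr/sbin/nginx", "nginx: master process"),
    Proc(517, "/usr/bin/python3.11", "python3 /app/worker.py"),
    Proc(603, "/tmp/.cache/update (deleted)", "./update"),   # binary removed after start
    Proc(777, "/memfd:stage2 (deleted)", "./stage2"),         # never touched the disk
]


def classify(p: Proc) -> str:
    """Return 'memory-only' when no on-disk file backs the process, else 'on-disk'."""
    if p.exe.startswith("/memfd:") or p.exe.endswith(" (deleted)"):
        return "memory-only"
    return "on-disk"


def memory_only_pids(procs) -> list[int]:
    """PIDs that a point-in-time disk scan would miss entirely."""
    return [p.pid for p in procs if classify(p) == "memory-only"]


def read_live_procs() -> list[Proc]:
    """Optional: build the same table from the real /proc (Linux, needs privileges
    to read other users' exe links; unreadable entries are skipped)."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        out.append(Proc(int(entry), exe, cmd))
    return out


if __name__ == "__main__":
    for p in SAMPLE_PROCS:
        print(p.pid, classify(p), p.cmdline)
```

Run against the sample table it reports PIDs 603 and 777 as memory-only; swap in read_live_procs() to run the same check on a real Linux host.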
A combined and unified approach for truly robust protection
Despite its limitations, there's no denying that agentless visibility offers a fast, low-friction and less intrusive method of security monitoring that is great to have.
But in a production environment the stakes are high and sensitive workloads require real-time security and protection. Using agent-based security will not only deliver the real-time monitoring and reporting that’s needed, it will also provide the automated and proactive response to security incidents that are mission-critical for a truly robust security stance.
Organizations should take heart from the fact that deciding which approach is best isn't an either-or decision. Depending on their specific needs and requirements, a combination of both agent and agentless security is the ideal way forward, delivering the best of both worlds.
However, trying to bolt on third-party runtime agents to handle the most difficult part of workload protection risks further tool sprawl, siloed visibility and fragmented runtime protection. So ideally, if organizations want to enable optimized and comprehensive security that protects applications against attacks, from development through to runtime and wherever they are deployed, they should utilize a single integrated platform that features both agents and agentless protection.
A step in the right direction
With other vendors announcing partnerships with firms that provide agent-based solutions, the dispute over agentless vs. agent security finally appears to be over. This is great news, as it delivers much needed clarity for security professionals on what’s needed to detect and prevent bad things happening to cloud applications.
The recent announcements we’ve seen have finally confirmed once and for all that, when it comes to achieving truly effective protection in the cloud, organizations should look to combine both active protection (agents) that can stop attacks in progress and agentless security monitoring solutions.
Marking a watershed moment that will benefit security professionals everywhere, this delivers much-needed validation of what an effective protection and security strategy should look like. Ideally, rather than just deploying agents and agentless technologies side by side, organizations should opt for a single platform that combines frictionless cloud workload visibility and active protection across the entire lifecycle, delivering the unified visibility and all the context security teams will need to understand risk and prioritize security issues.
Amir Jerbi is Co-Founder and CTO at Aqua Security.