Analyst Chat #39: The Pros and Cons of Agentless Security

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. My guest today is John Tolbert, my colleague from Seattle. Hi John. Great to have you in another episode, and today we want to talk about a topic that security vendors are more and more focusing on and talking about, we want to talk about agentless security. What does that mean as a concept?
You know, I think that that's an interesting question. Agent was tends to mean not having a piece of client software on a machine. You know, most of the, let's say endpoint security products today require a software client that has to be installed on every node in your network. Optimally, oftentimes companies have different reasons why some machines aren't uncovered with agents in the first place, but the, you know, th that can be a burdensome thing to do. So. Yeah, you're right. A lot of security companies are trying to think of ways to cut down on management. So the agent method can at least somewhat avoid the need to deploy and maintain agents on every, every machine in a network.
Right. If I was responsible for the it landscape of a larger corporation, I really would like to avoid having to install something on each and every box. Even if you have software distribution in place, what other problems that can arise with agents and do you see,
Well, yeah, you know, agents have to be specially created for each version and each patch of an operating system. So if you're you have a heterogeneous environment and you've got, you know, windows 10 and maybe some windows eight, or, you know, sometimes even things farther back from that or Mac and Linux, then that's where one way it starts to get more complicated because you have to have agents for each one of those. So endpoint security vendors tend to focus on the windows machines. And sometimes many of them now have cards for Mac. And many of them have clients that work on various forms of Lennox, but, you know, finding the right end point security solution that touches everything in your environment can be kind of difficult. But then, you know, they also have to be managed, you know, there are companies out there that are running in some cases up to 20 different kinds of agents on every endpoint.
So this, you know, it was very difficult to manage, like you were saying, if you've got some sort of software distribution console, then you know, that certainly helps, but having a whole lot of agents can be problematic. Sometimes agents are incompatible with other agents. So that's another thing that companies have to do when they're looking for different products that require software to be installed on a machine. They have to test to see if all the different agents they already have are compatible with a new one. And then just from a purely security perspective, there are forms of now, or out there that actually test for the presence of certain anti-malware packages. So, you know, there'll be looking for the names of some of the more common endpoint security products to see if they're running and if they are well, then, then they go dormant or try to actually disable the endpoint security product. So yeah, there's, there's a lot of architectural issues. We'll call them. Cause they're actually pretty well met by most of the endpoint security products that have agents, but there are things to be concerned about. And I think that's one of the drivers behind company security companies looking at providing agentless solutions
And the, and you also have to trust the vendor that provides each and every agent. And as you said, if you have more than one agent running and it's constantly updated, as you've mentioned, and you really just have to trust this piece of software that running on your machine in every version that is around. And of course that would be something that, that a malware provider would, would really love to have to, to really use this as an entry door, into a larger network using such a, such an agent. Not that I say that organizations are vendors have already gone through that, but that would be a great target. I think if we think of such an agent, of course, this agent has access to all the resources and all the information that the user is running under CA can look at if we compare that with an agent less security solution, which is obviously than outside the machine, how does that work? How does this really can achieve comparable results?
Well, I don't think you get fully comparable results. I think the agent was methods are somewhat less capable in general. So yeah, you're right. One, one way of taking an agentless approach is to be a passive listener. So you don't install anything on a machine, but you've got other machines or other agents on your network, and you'll just simply listen to what's going by on the network and try to figure out if there's any malicious activity that way that's one, one approach to agentless security. So yeah, it has some drawbacks to, you know, not being able to have full access to a machine and know exactly what's going on there, but sort of looking for secondary signs of malicious behavior, then there's processed injection. There are a few, this is not, not terribly common, but there are a few security products that will inject code into a running process on an, on a remote machine.
And, you know, put that into the address space of a particular process. The code probably comes in the form of a DLL and then depending on what target process it gets injected into, it can sort of inherit privileges from that process and then use that process space to sort of gather other information about what's running on the machine. So in that case, you don't have an agent that's actually been installed, but you put your security code into the context of another process on another machine and then use like named pipes or network communication to get information back to your console. This requires, you know, some sort of probably domain admin privileges or the ability to run as a service account on the machine. So already you can see that there are some security issues with the agentless security approach that, that aren't necessarily present in the traditional agent-based security approach. Okay.
But, but injecting a DLL with domain admin rights also sounds it's scary to me.
Yeah. Yeah. I would tend to agree. That's why I think it's something that, you know, security vendors have to be very careful about taking this approach when they develop a product in this way. And in many cases, I think it's much safer to stick with the traditional agent-based approach because yeah, there's a potential for misconfiguration or abuse in this process, injection method. Okay.
If you compare these two types of agentless security that you've already mentioned, so the passive listening mode and the process injection, what are the pros and cons for these
Well, for passive it's, it's a bit easier. I think, you know, obviously there's no agent, you know, depending on licensing, it may not be any more expensive to sort of turn on listening on different parts of your network and be able to collect some telemetry that can be useful since it can only detect and alert on what it believes to be malicious. It's considerably weaker because without an agent there, no way to say terminate processes that you think are that the software thinks that are malicious or stop it from spreading or, you know, quarantining. And so it doesn't do things like ransomware where it may encrypt the file. So the past of approach, just like you might think of it sounds is necessarily weaker than, than having an active agent on a machine for process injection. You know, I think there probably is a benefit maybe in, in very, very specific circumstances with that malware that looks for the presence of security products.
This is kind of a stealthy approach. So, you know, in those cases, the, the sophisticated malware would not see this coming. You know, that that may offer just a modicum of security benefit in certain circumstances. But you know, it also may be an approach that companies that are looking to fill the gaps and let's say IOT and medical device security may explore a lot of IOT and medical devices. Don't run operating systems where you can build agents. So, you know, this might be something that they could explore to be able to provide some security in those environments where it's really difficult to get security today. They are, you know, IOT devices are subject to malware. So being able to put some kind of an agent, even if it's, you know, injected via a process, you know, may be able to offer some security where there really isn't any today.
But then also since it has to run in the context of the process into which it is injected, you know, that may be a limitation too, just depending on what that process can do. So it kind of suffers from some of the same limitations that even passive listening does. But, you know, again, you can't really caution enough about the methodology behind agentless security. I mean, MITRE attack calls out process injection is a major means for taking over machines in different kinds of apt or cyber crime campaigns. So it's, it's kind of a case of using a malicious technique to look for signs of malware.
Right? So to go back to what you mentioned, you mentioned the protection of, of IOT and especially medical devices. This is something that is very close to us right now. Is this something that, is this a primary use case?
I think it's an area of interest or area of exploration. I don't think that the, I wouldn't call it a primary use case. I think there are, you know, a couple of vendors out there that are taking this approach with agent-less security and they also do things like, you know, vulnerability assessments and asset management. It's one way to do a quick of a, of a network and everything on it, and then provide some rudimentary security. But no, I don't think that this is a primary use case as of yet, but I think it's interesting and, you know, maybe worth exploring is a means to protect those kinds of environments. I guess I would say in short that ageless security's kind of curiosity, but it's, there's also a trade off between the functionality that this kind of solution can have, but they're also realms in which it may work.
Maybe the only kind of protection and environment can have. And, and I think, you know, agent agent-based traditional agent-based security is going to be here to stay. There's just much greater advantage to being able to have software on a machine and, you know, to address where the points you had earlier about being able to trust it, you know, there are means for having signed code and certified code. You know, I think as long as a lot of those practices are adhered to, we can have a pretty high level of trust in the security software that we install on our machines.
That's really sounds like an interesting topic. And also there is more to come in that area. I expect if we look at our research in that area, you cover that as well, and that you cover agentless and agent-based security together.
Yeah. Yeah. We'll be continuing to report on products as they come up and look at the capabilities, especially, you know, I see this as being of particular interest in the asset management and vulnerability management realm. So yeah, we'll definitely continue to keep our eye on this market and see how things develop.
So if any member of the audience is interested in learning more about that, my usual recommendation is to go to Kuppinger cole.com and look for more information on that fire our search engine there surely is lots of information, especially around endpoint protection about security in general, if you want to use this as well, just use the search for John Tolbert was our author for many of these reports. So John, thank you very much for joining me today for telling me more and having me learn more about agent as security, any final things you want to add here?
Oh, no, thanks for having me again. And yeah. Happy to talk to anyone who wants to explore the subject in more detail. Yeah.
Just get in touch info at KuppingerCole dot com is the main address which really would help you there. Thank you very much again, John, and bye-bye