CIA – Can I really trust Agents?
I received interesting feedback on some prospect calls over the last few weeks when discussing internal vulnerability scanning.
Customer: “How do Edgescan do internal scanning?”
Edgescan: “We use an agentless approach using a lightweight virtual appliance.”
Customer: “Great, I don’t want to end up like a CrowdStrike customer.”
The fallout from the recent CrowdStrike issue has IT sysadmins reviewing not only disaster recovery plans but also every piece of vendor-installed technology across their organization. When selecting a tool or service to conduct internal scanning and testing, it is important to understand your resource constraints, what tools you already have pre-installed or available, and what you expect/want the vulnerability testing to achieve. At Edgescan we have always believed that an agentless approach is superior, and most of our clients agree, but let’s take a quick look at why we believe agentless is best.
First, what’s the difference?
Agentless scanning provides visibility into the threats in your environments, without the need to install software-driven agents. In our approach the appliance acts as a secure landing point from our cloud-based SaaS to facilitate the VPN tunnelling of scan traffic.
Agent-based scanning is more traditional and involves deploying components on each of the hosts or targets that are to be tested. It is a common approach for air-gapped networks or organizations not open to SaaS technologies, as it keeps all data in house. (cough, cough)
What are the advantages of each with regard to continuous vulnerability scanning and penetration testing?
Agent advantages
- Vulnerability data is kept in house (local storage), for sensitive air-gapped clients that don’t wish to send data to the cloud. (Just remember, your installed software still needs to call home somehow to get updates, unless you’re still doing updates with a floppy disk or CD. In which case you should look to upgrade from the 1990s.)
- Because agents are more traditional, they are sometimes better understood and sometimes align with more traditional expectations, i.e. they can feel familiar. (I’m not sure if CrowdStrike customers share this sentiment.)
- Agents can be an active logger and, with the right permissions, can change policies and make config changes. (This can, however, be seen as out of scope for a vulnerability management (VM) tool; most clients in my experience don’t like to have attack and defence in one solution.)
- Agents can operate independently and usually don’t require a central control point. This means they can be deployed onto devices without consistent connectivity such as WFH laptops. (How many WFH laptops in a modern organization are not built to a specific standard with permissions correctly enforced?) In reality, the practical utility here is minimal.
- Agents can run in real time and stop threats as they happen. (This is a bit of a sales pitch; good security is proactive, not reactive. Find the issue and address it well before it ever becomes an incident.)
Agentless Advantages
- An established egress VPN connection. This allows our penetration testing team to connect to internal resources and validate vulnerabilities, which maintains Edgescan’s unique offering: near false-positive-free vulnerability intelligence. It also allows our testing team to conduct penetration testing against any type of asset remotely.
- No resource requirements, both machine and human. Our appliance runs on a machine with 1 GB of RAM and has a minimal attack surface. In contrast, a compromised agent could have unfettered access to a machine and be devastating.
- Zero maintenance. No updates or configuration are required, as Edgescan uses the same technology stack for all assets, both internal and external. Over the established connection, Edgescan handles any required updates.
- Easy deployment. Install the image into your chosen hypervisor (on-prem or cloud), add one firewall rule and you’re done. Edgescan starts discovery and testing. Segregated network based on geo lock? (Easy: use 2, 3 or 10 appliances, which is easier than 150,000 agents.)
- Authenticated scans. There are some misconceptions that agents are required for authenticated scanning. Authentication is configured in the scanning technology. Having cloud-based visibility in this regard means Edgescan will notify clients automatically if there is a problem with authentication.
- Scalability. Again, as your network grows there is no need to install anything. Just add the target to Edgescan or let it discover the target automatically.
- No third-party updates… that turn your PCs into bricks.
In summary, agents are becoming a legacy product. The value they provide is minimal and is quickly being covered by preinstalled solutions such as Microsoft Defender. Agentless solutions provide many advantages with few drawbacks. As we move towards DORA and harder enforcement of compliance in general, do you really have time to waste installing and maintaining agents while trying to run continual testing along with the 1,000 other tasks that need to be performed?