
My title at Tripwire is “Evangelist”. I evangelize about Tripwire solutions for security, compliance and IT operations. My goal is always to explain how we do what we do and why that is important to a particular IT business problem. Sometimes I try to contrast our approach to competing solutions and let the audience draw their own conclusions. After attending a competing vendor’s webcast on their security solutions—and Security Configuration Auditing in particular—I realized I needed to go beyond basic evangelism and deliver an out-and-out mini-sermon on the topic of security effectiveness using an agentless vs. agent-based architecture.

My mini-sermon title: Agentless architectures can tell you that you died, just not why or when. Agent-based architectures can tell you when you are sick, what is causing your illness and what it will take to bring you back to full health. Which architecture will you choose to save your data?

It’s a long title for a short sermon but I hope it causes you to read on; this won’t take long.

In the vendor’s webcast, part of the discussion was on their Secure Configuration Auditing solution. Tripwire has a competing solution called Security Configuration Management. The difference between agentless and agent-based products begins right here—Auditing vs. Management. About the only thing you can do with agentless security products is check the then-current state of configurations at the time of the audit. That’s the part about finding out you are already dead, or so badly damaged there is little hope of a full recovery. I know, I know, this kind of talk is a bit aggressive… but it’s true, and I know large organizations that can testify to this fact. Here’s why.

Agentless means you do not install any of the security configuration software—the stuff with the secret sauce—on the devices where you are trying to maintain a secure state of configurations. Instead, a request is periodically made to a device-resident utility to collect a copy of every configuration. All of those configurations—whether they have changed or not since the last check—are sent across the network to where the secret sauce security application can do its work.

With an agentless architecture you have to make this request for “all” configuration data and repeat the process for “every” device you are trying to secure. Each request for the configuration data consumes device resources, especially since the utility doing the harvesting work is not purpose-built for this task. In a typical organization less than 1% of configurations change over short intervals, so this blanket copy-and-compare approach is not only incredibly inefficient, it is, frankly, a massive waste of time and resources. So much so that the larger the environment being managed, the longer the interval between configuration checks and the greater the odds that security risks are introduced into the environment. In other words, the larger the environment, the less security value the agentless architecture provides when trying to maintain—continuously maintain—configurations in a secure state.

The agentless architecture is the typical approach to security configuration solutions from a majority of solution providers. Not so with Tripwire; we do it completely differently. For starters, our solution is called Security Configuration Management. Our purpose is to help organizations “continuously maintain” a known and trusted state of configurations, regardless of the size of their environment. Returning to my medical analogy, Tripwire wants to notify the patient when they are susceptible to getting ill rather than letting their next-of-kin know they have died from a preventable illness. We are able to do this because Tripwire employs an agent-based architecture that places critical intelligence at the device. Here is how it works and why that is important.

The Tripwire agent is purpose-built to detect changes to configuration settings. The change information can be sent to the Tripwire application server as it is detected—in real time—or at any desired interval based on business need. The agent has a very small footprint and consumes negligible device resources. The power of this architecture comes from the fact that the “intelligent” agent only sends the data that matters—configurations that have been changed—to the Tripwire application server, where it is immediately retested against policy and alerts are issued upon test failures. Since there is typically less than 1% of configuration change over short intervals, there is minimal data being transferred across the network. And when data is transferred it is done as the change occurs rather than all at once from all devices. If there are no changes, no data is transferred and no testing is required.

Tripwire’s intelligent agent-based approach is incredibly efficient and consumes negligible time and resources, allowing the solution to scale to any size environment. And equally, if not more, important, the Tripwire agent only sends and tests configuration data that is already suspect because it has been changed. In addition to the test results and immediate notification on test failures against policy, Tripwire provides deep and detailed forensic data about the offending change. This information allows failing configurations to be quickly restored to their known and trusted state.

So that’s my mini-sermon—short, sweet, and hopefully to the point. And the point is this: to move the security needle when managing security configurations, an intelligent, device-based agent is required. It is the only architecture that supports seamless scaling to virtually any size environment, because it is the only architecture that focuses only on configurations that change rather than on every configuration, on every device, every time you want to audit their state.

How products work really makes a difference.

  • jackmarsal

    As a NAC vendor we come across the agent vs. agentless debate all the time. We offer both models for NAC, and while our solutions are different, I thought it might make sense to share some of the business and technical requirements that can prevent an organization from deploying an agent based solution:

    1) Some endpoints do not support agents (e.g. embedded systems, video surveillance)
    2) Some endpoints have agent conflicts (happens all the time)
    3) Some endpoints are not owned by the company (e.g. personal mobile devices)
    4) Some endpoints have existing services (e.g. WMI) that you can tap from the network
    5) Endpoint agents do not have full network visibility
    6) Endpoint agents when corrupt cannot tell you anything
    7) Endpoint agents only support managed devices; you need dynamic agent enrollment
    8) Endpoint agents add management overhead and have deployment/maintenance costs

    We support both agentless and agent (persistent and dissolvable) approaches for network access control, mobile security and endpoint compliance. We suggest folks use a layered approach with regards to agent and agentless based real-time monitoring and automated control. We don't disagree with you regarding the value of agents, but have found that the above conditions apply to a large percentage of our customers, which led to ForeScout offering both agent and agentless deployment options.

    • The primary subject of the topic was server configurations (mentioned multiple times in the text). Tripwire, like you, handles network devices using agentless technology, since installation of an agent is impractical or impossible. As mentioned in the posting, we continue to work with organizations who have tried agentless (copy/transfer/compare) solutions for managing critical configurations (servers, desktops, PoS devices, directory services, databases) and have not been able to "move the security needle". Tripwire's SCM solution addresses the issues that agentless solutions cannot.

  • adam

    So that’s my mini-sermon—short, sweet, and hopefully to the point. And the point is — to move the security needle when managing security configurations an intelligent, device-based agent is required