I’ve been talking to customers a lot lately. And it’s true what they say: Customers are always right.
Except when they’re wrong and just don’t know it yet.
A while ago I wrote this post on agents: Do you love ’em? Do you hate ’em? Why? It was a bit self-serving, because here at Tripwire we rely heavily on our lightweight, stable, agent-based technology to get some serious security stuff done. Like managing your security configurations… like detecting unauthorized changes to user tables… like monitoring your other security controls for anti-forensic activity.
As I spoke with another customer this week he put it pretty succinctly: “You’ve always got to pay a tax.”
If you use agents you pay a tax that looks like:
- Constantly negotiating with ops for space on a box
- Persistent requirements for space and processor capacity
- Headaches when agents or their services stop for some unfathomable reason
In return for this particular protection tax you get to have instant visibility into systems and configurations, when and where you need it. You get to do things like “continuous monitoring” (shameless plug: here’s a webcast we just did on CM).
If you use agentless scans you pay a tax that looks like:
- Periods of invisibility, where your security posture is on the dark side of the moon
- Less granularity of inspection
- Network traffic
- No continuous monitoring
In return for this particular protection tax you get to remove your agent burdens (real or perceived) and focus on the task at hand.
Unfortunately, you don’t know what you don’t know. You don’t know what your security posture looks like between scans, and you don’t know what configuration-related exploit or breach indicators (“That’s odd… someone enabled a Telnet session yesterday”) you might be missing.
And my bottom line tends to be this: In today’s security-is-just-an-illusion threat environment, getting visibility and knowledge — and getting them fast — is everything.