
Neil MacDonald is an agent hater.

I know this because I attended a presentation last October at Gartner Symposium in which the vice president, distinguished analyst and Gartner Fellow flatly stated,

“I hate agents. You hate agents. We all hate agents.”

Before I’m accused of misrepresenting his statement or taking it out of context, let me add that I know exactly what Neil is saying. I don’t hold it against him. He said this in a presentation about cloud security, but the “ugly downside” of agents is known throughout the physical and virtual infrastructures:

  • They’re expensive
  • They take too much personnel overhead to manage
  • They take up too many system resources
  • They’re intrusive and cause issues with critical processes
  • They cause constant headaches with connection issues, restarts and real-time checks

As the marketing chief for an agent-based IT security product I took a little offense at his statement. How could he malign something we take so seriously?

When I got over it — and got over my wounded techno-pride – I realized that Neil was right. Vendors of persistent security agents have not done a good job of either articulating the benefits of agents or of ensuring their stability in increasingly complex and fragmented infrastructures.

A few weeks ago at our 2012 kickoff one of our customers — the CISO for a major card brand — stood in front of our fully assembled company and said, “Whatever you do, keep focusing on your agent.” From his perspective, the Tripwire agent is:

  • Faster
  • More reliable
  • More trusted
  • More stable
  • And more accurate

… than any other method he has for monitoring thousands of critical servers on multiple continents. For him, the reliability and trustworthiness of the Tripwire agent clearly outweighs any issues that may come with reliance on agents. (And they do have these occasional issues – they’re working with our product management team to provide specs for Tripwire’s self-healing “agent of the future”.)

The CAESARS project (Continuous Asset Evaluation, Situational Awareness, and Risk Scoring Reference Architecture Report) from the Department of Homeland Security does a good job listing pros and cons of agent-based and agent-less architectures. (Go to the bottom of this post for the full breakdown.) Even a cursory count shows many more advantages to agent-based architectures.

So to sum up I have two challenges for us all:

SECURITY VENDORS: We need to keep building better, more stable, less manpower-intensive agents. We owe it to the customers who rely on what we provide — enterprise-wide and always-ready. Look for this challenge to be answered in Tripwire products of the future.

SECURITY BUYERS: Don’t throw the baby out with the bathwater. Agents are like having diligent, all-access on-premise security guards, instead of the occasional drive-bys you get with scans or so-called “dissolvable” services.

Read the CAESARS report or review the Tripwire Take on agent-based vs. agent-less monitoring and decide for yourself.

And don’t be a hater.


From the CAESARS Reference Architecture Report: 

According to this research the advantages of AGENT-BASED system configurations are:

  • Near-real-time continuous monitoring – The endpoint agent resident in a computing asset can monitor security configuration parameters continuously or periodically and report compliance to the CAESARS Database/Repository Subsystem.
  • Deep visibility to security configuration compliance data – Because the agent resides locally on a computing asset and is executed as a system process, it usually has direct access to the security kernel; thus, it has greater visibility to privileged system configuration files.
  • Complex management tasking – The agent is a mission-specific software application; it may be programmed to perform complex management tasks such as checking the host platform on its security configuration settings, modifying security configuration parameters, and enforcing the installation of security patches.
  • Low network utilization – Agents can perform a programmed assessment process autonomously, without direct connection or instruction from the CAESARS Database/Repository Subsystem. Hence, the security compliance data can be collected and stored within the target computing asset until the CAESARS Database/Repository Subsystem requests them.
  • Security – Endpoint agents can establish their own trusted communications channel (via Secure Shell [SSH]) to the CAESARS Database/Repository Subsystem.

The disadvantages of AGENT-BASED deployment configuration are:

  • Higher operating costs – Endpoint agents are required to be installed on target computing assets. For a large enterprise, this entails greater operating costs for installation and maintenance (i.e., patch and upgrade). This is one of the key drivers to replace the existing IRS legacy solution, Policy Checkers.
  • Incompatibilities between agents – An endpoint agent is a mission-specific application that runs on top of an operating system (OS). A host may run multiple agents, such as one for anti-virus (e.g., Symantec Anti-Virus System), one for intrusion detection (e.g., ISS RealSecure or Check Point ZoneAlarm), and another one for configuration management (e.g., Tivoli Configuration Manager). Introduction of an endpoint agent may disrupt or interfere with existing agents.
  • Endpoint agents require configuration management – The agent is software, and so it may require software distribution services to manage configurations. Therefore, the CAESARS Database/Repository Subsystem requires an agent distribution program to track and maintain agent configurations throughout an enterprise.
  • Installation of an agent requires permission from system owners – The system owner may not wish to add complexity and dependency to his/her information system because information security is not his/her primary mission.

The advantages of an AGENTLESS deployment configuration are:

  • Ease of deployment – An agentless solution requires no software installation.
  • Non-intrusive – An agentless solution has no agent, and so it requires no CPU utilization from targeted computing assets.
  • Low operating costs – With no local agent, there is no maintenance or software distribution issue.

The disadvantages of AGENTLESS deployment configuration are:

  • Shallow/limited visibility to security configuration compliance data – Agentless assessments can only be performed through interrogation of the target computing asset’s OS. The CAESARS Sensor Subsystem cannot validate privileged system files such as:
    • Windows actions and reports: List Instant Messenger Applications report; Users with Weak Passwords report; Users with Password = User Name report; Users without a Password report; Users with Password Too Short report; Set Disk Quota for User action; Show User Quota for a Specified Volume report
    • Windows security checks: Accounts with Password Equal to Any User Name; Accounts with Password Equal to User Name; Accounts with Password Equal to Reverse User Name; Accounts with Short Passwords; Accounts with Blank Passwords; Instant Messenger Setting
    • Queries of the Port object
    • Any default port scan reports, such as the Port Scan (TCP/UDP Endpoints) report
    • Queries of the HKLM/Current User registry hive or any reports that rely on that hive
  • Encryption of data – The transmitted data, potentially sensitive in nature, are not guaranteed by the application running in agentless mode due to the dependence on OS settings. In agentless mode, the transmission of data is dependent on the OS’s settings. For example, for the Windows Group Policy Object setting “System cryptography: use FIPS-compliant algorithms for encryption, hashing, and signing”.
  • Network reliance – Agentless security configuration compliance assessments require a network. Compared to an agent-based solution, an agentless solution requires a significant level of network usage.
  • Impact on other security mechanisms – Agentless security configuration compliance assessments may cause false alarms to an intrusion detection system (IDS), and, in some cases, compromise perimeter security if the target computing assets are external to the trusted network domain.