Over the past 20 years, I have implemented many different security solutions – from IDS in the 90s to browser protection in 2014, and just about everything else in between.
One thing that quickly became obvious during my time in information security is that security considerations are just one part of the equation for most organizations. Involving the departments who will be testing, managing and implementing your chosen security solution early in the assessment process will pay huge dividends in the long run.
It may even help you find a solution that – left to your own devices – you may not have chosen but is actually the best fit for your organization. One area where this is very apparent is when looking at solutions that offer agentless or agent-based alternatives.
This is a two-part blog post on some of the factors you might use to decide which flavor better suits your organization’s needs. Part 1 provides advice from a security perspective, and part 2 provides advice from the operations perspective.
The most important questions for security professionals to answer when considering agent-based and agentless security technology deployment are what are you trying to do and what is the best way to do it? Some points to consider:
1. Do you need point in time or always on?
An agentless system using scheduled or on-demand scans will give you the ability to understand your systems’ state at the time of the scan, but will not provide information outside of that. This is useful for reporting on compliance or looking for specific information in response to a request. However, if you need additional capabilities, such as file integrity management, system change management, or threat detection and response, then you will need the continuous collection capability that an agent based system provides.
2. How short is your point in time window?
If you have a large enterprise, network limitations, or mobile assets, your ability to return the state of all systems from a scan could span hours, days or even weeks. This may be sufficient to meet your particular reporting needs, but if you are looking for what happened across systems at a particular point in time, such as during an investigation, then you really need the continuous monitoring capability of an agent-based system.
3. When do you need the results?
While this is not necessarily a security objective per se, your choice may be severely limited if you find yourself needing a solution to help you with a fast approaching audit. The time for PoC, adoption and implementation is usually going to be much quicker for an agentless solution. This is not necessarily because of agent technology, but due to the cross-department resources that need to be organized to deploy agent-based solutions and the different requirements involved in testing the systems where agents are going to be deployed.
4. What kind of functionality do you need?
Functionality is also often a key difference between agentless and agent-based solutions. Once you have your agents implemented and agent management is dialed in, your capability can grow with the product. Agent-based solutions can provide real-time monitoring and alerting, and if the agent is hooked into OS subsystems, a wealth of information and capabilities that may not be available to an agentless solution are supported, such as file integrity monitoring, endpoint detection and response and real-time threat analysis.
5. Are you sufficiently resourced to manage it?
Again, not a security objective per se but security organizations can destroy themselves by owning the operational management of security solutions when they don’t even have enough resources to do the security side of things. If you are severely resource constrained then look carefully at the responsibilities your team will be taking on. Agentless solutions often require fewer resources because they are designed to solve a more limited set of problems and offer a smaller set of functionality.
Again, your aim at this point in the process is to understand what you are trying to do and how best to do it from a security perspective. Unfortunately, that is not the end of the story and in part 2 we will add some of the considerations from an operational point of view.
Title image courtesy of ShutterStock