Not everything in the digital world is binary. Choices about how to approach security, for example, don’t always have to be either-or. Such is the case in the debate over agentless and agent-based protection in enterprise cloud security strategy.
The environments that many organizations operate and defend are substantially different from those of a decade ago. Now, they include a growing cloud ecosystem alongside on-premise resources—all of which must be monitored, scanned, and controlled.
Agent-based security aims to accomplish this by placing an agent on every host. In the on-premise world, this approach can provide sufficient coverage of corporate endpoints and enable organizations to monitor workloads without interruption. IT and security teams also need to prevent unauthorized access to file directories, detect malware, and block suspicious endpoints and images, and agent-based solutions enable this level of protection as well.
In the cloud, however, agent-based security is often insufficient and more problematic than it is on-premises. This reality stems from a central challenge inherent to today’s cloud environments: the pace of change. Not only are resources routinely spun up and down, but short-lived containers and other resources must be accounted for as they pop in and out of existence.
Complicating matters further is the fact that IT and security teams typically do not have access to, or control over, all the hosts in an environment and therefore can’t deploy agents on them. This lack of coverage creates security blind spots that attackers can exploit. Preventing these gaps, and gaining visibility into the hosts in your environment, is critical for defending the cloud.
Agent-based security can run smack into significant hurdles in complex and dynamic cloud environments. Agentless security aims to step up and fill in the gaps—but how effective is it?
What About Agentless Security?
Agentless scanning can address the aforementioned challenges and do it at scale, without affecting performance. This approach uses cloud provider APIs to deliver the visibility into the cloud environment that organizations need. Rather than installing an agent on every resource, agentless security relies on the visibility the cloud provider already has, allowing organizations to capture data from any workload, ephemeral or not.
One of the benefits of agentless security solutions is the lack of management and maintenance overhead. For cloud environments with a large number of assets, managing and updating agents is no small task. Services that don’t allow the installation of third-party security agents slip under the radar of an agent-only approach. In addition, agents require constant maintenance to keep up with changes in the cloud environment; with an agentless approach, for example, there is no need to worry that an agent will fail to support an updated kernel and crash an application.
Agentless security has recently surfaced in cloud security discussions following news of the Log4Shell vulnerabilities disclosed in Dec. 2021. Because this issue affected countless assets and organizations, it became clear that the ability to broadly scan environments for the flaws, and ensure they were patched, was crucial in protecting organizations from exploitation.
Why Agentless Security Isn’t Enough
However, there is more to the story. While some cloud resources can be scanned via the cloud provider’s API calls, many still require endpoint detection and response (EDR) for the cloud to provide full runtime security. For example, apps running on a serverless platform such as AWS Fargate need agents to enforce security so that only trusted connections are allowed and any suspicious connections are blocked.
As workloads evolve into various types such as containers, serverless, containers-as-a-service and more, some may be scanned using an agentless approach. However, defenders still need the ability to prevent unauthorized access, prevent malware from being deployed, proactively block connections to suspicious endpoints, and stop images that fail compliance from running in their production environment. For this, an agent-based approach is essential to provide proper runtime protection.
The bottom line is, cloud environments are dynamic and complex, as are their security needs. Modern applications are about mixed workloads, multi-cloud environments, and different runtimes. Why should one security approach be treated as the only answer to the challenges of protecting a complex environment? Sometimes, the answer is finding the best of both worlds.
A Mixed Approach Is Needed To Properly Defend The Cloud
In the face of today’s evolving threat landscape, organizations should look for a cloud-native security platform that uses agentless and agent-based scanning to meet their security needs.
Defending the cloud requires securing a rapidly growing attack surface. IT and security teams must enforce continuous monitoring and security from the development process to runtime. Legacy security tools are of little use here because they don’t provide the granular visibility into cloud-based events that organizations need. To protect hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset—both of which must be rooted in maintaining flexibility, scalability, and consistency across their IT infrastructure.
Some will say agent-based security works best in data center environments where there is less change, but that it will fail to meet the security needs of modern businesses in the cloud. However, agentless and agent-based approaches can work together to give security and DevOps teams the flexibility to deploy the type of protection they need regardless of their environment.
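One concrete way the two approaches complement each other is coverage reconciliation: the agentless inventory (what the cloud provider's API says exists) is compared with the agents that are actually checking in, which surfaces the blind spots described earlier. The script below is an added example written for this article, not CrowdStrike code or any Falcon API; the asset and check-in records are constructed inline to stand in for a provider inventory call and an agent telemetry feed, and the grace and staleness windows are assumed values.

```python
"""Reconcile an agentless cloud inventory against agent check-ins to find
workloads with no runtime protection. All records below are constructed
sample data; in practice INVENTORY would come from the provider's API and
CHECKINS from the agent management console."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CloudAsset:
    asset_id: str
    launched_at: datetime
    agent_supported: bool  # False for managed services where no agent can be installed


@dataclass(frozen=True)
class AgentCheckin:
    asset_id: str
    last_seen: datetime
    agent_version: str


# Fixed "current time" so the example is deterministic offline.
NOW = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed inventory, as an agentless provider API call might return it.
INVENTORY = [
    CloudAsset("i-web01", NOW - timedelta(days=2), True),
    CloudAsset("i-batch07", NOW - timedelta(minutes=3), True),   # just spun up
    CloudAsset("i-legacy02", NOW - timedelta(days=30), True),    # never got an agent
    CloudAsset("i-app03", NOW - timedelta(days=10), True),
    CloudAsset("rds-db-1", NOW - timedelta(days=90), False),     # managed service
]

# Constructed agent telemetry; "i-gone99" no longer exists in the inventory.
CHECKINS = [
    AgentCheckin("i-web01", NOW - timedelta(minutes=5), "6.30"),
    AgentCheckin("i-app03", NOW - timedelta(hours=3), "6.28"),
    AgentCheckin("i-gone99", NOW - timedelta(minutes=20), "6.30"),
]


def classify_coverage(inventory, checkins, now,
                      grace=timedelta(minutes=10), stale=timedelta(hours=1)):
    """Map each inventoried asset to one coverage state.

    covered        - agent checked in within the staleness window
    stale          - agent exists but has not reported recently
    pending        - brand-new asset still inside the install grace period
    gap            - agent-capable asset with no agent at all (a blind spot)
    agentless-only - the provider does not allow an agent; posture/API scanning only
    """
    latest = {c.asset_id: c for c in checkins}
    states = {}
    for asset in inventory:
        checkin = latest.get(asset.asset_id)
        if not asset.agent_supported:
            states[asset.asset_id] = "agentless-only"
        elif checkin is None:
            age = now - asset.launched_at
            states[asset.asset_id] = "pending" if age < grace else "gap"
        elif now - checkin.last_seen > stale:
            states[asset.asset_id] = "stale"
        else:
            states[asset.asset_id] = "covered"
    return states


def orphaned_agents(inventory, checkins):
    """Agents reporting for assets the provider no longer lists (terminated
    or outside the scanned accounts). Sorted for stable output."""
    known = {a.asset_id for a in inventory}
    return sorted({c.asset_id for c in checkins if c.asset_id not in known})


def summarize(states):
    """Count assets per coverage state, e.g. for a dashboard or report."""
    counts = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    coverage = classify_coverage(INVENTORY, CHECKINS, NOW)
    for asset_id, state in coverage.items():
        print(f"{asset_id:12} {state}")
    print("orphaned agents:", orphaned_agents(INVENTORY, CHECKINS))
    print("summary:", summarize(coverage))
```

The "gap" and "stale" rows are the ones an agent-only view cannot produce, because an agent that was never installed or has stopped reporting generates no telemetry; only the agentless inventory reveals that the asset exists at all. The "agentless-only" row marks where posture and API-based scanning is the only option, which is exactly where the mixed approach matters.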
At CrowdStrike, Falcon Cloud Workload Protection agents gather event data generated by endpoints and cloud workloads. Our “Falcon everywhere” approach leverages agents deployed to cloud workloads and containers, and is bolstered with cloud-native indicators of attack (IOAs), machine learning, and proactive, hands-on threat hunting.
Falcon Horizon offers an agentless approach focused on cloud security posture management, providing visibility into potential risks and vulnerabilities, non-compliance, and control-plane protection. Falcon Horizon uses cloud-native, agentless posture management to reduce friction and complexity across multi-cloud environments and accounts.
In addition to cloud resource discovery and identifying misconfigurations, Falcon Horizon integrates with Security Information and Event Management (SIEM) solutions to gain visibility, prioritize threats, reduce alert fatigue, and respond to and fix issues faster. These capabilities are fast and easy to deploy and serve as a foundation for a strong cloud security program. Further, integration with our agent-based approach provides security teams the end-to-end protection and insights needed to respond faster and enable DevOps teams to build safely in the cloud.
Having a flexible approach to security bolstered by up-to-date, integrated threat intelligence is critical for giving enterprises the proper level of protection against today’s adversaries. With adaptable capabilities, organizations can adjust their activity to meet the needs of their environment.