Typefully

Agent vs Agentless Security in CNAPP

3 years ago


In today's ☁️ 🔐 🧵, we tackle a divisive debate in the sec community: agent-based approaches to detection & response vs. agentless solutions. We cover what each approach is, its pros & cons, & how this shapes the CNAPP space 👇.
Agentless - What Is It: Security operations where no service, daemon or process needs to run in the background on the machine being monitored. Agentless tools harness the cloud, its APIs, and other metadata to make security monitoring decisions.
Agentless - Pros: a. Quick Deployment - prioritizes time to first security scan from the initial deployment b. Breadth of Visibility - a mile-wide approach to scanning the ☁️ c. Lower Maintenance Costs - a side effect of point a d. Continuous security & compliance for ☁️ services
Agentless - Cons: a. Lack of Runtime Protection - remediation stops at configuration changes, so more effective runtime protection is missing. b. Lack of Visibility in Hybrid ☁️ - limited to the public ☁️. c. Prioritizes deployment speed over tuning of security posture.
Agent - What Is It: Agents are specialized software components installed on machines to perform security-related actions and operations. To read more about the agent tech @deepfence uses, see our 🧵 on eBPF: twitter.com/deepfence/status/1599782798771990528?s=20&t=q2rSS2d1J2tcIHRjrhDmtQ
Agent - Pros: a. Deeper Inspection on Hosts - specialized scanning at the process level, which is key to determining certain TTPs of threat actors. b. Runtime Protection - blocking of traffic. c. Attack Path Modeling and Protection - across hybrid ☁️
Agent - Cons: a. Prioritizes tunability & configuration of security posture over deployment - initial setup takes time, but offers deep granularity of control once set up. b. Maintenance Costs - deployment in hyperscale environments can be challenging. c. Performance impact on the host
Luckily, the sanest of the sec industry have come to the conclusion that you need both to adequately secure a ☁️. These ideologies are still prevalent when looking at the CNAPP space. Platforms have consolidated feature sets but still prioritize one approach over another.
Deepfence believes one needs to be a mile deep on key security controls (vuln mgmt, CSPM, malware, secrets, etc.) before spreading yourself thin. This requires agent-based data to be correlated with agentless scans to get a deep understanding of attack vectors within the ☁️!
Only by identifying attack vectors can we accurately update our security posture in hybrid ☁️ environments and implement the protections and controls that shut down the modern TTPs threat actors use to move through our environments!
The extra CONTEXT agents provide in the cloud has tangible benefits for orgs: a. Cost Management - better tuning of security controls & spend b. Alert Reduction - alert fatigue causes turnover; context is key to reducing alerts c. Consolidation of Sec Features - better ROI on alerts
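To make the correlation argument concrete, here is an added example (not Deepfence code, and not the thread's own) that joins an agentless view (public IP, security-group ports) with an agent view (listening processes, vulnerable packages, observed connections) to walk attack paths; host names, ports, vulnerability flags and field names are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    internet_facing: bool          # agentless: inventory shows a public IP
    sg_open_ports: set[int]        # agentless: ports the security group admits
    listening: dict[int, str]      # agent: port -> process bound at runtime
    vulnerable_procs: set[str]     # agent + vuln scan: processes on a vulnerable package
    outbound_peers: set[str] = field(default_factory=set)  # agent: observed connections

def agentless_exposures(hosts: dict[str, Host]) -> dict[str, set[int]]:
    """What API/metadata alone can say: every SG-open port on a public host."""
    return {h.name: set(h.sg_open_ports) for h in hosts.values() if h.internet_facing}

def exploitable_services(h: Host) -> list[str]:
    """Reachable (SG open) AND live (listening) AND vulnerable; needs both views."""
    return sorted(f"{p}/{proc}" for p, proc in h.listening.items()
                  if p in h.sg_open_ports and proc in h.vulnerable_procs)

def attack_paths(hosts: dict[str, Host]) -> list[list[str]]:
    """Chains internet -> host -> peer -> ... in which every hop is exploitable."""
    paths: list[list[str]] = []
    def walk(name: str, path: list[str], seen: set[str]) -> None:
        extended = False
        for peer in sorted(hosts[name].outbound_peers - seen):
            for svc in exploitable_services(hosts[peer]):
                extended = True
                walk(peer, path + [f"{peer}:{svc}"], seen | {peer})
        if not extended:
            paths.append(path)

    for h in sorted(hosts.values(), key=lambda x: x.name):
        if h.internet_facing:
            for svc in exploitable_services(h):
                walk(h.name, ["internet", f"{h.name}:{svc}"], {h.name})
    return paths

# Constructed sample fleet; host names, ports and vulnerability flags are made up.
SAMPLE = {
    "bastion": Host("bastion", True, {22}, {22: "sshd"}, set(), {"db-1"}),
    "web-1": Host("web-1", True, {22, 443}, {443: "nginx", 8080: "admin-ui"},
                  {"nginx"}, {"cache-1", "db-1"}),
    "cache-1": Host("cache-1", False, {6379}, {6379: "redis"}, set()),
    "db-1": Host("db-1", False, {5432}, {5432: "postgres"}, {"postgres"}),
}

if __name__ == "__main__":
    print(agentless_exposures(SAMPLE), attack_paths(SAMPLE))
```

On the sample data the agentless view alone flags three open ports across two hosts, while the correlated view reduces that to the single chain through web-1's vulnerable nginx into db-1, which is the alert reduction the thread describes.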
To see how we combine time to security w/ agentless scans & deep packet inspection of ☁️ environments to offer attack path mapping & runtime protection in your hybrid environments, schedule a personal demo with @ryancsmith2222, our Head of Product: go.deepfence.io/15-minute-demo
Deepfence

@deepfence

Securing your apps in production across the entire cloud native continuum – clouds, Kubernetes, containers, serverless, and more