The truth revealed – agentless security is not real security

At last the truth has been revealed and the enduring ‘agentless vs. agent’ debate is over. The inevitable result: if an organisation wants cloud workload security, it needs an agent.

Amir Jerbi, co-founder and CTO at Aqua Security, explains that although many security professionals knew this from the start, plenty were misled into believing in the overhyped promises of agentless security. But why is this news? Because two of the leading agentless-only vendors finally gave in and announced partnerships with agent-based runtime security and CWPP vendors.

These are the companies that have claimed that agents are ‘old school’ and ‘agent-based security is dead.’ Such views have always been a puzzle to me.

But why does it matter?  Amid all the industry hype around agentless security, many organisations were misled into believing that by deploying agentless solutions they have protected and secured their cloud environments completely.

Such is not the case, of course. Agentless has passed the ‘peak of inflated expectations’ and is screaming towards the ‘trough of disillusionment.’

In the real world, an agentless-only approach is fundamentally flawed since it gives a false sense of security and leads to blind spots. Don’t be deceived by certain security vendors that suggest, “You’re secure because you have no misconfigurations in your public cloud environment and you’re PCI compliant.”

What about the 50% of memory resident attacks that agentless can’t even see? Without an agent, tech is not able to see these attacks let alone block them.

An agentless-only approach is fundamentally flawed as it gives a false sense of security and leads to blind spots. The fact that there are no misconfigurations in a public cloud environment, does NOT mean it is secured!  Without an agent, an organisation is unable to see 50% of attacks, including memory resident attacks, that agentless security can’t see, let alone block them.

So why is agentless security alone insufficient ?  Because agentless security solutions deliver visibility, basic compliance and posture management, although they’re unable to protect applications at runtime or stop attacks in production – in contrast, agent-based security. Here’s why:

#  Point-in-time visibility: Agentless scans usually run once in 24 hours, showing the lie of the land for the point-in-time when the scan was done. The rest of the time, an organisation is running blind and has no clue about what’s happening in its environment.

#  Due to the the high speed and ephemeral nature of cloud workloads, by the time of the next scan, the workload will no longer be running. The attackers will have infiltrated the environment and vanished, having taken what they came for within minutes, if not within seconds of the attack.

#  No real enforcement: When agentless solutions take a copy of a disk image, they do not look at the actual running code. Once a snapshot is taken, they have no connection of any kind to the running workload.

If they are able to identify an attack from a disk image snapshot, they can only alert about the problem, and have no mechanism for interdicting the attack. An agent is required for that. As a result, customers are left to stop the attacks on their own.

#  Sophisticated fileless techniques: Attackers are becoming increasingly sophisticated and often use fileless malware to evade detection and leave no footprint.

Recently my company’s security research team detected a global campaign attacking Redis servers with custom-made fileless malware called HeadCrab. Agentless solutions miss such sophisticated threats because they can’t see the process running in memory from a static disk image. Once more, another blind spot.

So, agentless visibility is great to have since it’s fast and easy. In fact it is just a single piece of the puzzle. In the production environment, the stakes are high, and an organisation’s mission-critical and sensitive workloads require real-time security and protection. Hence, an agent.

In the real world, organisations need both agentless and agents. Recent partnership announcements validate that to achieve effective protection in the cloud, they need to use both agentless and agents in their security strategy. My company has long been advocating for this and we are pleased that even ‘pure agentless’ vendors have finally realised it as well.

Yet it’s not enough simply to deploy both agentless and agents. In the complete picture, there has to be a strong connection, unified visibility and correlation of the risks between the two. Otherwise, there will be a lack of the context to understand the risk and prioritise security issues.

This can’t be achieved by trying to bolt third-party runtime agents – the core and most technically difficult part of workload protection – on to a platform. Combining multiple vendors will lead to further tool sprawl, siloed visibility and fragmented runtime protection.

For a cloud native application protection platform (CNAPP) to be an integrated platform and not a suite of siloed capabilities, an agent must be an integral part of the solution rather than a bolt-on. This is possible only with a single platform from a single vendor.

One platform ties it all together

Since its inception, my company’s vision has been crystal clear: to deliver a single end-to-end security solution for the entire application lifecycle in one holistic platform. We’ve put our faith in the belief that to be a true CNAPP, a solution must include strong runtime controls and stop attacks in progress.

So we have built a runtime security solution completely in-house, now enhanced with eight years of field experience and customer learnings. Based on eBPF technology, our Lightning agent is faster, lighter and easier to manage at scale than the agents of yesterday.

Customers also benefit from our focused cloud native security research, which studies thousands of attacks in the wild and produces behavioural signatures to help identify and protect against new threats.

What’s more, our platform was the first CNAPP to combine active protection with agentless workload visibility. Built together from the ground up, agents and agentless are enriching each other and sharing the context across the application lifecycle, allowing security teams to detect, prioritise and fix the highest risks rapidly, and to stop attacks in progress.

Given the growing sophistication of cloud attacks, visibility alone is insufficient. Don’t compromise on security posture because of any vendor’s technical constraints; robust protection requires both agents and agentless, and a single, comprehensive and integrated platform.

In seeking a real CNAPP, the most important question that business or security leaders can ask is: “Am I protected from bad things happening to my cloud applications in production, and can I detect and stop an attack in real time if it comes to that?”