Illusive Blog August 3, 2020

The Agentless Advantage in Cybersecurity - Lower IT Burden and Risk

By Jason Silberman

Agent vs. agentless: you’re likely familiar with the debate about which approach is best in today’s ever-changing threat environment. However, when it comes to detection of in-network threats, particularly using endpoint-based distributed deception as a strategy, an agentless approach is significantly more effective and safe. 

Reducing endpoint overhead

A popular example of an agent is antivirus software that resides on a computer to check for malware. The traditional approach to endpoint data collection involves similarly installing agents on all computers from which data is needed.

Agents are a significant burden for IT teams to manage. They require installation (and if uninstalled they must be reinstalled), upgrades and continued maintenance. Updates of course saturate the network.

In most cases, several agents sit on each machine. Multiple agent deployments cause high endpoint overhead. Then there is the problem of “agent conflict,” as each agent wants control over the same machine resources. In a cybersecurity example, you may have agents from a DLP software, antivirus system and others, which creates conflicts and sometimes causes system crashes. The more agents you have, the more complexity to keep all systems up and running. An agentless solution provides robust security that is much easier to manage—without the hassle of deploying and managing security agents.

There is also a higher cost to maintaining agents. Agentless deployments result in faster rollouts and lower total cost of ownership (TCO) than software products that require agents on a substantial number of computers like in a large enterprise.

Undetectable and impenetrable to attackers

It’s not only IT overhead. Agent-based systems come with additional security risks as well. Agents are vulnerable and detectable by cyberattackers.  

The major vulnerability is that agents communicate to an attacker that their functionality is present on a machine. The presence of an agent tells an attacker what you are doing to stop them. If attackers gain access to a machine, they can access agents, disable them, or more disturbingly, attackers can modify agents to cover the tracks of their attack, or to cause other havoc.

If an agent is left running, with enough knowledge about how the agent operates the attacker can sidestep it. If an attacker knows what behavior will trigger the agent to alert, they can simply avoid carrying out that behavior so the agent won’t warn defenders about their presence. 

The flip side of evasion is that agents can also be manipulated and “distracted.” Let’s say there are two machines an attacker can access, one without a lot of lateral movement options (i.e. with low privileges), and the other with privileged credentials and connections to other workstations. An attacker can create burst of activity on machine #1 in order to distract the agent, hiding the attack activity in a fog of alerts and noise. Alert volume is noisy enough in the typical SOC; attackers are leveraging this fact to cover their attack needles with a haystack of alerts that grows ever bigger. 

Finally, a word about deception technology specifically. Deception solutions that require an agent to get full deception and forensic capabilities from the solution are traceable by attackers due to the agent’s presence on all endpoints. Agents are also susceptible to reverse-engineering, where attackers learn how the agent works and how to circumvent or break it.

Attackers leverage tools like Honeypot Buster—a tool used to identify honey tokens, honey breadcrumbs, and honeypots commonly deployed by deception vendors—to evade decoys and other types of deception technology. Illusive’s agentless automation capabilities alleviate organizations’ need to spend time tweaking and refreshing deceptions so that Honeypot Buster can’t find them; Illusive’s footprint is so light that Honeypot Buster has no way to detect them. Because there are no resident agents running on the endpoints, there’s nothing for advanced attackers to spot or circumvent. 

Agentless, adaptive, and easy to deploy

Illusive’s agentless approach benefits both IT administrators and security teams. Built on intelligent automation, it is designed to have a light operational footprint to minimize the impact on IT. 

Illusive benefits include:

  • Easy to operate and deploys in a matter of hours
  • Light, agentless deployment with  no need to install or uninstall anything on a protected machine
  • Unobtrusive and invisible to legitimate end users
  • Scales to support organizations of any size
  • Low endpoint overhead
  • Low cost to operate
  • Reduces operational staffing and support requirements, freeing up valuable resources for more strategic activities.

To learn more about Illusive’s capabilities, and how we can help with you your security needs:

  • Request a demo with one our security experts
  • Read about our Attack Detection System, an agentless, noiseless deception technology for early cyberattack detection and lateral movement prevention 
  • Learn about Forensics-On-Demand, our comprehensive attack intelligence offering to accelerate incident investigation