To agent or not to agent? Few debates in cloud security have attracted more attention in recent years. In this blog, we will investigate the different scenarios that involve agent-based and agentless security, analyze the arguments for and against both sides, and give implementation recommendations for your environment with Microsoft Defender for Cloud.
1. Introduction to agent-based/agentless security:
What is agent-based protection
A cloud security agent is a piece of software installed on cloud-based or on-premises workloads. This agent enables organizations to attain in-depth visibility and defend their IT infrastructure and data against cyber-attacks and data breaches.
Security agents have been widely deployed since the inception of Endpoint Detection and Response (EDR) solutions to provide real-time threat protection and comprehensive monitoring of individual workloads. When combined with Security Information and Event Management (SIEM) software, such as Microsoft Sentinel, data gathered from these agents can be synthesized and correlated to investigate complex and cross-platform security incidents.
What is agentless protection
In the dynamic world of cloud security, resources can spin up rapidly, and workloads may be ephemeral. These aspects present significant challenges when deploying and maintaining agents on a scale, necessitating a new approach: agentless security.
Agentless security excels in this landscape. Rather than deploying an agent within the workload to gather and transmit information, security data is collected using non-invasive methods. These methods include cloud image analysis, log file analysis, and API connections. This approach significantly reduces management overhead and negates the need for constant maintenance of the deployed agent.
In recent years, more emerging cloud security technologies have started adopting an agentless approach. This shift is due to the advantages that this method offers, especially in large-scale and complex cloud environments. Agentless security solutions provide seamless scalability, efficient resource consumption, and reduced management complexity. Furthermore, for organizations that need to deploy hardened resources and cannot install agents, an agentless approach provides flexibility.
Microsoft’s Approach
Microsoft's Defender for Cloud leverages both agent-based and agentless security, offering a robust and flexible solution for a range of cloud security needs. The solution can adapt to the context, optimizing its use of agent-based or agentless security as needed. This makes it a versatile and powerful tool for securing cloud environments, embodying Microsoft's commitment to providing top-tier, adaptable cloud security solutions.
2. How to choose between agent-based and agentless protections
Agent-based and agentless approaches have merits in different scenarios and should both be considered case by case. Therefore, to maximize the efficiency of these methods, understanding their context and knowing when to utilize them is crucial.
An agent-based approach can be particularly beneficial when deep visibility and control over system processes are needed, such as in endpoints or mission-critical systems. These systems often require a level of detailed monitoring, management, and control that only an agent-based solution can provide.
On the other hand, agentless solutions, like the ones provided by Microsoft Defender for Cloud - Defender Cloud Security Posture Management, are ideal for situations where deploying an agent is impractical or inefficient. This could be due to a myriad of reasons such as resource constraints, scalability requirements, or cross-platform compatibility issues.
Agentless capabilities in Defender Cloud Security Posture Management excel in offering a broader, holistic view of your cloud security posture, providing benefits such as attack path analysis, vulnerability scanning, and sensitive data discovery without the need to install software agents.
Moreover, Defender Cloud Security Posture Management's agentless solutions enable seamless deployment and scalability across dynamic and widely distributed cloud environments. They offer efficient resource consumption by leveraging existing infrastructure and providing cross-platform compatibility, making them an ideal solution for hybrid or multi-cloud deployments.
The combination of both agent-based and agentless solutions allows organizations to create a flexible and robust cloud security strategy. By utilizing each approach where they offer the most benefit, practitioners can ensure comprehensive coverage of their cloud environments, from detailed monitoring of specific systems to broad surveillance of entire infrastructures.
As a cloud security practitioner, it's about using the right tool for the right job. Balancing the strengths of both agentless and agent-based solutions will enable you to leverage the best of both worlds, creating a robust, flexible, and comprehensive cloud security strategy. To better help you understand how to maximize the efficiency of both, here is the breakdown of how to best use them in different customer scenarios:
| Capability categories | Agent-based security | Agentless security |
|---|---|---|
| Deployment and maintenance | Needs deployment and maintenance, but can be optimized to reduce overhead | No deployment requirement |
| Performance impact | Performance impact depends on the type of agent deployed | No performance impact |
| Asset discovery and inventory | Can gain deeper insights into workloads for threat collection | API-based, fast and complete discovery |
| DevOps security | Not applicable | DevOps environment connectors help communication between DevOps and security teams |
| Posture management and compliance | Comprehensive visibility into details such as installed software and patches | |
| Real-time threat response | Prevention, true real-time threat detection and automatic response | Not the main use case, since there is no continuous monitoring |
| Data security | | |
| Cloud native security | | |
3. How to maximize protection in different cloud security use cases
In this section, we will introduce agent-based and agentless protection guidance for the different Defender for Cloud plans.
DevOps Security:
Using Microsoft Defender for DevOps, you can secure your code, discover secrets and Infrastructure as Code security misconfigurations, and determine if there are open-source security issues, all in your GitHub and Azure DevOps environments.
There are two main sources of security when using Defender for DevOps, and these are the MSDO (Microsoft Security DevOps) extension and the GitHub Advanced Security scanning capabilities.
Cloud Security Posture Management (CSPM):
Cloud Security Posture Management (CSPM) has seen significant evolution in response to escalating cyber threats and the advancement of cloud security technologies. Among these, agentless solutions have emerged as a powerful tool, offering considerable advantages to enhance an organization's overall cloud security strategy.
By employing Microsoft Defender for Cloud - Defender Cloud Security Posture Management (DCSPM), organizations can leverage these advantages to achieve improved security outcomes. DCSPM combines agentless and agent-based approaches, with a preference for the former due to its inherent advantages.
Let us see how Agentless Security solutions are geared for the future and unravel their full potential in DCSPM.
Benefits of Agentless Security in Defender CSPM
- Simplified Deployment and Scalability
The initial point of comparison with agent-based methods lies in deployment and scalability. Installing and managing software agents on each individual cloud instance or virtual machine can be labor-intensive. However, DCSPM's agentless solutions circumvent this issue, allowing streamlined deployment and seamless scalability across dynamic and widely distributed cloud environments. The system can automatically include new instances in the security monitoring process, or exclude terminated ones, without requiring manual intervention.
- Efficient Resource Consumption
DCSPM's agentless solutions also offer a more resource-efficient approach. Unlike agent-based solutions that require dedicated resources on each cloud instance, agentless solutions leverage the existing infrastructure and resources. This efficiency minimizes the impact on performance and resource availability, enabling organizations to maximize the utility of their cloud environment while ensuring robust security.
- Cross-Platform Compatibility and Flexibility
As organizations increasingly adopt hybrid or multi-cloud deployments, the cross-platform compatibility and flexibility of agentless solutions, as provided by DCSPM, become paramount. Designed to operate seamlessly across multiple cloud platforms and service providers, these solutions ensure consistent security policies and monitoring capabilities, irrespective of the diversity of cloud services used.
- Reduced Management Complexity
Managing software agents on numerous cloud instances can be challenging, especially in dynamic cloud environments. DCSPM's agentless solutions alleviate this issue by eliminating the need for managing agent updates, version control, and agent-specific configurations. This reduction in management complexity allows organizations to focus on enforcing security policies and responding to security incidents.
Capabilities that Leverage Agentless Security
- Attack Path Analysis
DCSPM leverages agentless solutions for a comprehensive attack path analysis, enabling the identification of potential attack vectors that may go unnoticed in traditional systems. Furthermore, DCSPM also offers security risk analysis capabilities, contributing to an organization's ability to anticipate and manage potential threats effectively.
- Vulnerability Scanning
Another significant advantage of agentless solutions is their capability for vulnerability scanning of virtual machines (VMs) and container images, an area where DCSPM's agentless solutions excel. They offer automatic scanning capabilities, identifying potential vulnerabilities even before deployment. By integrating with DevSecOps and CI/CD pipelines, they can provide real-time feedback, enabling developers to address security issues during the earliest stages of development.
- Discovering Sensitive Data
There is an exponential movement of sensitive data to the cloud, making cloud resources that contain sensitive data a primary target for adversaries. When it comes to data, especially sensitive data, DCSPM's agentless security shines. An agentless solution can traverse through various data repositories, identify, and classify sensitive data, all without the need for software installation on the storage mediums. This helps reduce the attack surface and mitigates the likelihood of accidental exposure.
The advantages of agentless solutions for CSPM become even more evident when examining specific scenarios. For instance, a financial services organization dealing with high-volume transactions can leverage an agentless solution to gain continuous visibility and control over its entire cloud infrastructure, including scanning for vulnerabilities, identifying insecure configurations, and detecting anomalous behavior.
Similarly, healthcare companies managing sensitive patient data can use agentless solutions to ensure data protection by discovering and monitoring sensitive data, providing audit trails and ensuring regulatory compliance.
Moreover, in complex hybrid cloud environments, which are often riddled with potential blind spots, agentless solutions provide a unified view of the security posture. They identify misconfigurations, perform vulnerability assessments, and monitor network traffic across multiple cloud environments, all without needing to install software on individual resources.
Threat Protection
The combination of both agent-based and agentless methods provides an in-depth approach to cloud workload protection. Working together, they can provide comprehensive alerting and threat detection. Microsoft Defender for Cloud’s workload protection includes both agentless and agent-based capabilities to secure your workloads.
Server Protection:
In the ever-evolving landscape of cybersecurity, the importance of robust server vulnerability scanning cannot be overstated. Traditional agent-based security solutions have been the norm, requiring software installations on each server to be monitored. This often leads to increased complexity and potential compatibility issues. Revolutionizing this concept, Microsoft Defender for Servers provides an 'agentless' approach, simplifying this procedure significantly.
The agentless server vulnerability scanning offered by Microsoft Defender for Servers is a standout feature. It identifies vulnerabilities and misconfigurations on your servers and provides in-depth remediation advice to rectify these issues, all without the need to deploy traditional agents. This ensures a streamlined, non-intrusive security process.
This shift in security strategy provides numerous advantages:
- Enhanced Scalability: Agentless security solutions allow businesses to scale their security with ease. Microsoft Defender for Servers seamlessly integrates new servers into its protective coverage without additional installations or modifications.
- Optimized Performance: The agentless approach, not running directly on the server, leaves server performance unaffected. This leads to no slowdowns or resource conflicts, ensuring your servers always perform optimally.
- Seamless Compatibility: As part of the broader Microsoft ecosystem, Defender for Servers provides effortless integration with other Microsoft platforms and various third-party services, enhancing the user experience without burdening your resources.
While the agentless model carries significant benefits, agent-based security solutions offer unique advantages that deserve equal attention. These solutions provide more comprehensive and in-depth security scanning, ensuring your server environment is thoroughly safeguarded against potential threats.
Let's explore the benefits that make agent-based solutions an attractive choice:
- Deep Threat Protection: Agent-based solutions excel in their ability to provide deep threat protection. With Microsoft Defender for Servers, the agent installed on each server allows for thorough scanning and robust protection by actively monitoring system changes, detecting unusual behavior, and responding instantly to potential security threats.
- Frequent Scanning: Agent-based solutions enable more frequent scanning of servers. Since the agent is directly installed on the server, it can conduct real-time, continuous scanning, ensuring threats are detected and addressed swiftly.
- Leveraging File Integrity Monitoring (FIM): File Integrity Monitoring is a vital feature of Microsoft Defender for Servers. FIM enables you to track and record any changes made to critical system files, configuration files, and content files. It helps identify unexpected or unauthorized changes that may signal a security breach.
- Utilizing Adaptive Application Controls: A distinguishing feature of Microsoft Defender for Servers, Adaptive Application Controls, uses machine learning to analyze running applications on your servers and create a list of safe software. When these controls are configured, they alert you when any application runs outside those identified as safe. This enhances your server security by aiding in the identification of potential malware, maintaining compliance with local security policies, recognizing outdated or unsupported applications, and increasing oversight of apps accessing sensitive data.
- Deep System Insights: An agent-based solution provides detailed insights into the server’s system processes. The agent's access to and monitoring of server activities on a granular level aid in understanding intricate patterns and anomalies that could indicate potential threats.
- Actionable Remediation: Agent-based solutions often offer immediate and effective remediation actions during a security event. Because the agent is housed within the server, it can take rapid corrective measures, minimizing the potential impact of a security breach.
Navigating an era of escalating cyber threats in complexity and frequency requires a security solution that's both robust and adaptable. Microsoft Defender for Servers, offering both agentless and agent-based architectures, presents a comprehensive and resilient solution. The agentless model provides a unique blend of convenience, scalability, and broad protection, accommodating growing server environments. Conversely, the agent-based model offers deep threat protection, continuous surveillance, detailed insights, and swift remediation actions. Both models have distinct strengths, collectively ensuring a secure, agile server environment ready to tackle the evolving threat landscape. With Microsoft Defender for Servers, regardless of choosing an agentless or agent-based approach, you can rest assured your digital assets receive comprehensive protection.
Data Security (Storage and Databases) Protection:
With Defender for Storage agentless malware scanning and data-aware threat detection, security teams will be able to detect and respond to malware distribution and sensitive data breaches in Azure Storage.
Defender for Storage analyzes telemetry streams and synthesizes cloud object store activity against Microsoft’s threat intelligence research to detect anomalous and potentially malicious activity such as suspicious access and data exfiltration. Customers benefit from contextual security alerts that deliver investigation details, security recommendations, and automated response workflows to protect storage resources.
Defender for Databases lets you protect your entire database estate with attack detection and threat response for the most popular database types within Azure, hybrid, and multicloud environments. Defender for Cloud provides protection for the database engines and for data types, according to their attack surface and security risks. Advanced threat detection capabilities and Microsoft Threat Intelligence data are used to provide contextual security alerts. The alerts include steps to mitigate the detected threats and prevent future attacks.
SQL vulnerability assessment is an agentless service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.
Microsoft Defender for SQL servers on machines extends the protections for your Azure-native SQL Servers to fully support hybrid environments and protect SQL servers hosted in Azure, other cloud environments, and even on-premises machines.
Containers and Kubernetes Protection:
As organizations embrace containerization for managing and deploying their applications, ensuring comprehensive security measures is paramount for protecting their container and Kubernetes workloads in the cloud. The complexity and architecture of Kubernetes require a multilayered approach to security. Kubernetes clusters are unique in that they consist of multiple interconnected components, such as the control plane and the workload, each introducing different entry points for threats into the cluster.
Agentless and agent-based approaches to Kubernetes security work together in detecting threats on multiple layers of the Kubernetes estate. Defender for Containers uses both approaches to secure your containers and Kubernetes clusters in the cloud and on-premises.
An agent-based approach to Kubernetes threat protection is critical in providing granular, real-time monitoring of the containerized workload itself. This includes identifying suspicious running processes on the cluster as well as which parts of the Kubernetes estate were involved. Defender for Containers takes an agent-based approach to workload protection by deploying a Kubernetes-native agent, the Defender profile.
The usage consumption myth
The Defender Profile is a Kubernetes native agent, a DaemonSet, which is deployed to each node on the cluster. DaemonSets effectively mitigate concerns related to excessive resource utilization and performance impact by consuming minimal resources. This aspect ensures that organizations can continue running their Kubernetes workload alongside the Defender Profile and maintain the overall performance of their Kubernetes cluster. Furthermore, the nature of DaemonSets ensures consistent security coverage across the entire cluster, regardless of the number of nodes or their dynamic nature, thus reducing the risk of blind spots. All the above characteristics of DaemonSets allow for seamless deployment and management of the Defender Profile and address typical concerns of using an agent to secure cloud environments.
Aside from its convenience, the Defender Profile is also critical in providing enhanced visibility of the cluster, including insights into running processes on the workload. Being integrated into the Kubernetes cluster, it collects inventory and security events from the Kubernetes environment and sends that information to the Defender for Cloud backend, allowing for near real time threat detection for runtime workloads.
Deleting a history file log in Kubernetes can be considered a security threat, as it interferes with incident investigation. History file logs provide important records of user activity and misconfigurations, which can be helpful in identifying the root cause of an incident. An attacker may delete the history logs to cover their tracks. With the help of the Defender Profile, Microsoft Defender for Containers can detect that the command history file logs have been cleared by analyzing processes running within the container or on the Kubernetes node. The Defender Profile provides enhanced visibility into which related Kubernetes entities were impacted by the security alert. In the example below, aside from viewing the suspicious process and command line detected, Defender for Containers also shows you entities such as the Namespace and Pod that were impacted.
An agentless approach leverages the fundamental infrastructure of Kubernetes by monitoring the API server. Defender for Containers provides agentless threat detection at the cluster level by monitoring audit logs and security events from the API server.
In the case of agentless vs agent-based threat detection in Defender for Containers, both methods are Kubernetes friendly as they leverage existing components and resources within the Kubernetes ecosystem. Both methods seamlessly integrate by using Kubernetes native methods to help collect and analyze data from the cluster.
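To make the two layers described above concrete, here is an added example (not Defender for Containers' own detection logic) that runs a node-level process check for cleared command history, an API-server audit log check for exec/attach sessions into a pod, and then correlates both on the affected namespace and pod. The process event schema (node/namespace/pod/container/cmdline) and all sample events are constructed for this example; the audit entries follow the audit.k8s.io/v1 Event shape.

```python
import json
import re

# Matches common shell history file names (.bash_history, .zsh_history, .history).
HIST = r"\.[a-z_]*history\b"

# Command-line patterns that clear or disable shell history, with the reason reported.
HISTORY_CLEAR_PATTERNS = [
    (re.compile(r"\brm\b.*" + HIST), "history file removed"),
    (re.compile(r"(?:^|[\s;&|])>\s*\S*" + HIST), "history file truncated by redirect"),
    (re.compile(r"\bhistory\s+-c\b"), "in-memory history cleared"),
    (re.compile(r"\bunset\s+HISTFILE\b"), "HISTFILE unset"),
    (re.compile(r"\bln\s+-s\S*\s+/dev/null\s+\S*" + HIST), "history file linked to /dev/null"),
]

def detect_history_clearing(event):
    """Agent-based layer: one node-level process event (hypothetical schema with
    node/namespace/pod/container/cmdline keys) -> alert dict, or None."""
    for pattern, reason in HISTORY_CLEAR_PATTERNS:
        if pattern.search(event["cmdline"]):
            return {"source": "agent", "alert": "Command history cleared", "reason": reason,
                    "node": event["node"], "namespace": event["namespace"],
                    "pod": event["pod"], "container": event["container"],
                    "cmdline": event["cmdline"]}
    return None

def detect_interactive_access(audit_line):
    """Agentless layer: one audit.k8s.io/v1 Event as a JSON line -> alert dict when a
    client opened exec/attach into a pod (an interactive session inside the workload)."""
    entry = json.loads(audit_line)
    ref = entry.get("objectRef", {})
    if (entry.get("verb") == "create" and ref.get("resource") == "pods"
            and ref.get("subresource") in ("exec", "attach")):
        return {"source": "api-server", "alert": "Interactive access to pod",
                "reason": f"pods/{ref['subresource']} by {entry['user']['username']}",
                "namespace": ref.get("namespace"), "pod": ref.get("name")}
    return None

def correlate(alerts):
    """Group alerts by (namespace, pod); a pod flagged by both layers is the one
    to investigate first. Returns {(namespace, pod): sorted list of sources}."""
    by_pod = {}
    for alert in alerts:
        by_pod.setdefault((alert["namespace"], alert["pod"]), set()).add(alert["source"])
    return {key: sorted(sources) for key, sources in by_pod.items()}

# Constructed sample input: three node-level process events and two API-server audit lines.
PROCESS_EVENTS = [
    {"node": "aks-np1-0", "namespace": "payments", "pod": "api-7d9f", "container": "api",
     "cmdline": "/bin/sh -c 'cat /etc/hostname'"},
    {"node": "aks-np1-0", "namespace": "payments", "pod": "api-7d9f", "container": "api",
     "cmdline": "rm -f /root/.bash_history"},
    {"node": "aks-np1-1", "namespace": "batch", "pod": "worker-2b1c", "container": "worker",
     "cmdline": "sh -c 'cat /dev/null > /root/.bash_history'"},
]
AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "system:serviceaccount:ci:deployer"},
                "objectRef": {"resource": "pods", "subresource": "exec",
                              "namespace": "payments", "name": "api-7d9f"}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "alice@example.com"},
                "objectRef": {"resource": "pods", "namespace": "batch", "name": "worker-2b1c"}}),
]

def run(process_events=PROCESS_EVENTS, audit_lines=AUDIT_LINES):
    """Run both detectors over the samples; returns (alerts, pods_by_source)."""
    alerts = [a for e in process_events if (a := detect_history_clearing(e)) is not None]
    alerts += [a for line in audit_lines if (a := detect_interactive_access(line)) is not None]
    return alerts, correlate(alerts)
```

On the sample data, the payments pod is flagged by both layers (an exec session followed by a cleared history file), while the batch pod is seen only by the node-level agent.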
Conclusion:
In thinking about a comprehensive cloud security approach, a combination of agent-based and agentless security lets you get the benefits of both worlds. An end-to-end Cloud Native Application Protection Platform can help you unify your DevOps security management, manage cloud security posture, and protect cloud workloads.
Reviewers:
Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
Resources:
For information, please visit:
Security alerts and incidents in Microsoft Defender for Cloud | Microsoft Learn
Reference table for all security alerts in Microsoft Defender for Cloud | Microsoft Learn
Become an Azure Security Center Ninja (microsoft.com)
Microsoft-Defender-for-Cloud/Labs at main · Azure/Microsoft-Defender-for-Cloud · GitHub
Microsoft Defender PoC Series – Defender CSPM - Microsoft Community Hub
Overview of Cloud Security Posture Management (CSPM) | Microsoft Learn
What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn