NEW VIDEO: COVID-19: Securing newly remote users and admins (Paul's Security Weekly). WATCH NOW!

Taking Agents out of Security Fatigue

“Agent fatigue” is a term network and security teams use to describe the software-agent overload that often accompanies the implementation of numerous security vendor tools. From antivirus to vulnerability management technology, software agents are installed on users’ endpoints or on the operating system (OS) to collect data about the state of the network that networks, themselves, can’t. This host-level data is imperative to gaining true visibility and understanding of the network, which in turn helps organizations protect against modern-day cyber threats.

Because so many security tools today rely on agents, organizations’ systems can be impacted by their installation. Performance is the #1 concern. Although every vendor attempts to build a lightweight agent, some are better than others, plus combined compute needs can quickly add up to latency if the agents aren’t handled correctly. In addition, IT staff worry about increasing the attack surface through yet another piece of potentially-vulnerable software in the environment, configuration management challenges, and conflicts with other services. Weighing things down further is the need to keep track of every agent and managing/patching versions as the need arises. And because each agent serves a different purpose affecting both security and network performance, who manages what, when becomes problematic.

The cost of agent fatigue

Purchasing a new, agent-based security tool is only one aspect of the cost equation. While vendor licensing fees can range anywhere from a few hundred dollars to millions, latency added to network performance is a “cost” most business leaders won’t want to absorb. Digital transformation has increased speed, efficiency, and production output for employees; anything that runs counter to that must be justified with huge ROI for the business. Security improvement, in and of itself, is traditionally very hard to measure, especially in business terms, and uniquely when the absence of an action is the “improvement” security teams are trying to prove.

The cost of governance is another element of agent fatigue that worries organizations. Deploying and maintaining software agents often falls to already-overworked networking or security personnel. Managing yet more software, ensuring it doesn’t interfere with host behavior or other deployed software, analyzing disparate consoles or dashboards, and keeping up with versioning and patching levels are just more “to dos” on the long list of network and security teams’ responsibilities.

All of the above being said, it might seem easy to conclude that the solution to this problem is to simply do away with agents. On the surface, they appear to be a time, resource, and cost sink, especially because proving the security gains of installing a software agent to protect the network is a hard metric to establish.

Edgewise will be at AWS re:Inforce, June 25-26, 2019 in Boston. We hope to see  you there! <>

The software agent imperative

With the downsides of agents enumerated above, there is a flip side: agents collect data about the network that simply cannot be obtained by looking at the network. IP addresses only tell tech teams where a data packet is coming from or going to. Data packets, in their own right, only provide high-level information about applications or services communicating—information that may be insufficient to determine if a piece of software is a threat, for instance. Encrypted traffic can’t be inspected at all. And last but not least, cloud and container environments reduce their customers’ abilities to gain insight into and manage workloads unless a compensating control is applied.

The simple fact is this: companies need to be able to see and control what’s communicating inside the network. The “soft chewy interior” of organizations’ networks are riddled with threats, and a server-level agent is best equipped to provide the data that will offer requisite levels of visibility and control. If the point of network security is to protect data-rich and business-critical applications and services, there is no better viewpoint than that from the kernel. Attackers are most likely to target network-based assets, not the network itself (except in the case of a DDoS attack). Therefore tools that collect information about the validity of your applications and services, their communication patterns, their access permissions, etc. counterbalance the aforementioned costs, providing a security return on investment that can be measured in terms of fewer incidents, malware on the network, and disruptions to other network resources. Agentless solutions simply can’t achieve the same granularity.

What to look for in an agent

First and foremost, challenge vendor claims about the performance impact of their agent. While plenty of vendors have done a good job “lightening up” their software agent, any credible vendor will have actual stats on latency.

Second, understand where, exactly, the agent will be installed so you can determine how effective the agent will be at collecting relevant data and how it will interact with other network elements. Kernel agents have the greatest visibility but endpoint agents are most common.  

Third, ask how the agents will be installed (i.e., your responsibility vs. the vendor’s; what access is required), how long it will take for agents to be operational, and in what timeframe you can expect to start seeing results.

Fourth, ask the vendor how they handle upgrades or patches. Timely push notifications should be the baseline for keeping their agents installed in your environment secure.

Fifth, look for technology integrations with other security monitoring tools such as SIEM or tools that integrate into DevOps workflows. Any time a vendor can consolidate data about your environment without breaking processes, the better your ROI will be.

Agent fatigue is a real challenge in tech-heavy networks, but the reality is that agents provide critical security value. Look for providers that will reduce your administrative burden while increasing the amount of visibility you will receive from installing their agents. Only then will your investment feel less tiresome.


Katherine Teitler, Director of Content

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.