The software agent imperative
With the downsides of agents enumerated above, there is a flip side: agents collect data about the network that simply cannot be obtained by looking at the network. IP addresses only tell tech teams where a data packet is coming from or going to. Data packets, in their own right, only provide high-level information about applications or services communicating—information that may be insufficient to determine if a piece of software is a threat, for instance. Encrypted traffic can’t be inspected at all. And last but not least, cloud and container environments reduce their customers’ abilities to gain insight into and manage workloads unless a compensating control is applied.
The simple fact is this: companies need to be able to see and control what’s communicating inside the network. The “soft chewy interior” of organizations’ networks is riddled with threats, and a server-level agent is best equipped to provide the data that will offer the requisite levels of visibility and control. If the point of network security is to protect data-rich and business-critical applications and services, there is no better viewpoint than that from the kernel. Attackers are most likely to target network-based assets, not the network itself (except in the case of a DDoS attack). Therefore, tools that collect information about the validity of your applications and services, their communication patterns, their access permissions, etc. counterbalance the aforementioned costs, providing a security return on investment that can be measured in terms of fewer incidents, less malware on the network, and fewer disruptions to other network resources. Agentless solutions simply can’t achieve the same granularity.
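To make the visibility gap concrete, here is an added example (it is not code from the article or from any vendor it alludes to) of the join a host-side agent performs that a network sensor cannot: it parses a Linux /proc/net/tcp socket table and attaches each connection to the process and user that own it. The socket table, the inode-to-process mapping and the addresses are constructed sample data so the script runs offline; on a real Linux host the same functions read /proc directly, and the hypothetical helper names (enrich, peers_by_process, unattributed) are this example's own.

```python
"""
Added example: what a host-side agent sees that the wire does not.
The wire sees a 4-tuple (src ip:port -> dst ip:port); the host can add
the TCP state, the owning uid, the process name and pid, and can build
per-process communication patterns from them. Sample data is constructed.
"""
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout: IPv4 addresses are
# little-endian hex, ports are hex, st is the TCP state code, and inode
# is the key that links the socket back to the process that owns it.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:E1C6 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:B3E4 0B00000A:0CEA 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 20 4 30 10 -1
"""

# Constructed process table: socket inode -> (pid, command name). This is
# what resolving "socket:[inode]" links under /proc/<pid>/fd would yield.
# Inode 99999 is deliberately absent to show an unattributed socket.
SAMPLE_PROCESS_TABLE = {
    12345: (2101, "python3"),
    12346: (2300, "curl"),
    12347: (1877, "app-server"),
}


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse the socket table; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def live_process_table() -> dict[int, tuple[int, str]]:
    """Linux only: map socket inodes to (pid, comm) by walking /proc.
    Returns {} on other platforms or when nothing is readable."""
    table: dict[int, tuple[int, str]] = {}
    if not os.path.isdir("/proc"):
        return table
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    table[int(target[8:-1])] = (int(pid), comm)
        except OSError:
            continue  # process exited, or its fds are not readable by us
    return table


def enrich(rows: list[dict], process_table: dict) -> list[dict]:
    """Attach owning process to each socket row (the agent's added value)."""
    out = []
    for r in rows:
        pid, comm = process_table.get(r["inode"], (None, "unknown"))
        out.append({**r, "pid": pid, "comm": comm})
    return out


def wire_view(row: dict) -> str:
    """What a network sensor can say about this connection."""
    return "%s:%d -> %s:%d" % (*row["local"], *row["remote"])


def agent_view(row: dict) -> str:
    """The same connection with host context added."""
    return f"{wire_view(row)} [{row['state']}] uid={row['uid']} {row['comm']}({row['pid']})"


def peers_by_process(rows: list[dict]) -> dict[str, set]:
    """Communication pattern per process: which remote endpoints it talks to."""
    peers: dict[str, set] = {}
    for r in rows:
        if r["state"] == "ESTABLISHED":
            peers.setdefault(r["comm"], set()).add(r["remote"])
    return peers


def unattributed(rows: list[dict]) -> list[int]:
    """Socket inodes with no owning process found; a gap worth following up."""
    return [r["inode"] for r in rows if r["pid"] is None]


if __name__ == "__main__":
    enriched = enrich(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_PROCESS_TABLE)
    for row in enriched:
        print("wire :", wire_view(row))
        print("agent:", agent_view(row))
    print("per-process peers:", peers_by_process(enriched))
    print("unattributed inodes:", unattributed(enriched))
```

The two views printed for each row are the whole argument in miniature: the wire view is all a packet can tell you, while the agent view says which process, running as which user, opened the connection. Note the last sample row, a root-owned session to the same remote endpoint as curl's but with no process found: an agent only attributes what it can resolve, and the unattributed list is the honest record of that limit rather than something to silently drop.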
What to look for in an agent
First and foremost, challenge vendor claims about the performance impact of their agent. While plenty of vendors have done a good job “lightening up” their software agent, any credible vendor will have actual stats on latency.
Second, understand where, exactly, the agent will be installed so you can determine how effective the agent will be at collecting relevant data and how it will interact with other network elements. Kernel agents have the greatest visibility, but endpoint agents are most common.
Third, ask how the agents will be installed (i.e., your responsibility vs. the vendor’s; what access is required), how long it will take for agents to be operational, and in what timeframe you can expect to start seeing results.
Fourth, ask the vendor how they handle upgrades or patches. Timely push notifications about patches should be the baseline for keeping the agents installed in your environment secure.
Fifth, look for technology integrations with other security monitoring tools such as SIEM or tools that integrate into DevOps workflows. The more a vendor can consolidate data about your environment without breaking existing processes, the better your ROI will be.
Agent fatigue is a real challenge in tech-heavy networks, but the reality is that agents provide critical security value. Look for providers that will reduce your administrative burden while increasing the amount of visibility you will receive from installing their agents. Only then will your investment feel less tiresome.