Last updated at Wed, 27 Dec 2023 20:48:16 GMT
The corporate IT environment has drastically changed. In the past, network environments were largely on-premises and physical, so it was easy to know when new servers or workstations were being added because you could see the delivery truck backing up to the loading dock. Every day, users came into the office and sat at their same desk with their same workstation and accessed data stored within the premises of the office building.
Today, we no longer operate within the comforts of a defined perimeter or a single office. Our users are global, accessing critical networks and assets at hotels, coffee shops, and on the road. Some users rarely—if ever—connect to the traditional network.
This is why traditional security measures aren’t enough to protect our modern environments. Today we must monitor all our assets, which include traditional on-premises devices, along with remote, sensitive, and virtual assets that are part of scalable cloud environments.
Want a TL;DR version of our discussion on the the importance of endpoint security? Check out our latest Whiteboard Wednesday video featuring two of our favorite solutions managers:
Ready to drill down to the technical stuff?
This is where endpoint agents come in
In an effort to reduce risk in your organization, you are likely operating a vulnerability management and incident detection and response program. To better integrate these traditionally siloed operations and implement SecOps practices, you can leverage endpoint agents. How? Here are a few use cases:
- Real-time monitoring: Defenders need to detect compromise as it happens—endpoint agents provide that real-time detection.
- Remote monitoring of global assets and workers: Endpoint agents can identify risk across devices that will never join your on-premises network but pose security risk all the same.
- Monitoring of cloud and other virtual infrastructure: As your environment continues to evolve, the right endpoint agent can allow you to keep tabs on new devices as they are spun up.
- Ability to take action through the agent: It’s not enough to know there is a problem—you also need to be able to do something about it. This includes remote threat containment.
- Assessment that does not require credential scanning: Bypass the need for privileged credentials, making it easier to evaluate sensitive assets for vulnerabilities or active compromise.
- Limited resource impact: A small footprint ensures the agent isn’t a burden on your environment.
- Streamlined deployment options: If you can standardize to one agent, it can then be replicated and deployed across the rest of your environment much faster.
- Interoperability: A unified agent should solve multiple use cases, giving you the most value for your deployment efforts.
Let’s cover these in more depth:
Remote and real-time monitoring of global assets and workers
Risk can show up anywhere, from within your networks and applications to that inherent in your people (aka user error). Agents provide deep and wide visibility into that risk by providing continuous and remote monitoring of global assets and workers. In other words, agents serve as your eyes and ears everywhere you can’t be in your expansive environment.
Monitoring of cloud and other virtual infrastructure
Ephemeral assets are the modern environment’s Achilles heel. Systems can come online and be exposed before the security team is even aware of their existence. Furthermore, devices can evaporate before they are assessed, making root cause analysis impossible.
Agents can be embedded into VMware golden images or Amazon AMIs, so that as new assets are spun up or down, they will be automatically assessed for potential risk.
The ability to take action through the agent
With real-time visibility into your global, remote, and virtual infrastructure, an ideal endpoint agent allows you to act immediately on the intel it collects. If a malicious process is found on a remote asset, for example, an agent should help you contain the threat by killing the process, quarantining the asset from your network, or via forensic jobs for investigation artifacts. Having the right agent on your endpoint allows you to take action and even automate many of these response actions as soon as a threat is detected.
Put simply, agents are a smart way to overcome traditional assessment challenges while getting the benefits of visibility, threat detection, and control across your corporate endpoints.
Vulnerability assessment that does not require credential scanning
An ideal agent does not require you to provide credentials in order to perform a detailed assessment of vulnerabilities in your environment. This solves a real pain point for organizations with multiple teams managing assets (a common practice), since many teams are reluctant to release local administrator privileges to a centralized security or IT team. Because swapping credentials is less than preferred, having an agent that automatically has the access to perform a full assessment on a device is a big win for security.
Furthermore, sensitive assets can exhibit undesired behavior when they’re hit with a traditional vulnerability assessment scan engine. Instead, if an agent is installed on those assets, it’s possible to have real-time monitoring without the traditional risk of disruption.
What to consider when evaluating an endpoint agent: Footprint, deployment options, interoperability, and more
There are several factors to consider when selecting an endpoint agent. They can determine how easy and effective it will be to deploy with minimal impact on end-user resources.
Footprint
First and foremost, you’ll want to consider the footprint that the agent is going to have on your devices. Footprint refers to things such as:
- How much RAM memory is this going to use?
- How much CPU does this agent consume?
- How much disc space does it take up?
- How much network bandwidth does it consume?
You’ll also want to look at the various operating systems supported by an agent. You don't want an agent that only supports one of the operating systems you have in your environment; you’ll need one that supports everything. That way, you can minimize the reliance on multiple tools to get a baseline of organizational visibility.
Agent deployment options
Next, you’ll want to consider available deployment options for agent rollout. Because you’ll be sending it to so many assets, you want to ensure that you can deploy and patch in a programmatic way. As we mentioned above, if you can standardize to one agent, it can then be replicated and deployed across the rest of your environment, saving you weeks—even months—of time.
Put simply, your goal should be to find an agent that's going to interface well with your existing deployment solutions so that you don't need to reinvent the wheel to get the agent out.
Interoperability of agents
Finally, you should look at the interoperability of the agents, or the ability for one unified agent to serve across multiple use cases. This can help you get the most value out of your deployment efforts.
Gone are the days where agents can only perform a single function, meaning you’d have to deploy many in order to get you the functionality you need. Many agents help with multiple use-cases, gathering you more intel with less effort. If you can find agents that have high interoperability, that’s a win.
In Part 2 of this series, we outline how the considerations above helped us build the powerful Rapid7 Insight Agent.