Agentless scanning is an important security tool. We discuss how it works, how it differs from agent-based scanning, and if your organization requires both.
What is Agentless Scanning?
Agentless scanning is a method of inspecting the vulnerabilities of a device without having to install software, instead reaching out from the server to the device. Benefits of agentless scanning include the following:
- No OS compatibility requirements
- Total network scanning (no missed devices)
- Additional data that agent-based scanning might miss
Agentless scanning protects your organization by allowing security teams to collect system profile and posture information relatively easily for vulnerability reporting. It provides organizations with better accuracy of their security vulnerabilities and performance metrics, enhancing the momentum toward proactive identification and remediation of vulnerabilities.
Agentless scanning is ideal for cloud-native workloads that need to be platform agnostic to flexibly operate with any cloud provider.
If there is agentless scanning, it stands to reason that its counterpart, agent-based scanning, also exists. Agentless monitoring was built to address the shortcomings and limitations of agent-based scanning.
Very often, the best way to understand a concept is to contrast it with something that it’s not. So, to better appreciate agentless scanning, we’ll start by juxtaposing it side by side with agent-based scanning.
What Is the Difference Between Agentless and Agent-based scanning? Do You Need Both?
Security practices continually evolve to address an ever-changing technological landscape. The normalization of remote work accelerated by the global pandemic means that organizations must contend with an expanded attack surface.
Vulnerability scanning is one of the first lines of defense against data breaches your organization may incur. However, one of the challenges facing organizations is determining the best tool that best aligns with their tech philosophy and fits in their existing computing infrastructure.
Vulnerability scanning basically comes in three options: agent-based, agentless, or a hybrid of the two. The choice you make is primarily driven by how you want to provide scanning coverage for your organization, and your needs in general.
Both agentless and agent-based systems have the same objective: To collect data and security information about their host, which is sent back for data protection and other regulatory compliance requirements.
What Is Agent-based Scanning?
Agent-based scanning runs “agents” on your machine and devices that subsequently report back. These agents are essentially software packages or applications deployed to the device or machine that needs to be tested. Once deployed, they collect data on vulnerabilities and other security flaws, which are sent back for review.
The two main characteristics that distinguish agent-based scanning is that you don’t need to install a node agent on the target system and transmit sensitive information over a network in order to scan it.
Agent-based scanning is ideal for conditions with poor or intermittent network connectivity.
Limitations and Disadvantages of Agent-based Scanning
Agent-based systems only work on machines and devices with agents actively running on them; agentless systems, however, do not suffer from such limitations. Moreover, the agents can be disabled locally, whether purposefully or inadvertently, which affects the security team’s ability to gather reliable security information.
In addition, new devices, perhaps rouge machines, can be introduced surreptitiously into the system without detection and may very well remain invisible.
Four of the main disadvantages of agent-based systems are:
- Administrative overhead. There is an obvious need for manpower resources and time to install the agents and oversee their management and maintenance on an ongoing basis.
- Issues of software compatibility. Agent-based systems are frequently operating system dependent, hardly supporting multiple OS. So, they can’t operate and perform vulnerability scans on firewalls, and other incompatible network assets like switches and routers.
- Impacting performance. Agents consume computing resources, which ultimately impact the performance of cloud workloads. As more agents are added to the IT environment, their costs add up, negatively impacting the overall system performance.
- Increase security risks. Agents inadvertently introduce new security risks to their hosts, making them less secure. For starters, they often require user access credentials on every operating system they are deployed on. Moreover, some of them are installed with high privileges, which makes them susceptible to risks such as unauthenticated Remote Code Execution (RCE) and Local Privilege Escalation (LPE).
The Advantages of Agentless Scanning
Agentless scanning is immensely beneficial when, for one reason or the other, you can’t or don’t directly access the underlying IT infrastructure. This is especially true if you have managed cloud environments or clusters with no access to host machines.
In such situations, it is best to use the cloud service provider API calls in conjunction with agentless scanning to gain visibility into underlying risks in the system. Here are some of the other advantages of agentless scanning:
- Discovering shadow and rogue IT: With agentless systems, it is difficult for rogue machines to hide under the radar for long because it provides a deeper view of the network. In addition to executing effectively without installation, agentless systems perform network scanning. This enables them to identify connected devices because they monitor the entire network.
They can scan a range of IP addresses and report on machines discovered, even when those systems cannot be directly accessed. Through this process, security teams are alerted to machines and devices to which they may have otherwise been unaware.
- Reduce management overhead: Agentless systems are lightweight. Without the need for installation, agentless scanning provides quick and easy deployment and management solutions. This is especially relevant with organizations managing thousands of machines and continually scaling out their machines.
- Lower the cost of ownership: With no installation requirements agentless scanning significantly reduces the human, material, and time resources needed, therefore making it cost-effective to maintain vs agent-based solutions. System and network administrators can scan their systems within minutes with agentless scanning.
- No compatibility requirements or issues: Agentless scanning is platform agnostic, so OS compatibility doesn’t affect its execution.
- Provides additional data: Agentless scanning fills in data gaps not provided by agent-based monitoring such as locating information not typically stored on the device like SSL certificates.
Agentless and agent-based scanning both have their advantages and limitations. Together, they can provide the best of both worlds. Their combination offers organizations more in-depth data collection capabilities and comprehensive visibility.
How Does Agentless Scanning Work?
Agentless scanning is based on a centralized design and push technology. To perform its duties, agentless scanning needs to have a proxy agent that receives instructions from what is known as the “Master Server”. Since it's obviously an agentless approach, the node or proxy agent has to be installed on a system other than the target host.
More often than not, these agentless solutions are deployed at the cluster or cloud account level. Once the Master Server commands it to scan, the agentless proxy establishes a secure connection to the target host it needs to scan. To achieve this, it utilizes the target host's native APIs and services.
There is, therefore, a strong dependence on the cloud provider’s specified functionality in the form of APIs but also role schemes for accessing valuable information. However, the agentless services and the protected assets share no common resources.
Why Agentless and Agent-Based Protection Need To Work Hand-in-Hand
Most modern technology stacks and infrastructure operate on mixed workloads, with multi-cloud, even hybrid environments operating runtimes on different operating systems. In essence, they need flexible deployments with platform-agnostic approaches. The best technology and economic model is not to be too dependent or tied to a specific provider.
Likewise, an organization does not need to compromise its security needs because of a vendor’s architecture. So, both agent-based and agentless protection should complement each other. This is because having one or the other is probably insufficient for addressing all diverse security needs.
That being said, agentless and agent-based monitoring should ideally be used in a mixed environment where this combined approach is best leveraged to provide full coverage.
Here are the scenarios where a combined approach is needed for an organization to have complete security coverage:
- There are different and diverse access levels across the IT environment: These are situations where the security team lacks access to hosts to deploy agents, yet need to have visibility across the IT landscape.
- Where there are workloads of different sensitivity levels: Organizations often need to separate workloads due to the sensitivity of the information they carry and convey. For instance, financial institutions that are compelled to enforce strict PCI compliance won’t use the same host that stores sensitive financial information to run public-facing web services exposed to the internet.
- Incomplete coverage: Cloud environments are dynamic as new servers and resources can easily be spun up and provisioned. However, this constant change makes deploying agents a monumental task. Combined with the ephemeral nature of some devices, it becomes clear that agents can’t be installed everywhere, thereby leaving gaps in coverage. As such, the need to supplement the coverage with effortless, network monitoring that agentless scanning provides becomes necessary.
Learn How Lightspin’s Agentless Solutions Can Fortify and Improve Your Scanning Coverage
Agentless scanning is one of the best methods to leverage during the discovery phase of vulnerability management. However, it is still insufficient in providing an accurate, reliable assessment of the threat environment.
Lightspin is able to fill in the security gaps with its graph-based technology that deepens both your understanding and context of security risks. Lightspin provides the depth and focused, actionable insights that organizations require to better understand the potential vulnerabilities in their dynamic cloud environments. Our agentless SaaS solution provides security management that prioritizes critical attack paths, freeing your team to work more effectively and efficiently.
How can you get started? Try Lightspin’s free demo today.