You are probably familiar with the debate about which approach is best in today’s ever-changing threat environment. However, when it comes to detecting threats within networks, especially when using endpoint-based distributed deception as a strategy, an agentless approach is much more effective and secure.
Endpoint overhead reduction
A popular example of an agent is antivirus software that resides on a computer to scan it for malware. The traditional approach to collecting endpoint data is to install agents in a similar manner on all computers from which data is required.
Managing agents is a significant burden on IT teams. They require installation (and if uninstalled, they must be reinstalled), upgrades and ongoing maintenance. Of course, updates also put a strain on the network.
In most cases, there are multiple agents on each machine. Deploying multiple agents causes a high overhead on endpoints. Then there is the problem of “agent conflict”, since each agent wants to have control over the same computer resources. In a cybersecurity example, you may have agents from a DLP software, an antivirus system, and others, causing conflicts and sometimes system crashes. The more agents you have, the more complex it becomes to keep all systems running. An agentless solution provides robust security that is much easier to manage – without the tedious deployment and management of security agents.
The cost of maintaining agents is also higher. Agentless implementations result in faster rollouts and lower total cost of ownership (TCO) than software products that require agents on a significant number of computers, as is typically the case in a large enterprise.
Untraceable and impenetrable to attackers
It is not only the IT overhead. Agent-based systems also bring with them additional security risks. Agents are vulnerable and easy for cyberattackers to find.
The major vulnerability is that agents tell an attacker that their functionality is present on a machine. The presence of an agent tells an attacker what you are doing to stop him. When attackers gain access to a machine, they can access agents, disable them, or, more worryingly, attackers can modify agents to cover the tracks of their attack or cause other havoc.
If an agent is active, the attacker with sufficient knowledge of how the agent works can evade it. If an attacker knows what behavior is causing the agent to alert him, he can easily avoid that behavior so that the agent does not warn defenders of their presence.
The downside of evasion is that agents can also be manipulated and “distracted”. Let’s assume there are two machines that an attacker can access, one without many lateral movement options (i.e. with low privileges) and the other with privileged permissions and connections to other workstations. An attacker can create an activity burst on machine #1 to distract the agent and hide the attack activity in a fog of alarms and noise. The volume of alarms is loud enough in a typical SOC; attackers take advantage of this fact to cover their attack needles with a haystack of alarms that is getting bigger and bigger.
Finally, a word specifically about deception technology. Deception solutions, where an agent has to extract complete deception and forensic capabilities from the solution, are understandable to attackers because of the presence of the agent at all endpoints. Agents are also vulnerable to reverse engineering, where attackers learn how the agent works and how it can be circumvented or broken.
With CYBERTRAP’s agentless deception technology, organizations spend less time optimizing and updating deceptions. With no agents running on the endpoints, there is nothing for advanced attackers to discover or circumvent.
Agentless, adaptable and easy to deploy
The agentless approach of CYBERTRAP benefits both IT administrators and security teams. It is based on intelligent automation and is designed to have a small operational footprint to minimize the impact on IT.
Among the advantages of CYBERTRAP
- Easy to use and ready for use in a few hours
- Easy, agentless deployment without the need to install or uninstall anything on a protected machine
- Discreet and invisible to legitimate end users
- Available for organizations of all sizes
- Low endpoint overhead
- Low operating costs
- Reduces operational staffing and support requirements, freeing valuable resources for more strategic activities.
Recommended reading: What is Deception Technology?
About the author
Sales Director Northwest Europe at CYBERTRAP
What is CYBERTRAP?
CYBERTRAP is an Austrian company providing cybersecurity software, which is specialized in active defense and deception. Using Deception Technology, attackers are redirected into a specially created IT infrastructure before they can move further into the actual infrastructure of the company and cause damage.