Aqua Blog

Truth Revealed: Agentless Security is Not Real Security

Finally, the long-running “agentless vs. agent” debate is over. The inevitable result? If you want strong cloud workload security, you need an agent. Many security professionals knew this from the start, but plenty were misled by the overhyped promise of agentless security. Why is this news now? Because two of the leading agentless-only vendors have given in and announced partnerships with agent-based runtime security and CWPP vendors.

These are the companies that for a long time loudly claimed agents are “old school” and that “agent-based security is dead.” From a marketing standpoint, I understand why one might say this. From a security standpoint, it has always baffled me.

Why does it matter?

Amid all the industry hype around agentless security, many organizations were misled into believing that by deploying agentless solutions they had fully protected their cloud environments. That is not the case. Agentless has passed the “peak of inflated expectations” and is heading toward the “trough of disillusionment.”

In reality, an agentless-only approach is fundamentally flawed: it gives you a false sense of security and leaves blind spots. Some vendors will tell you, “You’re secure because you have no misconfigurations in your public cloud environment and you’re PCI compliant.” Don’t be deceived. Having no misconfigurations does not mean you are secure. What about the 50% of attacks that are memory resident and that agentless can’t even see? Without an agent you cannot see these attacks, let alone block them.

Why agentless security alone is not enough

Agentless solutions deliver visibility, basic compliance checks, and posture management, but unlike agent-based security they cannot protect your applications at runtime or stop attacks in production. Let’s review why:

  • Point-in-time visibility: Agentless scans typically run once every 24 hours, so they show the lay of the land only at the moment the snapshot was taken. The rest of the time you are running blind, with no idea what is happening in your environment. Given the speed and ephemeral nature of cloud workloads, by the time of the next scan the workload may no longer be running, and an attacker may have gotten in, taken what they came for, and vanished, all within minutes if not seconds. Yikes.
  • No real enforcement: Agentless solutions work from a copy of a disk image, not from the code actually running. Once the snapshot is taken, they have no connection of any kind to the running workload. If they identify an attack from a disk snapshot, they can only raise an alert; there is no mechanism to interdict it. You need an agent for that. As a result, customers are left to stop the attack on their own.
  • Sophisticated fileless techniques: Attackers increasingly use fileless malware that runs only in memory precisely to evade detection and leave no footprint on disk. Just last month, our security research team, Aqua Nautilus, detected a global campaign attacking Redis servers with custom-made fileless malware called HeadCrab. Agentless solutions miss such threats because a process that exists only in memory is invisible in a static disk image. Again, another blind spot.
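To make the snapshot-versus-runtime gap concrete, here is an added example (my own illustration, not code from this post or from the Aqua platform): a minimal host-side check for fileless execution on Linux. It reads `/proc/<pid>/exe` and `/proc/<pid>/maps`, which exist only while a process is alive and are therefore never present in a disk image. The indicators it uses are the standard ones: an executable backed by an anonymous `memfd_create(2)` file, a binary unlinked after `execve` (the kernel appends ` (deleted)` to the link target), a binary on RAM-backed tmpfs, or an executable mapping of such a file inside an otherwise legitimate process. The `ProcRecord` type, the function names, and the sample records are all constructed for this example.

```python
# Added example, not code from the Aqua post or the Aqua platform.
# Flags Linux processes that execute code with no on-disk backing, the class of
# activity a disk-snapshot scan cannot observe. Requires /proc, i.e. must run on
# the host itself. Sample records below are constructed, not from any incident.
import os
import re
from dataclasses import dataclass, field

MEMFD_RE = re.compile(r"^/memfd:")            # anonymous file from memfd_create(2)
DELETED_SUFFIX = " (deleted)"                 # kernel marks unlinked backing files this way
TMPFS_PREFIXES = ("/dev/shm/", "/run/shm/")   # RAM-backed paths absent from a disk image


@dataclass
class ProcRecord:
    """What a runtime sensor can read for one live process (constructed type)."""
    pid: int
    comm: str                 # contents of /proc/<pid>/comm
    exe: str                  # os.readlink("/proc/<pid>/exe")
    exec_maps: list = field(default_factory=list)  # paths of mappings with the 'x' bit


def classify(rec: ProcRecord):
    """Return a reason string if the process runs code with no on-disk backing, else None."""
    if MEMFD_RE.match(rec.exe):
        return "exe is an anonymous memfd"
    if rec.exe.endswith(DELETED_SUFFIX):
        return "exe was unlinked after exec"
    if rec.exe.startswith(TMPFS_PREFIXES):
        return "exe lives on RAM-backed tmpfs"
    for path in rec.exec_maps:  # injected library or payload mapped executable
        if MEMFD_RE.match(path) or path.endswith(DELETED_SUFFIX):
            return f"executable mapping of {path}"
    return None


def scan_records(records):
    """Apply classify() to an iterable of ProcRecord; return (pid, comm, reason) hits."""
    hits = []
    for rec in records:
        reason = classify(rec)
        if reason:
            hits.append((rec.pid, rec.comm, reason))
    return hits


def read_proc(pid: int):
    """Build a ProcRecord from a live /proc entry; None if it vanished or is unreadable."""
    base = f"/proc/{pid}"
    try:
        exe = os.readlink(f"{base}/exe")
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        exec_maps = []
        with open(f"{base}/maps") as fh:
            for line in fh:
                # fields: address perms offset dev inode [pathname]
                parts = line.split(None, 5)
                if len(parts) == 6 and "x" in parts[1]:
                    exec_maps.append(parts[5].strip())
    except OSError:              # kernel thread, exited process, or no permission
        return None
    return ProcRecord(pid, comm, exe, exec_maps)


def scan_live():
    """Walk /proc once (root is needed to read other users' processes)."""
    pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    return scan_records(r for r in map(read_proc, pids) if r is not None)


# Constructed sample records: one clean process, one legitimate binary that has
# loaded an executable memfd payload, one pure-memfd process, one drop-and-delete.
SAMPLE = [
    ProcRecord(1, "systemd", "/usr/lib/systemd/systemd",
               ["/usr/lib/systemd/systemd", "/usr/lib/x86_64-linux-gnu/libc.so.6"]),
    ProcRecord(4242, "redis-server", "/usr/bin/redis-server",
               ["/usr/bin/redis-server", "/memfd:mod (deleted)"]),
    ProcRecord(4371, "kworker/u8:1", "/memfd:ldr (deleted)", ["/memfd:ldr (deleted)"]),
    ProcRecord(5102, "sh", "/tmp/.x (deleted)", ["/tmp/.x (deleted)"]),
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE):
        print("sample:", *hit)
    for hit in scan_live():
        print("live:  ", *hit)
```

Two caveats a practitioner should keep in mind. First, this script is itself a point-in-time poll of `/proc`: a payload that runs and exits between two polls is missed, which is exactly why a production agent hooks `execve` and `memfd_create` as they happen (for example via eBPF tracepoints) instead of sampling. Second, ` (deleted)` on `exe` also appears after a package upgrade replaces a binary while an old instance is still running, so treat that indicator as a lead to correlate with other signals, not as a verdict.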

To sum up, agentless visibility is great to have: it is fast and easy to deploy, which is why we offer it. But it is just one piece of the puzzle. In production the stakes are high, and your mission-critical and sensitive workloads require real-time detection and protection. Hence, an agent.

You need both agentless and agents

The latest partnership announcements validate that to achieve effective protection in the cloud, you need both agentless and agents in your security strategy. We have long advocated this and are glad that even “pure agentless” vendors have finally realized it as well.

However, it’s not enough to simply deploy both agentless and agents. To get the full picture, there must be a strong connection, unified visibility, and correlation of the risks between the two. Otherwise, you will lack the context to understand the risk and prioritize security issues.

Unfortunately, you can’t achieve this by trying to bolt third-party runtime agents – the core and most technically difficult part of workload protection – onto your platform. Combining multiple vendors will only lead to further tool sprawl, siloed visibility, and fragmented runtime protection.

For a Cloud Native Application Protection Platform (CNAPP) to be an integrated platform and not a suite of siloed capabilities, an agent must be an integral part of the solution and not a bolt-on. This is only possible with a single platform from one vendor.

Aqua’s vision: One platform to tie it all together

From day one, our vision at Aqua has been crystal clear: to deliver a single end-to-end security solution for the entire application lifecycle in one holistic platform. We’ve always believed that to be a true CNAPP, a solution must include strong runtime controls and stop attacks in progress.

That’s why we’ve built a runtime security solution completely in-house, now enhanced with eight years of field experience and customer learnings. Based on eBPF technology, our Lightning agent is faster, lighter, and easier to manage at scale than the agents of yesterday. Customers also benefit from the focused cloud native security research of Aqua Nautilus, who study thousands of attacks in the wild and produce behavioral signatures to help identify and protect against new threats.

Further, the Aqua platform was the first CNAPP to combine active protection with agentless workload visibility. Built together from the ground up, the agent and agentless components enrich each other and share context across the application lifecycle, allowing security teams not only to rapidly detect, prioritize, and fix the highest risks but also to stop attacks in progress.

Given the growing sophistication of cloud attacks, visibility alone is not enough. Don’t compromise on your security posture because of any vendor’s technical constraints – robust protection requires both agents and agentless – and on one, comprehensive and integrated platform.

Look for a real CNAPP

The single most important question you need to be asking yourself as a business or security leader is, “Am I protected from bad things happening to my cloud applications in production, and can I detect and stop an attack in real time if it comes to that?”

At Aqua, we’re fully committed to our mission of making your cloud innovation more secure and protecting your applications against attacks – from dev through runtime, on prem and in the cloud, wherever they are deployed.

Amir Jerbi
Amir is the Co-Founder and CTO at Aqua. Amir has 20 years of security software experience in technical leadership positions. Amir co-founded Aqua with the vision of creating a security solution that will be simpler and lighter than traditional security products. Prior to Aqua, he was a Chief Architect at CA Technologies, in charge of the host based security product line, building enterprise grade security products for Global 1000 companies. Amir has 14 cloud and virtual security patents under his belt. In his free time, Amir enjoys backpacking in exotic places.