“An agent-less solution still performs critical functions but is only present and active while doing its work. It is lightweight and delivers deep network and host assessments with no compatibility requirements to detect and scan assets”, says Sanjay Raja, VP of strategy and technical marketing at Digital Defense, Inc., in an exclusive interview to ITSW.
ITSW Bureau- Why do you consider a combined scanning strategy to be the best?
Sanjay Raja- Actually, I would suggest an agent-less vulnerability and threat scanning, if done efficiently and highly customized for the specific asset, to be superior for consistently connected systems. It provides a much lighter footprint, less negative performance impact, and drastically reduces false positives. However, for systems that are frequently not directly connected to the corporate network (e.g., laptops, mobile devices, or even applications hosted in the cloud), agent-based scanning can fill in those gaps to provide a comprehensive real-time view of at-risk systems. This is especially important with the increase in employees working remotely – many organizations are now dealing with an attack surface that has expanded beyond traditional network bounds. Installing and managing additional agents is not ideal for most administrators, but at times is necessary for better coverage. Using both agentless and agent-based methods helps ensure all network-connected assets are scanned and secured.
ITSW Bureau- What are the best ways to fill the gap in an organization’s security posture due to remote endpoints?
Sanjay Raja- There are less oversight and control over remote endpoints, which places them at greater risk as they connect to corporate networks. Ensuring that these endpoints have the right patches, security controls, software, etc., to protect them from being compromised and spread the infection to corporate networks when they are connected is critical to preventing breaches. Remote or cloud-based scanning is not necessarily viable due to performance and network limitations and often requires an agent to monitor systems properly. It is best to do this is by watching for changes versus continuous monitoring and perform scanning or threat assessments based on understanding how these changes can affect the system. This also reduces the amount of performance-sucking active monitoring on a remote asset. When dealing with remote workers, potential BYOD devices, and systems with varying performance capabilities, non-intrusive lightweight security is the best way to fill the gap.
ITSW Bureau- How practical is a vulnerability assessment for an organization?
Sanjay Raja- Vulnerability assessment should be the first line of defense for any security organization. The majority of attack campaigns exploit some form of operating system or application vulnerability even as they use techniques like phishing attacks for the initial compromise. For example, many ransomware attacks have vulnerability exploitation built into their overall campaigns and advantage of legacy vulnerability management solutions or gaps in coverage. The problem is that legacy solution, even as they add-on pieces or claim cloud-capable solutions, are rooted in technologies not designed for today’s hybrid cloud environments and do little to help security teams with the volume of vulnerabilities and threats data that pour in. As more vulnerabilities are found and weaponized, attack campaigns become harder to detect. Most vulnerability scanning is done too infrequently, does not provide enough context, and fails to help teams prioritize remediation efforts. This has made vulnerability assessments necessary, but not as beneficial to security programs in a meaningful way.
ITSW Bureau- What is the difference between agentless and agent-based scanning?
Sanjay Raja- An agent-less solution still performs critical functions but is only present and active while doing its work. It is lightweight and delivers deep network and host assessments with no compatibility requirements to detect and scan assets. This leads to minimal performance and storage impact on a system and reduces the agent’s management (security risks, updates, troubleshooting, etc.). However, an obstruction to this method is that it requires every device to be connected to the network for detection by agentless scanners.
An agent-based solution requires installing a permanent, and hopefully low-impact, piece of software that can monitor aspects of the system or act in a non-intrusive way, filling in the gaps created by remote endpoints with intermittent connectivity. That is, ideally, how an agent should be executed anyway. An agent-less approach is much more desirable for systems that regularly connect to a network and maintain good connectivity to maximize IT resources. The limitation with this method is that agents reside on external devices and require operating system compatibility, limiting agent ability to scan network assets.
ITSW Bureau- Which industries can benefit the most from agent-based vulnerability scanning?
Sanjay Raja- Any organization concerned about remote workers and the risk associated with endpoints that are not connected to the corporate network while active, or often employed for personal use should augment scanning using an agent-based solution. However, most security administrators agree that if they can get as good or better security of assets without an agent that is preferable. The need to support agents is simply a “necessary evil.”
While any organization can benefit from fewer agents and on-demand scanning, industries like manufacturing, utilities, telecom, healthcare, and etc. with mission-critical systems and tiny maintenance windows struggle with agent-based solutions. These operational networks cannot afford security issues, performance impacts, or downtime. Being offline directly for any period can cost millions, and potentially even more when dealing with regulatory compliance or customer dissatisfaction. However, while the devices are less prone to direct attack, the management systems have vulnerabilities to exploit and are susceptible to traditional attack campaigns. When customized for the asset, Agent-less scanning and prove to have a minimal performance impact, can be ideal for these environments.
Sanjay Raja- Is the VP of strategy and technical marketing at Digital Defense, Inc., a provider of vulnerability and threat management solutions, Sanjay Raja runs strategic technical partnerships for the company. Before Digital Defense, Sanjay was CMO for Lumeta Corporation, where he led the company to a successful acquisition in two years. Sanjay brings over 20 years of marketing, product management, partnerships, and engineering experience in cybersecurity and networking, focused on network security, network forensics, threat detection and response, SIEM, security testing, and cloud and virtualization security. Sanjay holds a B.S.E.E and an MBA from Worcester Polytechnic Institute. Sanjay is also a CISSP.