Agent and Agentless: A Comprehensive Approach to Security

Jamie Gale

There are two common approaches to security observability, vulnerability management, and workload protection: agent and agentless. We often hear from our customers and partners, “How do they compare? Which one does Deepfence use? Which way should I go?”

The industry is filled with strong opinions on both sides. In this article, we’ll take an unbiased look at both approaches, cover the pros and cons of contemporary solutions, and explore an alternative methodology that uses lightweight sensors. 

What Is Agent-Based Security?

Agent-based security is an approach in which agent code is deployed directly to a cloud, container, virtual machine, or bare-metal server to capture deep telemetry about the security of an environment and its workloads. 

What Is Agentless Security?

Agentless security is an approach in which no code is deployed on the workloads to capture information about the security of an environment and its workloads. Instead, telemetry is gathered using non-invasive methods, such as through cloud APIs or by processing log files.

Agentless vs Agent-Based Security: What’s the Difference?

Now that we have a basic introduction to both methods, let’s look at some of the key differences between the two.

| Category | Agent | Agentless |
|---|---|---|
| Level of visibility | Agent-based solutions provide deep visibility. | Agentless solutions offer shallow but broad visibility for public clouds. |
| Level of information gathered | Real-time information at runtime. Agents can assess your production environments to provide runtime security. | Point-in-time security. Agentless solutions provide a snapshot of what's happening at a specific time. |
| Type of information gathered | Information comes from various sources and can include real-time traffic data (inbound and outbound), TLS data, system-level calls, and API data. | Information comes from what the APIs expose. |
| Deployment and maintenance | Although non-invasive, agent-based solutions are deployed through code that needs to be managed and maintained. | Although non-invasive, agentless solutions have no code to deploy or maintain; they connect quickly to cloud APIs. |
| Infrastructure covered | All infrastructure types, including IoT, public cloud, containers, VMs, bare metal. | Usually top three public clouds only. |
| Best use cases | ✓ Runtime security: protect against attacks as they are happening in real time ✓ Vulnerability management and exploitability management | ✓ Quick compliance at a point in time ✓ Vulnerability management |

In summary, here are the main pros and cons of each approach:

Agent-based pros and cons

  • Pros: deeper visibility, capable of providing runtime security
  • Cons: requires automation and support for deployment and maintenance; might impact system performance if not configured properly

Agentless pros and cons 

  • Pros: quick and easy to deploy and maintain
  • Cons: relies solely on cloud APIs, which limit coverage and may incur rate limiting; won’t work outside of cloud environments; cannot provide runtime security. Deeper cloud hooks often do not scale for large enterprises with many hundreds of accounts and users

Lightweight Sensors: The Best of Both Worlds

In the middle of the great agent debate is another approach, lightweight sensors: a middle ground that delivers the best of both alternatives. Lightweight sensors function the same as contemporary agent-based solutions, except in their deployment model. Unlike traditional agent-based solutions, lightweight sensors are completely separate from applications but run on the same infrastructure.

Considering the table above, deployment and maintenance of lightweight sensors differ from agent-based and agentless solutions as follows.

| Category | Agent | Lightweight Sensors | Agentless |
|---|---|---|---|
| Deployment and maintenance | Although non-invasive, agent-based solutions are deployed through code that needs to be managed and maintained. | Lightweight sensors can be deployed in many ways (with or without an agent, as a sidecar, or as a privileged container). | Although non-invasive, agentless solutions have no code to deploy or maintain; they connect quickly to cloud APIs. |

Using lightweight sensors provides a straightforward, automated way to observe your workloads, without the heavy deployment and maintenance effort associated with agent-based solutions. Lightweight sensors can inspect running containers to gather telemetry, pull manifests, and take advantage of features of the underlying Linux kernel, such as the extended Berkeley Packet Filter (eBPF). Essentially, this approach offers the same functional benefits and depth of visibility that agent-based approaches do, but without requiring application modifications or installation of software within an application itself.
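As an added illustration (not Deepfence's code), here is one way a sensor running on the host, outside the application, can attribute processes to containers: by parsing each process's `/proc/<pid>/cgroup` file. The cgroup contents, container IDs and pod UID below are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Container runtimes embed a 64-hex container ID in the cgroup path.
CONTAINER_ID = re.compile(r"(?<![0-9a-f])([0-9a-f]{64})(?![0-9a-f])")
# Kubernetes pod UID: dashes (cgroupfs driver) or underscores (systemd driver).
POD_UID = re.compile(r"pod([0-9a-f]{8}(?:[-_][0-9a-f]{4}){3}[-_][0-9a-f]{12})")

def attribute(cgroup_text):
    """Map the text of one /proc/<pid>/cgroup file to (container_id, pod_uid).

    Returns (None, None) for a process that is not in a container cgroup.
    """
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)  # hierarchy-ID:controllers:path
        if len(parts) != 3:
            continue
        cid = CONTAINER_ID.search(parts[2])
        if cid:
            pod = POD_UID.search(parts[2])
            pod_uid = pod.group(1).replace("_", "-") if pod else None
            return cid.group(1), pod_uid
    return None, None

def group_by_container(proc_cgroups):
    """Group PIDs by short container ID; host processes go under 'host'."""
    groups = defaultdict(list)
    for pid, text in sorted(proc_cgroups.items()):
        cid, _ = attribute(text)
        groups[cid[:12] if cid else "host"].append(pid)
    return dict(groups)

# Constructed sample input: PID -> contents of /proc/<pid>/cgroup.
CID_A, CID_B = "3f" * 32, "9c" * 32
SAMPLE = {
    1: "0::/init.scope\n",
    4242: f"12:pids:/docker/{CID_A}\n1:name=systemd:/docker/{CID_A}\n",  # cgroup v1
    5150: "0::/kubepods.slice/kubepods-burstable.slice/"
          "kubepods-burstable-pod0f1e2d3c_4b5a_6978_8796_a5b4c3d2e1f0.slice/"
          f"cri-containerd-{CID_B}.scope\n",  # cgroup v2, systemd driver
    5151: "0::/kubepods.slice/kubepods-burstable.slice/"
          "kubepods-burstable-pod0f1e2d3c_4b5a_6978_8796_a5b4c3d2e1f0.slice/"
          f"cri-containerd-{CID_B}.scope\n",
}

if __name__ == "__main__":
    for container, pids in group_by_container(SAMPLE).items():
        print(container, pids)
```

On a live Linux host the same functions can be fed the real contents of `/proc/<pid>/cgroup`, which requires the sensor to see the host's PID namespace.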

The Deepfence Way

Deepfence ThreatMapper and ThreatStryker, in most cases, use lightweight sensors. Both products support and protect Kubernetes, Docker, and AWS Fargate environments. They can also be used to observe and secure bare-metal and virtual machine workloads by installing a Docker runtime on the host. For services where lightweight sensors cannot be deployed, like AWS Lambda, Deepfence uses an agentless approach. 

Deepfence’s lightweight sensors provide unparalleled activity monitoring, workload discovery, and manifest retrieval. All of this data is then sent to the management console for analysis. Through this architecture, ThreatMapper and ThreatStryker provide detailed security insights into the configuration and runtime behavior of your applications without slowing system performance.

Recommendations for Security Professionals

There are benefits and drawbacks to both agent and agentless solutions. Both provide insight and value to professionals who are responsible for securing increasingly complex and distributed environments. While agentless tools excel at providing quick and easy visibility, agent-based solutions are capable of going much deeper to provide vulnerability management along with exploitability triaging. And in the middle, sometimes lumped into one category or the other, is the lightweight sensor approach. 

There is no right or wrong answer (except for not using any of these solutions). By incorporating agent-based, agentless, and the lightweight sensors that fall in between, organizations can achieve a mature security strategy. Each offers insight into the well-being (security) of your environments. Just as doctors use a variety of tools, such as x-rays and MRIs, each offering a different level of visibility, to diagnose an ailment or injury, agent, agentless, and lightweight sensors offer different and complementary perspectives for a holistic understanding of your security posture.

To learn more about Deepfence, schedule a 15-minute demo with one of our security experts. Or, take a look at open source ThreatMapper on GitHub.

