Agent and Agentless: A Comprehensive Approach to Security

There are two common approaches to security observability, vulnerability management, and workload protection: agent and agentless. We often hear from our customers and partners, “How do they compare? Which one does Deepfence use? Which way should I go?”

The industry is filled with strong opinions on both sides. In this article, we’ll take an unbiased look at both approaches, cover the pros and cons of contemporary solutions, and explore an alternative methodology that uses lightweight sensors. 

What Is Agent-Based Security?

Agent-based security is an approach in which agent code is deployed directly to a cloud, container, virtual machine, or bare-metal server to capture deep telemetry about the security of an environment and its workloads. 

What Is Agentless Security?

Agentless security is an approach in which no code is deployed on the workloads to capture information about the security of an environment and its workloads. Instead, telemetry is gathered using non-invasive methods, such as through cloud APIs or by processing log files.

Agentless vs Agent-Based Security: What’s the Difference?

Now that we have a basic introduction to both methods, let’s look at some of the key differences between the two.

[wptb id=3055]

In summary, here are the main pros and cons of each approach:

Agent-based pros and cons

• Pros: deeper visibility, capable of providing runtime security
• Cons: require automation and support for deployment and maintenance, might impact system performance if not configured properly

Agentless pros and cons 

• Pros: quick and easy to deploy and maintain
• Cons: rely solely on cloud APIs, which limit coverage and may incur rate limiting; won’t work outside of cloud environments; cannot provide runtime security. Deeper cloud hooks often do not scale for large enterprise with many hundred accounts and users

Lightweight Sensors: The Best of Both Worlds

In the middle of the great agent debate is another approach – lightweight sensors – a middle ground that delivers on the best of these alternatives. Lightweight sensors function the same as contemporary agent-based solutions, except for in their deployment model. Unlike traditional agent-based solutions, lightweight sensors are completely separate from applications but run on the same infrastructure. 

Considering the table above, deployment and maintenance of lightweight sensors differ from agent-based and agentless solutions as follows.

[wptb id=3056]

Using lightweight sensors provides a straightforward, automated way to observe your workloads, without the need for heavy deployment and maintenance efforts that are associated with agent-based solutions. Lightweight sensors can inspect running containers to gather telemetry, pull manifests, and take advantage of features, such as extended Berkeley Packet Filtering (eBPF), on the underlying Linux kernel. Essentially, this approach offers the same functional benefits and depth of visibility that agent-based approaches do, but without requiring application modifications or installation of software within an application itself.

The Deepfence Way

Deepfence ThreatMapper and ThreatStryker, in most cases, use lightweight sensors. Both products support and protect Kubernetes, Docker, and AWS Fargate environments. They can also be used to observe and secure bare-metal and virtual machine workloads by installing a Docker runtime on the host. For services where lightweight sensors cannot be deployed, like AWS Lambda, Deepfence uses an agentless approach. 

Deepfence’s lightweight sensors provide unparalleled activity monitoring, workload discovery, and manifest retrieval. All of this data is then sent to the management console for analysis. Through this architecture, ThreatMapper and ThreatStryker provide detailed security insights into the configuration and runtime behavior of your applications without slowing system performance.

Recommendations for Security Professionals

There are benefits and drawbacks to both agent and agentless solutions. Both provide insight and value to professionals who are responsible for securing increasingly complex and distributed environments. While agentless tools excel at providing quick and easy visibility, agent-based solutions are capable of going much deeper to provide vulnerability management along with exploitability triaging. And in the middle, sometimes lumped into one category or the other, is the lightweight sensor approach. 

There is no right or wrong answer (except for not using any of these solutions). By incorporating agent-based, agentless, and the lightweight sensors that fall in between, organizations can achieve a mature security strategy. Each offers insight into the well being (security) of your environments. Similar to how doctors use a variety of tools, such as x-rays and MRIs, each offering different levels of visibility, to diagnose an ailment or injury, agent, agentless, and lightweight sensors offer different and complementary perspectives for a holistic understanding of your security posture.

To learn more about Deepfence, schedule a 15 minute demo with one of our security experts. Or, take a look at open source ThreatMapper on GitHub.