Shortfalls of Agent based security scanning

Introduction
Agent-based security scanning is a popular way to improve security by adding an extra layer of protection to your environment. However, because agents run locally on the systems they protect rather than remotely, they are themselves exposed to attack. This post covers some of the shortcomings of agent-based scanning, as well as potential ways of overcoming them.

1. Agents can only scan what you install them on
The first and most important downside of agent-based security scanning is that it can only scan what you install it on. Agents cannot scan cloud assets such as SaaS, IaaS and PaaS (public cloud applications), or other services running on top of the same infrastructure as your application.

This means that even if you have an agent installed in every environment where your application runs, such as on each development server, the agents will never find vulnerabilities in any other applications running in those environments.

2. Agents are blind to cloud assets (SaaS, IaaS, PaaS)
Cloud assets are often not discoverable by agents at all: the agent has no way of knowing that they exist or what data they hold. Agents also cannot access the underlying components that make up these types of services; they only see how the services present themselves on the surface, for example a web server with a URL, an API endpoint reachable over HTTP, or a management tool such as AWS CloudFormation.

Cloud resources have many layers of security built into them. An attacker who does not hold privileged credentials must break through one layer at a time, and each layer may require a different set of credentials, before reaching the higher-privileged areas where sensitive data may be stored. Those areas stay out of sight of lower-level users, who do not need such privileges anyway.

3. Agents are not always up to date
Agents are updated manually by a human, and sometimes this process happens very slowly. This can lead to outdated information being passed on from one agent to another, which causes problems for users who rely on the scanning results for security decisions.
It is also possible that some agents will stop working altogether because they have been abandoned by their creators (or simply forgotten about).
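
Points 1 to 3 above come down to two operational questions a defender should be able to answer at any time: which assets have no agent at all (because none was installed, or because the asset kind cannot host one), and which installed agents are stale or outdated. The following Python script is an added example, not code from the original post; it reconciles a constructed asset inventory against constructed agent check-ins and reports coverage gaps, unscannable asset kinds, agents that have not reported within a freshness window, agents running an old version, and agents reporting from hosts the inventory does not know about. The asset kinds, host names, versions and timestamps are all assumptions made for the example.

```python
"""Reconcile an asset inventory against security-agent check-ins.

Added example (not code from the original post). All hosts, versions and
timestamps below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: what the organisation actually runs, by asset kind.
ASSET_INVENTORY = [
    {"id": "web-01", "kind": "vm"},
    {"id": "web-02", "kind": "vm"},
    {"id": "db-01", "kind": "vm"},
    {"id": "billing-api", "kind": "paas"},
    {"id": "image-resize", "kind": "serverless"},
    {"id": "crm", "kind": "saas"},
]

# Constructed agent check-ins, as an agent backend might report them.
AGENT_CHECKINS = [
    {"host": "web-01", "version": "4.2.0", "last_seen": "2024-05-10T08:00:00Z"},
    {"host": "web-02", "version": "3.9.1", "last_seen": "2024-04-01T12:00:00Z"},
    {"host": "jump-01", "version": "4.2.0", "last_seen": "2024-05-10T07:30:00Z"},
]

# Assumption: only plain VMs/servers can host an agent; PaaS, SaaS and
# serverless assets are outside what an agent can ever see (point 2 above).
AGENT_CAPABLE_KINDS = {"vm"}
CURRENT_AGENT_VERSION = "4.2.0"
# Fixed "now" so the example is reproducible offline.
REFERENCE_NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)


def parse_version(text):
    """'4.10.0' -> (4, 10, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def parse_timestamp(text):
    """Parse an ISO-8601 UTC timestamp; map a trailing 'Z' to '+00:00' for older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def coverage_report(inventory, checkins, now, max_age_days=7,
                    current_version=CURRENT_AGENT_VERSION):
    """Return sorted host lists for each coverage or freshness finding."""
    known_ids = {asset["id"] for asset in inventory}
    capable = {a["id"] for a in inventory if a["kind"] in AGENT_CAPABLE_KINDS}
    not_capable = known_ids - capable
    agent_hosts = {c["host"] for c in checkins}
    max_age = timedelta(days=max_age_days)
    wanted = parse_version(current_version)

    # Agents that have not reported within the freshness window (point 3).
    stale = [c["host"] for c in checkins
             if now - parse_timestamp(c["last_seen"]) > max_age]
    # Agents running an older version than the one currently rolled out (point 3).
    outdated = [c["host"] for c in checkins
                if parse_version(c["version"]) < wanted]

    return {
        # Agent-capable hosts with no agent installed (point 1).
        "uncovered_hosts": sorted(capable - agent_hosts),
        # Assets an agent could never cover (point 2).
        "unscannable": sorted(not_capable),
        "stale": sorted(stale),
        "outdated": sorted(outdated),
        # Agents reporting from hosts the inventory does not know about.
        "unknown_agents": sorted(agent_hosts - known_ids),
    }


def demo_report():
    """Run the reconciliation over the constructed sample data."""
    return coverage_report(ASSET_INVENTORY, AGENT_CHECKINS, REFERENCE_NOW)


if __name__ == "__main__":
    for finding, hosts in demo_report().items():
        print(f"{finding:16s} {', '.join(hosts) or '-'}")
```

With the sample data, `db-01` has no agent, `web-02` is both stale and a version behind, `jump-01` reports an agent on a host the inventory does not list, and the PaaS, SaaS and serverless assets are flagged as unscannable regardless of how many agents are deployed. In practice the two input lists would come from the cloud provider's inventory API and the agent backend; the freshness window and current version are policy parameters.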

4. Agents require local administrative rights to scan properly
Agents need to run as an administrator on the host they are installed on. This is a security risk if the host is compromised, and it is also possible for your agent to be compromised by an attacker who already holds administrative rights on a different system.
The possibility of an attacker using an agent as a backdoor is another problem with this approach. An attacker with access to both your agent and its data could gain full control over every other host where you have deployed agents (and possibly access beyond those hosts).

5. Agents will increase the attack surface of a host
Agents are a potential attack vector. They require local administrative rights to scan properly, and they can be disabled or removed. In addition, agents may end up installed on systems that are not actually being scanned (or monitored).

Agent-based security scanners add unnecessary risk with little additional value
Agent-based security scanners are not always up to date. They can only scan what you install them on, which means that if a new vulnerability is discovered in one of your programs, the agent will be unable to detect it unless you update it (and sometimes even then). Agents also require local administrative rights to scan properly, so they may not work at all when run under an ordinary user account instead of an administrator account (even though the ordinary user account would be the ideal, least-privilege choice). Agents add attack surface to hosts and expose them to risks such as malware downloaded from the internet.

Conclusion
Agent-based security scanners add unnecessary risk with little additional value. Agent-based solutions compete for compute resources with the production systems they run on. In addition, with the explosion of serverless adoption, there is no place to install agents at all.