Here is one more thing I picked up at RSA 2013 (belated blog post alert!): the agents are back. No, not the intelligence agents (those never really left), but the agents that sit on endpoints (mostly computers, but also mobile devices at some future point) and "collect stuff". For a while, "we use an agent for that" was a death knell for many security tools, and "agent-less" was the only game in town worth playing. Yes, people tolerate AV and device management agents, but that is where many organizations seemed to draw the line. Even endpoint DLP faces resistance in many cases. And an agent just to collect logs? You've got to be kidding!
It appears that this is starting to change. Virtualization, cloud (IaaS, in this case) and, more importantly, advanced attacks (APT) have all given various types of agents a boost.
As I pointed out in my post "A Quiet Assumption", the endpoint is a battleground that many people consider lost. However, if you think of a compromised endpoint as a great source of intelligence on the attacker, a place where an adversary trod and left traces, suddenly you stop thinking "win/lose" and start thinking of gaining an advantage. Specifically, the advantage you get by collecting all the traces, indicators, processes, etc. from that owned box. Next, if you capture a malware specimen, you can run it through a sandbox and extract more indicators, which you can then look for on all other endpoints. In most cases, however, you need an agent for that.
It used to be that only the Mandiant folks with their MIR tool were playing that game (well, Guidance kind of did too), but now more vendors are tooling up for the same battle on the endpoint. It sure makes you wonder why the major AV folks are asleep at the wheel. Some lesser anti-malware vendors have shown us their upcoming data collection capabilities as well as centralized ("cloud") analysis of the data. Entirely new vendors, such as CrowdStrike, launched with endpoint collection linked to cloud analytics (both automated and human-driven). Grabbing live processes and connections, and being able to either poll or even monitor in real time (for select indicators), is an approach that is expected to expand to more tools. Some dissolvable agents, such as those used by vulnerability assessment vendors, have also been retooled to look for running processes, hash files and perform other endpoint observation tasks.
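To make the collect, sandbox, extract, sweep loop from the last two paragraphs concrete, here is an added example (not code from the original post or from any vendor named in it). It assumes a sandbox report and two endpoint snapshots as plain dicts, all constructed inline; a real agent would hash the executables behind live processes and read the socket table instead.

```python
import hashlib

# Constructed stand-ins: one sandboxed sample, one dropped file, one benign binary.
SAMPLE_HASH = hashlib.sha256(b"constructed-malware-sample").hexdigest()
DROPPED_HASH = hashlib.sha256(b"constructed-dropped-dll").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed-benign-binary").hexdigest()

SANDBOX_REPORT = {  # constructed; shape is this example's own, not any product's format
    "sample_sha256": SAMPLE_HASH,
    "dropped_sha256": [DROPPED_HASH],
    "network": [{"ip": "203.0.113.10", "port": 443}],   # documentation range (TEST-NET-3)
    "spawned": ["updater.exe"],
}

SNAPSHOTS = [  # constructed agent snapshots from two hosts
    {"host": "ws-01",
     "processes": [{"name": "explorer.exe", "sha256": BENIGN_HASH},
                   {"name": "setup.exe", "sha256": SAMPLE_HASH}],
     "connections": [{"remote_ip": "203.0.113.10", "pid": 4242}]},
    {"host": "ws-02",
     "processes": [{"name": "Updater.EXE", "sha256": BENIGN_HASH}],
     "connections": [{"remote_ip": "198.51.100.7", "pid": 1}]},
]

def indicators_from_sandbox(report):
    """Turn a sandbox report into indicator sets keyed by indicator type."""
    return {
        "sha256": {report["sample_sha256"], *report.get("dropped_sha256", [])},
        "remote_ip": {c["ip"] for c in report.get("network", [])},
        "process_name": {n.lower() for n in report.get("spawned", [])},
    }

def sweep(snapshot, ind):
    """Match one endpoint snapshot against the indicators; return (type, value, evidence) hits."""
    hits = []
    for p in snapshot["processes"]:
        if p["sha256"] in ind["sha256"]:
            hits.append(("sha256", p["sha256"], p["name"]))
        if p["name"].lower() in ind["process_name"]:   # case-insensitive on purpose
            hits.append(("process_name", p["name"].lower(), p["sha256"]))
    for c in snapshot["connections"]:
        if c["remote_ip"] in ind["remote_ip"]:
            hits.append(("remote_ip", c["remote_ip"], c["pid"]))
    return hits

def sweep_fleet(snapshots, ind):
    """Return {host: hits} for every host with at least one indicator match."""
    return {s["host"]: h for s in snapshots if (h := sweep(s, ind))}
```

Note that the process-name hit on ws-02 is a lead, not proof: the hash is benign, so a name-only match is exactly the kind of indicator you poll for and then verify, rather than act on blindly.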
Philosophically, is this part of the network-to-host-and-back-again pendulum? It sure seems that way...