RSA 2013 and Endpoint Agent Re-Emergence
by Anton Chuvakin | March 28, 2013
Here is one more thing I picked up at RSA 2013 (belated blog post alert!): the agents are back. No, not the intelligence agents (those never really left), but the agents that sit on endpoints (mostly computers, but also mobile devices at some future point) and "collect stuff". For a while, "we use an agent for that" was a death knell for many security tools, and "agent-less" was the only game in town worth playing. Yes, people tolerate AV and device management agents, but that is where many organizations seemed to draw the line. Even endpoint DLP faces resistance in many cases. And an agent just to collect logs? You've got to be kidding!
It appears that this is starting to change. Virtualization, cloud (IaaS, in this case) and, more importantly, advanced attacks (APT) have all given various types of agents a boost.
As I pointed out in my post "A Quiet Assumption", the endpoint is a battleground that many people consider lost. However, if you think of a compromised endpoint as a great source of intelligence on the attacker, a place where an adversary trod and left traces, suddenly you stop thinking "win/lose" and start thinking of gaining an advantage. Specifically, the advantage you get by collecting all the traces, indicators, processes, etc., from that owned box. Next, if you capture a malware specimen, you can run it through a sandbox and extract more indicators (file hashes, process names, network destinations) that you can now look for on all other endpoints. However, in most cases, you need an agent for that.
It used to be that only the Mandiant folks with their MIR tool were playing that game (well, Guidance kind of did too), but now more vendors are tooling up for the same battle on the endpoint. It sure makes you wonder why the major AV folks are asleep at the wheel. Some smaller anti-malware vendors have shown us their upcoming data collection capabilities as well as centralized ("cloud") analysis of the data. Entirely new vendors, such as Crowdstrike, launched with endpoint collection linked to cloud analytics (both automated and human-driven). Grabbing live processes and connections, and being able to either poll for or even monitor in real time (for select indicators), is an approach that is expected to expand to more tools. Some dissolvable agents, such as those used by vulnerability assessment vendors, have also been retooled to look for running processes, hash the files and perform other endpoint observation tasks.
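To make the "sandbox indicators, then sweep every endpoint" loop from the two paragraphs above concrete, here is an added example of the matching logic; it is not code from the original post or from any of the vendors named. The sandbox report layout, the ProcessRecord fields and all host snapshots are constructed for the example, and the 203.0.113.0/24 address is a documentation range, not a real C2. On a real host the snapshot would come from walking the process table and hashing each executable with sha256_file.

```python
"""Added example, not from the original post: sweep endpoint snapshots for
indicators extracted from a sandbox run of a captured specimen.

Snapshots and the sandbox report below are constructed inline so the file runs
offline; the report keys and the ProcessRecord fields are assumptions of this
example, not any vendor's format."""
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Indicators:
    """What the sweep looks for: file hashes, process names, remote endpoints."""
    file_hashes: frozenset
    process_names: frozenset
    remote_endpoints: frozenset  # set of (ip, port)


@dataclass(frozen=True)
class ProcessRecord:
    """One live process as an endpoint agent would report it."""
    host: str
    pid: int
    name: str
    exe_sha256: str
    remote_endpoints: tuple  # ((ip, port), ...) from active connections


def sha256_file(path: str) -> str:
    """Stream-hash an executable on disk; this is the per-file work a
    dissolvable agent does when it hashes what is running."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def indicators_from_sandbox(report: dict) -> Indicators:
    """Turn a sandbox report into sweepable indicators (report keys assumed)."""
    return Indicators(
        file_hashes=frozenset(f["sha256"].lower() for f in report.get("dropped_files", [])),
        process_names=frozenset(p["name"].lower() for p in report.get("processes", [])),
        remote_endpoints=frozenset(
            (c["dst_ip"], int(c["dst_port"])) for c in report.get("network", [])
        ),
    )


def sweep(records: Iterable[ProcessRecord], iocs: Indicators) -> list:
    """Match every record against every indicator type; one finding per
    process, listing which indicator types fired."""
    findings = []
    for rec in records:
        reasons = []
        if rec.exe_sha256.lower() in iocs.file_hashes:
            reasons.append("file_hash")
        if rec.name.lower() in iocs.process_names:
            reasons.append("process_name")
        hits = tuple(ep for ep in rec.remote_endpoints if ep in iocs.remote_endpoints)
        if hits:
            reasons.append("connection")
        if reasons:
            findings.append({"host": rec.host, "pid": rec.pid, "name": rec.name,
                             "reasons": reasons, "connections": hits})
    return findings


# Constructed specimen and sandbox output (not real malware, not a real report).
SPECIMEN = b"constructed specimen bytes for the example"
SPECIMEN_SHA256 = hashlib.sha256(SPECIMEN).hexdigest()
SANDBOX_REPORT = {
    "dropped_files": [{"sha256": SPECIMEN_SHA256}],
    "processes": [{"name": "svch0st.exe"}],
    "network": [{"dst_ip": "203.0.113.7", "dst_port": 443}],  # TEST-NET-3 address
}

# Constructed snapshots from four hosts, as their agents would report them.
SNAPSHOTS = [
    # same binary, renamed: only the hash catches it
    ProcessRecord("host-a", 4120, "updater.exe", SPECIMEN_SHA256, ()),
    # different build of the dropper, same name: only the name catches it
    ProcessRecord("host-b", 988, "SVCH0ST.EXE", "ab" * 32, ()),
    # legitimate browser talking to the C2 address: only the connection catches it
    ProcessRecord("host-c", 2211, "chrome.exe", "cd" * 32, (("203.0.113.7", 443),)),
    # clean host
    ProcessRecord("host-d", 1, "init", "ef" * 32, (("198.51.100.5", 80),)),
]


def run_sweep() -> list:
    """Extract indicators from the sandbox report and sweep all snapshots."""
    return sweep(SNAPSHOTS, indicators_from_sandbox(SANDBOX_REPORT))


if __name__ == "__main__":
    for finding in run_sweep():
        print(finding)
```

The three constructed hits each fire on exactly one indicator type, which is the practical reason to collect hashes, names and connections together rather than any one of them: a renamed copy slips past name matching, a rebuilt dropper slips past hash matching, and a C2 connection from a legitimate process is only visible in the connection data. Real-time monitoring, as opposed to polling, is the same match run on each new process or connection event instead of on a periodic snapshot. One caveat for a box that is genuinely owned: a kernel-level rootkit can hide processes and connections from a user-mode agent, so a clean sweep from the agent should be cross-checked against network-side evidence rather than taken as proof.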
Philosophically, is this part of the network-to-host-and-back-again pendulum? It sure seems that way…
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.