Anastasia Kuznetsova, Security Vision
In this series of articles we take a closer look at agents: why they are needed, what they can do, and the nuances of working with them. This first, introductory article gives a general understanding of the phenomenon, briefly covers the types of agents, and describes the common formats for deploying them in a network.
When building a security system, organisations use a variety of technologies, and combinations of them, to create a secure environment for their assets, whether informational or physical. Each category of organisation has its own ‘rules of thumb’ by which the quality of security is assessed and regularly audited. Quality security, however, depends on complete input data: put simply, the completeness and timeliness of the information received determines the decisions security personnel make. Without the proper level of information and general awareness, it can be impossible to make the right decisions or even to carry out certain procedures. Today there are many methods of data collection, and even more tools, but the greatest completeness is provided by agents. They have become widespread in IT because they do not require a remote connection to the machine, interactive authorisation or manual execution of commands, and they are built into many solutions with different purposes: antivirus, event management systems and even vulnerability scanners.
But the ease of support and the completeness of information mentioned above are not the only features that make agents popular. Depending on the agent's functionality and configuration, the list of basic tasks it can solve includes:
- Network device monitoring (NOC) - node response time, service response times and codes, collection of network service logs.
- Information security (SOC) - collection of logs and telemetry from the node (ensuring confidentiality, integrity and reliability of the data, and increasing the guarantee of successful delivery); detection and blocking of malicious activity by intercepting system events and applying signature analysis and Machine Learning (ML) (antivirus, EDR solutions); detection and prevention of leaks using mathematical statistics and ML mechanisms.
An agent is a service or intermediary programme that collects operational information from a target under observation and sends it to the ‘head office’ - a data processing/storage server. For example, we retrieve the contents of a host's security log with an agent that can read it because it has been granted the appropriate permissions. The agent then transmits the collected data to the central system, where the administrator observes it. For managing a single host the agent approach may seem impractical, or at least not the easiest, but in a modern organisation with a complex infrastructure agents make the work of information security specialists much easier.
There are two methods of data collection by an agent:
- Passive collection
- Active collection
A passive agent does not initiate collection on its own but waits for new events to arrive at the monitored node, after which it sends the data to the server at a set frequency. Such agents are simpler to implement and often have no interface. This method suits types of data that do not need to be monitored regularly, for example the maximum number of simultaneously supported OS processes, statistics on incoming/outgoing traffic, or DNS server health.
The active method, on the contrary, independently interrogates the target using specific management/data collection protocols (WMI, RPC, WinRM) and sends the result to the main server according to policies or a specified schedule. Such an agent is considered more complex and requires preliminary configuration by the administrator. It is often used by monitoring systems, or when regular monitoring of the host state is required, and it is appropriate in cases where, for one reason or another, additional services or applications cannot be installed on the target device.
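The passive agent's buffer-and-forward cycle, together with the integrity and delivery guarantees listed among the SOC tasks above, modelled in Python as an added example (not code from the article or from Security Vision): the agent numbers and HMAC-signs each batch and resends it until acknowledged, while the collector drops altered batches and ignores retransmissions. The key, the event lines and the class names are constructed for the illustration.

```python
import hmac, hashlib, json

AGENT_KEY = b"constructed-demo-key"  # constructed; provisioned per agent in practice

def sign(seq, events):
    """HMAC-SHA256 over sequence number + batch: integrity and origin check."""
    body = json.dumps({"seq": seq, "events": events}, sort_keys=True).encode()
    return hmac.new(AGENT_KEY, body, hashlib.sha256).hexdigest()

class PassiveAgent:
    """Buffers events as they arrive; forwards them as numbered, signed batches."""
    def __init__(self):
        self.buffer, self.seq, self.pending = [], 0, None
    def ingest(self, event):
        self.buffer.append(event)            # nothing is sent yet
    def build_batch(self):
        if self.pending:                     # unacknowledged batch: resend it first
            return self.pending
        if not self.buffer:
            return None
        self.seq += 1
        self.pending = {"seq": self.seq, "events": self.buffer,
                        "mac": sign(self.seq, self.buffer)}
        self.buffer = []
        return self.pending
    def ack(self, seq):
        if self.pending and self.pending["seq"] == seq:
            self.pending = None              # only now is the batch considered delivered

class Collector:
    """The 'head office': verifies each batch, drops forgeries, ignores replays."""
    def __init__(self):
        self.store, self.last_seq = [], 0
    def receive(self, batch):
        if not hmac.compare_digest(sign(batch["seq"], batch["events"]), batch["mac"]):
            return None                      # tampered or forged: drop, no ack
        if batch["seq"] > self.last_seq:     # a retransmission is acked but not stored twice
            self.store.extend(batch["events"])
            self.last_seq = batch["seq"]
        return batch["seq"]

def demo():
    agent, server = PassiveAgent(), Collector()
    for line in ["4624 logon user=alice", "4625 failed logon user=bob"]:  # constructed
        agent.ingest(line)
    first = agent.build_batch()
    server.receive(first)                    # delivered, but suppose the ack is lost
    agent.ack(server.receive(agent.build_batch()))   # same batch resent, acked, not duplicated
    forged = dict(first, events=["4624 logon user=mallory"])  # payload altered in transit
    return len(server.store), server.receive(forged), agent.pending is None
```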
Besides the collection method, there is another aspect to consider when introducing agents into the infrastructure: how the agent communicates with the end host. Broadly, there are two approaches. In the first, the agent is an internal package of the machine under investigation, i.e. it is literally installed on the particular host. In the second, the agent is itself an intermediate host/server that relays information from remote end devices.
The first case can be represented by the following scheme:

The agent is installed on the endpoint as a programme and collects data directly from inside the machine. This is convenient for constant monitoring of critical assets, but only when there are few of them. Deploying an agent on every machine of interest requires certain rights and quite a lot of time, and agent updates then become a recurring problem. Only with third-party tools (such as AD) can this process be automated.
When using an agent as an intermediary, part of the infrastructure will look like this:

Here the agent is installed directly on a collector server (e.g. WEC/WEF technology), which first gathers data from several machines at once and then passes it to the agent for onward transmission to the master server. This covers a larger part of the network and may also save on licence costs.
For a more illustrative comparison, let's consider the agentless method of data collection. In this communication concept, data is transmitted to a processing centre using various collection protocols (indicated in the diagram). The centre, in turn, filters and systematises the received data into a more general format for further analytics in the core of the system. This method suits small networks and is most often used in SIEM-type products with an all-in-one installation.

To summarise the introductory part of this article series, we can already highlight the main advantages and disadvantages of working with agents:
+ One-time initial setup
+ Security and the ability to control data flow
+ Scalability
+ Collection automation
+ Solves the problem of closed (isolated) network segments and the inability to connect remotely
- Endpoint performance consumption
- Require reconfiguration for atypical endpoint configurations or atypical collection requests
- Not compatible with every device type and infrastructure OS
- May not meet security requirements
The choice between agent-based and agentless collection methods is individual to each organisation and is based primarily on the size of the organisation, security requirements, equipment capacity and human resources.