Whether you build, buy, borrow, or steal it, you need a security agent on your endpoints. We can already hear your cries of "agent fatigue" and we sympathize. Any agent, no matter how lightweight, has costs associated with running it. Minimize those costs and get an agent, because you need the information that only an agent can harvest from the endpoint. We talk about various types of security agents, including their respective strengths and weaknesses. We explore how agents can interact and interfere with each other, and provide some tips for evaluating agents. We cover open-source, custom-built, and vendor perspectives, from cloud to IoT. We need information to do our jobs, and we need agents on our digital assets to provide that information.
Original presented at SOURCE Boston 2017: https://drive.google.com/file/d/0B26q0H40PvdZeVJyVGdXNmprUGM/view?usp=sharing
Slide 2 (@ncooprider, @threatstack): AGENT FATIGUE
Do you
• often find yourself booting into safe mode?
• regularly look for programs in the taskbar to kill?
• look for reasons why your computer seems sluggish?
• wonder why you pay for that thing on your computer?
• get employee complaints about installed software?
• look for ways to meet compliance requirements?
• care about security?
Slide 8: Agent fatigue
"The term agent fatigue is widely used to describe this phenomenon on the desktop. Are viruses a problem? Here is an antivirus solution. Is command and control communication the problem? Here is a Host-based Intrusion Detection System (HIDS). Need to keep track of all the software and versions installed on a system? Here is a compliance agent. The list of agents goes on and on. Each agent serves a different purpose, communicates to a different control server, and is managed by a different group within the organization."
Building an Intelligence Led Security Program, by Allan Liska
Slide 10: Agent fatigue
“I was talking to a financial services executive and he was asked ‘How does a startup approach you with something?’ and he said ‘Let me just tell you one hint: Don't sell me an end- If you need to put an agent on an endpoint. It's done’”
Michael Figueroa, Advanced Cyber Security Center, Startup Security Weekly #31
Slide 16: Need for an agent
• Necessary features not available any other way
  • The network cannot give us the data
  • The host can give us the data
  • The hosts host our valuable assets
• Not all agents equal
  • Past experience not indication of future #fail
  • Learn how to judge
  • Find best fit
Slide 17: NIDS not enough
• Increased SSL/TLS usage
  • NIDS blind to 70-80% of the traffic post-Snowden
  • Needs specialized Network Processor hardware
  • Not an option with cloud providers
  • NSS Labs paper documents the situation: https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
• Vanished perimeter
  • Maginot line - defense in depth
  • Bring your own device and the like
  • Cloud - don’t let the provider be a SPOF
Slide 21: Agent choices
• Build vs buy
• Open-source vs proprietary
• Cloud, server, workstation, IoT
• Kernel vs user
• Visibility vs prevention
Slide 22: Build vs buy
• Do you understand all the issues that are involved - all the elements that go into the TCO?
• Do you want to be a security company or do you want to be a secure company?
Slide 23: Open-source vs proprietary
Open-source, pros:
• Free to try before you buy
• Free support
• Open standards
• Fewer bugs and faster fixes
• Better security
• Avoids vendor lock-in
Proprietary, pros:
• Usability
• Product stability
• Ownership
• Tailored support
Open-source, cons:
• Reduced competitive advantage
• Minimal support leverage
• Usability
Proprietary, cons:
• Increased business risk
• Dependency
• Software opacity
Source: http://www.optimusinfo.com/downloads/white-paper/open-source-vs-proprietary-software-pros-and-cons.pdf
Slide 29: Price and cost
• Total cost of ownership
  • All the “ilities” - availability, scalability, reliability, etc.
  • Talent
  • Care and feeding
• Use what you get
  • Deploy the software
  • Look at the results
  • Tune performance
Slide 31: Benchmarking
• Easy to do wrong
• Environment specific
• Measure the right thing
  • CPU
  • Memory
  • Network
  • Disk
• Weigh appropriately
Slide 33: Actuators
• More than just logging
"Right now, logging in the cloud is an absolute complete unmitigated train wreck, as far as finding out where your data is"
John Strand, Enterprise Security Weekly #37
• Alerting
  • Severity
  • Context
• Modification
  • Autonomous?
Slide 36: Conclusion
• Agent fatigue
  • Real and valid
  • Something we need to get over
• Agents provide critical value
  • Vision on assets instead of around them
  • Attackers want hosts, not your network
• Choose wisely
  • Evaluate along all criteria: total cost, comfortable support, real benchmarks, useful sensors, actions beyond logging, and integrations
I expect to have some time for questions at the end
Do not worry! I’m here to help and we can work through this.
First, a disclaimer:
I am not an independent observer! I have a horse in this race, but I still think I will make some good points. After all, I use other people’s agents too!
Now let’s talk about the path to acceptance!
Let’s start by taking a step back and look at security fatigue in general
Computer Weekly - 2007 - THAT’S SO OLD
The Washington Times - 2014 - that’s better
2016 is even better. . . but I never trust anything on April 1st
Oh, NIST from last fall. Seems legit.
January 28, 1986 Challenger launch
Leading up to that catastrophe
Problem with putty used to seal the O-rings on the boosters
Analysis to determine limits reinterpreted as within the bounds of acceptable risk
Acceptance of that risk led to the explosion
In other words
So now let’s move from security fatigue in general to agent fatigue specifically
2007 - it’s gotten better since then, right?
2017 - NOPE
More NOPE!
Agent fatigue is alive and well (but you probably knew that)
Here’s another anecdotal quote
Moving along the path . . .
Where does this fatigue come from? It comes from the cost of running an agent
Not just talking about money here
but let’s talk about the money
Amazon makes it easy to visualize this
Don’t overpay (with money or anything else) for agent features beyond your capability to utilize them
What do I mean by that? Consider this
An agent-based solution can help you progress in maturity
There’s no getting around the cost of an agent, but there’s also no getting around the need for one either
Lots of great data is provided by Linux; Windows has similar. You have to be on the box to get it.
Brian Krebs
Individual workstation
Bots, Bitcoin, credentials, ransomware, data
There are still lots of choices for agents
Then there’s all the different types of agent-based solutions out there!
None of these are “right” or “wrong” universally. It’s based on the situation!
We all hire the best and the brightest
I filled this out from a white paper. Does this actually make sense to anybody?
My point is that lots of the conventions traditionally applied to this choice do not apply
Would you really want the solution for your desktop on your router?
Sometimes the answer is yes, but we should be cognizant of our actual needs and environment
Living in user space, only a limited amount of interference and damage can occur
Kernel space gives great power, but also great responsibility
Depends on environment
All-seeing eye vs defense in depth. Not mutually exclusive, but they tend to be different mindsets
See and don’t touch vs get all up in your business
How to navigate all these choices?
How to decide?
We’ll talk about a number of things.
Let’s go over cost first.
All the features and support beyond the actual agent solution
Ask about it, evaluate it, if there are concerns then address them
Get the right amount for you
This can make a huge difference in successful deployment and utilization
Now let’s talk about the actual agent
Everybody will say it’s “lightweight.” Even me. They’re not lying, but that phrase is fairly meaningless.
Figure out what matters to you and how to measure it.
CPU utilization - contention, hiding in other systems or as other processes
Memory usage - free memory, virtual memory (part in physical memory + part on disk), resident set size
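The benchmarking slide and these notes say what to measure (CPU, memory as resident set rather than virtual size, disk, network) but not how. One way to do it on Linux, as an added example that is not from the talk or from Threat Stack: sample /proc/<pid>/stat, status and io for the agent's PID twice and derive rates. The "agentd" process, its PID and all snapshot values below are constructed.

```python
# Added example (not from the talk): measure an agent's real footprint from Linux /proc
# (CPU time, resident vs virtual memory, disk I/O; /proc has no per-process network counters).
import os
import re

def parse_stat(text):
    # utime + stime (fields 14 and 15 in proc(5)). Split after the last ')' so a
    # process name containing spaces cannot shift the fields; rest[0] is field 3.
    rest = text[text.rindex(")") + 1:].split()
    return int(rest[11]) + int(rest[12])

def parse_status(text):  # VmSize (virtual) and VmRSS (actually in RAM), in kB
    return {k: int(v) for k, v in re.findall(r"^(VmSize|VmRSS):\s+(\d+)", text, re.M)}

def parse_io(text):  # read_bytes/write_bytes: real block-device traffic, not rchar/wchar
    return {k: int(v) for k, v in re.findall(r"^(read_bytes|write_bytes):\s*(\d+)", text, re.M)}

def sample_from_text(stat, status, io):
    d = {"ticks": parse_stat(stat)}
    d.update(parse_status(status))
    d.update(parse_io(io))
    return d

def sample_pid(pid):  # live sample of a running process (Linux; io needs privilege)
    def read(name):
        with open("/proc/%d/%s" % (pid, name)) as f:
            return f.read()
    return sample_from_text(read("stat"), read("status"), read("io"))

def footprint(s0, s1, interval_s, clk_tck=None):
    # Two samples interval_s apart -> CPU %, RSS MB, virtual MB, disk KB/s.
    clk_tck = clk_tck or os.sysconf("SC_CLK_TCK")
    return {
        "cpu_pct": 100.0 * (s1["ticks"] - s0["ticks"]) / clk_tck / interval_s,
        "rss_mb": s1["VmRSS"] / 1024,
        "virt_mb": s1["VmSize"] / 1024,
        "read_kbps": (s1["read_bytes"] - s0["read_bytes"]) / 1024 / interval_s,
        "write_kbps": (s1["write_bytes"] - s0["write_bytes"]) / 1024 / interval_s,
    }

# Constructed /proc snapshots of a fictional "agentd" process, taken 10 s apart.
STAT0 = "4242 (agentd) S 1 4242 4242 0 -1 4194560 1200 0 0 0 150 50 0 0 20 0 4 0 1000"
STAT1 = "4242 (agentd) S 1 4242 4242 0 -1 4194560 1300 0 0 0 250 100 0 0 20 0 4 0 1000"
STATUS = "Name:\tagentd\nVmSize:\t  204800 kB\nVmRSS:\t   38912 kB\nThreads:\t4\n"
IO0 = "rchar: 5000\nwchar: 6000\nread_bytes: 1048576\nwrite_bytes: 2097152\n"
IO1 = "rchar: 9000\nwchar: 9000\nread_bytes: 1058816\nwrite_bytes: 2148352\n"

if __name__ == "__main__":
    print(footprint(sample_from_text(STAT0, STATUS, IO0),
                    sample_from_text(STAT1, STATUS, IO1), 10.0, clk_tck=100))
```

Against a real agent, call sample_pid twice with a sleep in between and pass both samples to footprint; repeat under the workload you actually run, since the same agent will score differently on an idle host and a busy one.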
scanning vs monitoring
methods for subverting or getting around
What can we do with what the sensors see?
Information passing
Actions taken - blocking
Real power comes from integration
ChatOps, DevOps, SecOps, All of the Ops
What do you already use and will it work with that?
We’re here! Acceptance!
There are times when accepting risk becomes like the proverbial frog in hot water
Or, if you prefer
Despite how you may feel about the service you receive, these are people on the other side and they want you to find success!
Maybe it’s not a good match, but try to find out beforehand.