Whether you build, buy, borrow, or steal it, you need a security agent on your endpoints. We can already hear your cries of "agent fatigue" and we sympathize. Any agent, no matter how lightweight, has costs associated with running it. Minimize those costs and get an agent, because you need the information that only an agent can harvest from the endpoint. We talk about various types of security agents, including their respective strengths and weaknesses. We explore how agents can interact and interfere with each other, and provide some tips for evaluating agents. We cover open-source, custom-built, and vendor perspectives, from cloud to IoT. We need information to do our jobs, and we need agents on our digital assets to provide that information. Original presented at SOURCE Boston 2017: https://drive.google.com/file/d/0B26q0H40PvdZeVJyVGdXNmprUGM/view?usp=sharing

1. @ncooprider@threatstack
1
Eyes on the Ground:
Why You Need Security Agents
Nathan Cooprider
Software Team Lead

2. @ncooprider@threatstack
2
• often find yourself booting into safe mode?
• regularly look for programs in the taskbar to kill?
• look for reasons why your computer seems sluggish?
• wonder why you pay for that thing on your computer?
• get employee complaints about installed software?
• look for ways to meet compliance requirements?
• care about security?
Do you
AGENT FATIGUE

3. @ncooprider@threatstack
3
My day job: agent team lead

4. @ncooprider@threatstack
4
The path to agent acceptance!
Acceptance
Fatigue Cost Need
Choices Evaluation

5. @ncooprider@threatstack
5
Security fatigue

6. @ncooprider@threatstack
6
Normalization of deviance
Incremental and gradual erosion of normal procedures

7. @ncooprider@threatstack
Normalization of deviance
http://gunshowcomic.com/648

8. @ncooprider@threatstack
8
Agent fatigue
"The term agent fatigue is widely used to describe this
phenomenon on the desktop. Are viruses a problem? Here is
an antivirus solution. Is command and control
communication the problem? Here is a Host-based Intrusion
Detection System (HIDS). Need to keep track of all the
software and versions installed on a system? Here is a
compliance agent. The list of agents goes on and on. Each
agent serves a different purpose, communicates to a
different control server, and is managed by a different group
within the organization."
Building an Intelligence Led Security Program
by Allan Liska

9. @ncooprider@threatstack
9
Agent fatigue

10. @ncooprider@threatstack
10
Agent fatigue
“I was talking to a financial services executive and he
was asked ‘How does a startup approach you with
something?’ and he said ‘Let me just tell you one hint:
Don't sell me an end- If you need to put an agent on
an endpoint. It's done’”
Michael Figueroa
Advanced Cyber Security Center
Startup Security Weekly #31

11. @ncooprider@threatstack
11
The path to agent acceptance!
Acceptance
Fatigue Cost Need
Choices Evaluation

12. @ncooprider@threatstack
12
• Licensing
• Price per installation
• Compliance complications
• Workflow adaptation
• Introduced latency
• Full-on road blocks
• Management
• Additional attack surface
• Interfering with host behavior
Cost of running an agent

13. @ncooprider@threatstack
13
Cost of running an agent
Monthly
AWS
BILL
$10 $100 $1,000 $10,000 $100,000
1% $0.10 $1 $10 $100 $1,000
5% $0.50 $5 $50 $500 $5,000
10% $1 $10 $100 $1,000 $10,000
25% $2.50 $25 $250 $2,500 $25,000
• Resource utilization
• Personel
• CPU, network, memory, disk

14. @ncooprider@threatstack
14
Security maturity model
AUDIT
Baseline Your Environment and Meet Security Best Practices.
CONFIGURATION AUDITING • ALERTING • WORKFLOW INTEGRATIONS
MONITOR
Continuously Monitor & Alert to Detect Vulnerabilities, Intrusion, & Meet
Compliance Requirements.
VULNERABILITY ASSESSMENT • FILE INTEGRITY MONITORING • USER ACTIVITY
MONITORING
INVESTIGATE
Automatically Analyze Security Events to Determine Root
Cause.
USER SESSION PLAYBACK • DEEP PROCESS MONITORING • THREAT
INTELLIGENCE
PREVENT
Prevent Progression on the Cyber Kill Chain.
ISOLATE COMPROMISE • PREVENT LATERAL MOVEMENT

15. @ncooprider@threatstack
15
The path to agent acceptance!
Acceptance
Fatigue Cost Need
Choices Evaluation

16. @ncooprider@threatstack
16
• Necessary features not available any other way
• The network cannot give us the data
• The host can give us the data
• The hosts host our valuable assets
• Not all agents equal
• Past experience not
indication of future #fail
• Learn how to judge
• Find best fit
Need for an agent

17. @ncooprider@threatstack
17
• Increased SSL/TLS usage
• NIDS blind to 70-80% of the traffic post-Snowden
• Needs specialized Network Processor hardware
• Not an option in with cloud providers
• NSS Labs paper documents situation
https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
• Vanished perimeter
• Maginot line - defense in depth
• Bring your own device and the like
• Cloud - don’t let provider be SPOF
NIDS not enough

18. @ncooprider@threatstack
18
Agent-only information

19. @ncooprider@threatstack
19
Protect the assets
https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

20. @ncooprider@threatstack
20
The path to agent acceptance!
Acceptance
Fatigue Cost Need
Choices Evaluation

21. @ncooprider@threatstack
21
• Build vs buy
• Open-source vs proprietary
• Cloud, server, workstation, IoT
• Kernel vs user
• Visibility vs prevention
Agent choices

22. @ncooprider@threatstack
22
• Do you understand all
the issues that are
involved - all the
elements that go into
the TCO?
• Do you want to be a
security company or do
you want to be a
secure company?
Build vs buy

23. @ncooprider@threatstack
23
Open-source vs proprietary
Open-source Proprietary
Pros
• Free to try before you buy
• Free support
• Open standards
• Fewer bugs and faster fixes
• Better security
• Avoids vendor lock-in
• Usability
• Product stability
• Ownership
• Tailored support
Cons
• Reduced competitive advantage
• Minimal support leverage
• Usability
• Increased business risk
• Dependency
• Software opacity
http://www.optimusinfo.com/downloads/white-paper/open-source-vs-proprietary-software-pros-and-cons.pdf

24. @ncooprider@threatstack
24
• On the one hand:
they’re all computers
• On the other hand:
REALLY?
Cloud, server, workstation, IoT

25. @ncooprider@threatstack
25
Kernel vs user

26. @ncooprider@threatstack
26
Visibility vs prevention

27. @ncooprider@threatstack
27
The path to agent acceptance!
Acceptance
Fatigue Cost Need
Choices Evaluation

28. @ncooprider@threatstack
28
Criteria
• Cost
• Service
• Benchmarking
• Sensors
• Actuators
• Integration
Evaluating agents

29. @ncooprider@threatstack
29
• Total cost of ownership
• All the “ilities” - availability, scalability, reliability,
etc.
• Talent
• Care and feeding
• Use what you get
• Deploy the software
• Look at the results
• Tune performance
Price and cost

30. @ncooprider@threatstack
30
• Training
• Helpdesk
• Management
Service

31. @ncooprider@threatstack
31
• Easy to do wrong
• Environment specific
• Measure right thing
• CPU
• Memory
• Network
• Disk
• Weigh appropriately
Benchmarking

32. @ncooprider@threatstack
32
• Targets
• Processes
• Files
• Network
• Users
• Configuration
• Consider reliability
• Perspective
• Persistence
Sensors

33. @ncooprider@threatstack
33
• More than just logging
"Right now, logging in the cloud is an absolute complete
unmitigated train wreck, as far as finding out where your data
is"
John Strand
Enterprise Security Weekly #37
• Alerting
• Severity
• Context
• Modification
• Autonomous?
Actuators

34. @ncooprider@threatstack
34
Integration

35. @ncooprider@threatstack
35
The path to agent acceptance!
Acceptance
Fatigue Cost Need
Choices Evaluation

36. @ncooprider@threatstack
36
• Agent fatigue
• Real and valid
• Something we need to get over
• Agents provide critical value
• Vision on assets instead of around them
• Attackers want hosts, not your network
• Choose wisely
• Evaluate along all criteria:
Total cost, comfortable support, real benchmarks, useful
sensors, actions beyond logging, and integrations
Conclusion

37. @ncooprider@threatstack
37
Questions?

38. @ncooprider@threatstack
38
http://www.computerweekly.com/blog/David-Laceys-IT-Security-Blog/Countering-the-Threat-of-
Information-Security-Fatigue
http://www.washingtontimes.com/news/2014/aug/7/hayden-security-fatigue-on-the-rise-as-public-feel/
http://www.securitymagazine.com/articles/87014-dispelling-the-dangerous-myth-of-data-breach-fatigue
https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-
hopeless-and-act-recklessly
https://sma.nasa.gov/docs/default-source/safety-messages/safetymessage-normalizationofdeviance-
2014-11-03b.pdf
http://www.networkworld.com/article/2293335/infrastructure-management/fighting-back-against-software-
agent-overload.html
https://www.forescout.com/company/blog/death-taxes-endpoint-agents/
https://community.spiceworks.com/topic/1917877-poll-software-agents-take-them-or-leave-them
http://wiki.securityweekly.com/wiki/index.php/SSWEpisode3
https://www.elsevier.com/books/building-an-intelligence-led-security-program/liska/978-0-12-802145-3
https://www.nsslabs.com/linkservid/13C7BD87-5056-9046-93FB736663C0B07A/
https://blog.threatstack.com/calculating-tco-the-real-cost-of-cloud-security
Resources

39. @ncooprider@threatstack
39
Extra slides

40. @ncooprider@threatstack
40
Normalization of deviance

41. @ncooprider@threatstack
41
CAN I HELP YOU?