Agents have always been an inherent part of security and operations, finding a place in vulnerability scanning, threat detection, data loss prevention (DLP), remote management, virtual private networks (VPN), and more. We all know them, we all have them, and as a result, we are all faced with the burden of managing, deploying, and updating countless endpoint agents. In the cloud, this becomes even more complex since IT teams do not necessarily have control over all the deployed workloads, leading to an endless cat-and-mouse game of trying to get developers to deploy the various agents.
In this post, we discuss five security limitations of endpoint security agents: lack of coverage, deployment difficulties, an increased attack surface, susceptible high privileges, and ease of avoidance by attackers. We also cover how adding agentless solutions can improve your cloud environment security.
Security agents fail to provide full coverage
Cloud resources are mostly managed by DevOps teams, which usually prioritize performance and operability, whereas security is sometimes sidelined. When security isn’t front and center, resources could be deployed without a security agent. And this is a problem. Relying solely on agent-based solutions can create holes in your cloud workload protection and prevent you from reaching 100% coverage.
Our research shows that only 20% of the virtual machines (VMs) covered by Wiz have an endpoint protection agent deployed.
Also, a resource without an agent is undetected by various management systems, creating blind spots in your network. This becomes even more problematic in organizations where endpoint protection agents function as a patch management solution as well. A machine that is deployed without an agent is not monitored, so you have no way of knowing if it is vulnerable or not. This leads to machines remaining unpatched and vulnerable to exploitations and attacks.
When talking about patch management, the recent Log4Shell vulnerability is the perfect example for this scenario. This library is widely used by numerous applications. Using only an agent-based solution where most of the environment does not have the agent deployed makes it impossible to detect and address all your vulnerable instances. Failing to mitigate such a high-profile vulnerability that is exploited in the wild could lead to breaches, from ransomware attacks to advanced persistent threats (APT).
Besides the challenge and overhead of enforcing endpoint agent coverage on IaaS VMs, virtual appliances and marketplace VMs lack support for security agents. This creates a severe blind spot in environments that rely exclusively on agent-based solution— administrators lack visibility into malware and vulnerabilities on these VMs, which often have identity and network access to critical infrastructure. These VMs must be scannable or they will become a gap in security rather than a safeguard.
For example, F5 Big IP vulnerabilities are constantly discovered and exploited to initiate access to victim environments. In 2021, over 80 vulnerabilities that affected F5 Big IP were assigned CVEs. In fact, our research found that one of every seven companies covered by Wiz that have a VM running F5 BIG-IP Advanced Firewall Manager has at least one publicly exposed instance with exploitable vulnerabilities. These VMs are like a black box, since you cannot deploy an EDR or patch management solution there. Moreover, those appliances are usually exposed to the internet for obvious reasons, as their whole purpose is to act as a boundary between the public internet and the user environment, leaving them exposed to external attackers' exploitations.
Agent-based solutions alone provide security teams a partial-view of the environment, especially in dynamic cloud environments with ephemeral resources. And, the bigger the environment, the less effective agent-coverage becomes.
Security agents increase the attack surface
Any additional software, program, or agent that exists on your VM extends the attack surface for possible attackers. Rather than forcing malicious actors to rely solely on the limited attack surface that comes with built-in operating system features, each additional piece of software expands that attack surface to include more proprietary code on the machine.
Vulnerabilities in security agents can be even riskier, due to the high privileges the agents require for running processes on the operating system. And when we consider the difficulty in maintaining security agents, it is not surprising that, based on our data, 54% of the agents deployed in cloud environments are not updated with the latest available version, leaving unpatched agents exposed and vulnerable. Just recently, Palo Alto Networks published that Cortex XDR agents are vulnerable to CVE-2022-0015, a privilege escalation vulnerability that enables authenticated local users to execute programs with elevated privileges.
Another example for this is CVE-2021-1647, a CVSS 7.8 remote code execution (RCE) vulnerability published in January 2021 within the popular Microsoft Defender Anti-Malware Engine, allowing attackers to execute code on target systems. This vulnerability is listed in CISA’s known exploited vulnerabilities catalog and is actively exploited in the wild. As mentioned before, outdated software is very common in cloud environments, which is probably why we still see that 17% of the Wiz-covered VMs with Microsoft Defender are vulnerable.
Security agents must be granted high privileges in the operating system, otherwise, they are unable to prevent or detect threats. As such, they are more likely to be targeted by malicious attackers for local privilege escalation (LPE) vulnerabilities.
The following table lists some examples of high and critical severity vulnerabilities discovered in endpoint protection agents over the past two years:
|CVE-2021-31843||7.8||McAfee Endpoint Security for Windows||Improper Privileges Management|
|CVE-2020-7332||8.7||McAfee Endpoint Security firewall extension||Cross-Site Request Forgery|
|CVE-2020-7331||7.7||McAfee Endpoint Security||Unquoted Search Path or Element|
|CVE-2020-7320||6.8||McAfee Endpoint Security||Defense Evasion|
|CVE-2020-7319||8.0||McAfee Endpoint Security for Windows||Improper Access Control|
|CVE-2020-7265||7.8||McAfee Endpoint Security for Mac||Privilege Escalation|
|CVE-2020-7264||7.8||McAfee Endpoint Security for Windows||Privilege Escalation|
|CVE-2020-7250||7.7||McAfee Endpoint Security for Windows||Privilege Escalation|
|CVE-2020-7274||7.7||McAfee Endpoint Security for Windows||Improper Privilege Management|
|CVE-2020-7259||7.7||McAfee Endpoint Security||Permissions, Privileges, and Access Control|
|CVE-2022-0015||7.7||Palo Alto Networks Cortex XDR||Privilege Escalation|
|CVE-2022-0014||7.2||Palo Alto Networks Cortex XDR||Untrusted Search Path|
|CVE-2022-0012||7.0||Palo Alto Networks Cortex XDR||Privilege Escalation/Denial of Service|
|CVE-2021-3042||7.7||Palo Alto Networks Cortex XDR||Privilege Escalation|
|CVE-2021-3041||7.7||Palo Alto Networks Cortex XDR||Privilege Escalation|
|CVE-2020-2049||7.7||Palo Alto Networks Cortex XDR||Privilege Escalation|
|CVE-2021-42298||7.7||Microsoft Defender||Remote Code Execution|
|CVE-2021-34471||7.7||Microsoft Defender||Privilege Escalation|
|CVE-2021-34464||7.7||Microsoft Defender||Remote Code Execution|
|CVE-2021-34522||7.7||Microsoft Defender||Remote Code Execution|
|CVE-2021-31985||8.7||Microsoft Defender||Remote Code Execution|
|CVE-2021-24092||7.7||Microsoft Defender||Privilege Escalation|
|CVE-2021-1647||7.7||Microsoft Defender||Remote Code Execution|
|CVE-2020-1461||7.0||Microsoft Defender||Remote Code Execution|
|CVE-2020-1170||7.7||Microsoft Defender||Privilege Escalation|
|CVE-2020-1163||7.7||Microsoft Defender||Privilege Escalation|
|CVE-2020-1002||7.0||Microsoft Defender||Privilege Escalation|
|CVE-2020-5837||7.7||Symantec Endpoint Protection||Privilege Escalation|
|CVE-2020-5836||7.7||Symantec Endpoint Protection||Privilege Escalation|
|CVE-2020-5823||7.7||Symantec Endpoint Protection||Privilege Escalation|
|CVE-2020-5822||7.7||Symantec Endpoint Protection||Privilege Escalation|
|CVE-2020-5821||7.7||Symantec Endpoint Protection||DLL Injection|
|CVE-2020-5820||7.7||Symantec Endpoint Protection||Privilege Escalation|
Unlike endpoint protection agents, agentless protections do not increase your attack surface, giving you one less thing to worry about.
Security agents are susceptible to supply-chain attacks
Supply chain attacks are on the rise and will continue to be in 2022. A sophisticated attacker can gain access to an agent vendor production environment, implant malicious code in the source-code of a product, and once the malicious updates are installed – the customer environment is infected. This, for example, is what happened in the notorious SolarWinds attack that affected thousands of networks all over the world. Another example is the ransomware attack on Kaseya, an IT management software company: a zero-day vulnerability in their management servers allowed attackers to deploy malicious software updates on devices of the MSP’s customers. The attacker exploited this privileged access to infect hundreds of networks with ransomware.
Security agents are everywhere, deployed on the most valuable resources of a company, running with high permissions that can be easily abused, and on top of that— an attacker is less likely to get caught since the agent activity is not monitored. Therefore, highly resourceful adversaries might consider security agents to be a worthwhile target for a supply chain attack.
Agentless solutions use cloud permissions to perform the analysis, giving you control over their access level. Moreover, this means that every single action they perform is being audited and monitored by the cloud platform logs, and are therefore less likely to be exploited.
Security agents are searched for and bypassed by attackers
When attackers gain access to a VM, one of the first things they check are all the running processes and services, and specifically which security agents are present. After identifying the security agents, attackers can better plan their next steps based on their knowledge of how the agent operates. For example, Grasshopper, a nation-state malware framework, scanned for specific personal security products (PSPs) installed on the target operating system before executing its modules. Knowing this, attackers could avoid being detected.
A smart attacker can avoid detection or even completely neutralize any security agent. Bypass techniques and proof of concepts are constantly published by security researchers and used by attackers, which makes it easier and easier to avoid all the sophisticated detection and prevention mechanisms of an agent. Most of them are design flaws that persist in all the endpoint protection agent versions and can therefore be consistently bypassed.
Our research shows that out of all the VMs detected by Wiz as infected with malware, 27% of them had security agents deployed (meaning the agent either proved ineffective or was bypassed by the attacker):
As long as attackers find ways to manipulate these security agents, even VMs with endpoint protection agents are not completely safe. Cloud-based agentless solutions, on the other hand, are much harder to detect. When adding a layer of protection that attackers are unaware of, they are more likely to make mistakes and get caught.
Security agents require resources and time to deploy
The effort to deploy and maintain an agent-based solution is linear to the size of the fleet, whereas agent-less solutions are deployed once per cloud organization. Consider for example the deployment of an agent-based solution when you want to mitigate your organization against the Log4Shell vulnerability— the time required to achieve full coverage with an agent is, simply put, too long; time in which you are unprotected and could be easily breached.
In diverse environments, you have Windows servers, Linux servers running various distros, a multitude of built-in applications and configurations, and so on. When you deploy, patch, or upgrade an endpoint agent directly on the machine, the result might not always be 100% successful since the agent software could be incompatible with existing configurations.
Conversely, an agentless solution is immutable, easy to deploy, cost-effective, and provides you immediate visibility and actionability when you need it the most.
Conclusion: Cloud environments require cloud-native security
Endpoint security agents still have an important role in an organization’s security. But as technology evolves, environments change, and threat actors have learned how to evade and even utilize agents to their own needs, then agent-based security solutions alone are insufficient, especially in dynamic and complex cloud environments. Now, emerging scanning techniques pave the way to a new agentless security approach that has zero-impact on the environment.
Wiz scales to any cloud environment with zero impact on resource or workload performance, greatly improving security, availability, and most importantly— without slowing down your developers or business operations.