Five Reasons Endpoint Agents Do Not Offer Enough Protection on AWS

Security and operations have always relied on agents for threat detection, backups, vulnerability analysis, and more. Endpoint agents are widely used in securing IT environments, but deploying, updating, and managing them can be difficult. In cloud environments, the complexity increases as IT teams may only control some deployed workloads (due to Zero Trust), requiring constant effort to ensure that developers deploy agents.

In this blog, we discuss five security limitations of endpoint security agents: lack of coverage, deployment difficulties, an increased attack surface, high susceptible privileges, and ease of avoidance by attackers. We also cover how adding agentless solutions can improve your AWS environment’s threat detection, response, and recoverability.

Security agents fail to provide full coverage.

DevOps teams primarily focus on performance and operability, and are typically responsible for managing cloud resources. Although security is important, it isn’t their primary focus and can get overlooked. Without proper attention to security, workloads may be deployed without a security agent, creating vulnerabilities in cloud workload protection and hindering the achievement of complete coverage. Our research shows that less than 25% of the instances in AWS are covered by an endpoint protection agent.

a meme about aws endpoint cloud protection

Security agents are susceptible to supply-chain attacks.

Supply chain attacks are rising and will continue to be in 2023. An advanced attacker can infiltrate an agent vendor’s production environment, introducing harmful code into the product’s source code. Once the infected updates are installed, the customer’s environment becomes compromised. An example is the widespread SolarWinds attack, which impacted thousands of networks globally. Another example is the ransomware attack on Kaseya, an IT management software company, in which a previously unknown vulnerability in their management servers enabled attackers to push malicious software updates to the devices of the MSP’s customers. The attacker then used this privileged access to spread ransomware to hundreds of networks.

Security agents are present on a company’s most valuable resources, often running with elevated permissions that can be easily exploited. Additionally, the agent activity may not be closely monitored, making it less likely for an attacker to be caught, otherwise known as “Dwell Time”. As a result, sophisticated adversaries may view security agents as desirable targets for a supply chain attack.

Agentless solutions rely on cloud permissions for their analysis, giving you control over their access level. Additionally, every action they perform is recorded and monitored by the cloud platform logs, making it less likely for them to be exploited.

Security agents are searched for and bypassed by attackers.

When attackers gain access to a AWS workload, they first check all the running processes and services, specifically which security agents are present. After identifying the security agents, attackers can better plan their next steps based on their knowledge of how the agent operates. For example, Grasshopper, a nation-state malware framework, scans for specific personal security products (PSPs) installed on the target operating system before executing its modules to avoid being detected.

An intelligent attacker can avoid detection or even completely neutralize any security agent. Bypass techniques and proof of concepts are constantly published by security researchers and used by attackers, making it easier and easier to avoid all of an agent’s sophisticated detection and prevention mechanisms. Most of them are design flaws that persist in all the endpoint protection agent versions and can therefore be consistently bypassed.

Our research shows that out of all the VMs that were infected with malware, 27% of them had security agents deployed (meaning the agent either proved ineffective or was bypassed by the attacker).

Security agents require resources and time to deploy.

The effort to deploy and maintain an agent-based solution is linear to the size of the AWS environment, whereas agentless solutions are deployed once per cloud organization. Consider, for example, the deployment of an agent-based solution when protection against ransomware and malware threats is needed — the time required to achieve full coverage with an agent is too long, a time in which you are unprotected and could be easily breached.

In diverse environments, you have Windows servers, Linux servers running various AWS workloads, some customer-facing, many built-in applications and configurations on those workloads, and so on. When you deploy, patch, or upgrade an endpoint agent directly on the machine, the result is only sometimes 100% successful since the agent software is incompatible with existing configurations.

Conversely, an agentless solution is immutable, easy to deploy, cost-effective, and provides immediate visibility and actionability when needed.

Security agents increase the attack surface.

Any additional software, program, or agent on AWS workloads extends the attack surface for possible attackers. Rather than forcing malicious actors to rely solely on the limited attack surface with built-in operating system features, each additional piece of software expands that attack surface to include more proprietary code on the machine.

Vulnerabilities in security agents can be even riskier due to the high privileges the agents require for running processes on the operating system. And when one considers the difficulty in maintaining security agents, it is expected that many agents deployed in cloud environments must be updated with the latest available version, leaving unpatched agents exposed and vulnerable.

Conclusion: AWS environments require cloud-native cyber recovery

Endpoint security agents still have an essential role in an organization’s security. But as technology evolves, environments change, and threat actors learn how to evade and even utilize agents to their own needs. Agent-based security solutions alone are insufficient, especially in dynamic and complex cloud environments. Currently, emerging scanning techniques pave the way to a new agentless cyber recovery approach that has zero impact on the production environment.

About Elastio

Elastio detects and precisely identifies ransomware in your data and assures rapid post-attack recovery. Our data resilience platform protects against cyber attacks when traditional cloud security measures fail.

Elastio’s agentless deep file inspection continuously monitors business-critical data to identify threats and enable quick response to compromises and infected files. Elastio provides best-in-class application protection and recovery and delivers immediate time-to-value.