Ashish Pujari, CISSP CCSP, shares some of his personal experiences and challenges working with agents and endpoint security solutions, and explores the future of endpoint management.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
On-device agents have been the cornerstone of endpoint security, with solutions for every need, from basic antivirus to advanced endpoint detection and response (EDR) and user and entity behavior analytics (UEBA). With rising costs, increasing cybersecurity threats and the prevalence of remote work, modernizing endpoint security is critical for businesses today. This raises the question: are traditional agent-based security mechanisms still sufficient, or do we need a new approach to secure and manage the modern workforce effectively?
The Known Knowns
Performance Impact
CrowdStrike founder George Kurtz has been quoted saying how he was inspired to start the company when, on a flight, he watched the passenger seated next to him wait 15 minutes for McAfee software to load on their laptop. We've all been there: the spinning wheel of doom, the frozen screen, the agonizing wait for a simple program to load… all thanks to a dozen agents battling it out for system resources.
It's no secret that multiple security agents can cripple a device's performance. Despite the performance hit and user frustration caused by multiple on-device agents, we continue to accept them as the cost of security. However, as UX expert Jared Spool aptly stated: "If it’s not usable, it’s not secure."
Scalability Challenges
As organizations expand their device fleets, the complexity of managing these agents grows exponentially. Deploying and managing multiple agents across an organization can be a logistical nightmare. Troubleshooting conflicts, addressing performance issues and ensuring compatibility across diverse devices all consume valuable IT resources. A Forrester survey found that IT professionals spend 50% of their time on endpoint security, deployment and management. I've experienced this firsthand, spending more time troubleshooting agent performance than actual security issues.
The variety of devices and operating systems in modern workplaces, from Windows to macOS and beyond, adds another layer of complexity to agent management. Each platform may require specific configuration and troubleshooting approaches, creating extra work for IT administrators striving to maintain consistent security and performance.
The Known Unknowns
Software Supply Chain Risks
We tend to forget that agents have privileged access to devices, making them a prime target for attackers. The SolarWinds hack demonstrated how a compromised agent can become a conduit for widespread malware distribution. Even seemingly benign software updates can cause disruptions, as evidenced by a past CrowdStrike outage.
This reliance on agents creates a single point of failure that can compromise an entire organization’s IT infrastructure. Targeting the agent is particularly effective because security software is often granted extensive permissions and is typically exempt from security scans, allowing malware delivered through it to be installed and executed without resistance.
The consequences of a successful supply chain attack on security agents can be far-reaching and severe. Once compromised, agents can be used to disable other security measures, exfiltrate sensitive data, or serve as a launchpad for lateral movement within networks. The trusted nature of security software means that such attacks can go undetected for extended periods, allowing threat actors to maintain persistent access and conduct espionage or data manipulation activities. As organizations increasingly adopt newer, cloud-based technologies, the potential impact of such attacks grows exponentially – highlighting the urgent need for alternative security approaches that don’t rely heavily on on-device agents.
The Unknown Unknowns
Industry Incentives
Many industry incentives perpetuate the idea that, if you don’t have an on-device agent, then, somehow, you are automatically insecure. Vendors often describe their agents as low-impact, lightweight, etc. – which, in my opinion, is marketing jargon. Others term their agents “clients” or “sensors”. This is a rebranding exercise but, I admit, it gets the job done.
It's important to recognize that, for security vendors:
- The presence of an agent on a device creates a direct, persistent connection with the customer. This makes it more challenging for that customer to switch to competing solutions.
- Agents represent a lucrative upsell opportunity. Visibility into customer environments enables vendors to continuously refine their products, gather intelligence and upsell additional services or features.
Unfortunately for customers, this can, over time, lead to a proliferation of agents, each addressing a specific need, rather than a holistic and integrated security approach.
The Elephant in the Room
A recent Forrester survey highlighted that 90% of IT respondents believe the future of end-user computing is web-based, with 78% stating that companies failing to embrace this shift will be left behind. This shift presents organizations with an opportunity to rethink their security strategy.
As more applications and services migrate to the cloud, the traditional on-device agent security model becomes less relevant and the focus shifts towards cloud-native security solutions. Why? Because cloud providers are stepping up their game, investing heavily in robust security measures built directly into their platforms. This means you can leverage their advanced threat detection, data encryption and access controls without cluttering your devices with cumbersome agents. It's a win-win: you get top-notch security without the performance headaches and management overhead of on-device agents. This shift towards cloud-native security solutions allows organizations to streamline their endpoint security strategy and rely on the expertise and infrastructure of their cloud providers.
The growing use of web applications is also fueling a shift towards more sophisticated, API-based security solutions. These solutions offer a key advantage: they can provide robust security without requiring extra software on individual devices. This means easier deployment, simpler updates and less impact on device performance – all critical factors for managing security in today's distributed work environments.
The Path Forward
While it may not be feasible to eliminate agents entirely, I believe it's crucial to critically evaluate your security portfolio and explore agentless alternatives. I collaborate with my customer IT teams to help them leverage native OS and browser capabilities, optimizing security while minimizing reliance on on-device agents. Fun fact: the CrowdStrike outage did not impact ChromeOS because it is an agentless native integration.
While acknowledging that my approach may not work for every organization, I advise customers to prioritize security tools that:
- Are cloud-native
- Use APIs instead of on-device agents
- Embrace an open ecosystem by seamlessly integrating with other security applications in your environment
My view: the time is ripe for a paradigm shift in endpoint security. Push your security vendors to think beyond traditional agent-based models. Challenge them to provide innovative, web-based solutions that embrace an open ecosystem. This will foster interoperability with your existing tools and promote a more collaborative and effective security approach. Adopting agentless and native solutions where feasible allows for the creation of a more secure and efficient environment for users, which is the fundamental objective of all security professionals.
Ashish Pujari, CISSP CCSP, has 15+ years of experience in information security and has worked across diverse sectors, including technology, media and consulting. He has held management and technical roles, with responsibility for cloud security, security architecture reviews and managing security operations in corporate and client facing environments.