As a baseline security control, agent-based scanning has become the norm for organizations with WFH and BYOD policies. Because most organizations' endpoints sit on different networks, a network-based vulnerability scanner cannot scan them all at once. While agents play a vital role in securing specific endpoints, they cannot be the end-all solution for effectively managing vulnerabilities and remediation processes, and here is why:
The agent-based scanning approach has five areas of concern:
Deployment and Maintenance Are Time-Consuming and Labor-Intensive: Installing agents on every device is time-consuming and resource-intensive, and updating those agents once they are installed is an arduous task.
Remediation Prioritization Is Challenging Due to Accuracy Issues: Agent-based scanners tend to produce a more detailed view of the vulnerabilities present on a specific system. Despite that detail, agent-based scans tend to produce a high number of false positives and false negatives, which makes it difficult to identify and prioritize the true vulnerabilities that need remediation.
The Endpoint Itself Becomes a Threat Vector: Agents can also be targeted by attackers, since each one represents a point of entry into the system that could lead to a compromise of the entire network.
Slows Down Performance: Agent-based scanners are resource-heavy and can degrade the performance of the system or device they are installed on.
Opens Up Compatibility Issues: IoT devices and specialized hardware on your network may run an operating system that no agent supports. These devices still have an IP address, though, so a network-based scanner can reach them.
Agent-based scanning is a decent tool for defending certain endpoints, but it simply cannot scale and is not an effective solution for organizations that require large-scale vulnerability scanning and vulnerability management. Moreover, most scanners create a lot of noise, and a security team beleaguered by false positives cannot properly rate risk, remediate vulnerabilities, or keep its security posture in good standing.
Breaches most often occur in public-facing assets, with "web applications [being] the number one vector." [1] As Verizon points out, this highlights the value of continuously scanning public-facing assets, since these are the entry points attackers use most. The performance impact of continuous agent-based scanning is significant compared with the lighter touch of network-based vulnerability scanning. It is therefore important to employ agentless scanning alongside agent-based scanning to improve accuracy and breadth of coverage, while being conscious of your enterprise's resources.
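One practical way to apply the point above is to reconcile the agent inventory against what is actually on the network: any asset that has no agent checking in (because the OS is unsupported, the install never happened, or the agent has gone stale) is the coverage gap a network-based scanner must pick up, and public-facing gaps come first. The script below is an added example for this page, not Edgescan's code; the two inventories, the field names (`public_facing`, `agent_supported`, `last_checkin`) and the 30-day staleness threshold are constructed assumptions, standing in for whatever your CMDB, DHCP/ARP data and agent console actually export.

```python
"""Find assets a network-based scanner must cover because no healthy agent reports from them.

Added example (not from the original article). Inventories are constructed sample data:
in practice NETWORK_INVENTORY would come from DHCP leases, ARP tables or a CMDB, and
AGENT_INVENTORY from the agent management console's check-in records.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class NetworkAsset:
    ip: str
    hostname: str
    public_facing: bool     # reachable from the internet (hypothetical field from firewall/NAT records)
    agent_supported: bool   # a supported agent build exists for this OS (hypothetical field)


@dataclass(frozen=True)
class AgentRecord:
    ip: str
    version: str
    last_checkin: datetime  # last time the agent reported in


# Constructed reference time so the example is deterministic.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample inventories (RFC 5737 / RFC 1918 addresses).
NETWORK_INVENTORY = [
    NetworkAsset("203.0.113.10", "www-1", public_facing=True, agent_supported=True),
    NetworkAsset("203.0.113.11", "api-1", public_facing=True, agent_supported=True),
    NetworkAsset("10.0.5.20", "laptop-42", public_facing=False, agent_supported=True),
    NetworkAsset("10.0.5.21", "laptop-43", public_facing=False, agent_supported=True),
    NetworkAsset("10.0.9.7", "hvac-ctrl", public_facing=False, agent_supported=False),
    NetworkAsset("10.0.9.8", "badge-reader", public_facing=False, agent_supported=False),
]

AGENT_INVENTORY = [
    AgentRecord("203.0.113.10", "4.2.1", NOW - timedelta(hours=3)),
    AgentRecord("10.0.5.20", "4.2.1", NOW - timedelta(days=1)),
    AgentRecord("10.0.5.21", "3.9.0", NOW - timedelta(days=45)),  # stale: has not checked in for weeks
]


def stale_agents(agents, max_age=timedelta(days=30), now=NOW):
    """Agents that have not checked in within max_age; their hosts are effectively unmonitored."""
    return [a for a in agents if now - a.last_checkin > max_age]


def find_coverage_gaps(network_assets, agents, max_age=timedelta(days=30), now=NOW):
    """Assets with no healthy agent, ordered: public-facing first, then devices that can never run an agent."""
    stale_ips = {a.ip for a in stale_agents(agents, max_age, now)}
    healthy = {a.ip for a in agents} - stale_ips
    gaps = [asset for asset in network_assets if asset.ip not in healthy]
    # Sort keys: False sorts before True, so public-facing and agent-unsupported assets float to the top.
    return sorted(gaps, key=lambda a: (not a.public_facing, a.agent_supported, a.hostname))


def network_scan_targets(network_assets, agents):
    """IPs to feed the network-based scanner: every coverage gap plus every public-facing asset."""
    targets = {a.ip for a in find_coverage_gaps(network_assets, agents)}
    targets |= {a.ip for a in network_assets if a.public_facing}
    # Sort numerically by address; .packed keeps IPv4 and IPv6 comparable if both appear.
    return sorted(targets, key=lambda ip: ipaddress.ip_address(ip).packed)


if __name__ == "__main__":
    for asset in find_coverage_gaps(NETWORK_INVENTORY, AGENT_INVENTORY):
        reason = "public-facing" if asset.public_facing else ("no agent available" if not asset.agent_supported else "agent missing or stale")
        print(f"{asset.ip:<15} {asset.hostname:<13} {reason}")
    print("network scan targets:", network_scan_targets(NETWORK_INVENTORY, AGENT_INVENTORY))
```

The ranking encodes the article's two priorities: public-facing assets are scanned continuously regardless of agent status, and devices that can never run an agent are treated as permanent network-scanner responsibilities rather than deployment backlog. Treating a stale agent as a gap matters because an agent that stopped reporting weeks ago gives the same false sense of coverage as no agent at all.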
Verizon has coined the phrase "opportunistic attack sales funnel" to describe what has become standard practice among bad actors, and I think it is an accurate description of the process: "[Hackers] start with scanning for IPs and open ports… then crawling for specific services… then testing for specific Common Vulnerabilities and Exposures (CVE)… [finally attempting] Remote Code Execution (RCE) to gain access to the system." [2]
Think like an attacker and defend like one too
A network-based vulnerability scanner more accurately emulates the workflow most hackers use, as described above. The Edgescan platform goes a step further with a hybrid approach that combines automation with expert validation from CREST/OSCP-certified pen testers. After all, hackers are humans, and it is important to use the same combination of automation and human intelligence that they employ to monitor and safeguard your company's assets. Edgescan's hybrid approach to vulnerability management and penetration testing as a service (PTaaS) provides that perspective.
See how we do it. Sign up for a demo today!
[1] Verizon Data Breach Investigations Report, page 15
[2] Verizon Data Breach Investigations Report, page 31