The most effective CNAPP leverages agentless and agent-based security

And not all agents are built the same

Abstract architectural photo shot from the ground. Features a lot of modern windows and steel.

I’ve said it before and I’ll say it again – cloud security is hard. Most organizations are adopting the cloud and accelerating their pace of delivery, leading to security teams struggling to keep up with the dynamic (almost chaotic) landscape. It’s not enough to rely on a single layer of security when it comes to protecting your cloud infrastructure, your customer’s data, and your reputation.

That would be like having a single security guard protecting your home. Are you 100% confident that there would be NO way to get around a single guard or layer of security? You want security measures that assure safety by providing multiple safety nets to protect your business. When it comes to cloud security, a layered approach includes both agentless and agent-based capabilities.

Why layered security matters

In order for organizations to win in their market, they need to delight customers with their services and capabilities, innovating frequently, and all while ensuring that their organization is protected from cyber threats. As we’ve all seen in the last few years, cyber threats continue to evolve and persist. A part of the reason for this is that the public cloud is very different from a traditional datacenter. And legacy security practices simply don’t translate to the cloud.

Security for a datacenter was traditionally focused on protecting the perimeter of your corporate network by denying all entry and only permitting trusted entities. This was done using a firewall and associated firewall rules. But in the public cloud, there is no longer the concept of a perimeter to protect. Many cloud services can be misconfigured and exposed to the entire world. The scale and complexity that’s introduced when using the cloud makes it extremely difficult to secure. So what’s the first layer of security to get in place?

Agentless security is a great starting point

In the cloud, you need a way to gain complete visibility of the resources that are deployed, their configuration, and the activity taking place at the cloud control plane. A security solution that offers a quick and easy integration into your cloud provider can easily interrogate APIs to gather configuration information about all of the resources and assets in your cloud accounts. This type of security is typically referred to as cloud security posture management (CSPM) and can give you visibility into misconfigurations of cloud resources, which can be an easy entry point for attackers.

You can also use an agentless scanning method to check workloads for vulnerabilities and exposed secrets — without needing to deploy any agents. This gives you a fast, frictionless way to see where your biggest risks are across workloads.  But not all agentless workload scanning solutions are the same. Lacework uniquely delivers this capability in an innovative and least-privileged approach where the privacy of customer data is our primary concern.

Lacework takes it a step further by correlating multiple risk factors from configuration data, activity data (i.e. CloudTrail), and runtime data to show potential attack paths. In a single alert, you not only see critical risks from vulnerabilities, misconfigurations, etc. on a host, but you also see if there’s any unusual activity that could signify an exploit.

These agentless capabilities set the foundation for a layered security approach, but organizations need more. As your security practice matures, what you’ll want next is increased visibility into the workloads that a cloud provider API or agentless snapshot scanning has no access to. And that requires a mature security agent.

Aren’t agents bad for the cloud? That depends on the agent

Historically, security agents have always had a bad reputation. There’s a knee-jerk reaction when someone hears the word “agent” because for some, it can remind you of a time when agents were responsible for crashing a mission critical application server, interrupting a business, impacting customers, and stressing out the IT personnel who were responsible for getting things running again.

Although this may have been the case a decade or two ago, times have changed. Security agents have evolved and some modern agents have been built specifically for cloud workloads. For example, the Lacework security agent is lightweight, reliable, mature, and updates itself automatically for easy ongoing maintenance. Our 7+ years of development yield an agent with extensive coverage across 15 Linux distributions (and 5 Windows operating systems), providing customers with continuous, unparalleled visibility into all security related events that occur in your workload environment – telemetry that simply isn’t available to cloud APIs and agentless-only security solutions. This deep visibility is a significant benefit for customers who want to detect active threats in their workload environments. So agents aren’t all bad, as long as they’re designed and built properly, as the Lacework agent is.

Some security vendors may even try to avoid the “agent” stigma by naming their agent a sensor, a data collector, or a host scanner. However, like Shakespeare (or Romeo) once said:

“What’s in a name? That which we call a rose, by any other name would smell as sweet.”

Essentially, it doesn’t matter what you call that piece of software that needs to be deployed into your workload environments. What matters is its maturity, efficiency, reliability, and the value derived from it.

The best of both worlds (agentless + agents)

A comprehensive, layered security approach requires both agentless and agent-based capabilities. This combination of deployment types ensures that organizations have the best coverage for their cloud-native workloads. It also draws a similar parallel to an emerging security category – cloud-native application protection platform (CNAPP). A CNAPP solution combines cloud security capabilities into a holistic, integrated platform that provides the most possible benefits to organizations.

You could satisfy CSPM, vulnerability management, and cloud infrastructure entitlement management (CIEM) through an agentless cloud security solution, collecting data from cloud provider APIs. For a cloud workload protection platform (CWPP), an agent is required to achieve continuous, deep visibility into cloud workload runtime environments. CNAPP also includes the ability to scan container images for vulnerabilities, as well as scan Infrastructure as Code (IaC) configuration files to help shift security left, identifying security issues earlier in the software development lifecycle. Ultimately, a CNAPP solution can be leveraged to implement a layered security approach for the cloud chaos organizations may experience.

The CNAPP revolution is becoming so prevalent that recently, Frost & Sullivan released their inaugural Frost Radar Report that rated 15 vendors on their growth and innovation within CNAPP. Lacework was positioned as one of the leaders in both the innovation and growth index, further reinforcing our combined approach – providing an agentless solution that detects misconfigurations, vulnerabilities, and threats in your cloud accounts, with an agent-based approach that continuously monitors your applications and workloads for active threats. Interestingly enough, all the leaders in CNAPP (for both growth and innovation) provide agent-based security capabilities.

Modern cloud security requires a holistic security approach with a breadth of coverage that layers security capabilities for accounts, services, and workloads. Only this combination of abilities can help you get secure – and stay secure. For additional information on how Lacework delivers a layered security approach, please check out our white paper or read more on our blog.