Thomas from Matasano recently posted some thoughts on agents (here), in a nutshell…

Enterprise security teams should seek to minimize their exposure to endpoint agent vulnerabilities, by:

  1. Minimizing the number of machines that run agent software.
  2. Minimizing the number of different agents supported in the enterprise as a whole.

Ryan has a great response (here).

I have been quite vocal about the failures of most agent architectures, AV in particular. They all lack a strong management infrastructure to support them, and many introduce security vulnerabilities.

But the reality is that until we go back to a thin-client architecture, systems and security management agents are required. There is no other way to do all the things IT needs to do to the endpoints, from a security or an operational perspective, and no other way to gain real-time control over them. Real-time visibility and control are key to improving both security and operational effectiveness.

You need agents and you need strong network security. You need both. Anyone who tells you otherwise has an agenda. I agree that organizations need to limit the number of agents deployed; there are far too many fighting for control of system resources. So the advice is really to eliminate redundant and insecure agents and realign disparate agents into a common management infrastructure.

