Protection Tax

Thursday, October 25, 2012

Tripwire Inc


Article by Michael Thelander

I’ve been talking to customers a lot lately. And it’s true what they say: Customers are always right. Except when they’re wrong and just don’t know it yet.

A while ago I wrote this post on agents: Do you love ‘em? Do you hate ‘em? Why? It was a bit self-serving, because here at Tripwire we rely heavily on our lightweight, stable, agent-based technology to get some serious security stuff done. Like managing your security configurations… like detecting unauthorized changes to user tables… like monitoring your other security controls for anti-forensic activity.

As I spoke with another customer this week he put it pretty succinctly: “You’ve always got to pay a tax.”

If you use agents you pay a tax that looks like:

  • Constantly negotiating with ops for space on a box
  • Persistent requirements for space and processor capacity
  • Headaches when agents or their services stop for some unfathomable reason

In return for this particular protection tax you get to have instant visibility into systems and configurations, when and where you need it. You get to do things like “continuous monitoring” (shameless plug: here’s a webcast we just did on CM).

If you use agentless scans you pay a tax that looks like:

  • Periods of invisibility, where your security posture is on the dark side of the moon
  • Less granularity of inspection
  • Network traffic
  • No continuous monitoring

In return for this particular protection tax you get to remove your agent burdens (real or perceived) and focus on the task at hand.

Unfortunately, you don’t know what you don’t know. You don’t know what your security posture looks like between scans, and you don’t know what configuration-related exploit or breach indicators (“That’s odd… someone enabled a Telnet session yesterday”) you might be missing.

And my bottom line tends to be this: In today’s security-is-just-an-illusion threat environment, getting visibility and knowledge — and getting them fast — is everything.

Cross-posted from Tripwire's State of Security
