Insider Threat Management

Agent-based vs. Agentless User Activity Monitoring

Agent-based vs. Agentless User Activity Monitoring

(Updated on 11/04/2020)

User Activity Monitoring solutions generate logs and screen videos of all user actions on company servers and desktops. In terms of how this kind of system is deployed, there are actually two approaches: agent-based and agentless. This post presents the pros and cons of each approach, and share two customer stories that demonstrate how some of the inherent issues played out for those customers.

Agent-based vs. Agentless Monitoring

Before getting to the nitty-gritty, it is important to emphasize that both agent-based and agent-less systems can record screen video user activity and log user actions. It’s just that each approach has certain advantages or disadvantages relative to the other. It’s also important to realize that there are cases where it makes sense to deploy a combination of the two, something that is straightforward with any good User Activity Monitoring solution.

Agent-based User Activity Monitoring

An agent is a small software program that is installed on each computer to be monitored. The agent’s primary functions are collecting data on user activity in all applications, webpages and system areas, and transmitting the data it collects about each session to a central server for processing, analysis and storage.

Because, in this approach, the agents operate within the computer being monitored, they are able to capture every user action—as well as details about the computer, operating system, hardware and connected devices – regardless of whether users log in locally or connect from remote locations. This is the biggest advantage of this approach. Here is a list of all the advantages of the agent-based approach, as compared with the agentless method (which I will describe in a moment):

  • Captures user activity regardless of how users connect to servers,— through both local console login and remote-access login methods
  • Captures keystrokes and mouse clicks in locally-running applications
  • Captures extensive details on running processes, plus the operating system, local file system, machine hardware and connected devices
  • Allows interactive intervention in a user’s session (e.g., messaging, kill session) when needed
  • Can record user activity to a local cache for later transmission, when network connectivity is interrupted

The two primary disadvantages of the agent-based approach are:

  • Requires installation and management of agents on each monitored computer
  • Introduces some CPU and RAM utilization overhead on each computer

 

The Agentless Approach to User Activity Monitoring

“Agentless” means that no software agent is installed on each individual computer being monitored. Instead, the User Activity Monitoring system either captures user activity on target machines conducted through a monitored gateway server, or it captures and analyzes the network traffic flowing between users’ client machines and the servers they are accessing.

The most important aspect to keep in mind about agentless monitoring systems is that it can only monitor remote access to the monitored computers—local console access to the remote computers will not be recorded at all.

The main advantages of the agentless approach, as compared with the agent-based method, are:

  • Does not require resources on the individual computers being recorded
  • Does not require management overhead to install or manage agents on every monitored computer
  • Can record configuration changes to network devices, storage subsystems, hypervisors, etc. on which agents cannot be installed

The main disadvantages of agentless monitoring are:

  • Can only capture client-server interaction between the client computer and remote server, but can capture nothing about local user activity on the remote computer, locally-running process, hardware elements or other details of the computer itself
  • Can only capture details of client-server network traffic that can be parsed and understood (custom  applications and encrypted data traffic cannot be monitored in any meaningful way)
  • Requires network re-routing in order to capture all traffic between clients and monitored computers—adds network topology complexity and a single point of failure

Real-Life Examples

Example of Agent-based Monitoring

A large insurance company that I was helping with some large-scale IT projects decided to deploy a User Activity Monitoring solution to aid in regulatory compliance efforts. Because the compliance requirements were around monitoring the activity of remote IT contractors accessing internal servers, the company decided on an agentless approach. They deployed a number of gateway servers which provided contractors with the only means of accessing the servers on which they worked. Agents were deployed on these gateway servers in order to record all the sessions performed on the target servers—without any agents installed on the target servers themselves.

One day, after a fairly wide systems failure caused significant harm to the company, it was discovered that a particular configuration change on a critical server brought down a central DNS. Eventually, the IT folks discovered that this change was made on a server to which remote contractors had access and so naturally assumed that a contractor was at fault. However, the User Activity Monitoring system did not contain any record of a contractor making the change. It turns out that it was an internal junior IT administrator who logged in to the machine using its local console—something that is not recorded when using the agentless approach.

Given the high levels of transparency into user actions that the IT admins had gotten used to with the remote contractor monitoring in place, not knowing what in-house admins were doing suddenly became a difficult pill to swallow! This one incident led the company to deploy agents on all the sensitive servers in the organization. Now, with the agent-based approach at their disposal, it is fast and easy for them to audit all administrator activity on all sensitive servers and even receive real-time alerts for dozens of specific dangerous user activity scenarios. By moving to an agent-based deployment, this insurance company realized better IT security and more comprehensive control over their entire IT infrastructure.

Example of Agentless Monitoring

I consulted with a bank that had already been using agent-based User Activity Monitoring on all its application and database servers for some time. Every user action on every server was closely monitored and audited, providing an excellent degree of IT security and control. They were happy with the system, but needed to address a hole in their user monitoring: configuration changes made to network devices, such as routers and firewalls. Because administrators were logging in from their desktops or laptops to the devices, and because agents could not be installed on these devices, there was no way to know who was doing what in the devices’ configuration interfaces.

This was a case where an agentless approach could solve the problem. We set up a gateway server as the only avenue to reaching the network devices, even by internal administrators. An agent on the gateway server could then monitor and record every action performed by every user when logged in to any device on the network. This improved IT oversight and the company’s security posture. It made it easy to audit changes made to network device configurations, to generate alerts in real time when particular changes were made, and dramatically speed up IT incident response via user-activity-based forensics.

Final Thoughts

Which deployment method to choose for a User Activity Monitoring Tool can be tricky. Both approaches have various positives and negatives, yet choosing one is solely dependent on current organizational needs.

Subscribe to the Proofpoint Blog