Security agents as a weak point: guardian or enemy?
Are agent-based cloud security solutions exposing companies to the risk of a supply chain attack?
The Principle of Least Privilege (PoLP) is a cornerstone of IT security. With increasingly distributed IT environments, PoLP and Zero Trust are now more important than ever. Orca Security therefore believes that, against the background of increasing attacks on the supply chain, it is important to ensure that these principles also apply to security solutions. However, agent-based security solutions require full permissions for the machine on which they are installed. This means that the same cloud security solutions that companies rely on increase the risk to the company and potentially open a backdoor to supply chain attacks.
John Alexander, CISSP, Senior Director of Technical Product Marketing at Orca Security, explains the underestimated risks:
PoLP has been one of the most important security best practices for many years and states that companies should grant identities only the permissions and access to the resources necessary to perform their tasks, and no more. Zero Trust goes one step further and states that you should never implicitly trust a user or a service. Once a user’s identity is proven, they only get access to the specific resources they need at that time.
The application of these principles is crucial in the age of distributed IT to protect against the increasingly frequent attacks on the supply chain. Recent examples have shown how attacks on the supply chain can have devastating consequences: SolarWinds and CodeCov have shown the world how a single attacked service can endanger tens of thousands of companies.
Security Agent: guardian or enemy?
Security providers with agent-based solutions choose the easy way and build their agents so that they only support the installation with “administrative rights”. The companies as customers have no choice: without administrator rights, these agents do not work. If you look at the installation instructions for almost any agent, it becomes clear that it runs as a privileged service that can do practically anything in the installed environment. However, this practice directly violates the principle of least privilege.
It’s in the nature of things that security tools require broad access, but that doesn’t mean they need unlimited access. Consider the following scenarios:
- A security tool that checks a host for vulnerabilities or malware does not require the same permissions as the host.
- A security tool that protects a server with access to privileged data stores does not also require access to these data stores.
- An agent running on a server that is exposed to the Internet does not also need to communicate with the Internet.
Ideally, security agents should not inherit the permissions of the protected object, but should run with the minimum permissions required to perform their task. This applies to both permissions and network access. Even if companies trust the security provider, granting excessive access can lead to disastrous events. The provider could be hacked by attackers who want to gain access to the customer environment. Or, which is much more likely, the provider’s solution could include an open source tool that later turns out to be malicious and runs throughout the environment.
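To make the three scenarios above checkable on a Linux host, the following added example (not code from Orca or from any agent vendor) audits a systemd service unit for the settings that decide whether an agent inherits the host's permissions, file access and network reach. The unit contents, the "example-agent" name and the paths are constructed for illustration; the directives themselves are standard systemd options.

```python
import configparser

# Constructed sample units for a hypothetical "example-agent"; not from any real product.
PRIVILEGED_AGENT = """\
[Service]
ExecStart=/opt/example-agent/agentd
Restart=always
"""

CONFINED_AGENT = """\
[Service]
ExecStart=/opt/example-agent/agentd
User=example-agent
NoNewPrivileges=yes
ProtectSystem=strict
InaccessiblePaths=/var/lib/postgresql
IPAddressDeny=any
IPAddressAllow=10.0.0.5
"""

TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings systemd accepts


def audit_unit(unit_text):
    """Return least-privilege findings for one systemd service unit."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep directive names case-sensitive
    parser.read_string(unit_text)
    svc = parser["Service"] if parser.has_section("Service") else {}
    findings = []
    # Scenario 1: the agent should not hold the same permissions as the host.
    if svc.get("User", "root") in ("root", "0"):
        findings.append("runs-as-root")
    # Scenario 2: the agent should not get write access to the host's files and data.
    if svc.get("ProtectSystem", "no").lower() != "strict":
        findings.append("writable-filesystem")
    # Scenario 3: the agent should not inherit the host's network reach.
    isolated = svc.get("PrivateNetwork", "no").lower() in TRUE_VALUES
    deny_all = svc.get("IPAddressDeny", "").lower() == "any"
    if not (isolated or deny_all):
        findings.append("unrestricted-network")
    return findings


if __name__ == "__main__":
    for name, text in (("privileged", PRIVILEGED_AGENT), ("confined", CONFINED_AGENT)):
        print(name, audit_unit(text) or "ok")
```

A unit with no User= line runs as root by default, which is why the first sample is flagged on all three points even though it sets nothing explicitly.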
Example of a supply chain attack made possible by agents
Unimpeded access by the security agent can cause damage in a cloud environment by opening it up to a supply chain attack. A security agent might use a specific library to parse JSON, PDF, and other file types. Suppose that, despite good internal security practices, the library contains a remote code execution (RCE) vulnerability. An attacker could create files to exploit this vulnerability. The files may contain payloads that install a malicious tool, communicate with a Command & Control (CnC) server, or encrypt the data on the host and send a message to demand a ransom. This happens not only in the case of a targeted attack, but also when attackers spread these infected files widely.
A security agent using the vulnerable library is a preferred target for attackers. The payload is executed with full permissions, with the ability to encrypt files, communicate with a CnC server and even move laterally through the cloud environment. So if agents can potentially expose companies to a supply chain attack, how can the cloud environment be reliably protected? The answer lies in the use of an agentless cloud security solution.
Agentless SideScanning follows the principle of least privilege
As an agentless Cloud Native Application Protection Platform (CNAPP), the Orca Security platform offers numerous benefits, including fast deployment, full visibility, contextual insights, and more. In addition, Orca’s platform fully adheres to the PoLP principle, limiting privileges to the absolute minimum. Instead of agents, Orca uses its proprietary SideScanning technology to scan cloud workloads out-of-band. In addition, unlike agents, SideScanning does not inherit the permissions of the scanned workloads. For example, SideScanning can scan a cloud environment in which a banking system is running without access rights to customer data.
If the hypothetical RCE vulnerability mentioned above is exploited in the Orca platform, the impact will be much smaller than with agent-based security solutions, for the following important reasons:
- No Internet connectivity: There is no malicious code running on an agent that could interact with a CnC, because Orca does not use agents. The Orca SideScanner runs without activated Internet communication.
- Read-only access: Orca’s SideScanner has no write access to data and only accesses a read-only snapshot. Any ransom activity has no effect on the real data.
- Dedicated, short-lived instances: Since SideScanning technology runs on dedicated instances, its vulnerability is significantly lower. These instances are short-lived and have very limited network access, so they can only access the scanned data and send the digest scan results to a specific and dedicated data store. They are also not reused between scans or assets, which further reduces the attack surface.
In addition to PoLP compliance, SideScanning from Orca offers other advantages, including full visibility and coverage without installing a single agent: once the platform is deployed, all cloud assets of an enterprise are covered. This also applies to inactive, suspended and stopped workloads, orphaned systems and devices/OS that cannot support agents.
It’s time to change the way companies implement security
PoLP is still a proven method because it effectively reduces the attack surface. However, providers of agent-based security solutions do not adhere to PoLP, as they develop their agents in such a way that they take over the permissions of their hosts. This means that the security controls that companies rely on actually increase their risk of supply chain attacks. It’s time for a new approach: a security solution that provides complete visibility without increasing the risk.