Oct 31, 2023

Agent vs. Agentless: A New Approach to Insider Risk Monitoring


A question our customers commonly ask is whether our InTERCEPT insider risk management platform is agent-based or agentless.

The short answer is: “A bit of both, but better.”

Technically speaking, InTERCEPT is an agent, for the simple reason that our collector sits on the endpoint to monitor for insider risk.

Most experienced security professionals will agree that endpoint agents are required to provide visibility at the endpoint. Agentless solutions alone won’t cut it; most simply scrape Windows event logs, creating extra noise without any actionable contextual intelligence. That’s not to say agentless solutions don’t have their place. More on that later.

It’s what InTERCEPT does (and doesn’t do) on the endpoint that sets it worlds apart from other user activity monitoring (UAM) agents. For this reason, we prefer to call our solution a “lightweight forwarder”.

Agents often get a bad rap, and UAM agents are no exception: they ingest and process a ton of data (often superfluous) on the endpoint, which slams network performance and CPU utilization. This can have a negative impact on productivity, creating a terrible user experience that only incentivizes users to bypass security and subsequently introduce risk.

DTEX InTERCEPT offers a new approach to insider risk monitoring, with a lightweight solution that balances visibility with scalability and performance.

“Lightweight Forwarder” | A Next-Gen Approach to User Activity Monitoring

InTERCEPT is different by virtue of the type, amount, and processing of the data it collects:

  • InTERCEPT collects just 5MB of metadata on the endpoint per user per day. This makes for an extremely lightweight solution that enables seamless interoperability and scalability (currently proven to 800,000 users in a single implementation).
  • The data collected on the endpoint is strictly actionable metadata based on behavioral interactions, not content inspection. InTERCEPT is only interested in data that can legitimately be used to understand, detect, and mitigate insider risk ahead of a potential incident occurring. Anything else is noise, heavy on the endpoint and highly reactionary. InTERCEPT is a purpose-built solution designed to genuinely enable early risk resolution and data loss prevention. We achieve this through data quality, not quantity.
  • InTERCEPT does not process the metadata on the endpoint but moves it to the cloud, where it undergoes behavioral enrichment underscored by our patented AI and ML capabilities. InTERCEPT can, however, ingest other valuable data sources directly into the cloud and correlate them against our own metadata to provide a more holistic understanding of risk. This is how InTERCEPT has the ability to be “agentless”. This includes data across HR feeds (where some of the most important human sensor data resides) as well as data from Microsoft Office 365, CrowdStrike, Netskope, Splunk, ServiceNow, and more.

As a close partner of MITRE Corporation, DTEX knows full well that insider risk is a highly complex field that, in order to understand and resolve, requires touch points across multiple data sets, from cyber and physical to organizational and psychosocial sensors. InTERCEPT enables this holistic view of insider risk by taking the advantages of agent-based and agentless solutions and leaving their hiccups behind.

What this means for enterprise and federal entities is that they can proactively manage insider risk quickly, easily and at scale, without impacting performance. No more false positives or lost productivity or time spent on risks that don’t exist. More time to focus on stopping genuine insider risks from becoming threats in the first place.

To learn more about InTERCEPT, request a demo.
