How Agents Clean up the Mess

WHITEPAPER
Why even sysadmins are adopting agents for log collection solutions
It’s hard to resist the initial appeal of agentless deployments, especially when they’re already included in larger solutions you’ve purchased. Agentless appears to be easier to deploy and manage, which prevents it from getting the scrutiny that any enterprise software solution, especially a security solution, deserves. After all, the fewer installs the better, right? Not so fast. When budget, scalability, scope, throughput, performance and security are a concern, as they should be, you need to think agents. With the right tools, agents are easier to manage, and when properly designed they don’t add any new software dependencies. Premium agents are lightweight and secure. On top of that, agents also give you real-time delivery of your logs which, as we will cover later, is crucial to successful SIEM deployments. When premium agents are built with sysadmins in mind, everybody wins.
Solution Management
Managing agent-based solutions can seem daunting, but agents with centralized management, like Snare and the Agent Management Console, can manage and monitor the agents you have deployed. For example, you can monitor the activity status of your agents, which lets you know when there is an interruption in your logging while also validating policy configurations on all endpoints. Deploying agentless log collection solutions always seems easier at first, until you get into the nuts and bolts and spend far more time bashing your head against your keyboard than any human should. Counterintuitive as that may sound, once you get past installing the software, you still have to configure the collectors. How many endpoints are you pulling from? What are their individual and collective EPS (events per second) rates? Did you know a chatty domain controller can require an entire agentless collector server to itself? Plus you have to set the collector up with the credentials for each machine it pulls from. All of a sudden, agentless deployment becomes far more tedious than an agent-based solution. Once installed, agents can be managed en masse via a management console that turns your agents into a single cohesive solution.

“Did you know a chatty domain controller can require an entire agentless collector server to itself?”

P: (800) 834.1060
[email protected]
www.intersectalliance.com
Stack Dependencies
Agents can be built to be platform agnostic and not require a specific framework or operating system, such as IIS, Java or .NET, which negates concern around additional software dependencies and saves significant time during deployment. Snare does this not only to make deployment easier, but also to help tie together log collection across disparate systems seamlessly. Snare agents are also compatible with any SIEM, which is why Snare is the go-to for companies with mixed topographies, complex network settings and those migrating SIEMs. It is this flexibility that allows Snare clients to scale efficiently. It also prevents potential vulnerabilities when your agents aren’t dependent on additional software.

New Software Vulnerabilities
It almost goes without saying these days that additional software installs create more potential for security vulnerabilities, which is a legitimate concern whether or not your efforts are security-based. When faced with putting agents on each machine on a network or using agentless collectors that sit on far fewer machines, it may seem like agentless is the more secure approach, but that is far from the truth. Agentless collectors require login credentials for every machine they access, giving malicious actors a great opportunity to penetrate more network systems. Also, attacking an agentless collector is easy, as successfully accessing one endpoint can allow an individual to then inundate the collector server, exposing every system it collects from and leaving no way to perform thorough forensic work. Purpose-built security agents, in contrast, mitigate vulnerabilities. This is demonstrable, and it is why an increasing number of companies are partnering with Snare to obtain their Veracode certification.

Resource Usage
Another major factor in scalability is resources. As you grow your collection efforts, your hardware and bandwidth requirements shouldn’t grow exponentially. Once upon a time, agents were resource monsters, bogging down machines with large footprints and clogging networks. Lightweight agents are only three megabytes and eat up almost no CPU. Snare agents also add a full complement of noise reduction capabilities, from verbose truncation to multi-level log filtering. What does that mean? It means sophisticated output-based filtering so your SIEM is not wasting your time or money on superfluous data, reducing mean time to detection (MTTD). Agentless logging requires major network usage, as it grabs logs in bulk every five-plus minutes, creating a tidal wave pattern of activity, the vast majority of which has no forensic value and just drives up SIEM costs while eating up bandwidth.

“Snare agents are also compatible with any SIEM, which is why Snare is the go-to for companies migrating SIEMs and those trying to tie event logs and syslog together.”
The Agent Advantage
When a SIEM comes with agentless collectors, many immediately seek out agents. Whether it is cost, reliability or even resource management, there are a number of reasons why; the common denominator for all of them is that they understand the need for their collection and analysis to happen in real time. MTTD is a critical KPI for any SIEM, and when logs are only collected in bulk every five-plus minutes, that is going to raise the MTTD to a level that is unacceptable to any organization that takes its network security seriously. It may seem daunting at first, but when you have premium enterprise-level agents, it makes life orders of magnitude easier.
Snare Enterprise Agents
Many institutions are already aware of agentless shortcomings. When faced with the very real threat of digital malfeasance, the lag time of agentless logging is unacceptable. It can take well over five to 30 minutes for logs to send, and that is more than enough time for people to commit wire fraud. Not to mention the lack of reliability in log collection. When security is at a premium, companies everywhere know to steer clear of agentless solutions. They choose Snare because, unlike most agents, Snare is not an afterthought companion to a larger SIEM solution but is purpose built to upgrade every SIEM implementation regardless of software choices. We believe everybody should be able to take advantage of Snare’s reliability and efficiency.
About Intersect Alliance
Intersect Alliance is the developer of Snare, a security information and event management (SIEM) software solution. Snare is utilized in private companies and government agencies alike, and is also used in conjunction with other SIEM systems. Originally an open source project, Snare Enterprise was released to support a more aggressive road map to meet and then exceed the increasingly diverse demands of users around the world. Intersect Alliance strives to go well beyond what is required of security software, thereby helping their customers to exceed their own goals.

Further information on Intersect Alliance is available on the Internet at: www.intersectalliance.com
Pricing is a critical piece of scalable solutions. As demonstrated by the graph on the left, the larger the deployment, the steeper the savings in agent-based solutions.