Critical Analysis of Agentless Vulnerability Scans in Cloud Environments

Critical Analysis of Agentless Vulnerability Scans in Cloud Environments
April 1, 2024

Two years ago, we wrote a post here at Deepfence outlining the critical distinctions between agentless and agent-based security scans for environments in the blog post Agent and Agentless: a Comprehensive Approach to Security. The post documents what agent-based and agentless scans entail, different use cases that each solves for, and the critical questions each approach needs to answer moving forward. Ultimately, we said a more nuanced approach is necessary that takes elements from both approaches to provide a comprehensive security approach to securing modern environments. Over the past two years, we have talked to hundreds of organizations and compiled a number of case studies that highlight some of the growing costs associated with agentless scans when it comes to performing vulnerability assessments in cloud environments. This article examines a critical case study in agentless snapshot management for one of the largest social media giants in the world in the hopes of bringing to light some of the unseen costs of agentless security scans and encouraging companies to forge a better path forward that better balances efficiencies in the vulnerability detection process with financial viability in the cloud. 

Agentless scans conduct security assessments without installing software agents on target systems, offering simplified deployment. However, they may have limited visibility into certain system aspects and rely on network connectivity, potentially impacting performance. Despite these limitations, agentless scanning remains valuable, especially in environments where agent deployment is impractical.

These solutions offer convenience in deployment but beyond that?

As these solutions rely on scanning snapshots, the snapshots need to be stored somewhere i.e. either in the customer's cloud or the vendors. 

While agentless scans are crucial for vulnerability detection, their costs can escalate rapidly, particularly in expansive cloud environments. However, it's the overlooked snapshot expenses that pose a more insidious threat to financial sustainability.

If snapshots are stored in the vendor's cloud, organizations risk hemorrhaging more funds per scan than they save. Conversely, storing snapshots in the customer's cloud can lead to astronomical operational costs.

Case Studies on Agentless Scan Costs

Take, for instance, the case of a social media giant with over 200,000 Compute instances. The strain on their financial resources is so acute that implementing full logging for services becomes a luxury, further compromising security measures. 

To see the snapshot cost in detail, let us take an EBS volume of 100GB attached to an EC2 instance. Further, let us also assume the same thumb rule used in data backups; i.e., 3% of the data in an EBS volume changes every day. Using these two assumptions and a cost of $0.05 / GB for snapshots, the total cost of the snapshot is $9.50 for each month. Note that this cost will change depending on the size of the actual EBS volume used. For example, if we have an EBS volume of size 200GB attached to an EC2 instance, the total cost of the snapshot becomes $19 for each month. 

In addition, assuming a minimum of 90-day retention period for the snapshots, the cost of snapshot for a 100GB EBS volume is $28.50, and  $57 for a 200GB EBS volume.

If we use the data above, for an enterprise that has a 100GB EBS volume attached to each of their 10,000 EC2 instances, the total snapshot cost is at least $285,000, and for 200GB EBS volumes, it is at least $570,000.

Unsustainable Costs Across Industries

For a leading social media giant that has a 100GB EBS volume attached to each of their 200,000 EC2 instances, the total snapshot cost is at least $5.7M and for 200GB EBS volumes it is at least $11.4M.

This social media organization is not alone, organizations across industries in entertainment streaming, financial services software, restaurants and computer manufacturing all have to struggle with the complexity of managing these security scans in the cloud. Examples include the following data points: 

  • Consider a video streaming service, one of the largest users of S3 buckets. The financial strain on their resources is dire, making the issue of snapshot expenses even more pressing.
  • One of the largest financial software companies globally, maintaining over 100,000 EC2 instances, 6 million-plus Lambdas, and thousands of user accounts, faces significant challenges in managing snapshot costs. The sheer scale of their cloud infrastructure magnifies the financial strain, challenging their ability to balance security and budgetary concerns effectively.

Adding to the complexity, while snapshot-based scans are easier to deploy, they often lack context, resulting in noisy and non-actionable results. Organizations are left footing astronomical operational costs for scan results that fail to provide the necessary actionable insights to enhance security posture effectively.

  • A fast food restaurant chain encounters 70,000 vulnerabilities every time they scan!
  • One of the largest providers of insurance in the world grapples with 100,000 vulnerabilities. 
  • One of the largest computer manufacturers in the world faced 40,000 vulnerabilities, ultimately deciding to move away from these solutions.

In Conclusion

In navigating these challenges, organizations must strike a delicate balance between security, operational efficiency, and financial viability. The path to cloud security entails not only mitigating known risks but also shedding light on hidden financial burdens, ensuring a sustainable approach to safeguarding cloud environments across industries.

If you would like to go into more detail on the above use cases or learn more about the organizational case studies outlined in this article, please schedule a demo with Deepfence, and we will be happy to review with you.