Prisma Cloud’s Innovative Agentless Scanning


By Ivani Aviles, Customer Success Engineer

 

It is important to have more than one option, especially when it comes to securing your workloads. That is why Prisma Cloud became the first security platform to offer both agent-based and agentless security for workload protection. We introduced agentless scanning in our Joule release (22.01), but we have since expanded our support and capabilities quite considerably. 

 

At the time of writing, Prisma Cloud is able to provide Compliance and Vulnerability scans for both Containers and Hosts. Support has also expanded to the “big three” cloud providers (AWS, Azure, and GCP) and changes to the UI have been made in order to help users troubleshoot and to better accommodate agentless scanning in general.

 

Configuring cloud accounts for agentless scanning has never been easier. Since there are no agents to deploy, agentless onboarding is already less involved than an agent-based approach, and we also provide more than one way to set it up. Agentless scanning can be configured in either of two ways:

 

  1. Through the general cloud account onboarding process by navigating to Settings > Providers > Connect Provider > Cloud Accounts (only available in Prisma Cloud Enterprise Edition)

  2. By navigating to Manage > Cloud Accounts in the Compute Console (Runtime Security in Prisma Cloud Enterprise Edition)

 

If you opt for option #1, you will not only automate the Agentless configuration, but also CSPM configuration and, optionally, serverless function scanning.


Figure 1: General cloud account onboarding wizard

 

While “Hub Account Mode” (see Agentless Scanning Modes) can be implemented with either option, only option #2 lets you grant the hub account and the target accounts the minimum permissions each needs.

Option #1 broadly assigns all agentless-related permissions so that “Same Account Mode” can be configured as well. For more information on agentless permissions, refer to the Admin Guide: Permissions by Feature.

 

The UI has not only been streamlined for agentless configuration; other changes have been made to accommodate agentless scanning as well. You can now filter the vulnerabilities reported by scan type (Agentless or Defender) or by host status (Running or Stopped), and also by Cluster, Collection, or Distribution.

 

You can also filter by scan type in the Radars view: tick the “Defender scan only” box to show only agent-based scans, or leave it clear to view all workloads regardless of how they were scanned.

 

Figure 2: Agentless scan filter

 

As with any configuration, you may run into issues with agentless scanning. If you do, the “Agentless scan” column (see the screenshot below) will generally give a brief description of what may be causing the problem.

 

Another way to understand your agentless scanning status is to check the Console logs. Beyond surfacing errors, the logs are also useful for determining how long scans take and which regions are being scanned.

 

Figure 3: Agentless scan error

 

Common agentless configuration issues include setting the wrong Console URL in the scan specification and a misconfigured security group that does not allow communication with the Console. By default, Prisma Cloud looks for the default VPC and its associated default security group; you can override this behavior by specifying a custom security group associated with the VPC of interest in the agentless configuration settings. After setup, you can manually trigger an agentless scan or change the scan frequency by navigating to Manage > System > Scan (the default scan frequency is 24 hours).

 

Figure 4: Agentless scan settings

 

Compared to the agentless approach, Defenders are more involved to configure and occasionally require upgrading. However, Defenders are an integral part of workload security: because of their architecture, they have a near real-time view of kernel-level activity. For more sensitive workloads, the additional capabilities Defenders provide, such as blocking anomalous processes and stopping containers that may be compromised, are important to have.

 

While our agentless scanning capabilities have quickly expanded to provide better insights into the health of your workloads, there are some limitations that can only be addressed by utilizing Defenders. With that being said, both agent-based and agentless scanning should be deployed together and both are here to stay. The two approaches to workload security will be developed alongside one another and will ensure that Palo Alto Networks will continue to be the one-stop shop for your security needs.

 

References

 

Agentless Scanning Process

Agentless Scanning Modes

Agentless Scanning Results

Configure Agentless Scanning



1 Comment

@IAviles The first 3 paragraphs are repeated twice. Wouldn't it be better to remove the redundancy?
