Aqua Security CEO: ‘No One’ Is Leading With Agentless Anymore

During 2023, the cloud security market saw ‘complete disillusionment around this agentless messaging,’ Aqua CEO Dror Davidoff tells CRN.

ARTICLE TITLE HERE

One of the major cloud security developments in 2023 was the reality check in the market around the limitations of agentless tools, according to the CEO of a top cloud security unicorn.

While agentless tools such as cloud security posture management (CSPM) have found massive interest thanks in part to their ease of deployment, the limitations of the tools for directly improving security outcomes became widely evident this year, Aqua Security CEO Dror Davidoff said in an interview with CRN.

Customers have realized, “‘We’ve got visibility, we understand our cloud, we understand what’s running — but this is not yet security. Now I need to have my controls in my production environment,’” he said.

In 2023, “there was complete disillusionment around this agentless messaging,” Davidoff said. “For a couple of years, people were hoping, ‘Oh my God, in the cloud, we can do this all agentlessly.’ You cannot.”

Davidoff, who co-founded Aqua Security in 2015, is not unbiased on the topic, given that his company has specialized in securing the cloud using installed software agents. However, Aqua does now offer agentless tools, and “you can do some things without an agent,” he said.

“But to really have a full solution, you must have an agent in place, and you want to be able to block bad things from happening in real time,” Davidoff said. “You want to be able to react in a very immediate and decisive way if there is a problem.”

In recent years, startups such as Wiz and Orca Security have stormed into the cloud security market with an agentless method for securing public cloud environments such as AWS, Microsoft Azure and Google Cloud.

Leveraging API connections, the approach involves taking snapshot scans of cloud environments, rapidly providing visibility into security issues such as cloud misconfigurations.

In just a few years, the agentless approach has transformed Wiz into the top-valued unicorn in cybersecurity, while turning Orca into an IPO contender.

Market Transition

But 2023 did indeed see a shift in the market, according to Gartner analyst Mark Wah, with some of the agentless companies taking their first steps toward providing agent-based functionality. Most major cloud security vendors at this point are in the process of building out a CNAPP (cloud-native application protection platform) that includes a broad range of capabilities, both agentless and agent-based, Wah said in a previous interview with CRN.

The moves come amid the realization by many customers that the “previous positioning of agentless approaches to CSPM may not be sufficient to cover runtime,” he said.

That contributed to influencing vendors such as Wiz to expand from periodic snapshot scanning to offer capabilities for real-time monitoring of cloud workload threats, Wah said. In June, Wiz introduced its Runtime Sensor tool that uses a “lightweight” agent to provide detection and response in the cloud.

Davidoff acknowledges that agentless tools can improve visibility into cloud security risks.

“When you take a snapshot of the environment, and then you analyze it and scan it, you identify vulnerabilities, you understand the inventory — you provided good visibility. But you didn’t secure the environment,” he said.

In the cloud security market, “try and look for any company that is now leading with agentless security,” Davidoff said. “No one is saying that anymore.”

Cloud Maturity

At this point, there’s no question that organizations need more than just agentless tools to fully secure their cloud deployments, said Mark Butler, advisory CISO at Trace3, No. 36 on CRN’s 2023 Solution Provider 500. Irvine, Calif.-based Trace3 partners with numerous cloud security vendors including Aqua Security, Palo Alto Networks, Wiz and Lacework.

Wiz, for instance, has excelled at providing “remediation guidance — but somebody’s got to consume all that and go fix it,” Butler said.

Clearly, companies that offer robust agents such as Aqua Security have had the “upper hand” in the remediation side of the equation, he said — though he noted that there’s also significant “agent fatigue” among many IT and security operations teams.

At the same time, organizations that are only interested in agentless tools are likely not as mature, security-wise, as customers that are interested to explore a full CNAPP offering, Butler said.

“When a client comes to us and they say, ‘I need a CSPM’ — the fact that they’re asking about a CSPM probably tells us a little bit about their mindset,” he said. “If a client comes to us and says, ‘I want the best CNAPP solution out there,’ it’s a much more mature cloud organization.”