Creating a Vulnerability Management Program – Vulnerability Scanners: How They Help Cybersecurity Readiness
- Jul 26, 2022
- Brad LaPorte
Learn how to identify the right vulnerability scanner(s) for your organization’s needs.
So far in this series, we have laid out the fundamentals of cybersecurity and described the need to be systematic in analyzing your organization’s needs and capabilities. As we have noted, this is a marathon, not a sprint, and you need to ensure all your processes and purchases follow a step-by-step maturity model.
We’re now moving from some of the definitions and theoretical understandings of cybersecurity preparedness to the practical applications of cybersecurity readiness. In the last blog entry, we discussed the need to approach patching intelligently, recognizing its inherent complexities that might not be apparent at first. Now we are moving into the realm of accurately evaluating your organization’s cyber exposure. That is, where exactly are you providing an opening to cybercriminals that you otherwise wouldn’t know about?
You might think of this as part of the “Discovery” phase of cybersecurity. But, returning to an earlier point about the work of keeping organizations safe, the phase never ends. You’ll need to be continually discovering where your vulnerabilities are. In time, your understanding will grow, as well as your ability to respond quickly and appropriately. Think of the measures you’ll take here as ones you’ll build upon rather than use temporarily and replace later.
Before digging into specific tools and services, let’s introduce the concept of “vulnerability analytics.” This is the umbrella term for all the efforts made in fully identifying all the vulnerabilities that might affect your organization, then putting in the proper context to spur action. Within this broad category are other terms you’re likely to come across, such as “vulnerability assessment,” “vulnerability management,” and “vulnerability prioritization technology.” Vulnerability analytics itself is part of an even larger umbrella term – “exposure management” – but we’ll get to that in the future.
Organizations eventually want to get to the point that they have a fully developed stack of tools and processes that help them avoid the breaches that come from unaddressed vulnerabilities. The organization that has achieved the most mature stage of cybersecurity preparedness can detect vulnerabilities wherever they exist – not just in east-west (internal) traffic but also north-south (perimeter) traffic, across the network, email, endpoints, etc. Our first consideration is performing vulnerability assessments – that is, just where are you vulnerable?
Broadly speaking, you can detect vulnerabilities by running automated solutions, hiring people to do the job, or both. Automated solutions include vulnerability scanners, application security tools, and software composition analysis tools. Humans can be hired to perform penetration testing, run red-team simulations, and participate in bug bounty programs.
There are benefits to each approach. Automated solutions and services are generally cheaper and can be readily repeated without incurring additional costs. Human solutions can dig deeper into your attack surface and turn up vulnerabilities the automated solutions miss, but they’re just a snapshot in time and aren’t scalable. For a company just building its vulnerability analytics capabilities, it’s probably a better bet to start with a vulnerability scanner rather than hiring a penetration testing crew. We’ll save a discussion of pentesting – which can be done through an application as well – for the next blog entry.
While application security tools and software composition analysis tools perform functions similar to vulnerability scanners, they are designed to identify different classes of vulnerabilities. Space only allows us to examine vulnerability scanners in depth, but the principles behind these automated solutions are similar.
Vulnerability scanners were first introduced in the late 1990s, so they’re not exactly a novel solution. Several well-established vendors offer vulnerability scanners, but before you start comparing features you should know what you’re scanning for.
Scanners can be used to detect vulnerabilities in different areas of your infrastructure. You might want a scanner that looks at where you’re exposed on the internet, or one that looks for potential entry points close to where sensitive company information is stored. If, for example, you don’t have much of an internet presence but do have a database that must be protected at all costs, the scanner should excel at that function.
More specifically, there are these basic types of scanners:
Network-based vulnerability scanners: These scan your systems across the network, looking for open ports and services, and checking whether those services have configuration weaknesses or known vulnerabilities. These scanners in turn might examine either internal or external networks.
Agent-based vulnerability scanners: This method installs lightweight scanning software on each device needing coverage. For an organization with a simple internal network and a reliance on cloud infrastructure, this can be effective. Organizations with complex networks might want both agent-based scanners and network-based vulnerability scanners.
Web application scanners: As the name implies, these focus on vulnerabilities in web applications and websites. One thing to check is whether a scanner whose vendor claims this capability can actually get past the login page – called “authenticated” scanning – so that it covers the same pages and functions a cybercriminal with valid credentials would be able to reach.
Cloud/container scanners: Unlike network scanners, these identify vulnerabilities and misconfigurations in both base images and running virtual machines. By remediating security flaws in base images, you can be assured that newly deployed virtual machines are as secure as possible.
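To make the network-based scanner description above concrete, here is an added example (not code from the original post or from any scanner vendor) of the core logic such a scanner applies once it has probed a host: it parses the service banners it observed, compares product versions against a table of affected version ranges, and flags cleartext services as configuration weaknesses. All hosts, banners, advisory IDs and version ranges are constructed for the example and are not real findings.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a network scanner observes after probing hosts:
# (host, port, service name, banner). Not real hosts or real findings.
OBSERVED_SERVICES = [
    ("10.0.0.5", 22, "ssh", "SSH-2.0-OpenSSH_7.4"),
    ("10.0.0.5", 80, "http", "Server: ExampleHTTPD/2.1.0"),
    ("10.0.0.9", 23, "telnet", ""),
    ("10.0.0.9", 22, "ssh", "SSH-2.0-OpenSSH_9.3"),
]

# Constructed "plugin" table: product, affected range [low, high),
# severity, and a placeholder advisory id (not a real CVE number).
KNOWN_VULNERABLE = [
    ("OpenSSH", (7, 0), (8, 0), "high", "ADVISORY-PLACEHOLDER-1"),
    ("ExampleHTTPD", (2, 0, 0), (2, 1, 5), "medium", "ADVISORY-PLACEHOLDER-2"),
]

# Configuration weaknesses: services that carry credentials in cleartext.
CLEARTEXT_SERVICES = {"telnet": "high", "ftp": "medium"}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    severity: str
    title: str


def parse_banner(banner):
    """Extract (product, version tuple) from a banner like 'SSH-2.0-OpenSSH_7.4'.

    Returns None when the banner carries no recognisable product/version pair.
    """
    match = re.search(r"([A-Za-z]+)[_/](\d+(?:\.\d+)*)", banner)
    if not match:
        return None
    version = tuple(int(part) for part in match.group(2).split("."))
    return match.group(1), version


def in_range(version, low, high):
    """Affected if low <= version < high (half-open range, as most version checks use)."""
    return low <= version < high


def assess(observed=OBSERVED_SERVICES):
    """Turn observed services into findings: config weaknesses plus known-vulnerable versions."""
    findings = []
    for host, port, service, banner in observed:
        if service in CLEARTEXT_SERVICES:
            findings.append(Finding(host, port, CLEARTEXT_SERVICES[service],
                                    f"{service} service transmits credentials in cleartext"))
        parsed = parse_banner(banner)
        if parsed is None:
            continue  # nothing to version-match; an unauthenticated scan stops here
        product, version = parsed
        for prod, low, high, severity, advisory in KNOWN_VULNERABLE:
            if prod == product and in_range(version, low, high):
                version_text = ".".join(str(p) for p in version)
                findings.append(Finding(host, port, severity,
                                        f"{product} {version_text} affected by {advisory}"))
    return findings


def severity_counts(findings):
    """Summary a scanner report would show: how many findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess():
        print(f"{f.host}:{f.port} [{f.severity}] {f.title}")
    print(severity_counts(assess()))
```

Note that the banner check is only as good as the version the service advertises; a backported fix that leaves the version string unchanged shows up here as a false positive, which is the kind of discrepancy the post warns about when comparing scanners by raw finding counts.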
Most vendors have a trial period, so you can see how well they work on your system. But be aware that while one scanner might report more vulnerabilities than another, it may include false positives. You may just want to see how much you like the look and feel of each scanner.
It may be more valuable to do a deep dive into the scanners’ documentation to make sure each you’re considering can perform what you want it to do. There is a wealth of online material about the leading providers as well, with pros and cons listed by both experts and users. Once you have gone through all the other steps and feel a need to decide on one or another, those online reviews might be helpful. But see if there’s a consensus agreement rather than relying on the viewpoint of a single source.
And keep in mind that, eventually, you might want to follow the lead of other organizations and have two or more scanners, recognizing that each scanner has different strengths.
Vulnerability scanning, as with most of Vulnerability Management, is not a “one and done” process. SANS also recommends rescanning after you have remediated the findings of your original scan. While vulnerability scanning needs to occur on a recurring basis, the timeframe for scans really depends on the capabilities and risk appetite of your organization, meaning how quickly you are able to remediate the vulnerabilities your scans identify and where vulnerability scanning falls on your priority list.
While vulnerability scanning is a crucial component of a successful Vulnerability Management program, scanning alone isn’t enough to ensure your organization remains secure. Scanning only identifies vulnerabilities; it doesn’t necessarily identify their root cause. To dig deeper, penetration testing uses human expertise to uncover where and how cyber attackers could reach secure systems or stored sensitive data.
Ultimately, of course, you’ll need to be able to make use of the information the scanners are providing quickly and easily. That’s one tremendous benefit of NopSec’s platform. It’s designed to integrate with all the major vendors. As of this writing, NopSec integrates with vulnerability scanners from Qualys, Tenable, Rapid7, CrowdStrike, BeyondTrust, SonarQube, BurpSuite, Micro Focus, Checkmarx, Veracode, IBM, Threat Stack, jFrog, AWS, WhiteSource and Tripwire.
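The two practical points above, rescanning after remediation and consuming output from more than one scanner, come together in the bookkeeping below. This is an added example written for this post, not NopSec’s platform code or any vendor’s export format: it normalizes findings from two hypothetical scanners with different schemas into one keyed set, diffs a baseline scan against a rescan to classify findings as fixed, new or persistent, and flags persistent findings that have exceeded a remediation window per severity. Scanner names, field names, hosts, dates, advisory IDs and SLA values are all constructed.

```python
from datetime import date

# Constructed exports from two hypothetical scanners ("A" and "B") with
# different schemas. Values are made up; advisory ids are placeholders.
SCANNER_A_BASELINE = [
    {"ip": "10.0.0.5", "plugin": "ssh-outdated", "sev": 3, "ref": "ADVISORY-PLACEHOLDER-A", "seen": "2022-07-01"},
    {"ip": "10.0.0.5", "plugin": "http-outdated", "sev": 2, "ref": "ADVISORY-PLACEHOLDER-B", "seen": "2022-07-01"},
    {"ip": "10.0.0.9", "plugin": "telnet-open", "sev": 3, "ref": None, "seen": "2022-07-01"},
]
SCANNER_B_BASELINE = [
    {"asset": "10.0.0.5", "name": "SSH outdated", "severity": "High", "id": "ADVISORY-PLACEHOLDER-A", "date": "2022-07-01"},
    {"asset": "10.0.0.12", "name": "Weak TLS config", "severity": "Medium", "id": None, "date": "2022-07-01"},
]
# Rescan after remediation: the SSH issue was fixed, the rest persist, one new finding.
SCANNER_A_RESCAN = [
    {"ip": "10.0.0.5", "plugin": "http-outdated", "sev": 2, "ref": "ADVISORY-PLACEHOLDER-B", "seen": "2022-08-15"},
    {"ip": "10.0.0.9", "plugin": "telnet-open", "sev": 3, "ref": None, "seen": "2022-08-15"},
    {"ip": "10.0.0.9", "plugin": "smb-signing-disabled", "sev": 2, "ref": None, "seen": "2022-08-15"},
]
SCANNER_B_RESCAN = [
    {"asset": "10.0.0.12", "name": "Weak TLS config", "severity": "Medium", "id": None, "date": "2022-08-15"},
]

SEVERITY_WORDS = {3: "high", 2: "medium", 1: "low"}
# Constructed remediation windows (days) per severity; tune to your own risk appetite.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}


def normalize_a(rows):
    """Scanner A rows -> {(host, reference): finding}. Reference is the advisory id, else the plugin name."""
    out = {}
    for r in rows:
        key = (r["ip"], r["ref"] or r["plugin"])
        out[key] = {"severity": SEVERITY_WORDS[r["sev"]],
                    "first_seen": date.fromisoformat(r["seen"]), "title": r["plugin"]}
    return out


def normalize_b(rows):
    """Scanner B rows -> the same common schema as normalize_a."""
    out = {}
    for r in rows:
        key = (r["asset"], r["id"] or r["name"])
        out[key] = {"severity": r["severity"].lower(),
                    "first_seen": date.fromisoformat(r["date"]), "title": r["name"]}
    return out


def merge(*normalized):
    """Union of scanner outputs: the same (host, reference) reported by two
    scanners is one finding, keeping the earliest first_seen date."""
    merged = {}
    for source in normalized:
        for key, finding in source.items():
            if key not in merged or finding["first_seen"] < merged[key]["first_seen"]:
                merged[key] = finding
    return merged


def diff_scans(baseline, rescan):
    """Classify findings between two scans by their (host, reference) keys."""
    before, after = set(baseline), set(rescan)
    return {"fixed": before - after, "new": after - before, "persistent": before & after}


def overdue(baseline, rescan, as_of):
    """Persistent findings whose age (from baseline first_seen) exceeds the SLA for their severity."""
    late = []
    for key in diff_scans(baseline, rescan)["persistent"]:
        finding = baseline[key]
        age_days = (as_of - finding["first_seen"]).days
        if age_days > SLA_DAYS[finding["severity"]]:
            late.append((key, finding["severity"], age_days))
    return sorted(late)


def run_example():
    """Wire the constructed exports through the pipeline; returns the diff and overdue list."""
    baseline = merge(normalize_a(SCANNER_A_BASELINE), normalize_b(SCANNER_B_BASELINE))
    rescan = merge(normalize_a(SCANNER_A_RESCAN), normalize_b(SCANNER_B_RESCAN))
    result = diff_scans(baseline, rescan)
    result["overdue"] = overdue(baseline, rescan, date(2022, 8, 15))
    return result


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(bucket, sorted(items))
```

The key choice here is deduplicating on (host, advisory reference) rather than on each scanner’s own plugin name, so that the same weakness reported by two products counts once; findings with no shared reference fall back to the scanner’s title and will not deduplicate across vendors, which is a limitation to keep in mind when comparing raw counts between scanners.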
At NopSec, we know how much there is to think about when you’re trying to lead your security team from the initial stages of protection to the more advanced levels. See how other leading cybersecurity teams are succeeding by reading the 2022 State of Vulnerability Management Report.
Answer: Scanners are automation tools that can be used to detect and report vulnerabilities in different areas of your infrastructure.
Answer: There are three basic types of scanners: network vulnerability scanners, agent-based vulnerability scanners, and web application scanners. Many organizations opt to have multiple scanners as they have different capabilities and focuses.
Answer: Network vulnerability scanners, agent-based scanners, web application scanners, and cloud/container scanners.
Next: Creating a Vulnerability Management Program – Penetration Testing: Valuable and Complicated