Vulnerability Scanning Best Practices

Vulnerability management’s cornerstone is largely going to revolve around setting up and managing your infrastructure scanner in order to find, report and fix vulnerabilities before they can be used against you. The actual setup of your scanner is integral for vulnerability scanning, obviously; but, before you can efficiently scan your environment, you’ll need to get a lay of the land from your infrastructure team and figure out how your network is configured. 

Getting Started with Vulnerability Scanning

Getting the current state of your environment will encompass several teams and require cooperation from all of them to make scanning as efficient and effective as possible. Some of the high-level questions you’ll need to get answered include the following (and likely many more):

• How is the network segmented?
• What is static vs. DHCP?
• How prevalent are access groups?
• What do the current ownership groups look like (i.e., are they owned by site, app, system type, etc.)?
• What is the normal patching window?

Once you get these answers, there are several questions of what methods of scanning, which we will outline shortly, that you want to use and what is the best setup for your environment, including if you want to scan with agents, scanners or both. 

Building According to Vulnerability Scanning Best Practices

The best case is to get an agent on as many devices as you can and have a scanner (or multiple) scan over the rest of your network in order to catch all assets that don’t have an agent, including both your assets that are known about and accepted to not have an agent and your other devices that may not be known about that either missed the agent install or are foriegn assets. 

There are these basic types of scanners you’ll need depending on which parts of your network you want to monitor:

• Network Vulnerability Scanners
• Agent-Based Vulnerability Scanners
• Web Application Vulnerability Scanners
• Cloud/Container Vulnerability Scanners

You can learn more about these types of vulnerability scanning solutions and how to choose vendors through our series “Creating a Vulnerability Management Program” – specifically our post on vulnerability scanners. 

Once you have the scanner deployed, you’ll need to figure out what cadence you want / need to scan all your assets. Ideally, you match up with the networking team’s patch window in order to get them the most up-to-date results (i.e., assets with agents on them will report back at least daily). 

Finally, you’ll want to figure out what level of credentialed scanning you want to run (i.e., agents will be fully credentialed by design) – meaning you’ll have to work with the IAM team in order to get credentials to get full access in each domain to scan the devices in each.

Putting It All Together

Now that you’ve scanned all these assets you’ll need to set up asset groupings and/or tagging so that you can report results both out to the networking team and up to executives. 

Ideally, you’ll have several sets of grouping including things like OS, region, site number, and who is responsible for patching. All of this should be cut to be as granular as possible and roll up into higher levels (i.e., Windows Server 2019 → All Windows Servers → All Servers). Some or most of this may already be organized or marked in a CMDB or other database and can be brought in to make use of any groupings already in place. We recommend that you speak both to the infrastructure and metrics team in order to find out which tags are useful. This eliminates bringing in too many tags/groups and avoids creating more noise than intended, which would make the data less useful.

Incorporating Vulnerability Scanning into Your Vulnerability Management

Once this is done, your team will still need to integrate other aspects of your vulnerability management sector, including, but not limited to:

• Application Security
• External Attack Surface Reduction
• Penetration Testing
• Database Configuration Testing
• Social Engineering Tests

All of these and more hold their own intricacies and require their own high level staffing in order to maintain a healthy and safe cyber environment.

Gaining a Full View into Your Vulnerability and Risk

Leveraging best-in-class machine learning algorithms, NopSec Unified VRM analyzes billions of pieces of information to understand attack activity and likelihood in real time. NopSec brings in your full tech stack for a holistic view into your organization’s unique vulnerability outlook. 

With NopSec, your vulnerability risk scores are reprioritized based on insights from 30+ threat intelligence feeds for malware, ransomware, threat actors/campaigns, public exploit databases, social media, and more. 

Schedule a demo today to see NopSec in action. 

FAQ

Question #1: What is the first step for vulnerability scanning?

Answer: Setup seems like a logical first step for vulnerability scanning; but in actuality, however, you need to get a good understanding of the current state of your infrastructure to ensure nothing is missed in deployment.

Question #2: What are the different types of scanners?

Answer: There are three basic types of scanners: network vulnerability scanners, agent-based vulnerability scanners, and web application scanners. Many organizations opt to have multiple scanners as they have different capabilities and focuses.