How often do you run Vulnerability Scans

I'm curious how often everyone is running vulnerability scans on their networks and what product you use. I know this really depends on the size of the environment, so if you can include that info, it will be helpful.

I'm currently running daily scans for servers, and weekly scans for endpoints.

A few things about my setup that bother me, that I argue for but never goes anywhere. Maybe I'm wrong

1) The weekly endpoint scan is done on a weekend. Seems pointless since most laptop users will be offline, same with anyone who shuts their desktop off when they leave. I'd prefer to run this during business hours, but maybe not ideal

2) We don't have enough licenses for the proper number of hosts, therefore, some subnets do not get scanned.

Find more posts tagged with

Comments

blatini

Although not guaranteed to be on - can't you still schedule laptops to scan at a certain time regardless of where they are? And if they shut their desktop off you just need to utilize WakeOnLAN which I am pretty sure is a common feature nowadays?

If you don't have enough licenses then that seems like a separate management issue.

MitM

blatini wrote: »

Although not guaranteed to be on - can't you still schedule laptops to scan at a certain time regardless of where they are? And if they shut their desktop off you just need to utilize WakeOnLAN which I am pretty sure is a common feature nowadays?

If you don't have enough licenses then that seems like a separate management issue.

WakeOnLAN could work for desktops, if I could get that team to configure it.

Laptops on the other hand, people take them home with them because they are required to, but they surely don't take them out of their laptop bags during the weekend.

Ertaz

MitM wrote: »

WakeOnLAN could work for desktops, if I could get that team to configure it.

Laptops on the other hand, people take them home with them because they are required to, but they surely don't take them out of their laptop bags during the weekend.

My experience has been that the scanning we do isn't really noticeable when run against our client segments. The caveat to that is that we have plenty of bandwidth and geographically dispersed scan engines so as not to hammer the WAN when scanning 400 workstations at a clip. Our interval for scanning is not as as frequent as yours, but we do our client scanning during the business week. It really helps catch most of the assets.

blatini

Ertaz wrote: »

My experience has been that the scanning we do isn't really noticeable when run against our client segments. The caveat to that is that we have plenty of bandwidth and geographically dispersed scan engines so as not to hammer the WAN when scanning 400 workstations at a clip. Our interval for scanning is not as as frequent as yours, but we do our client scanning during the business week. It really helps catch most of the assets.

Have to agree scanning is never that noticeable in my experience. I have worked in 200-400 end user environments primarily with Sophos / Symantec and higher end user machines.

I chopped the scans to be run by department since they're generally dispersed evenly across sites.

TheFORCE

Running the scans so often is a good idea, but what are you gaining out of it? Do you also have a daily remediation plan for the servers and weekly remediation plan for the workstations? If you don't then you need to adjust your scans to your vulnerability remediation process.

Critical servers running business processes won't be as easy to take down in your current setup.

A better approach is to create a baseline preferably monthky or quarterly and lets say you run 1 scan and you find xyz vulnerability on Server1, now you have 30 days or 60 days to adress it, you let the system owner know what they need to fix by opening a ticket and assing it to them, that's usually IT. Once they close it, you can verify via a reacan or during your monthly-quarterly scan.

By doing this you now have a process that is simple, can be repeated and is easy to follow by everyone. On top pf that, you can now run reports and keep track of how many vulnerabilities were remediated month to month or how many are not being resolved, you can create reports based on that that show trends in your environment and management will be thrilled.

Of course you would need to get everyone on board with this, create policies and automate some items but it works and emis easy.

A scan means nothing if you are not adressing the results and if you are not decreasing the vulnerabilities from scan to scan.

I do this currently.

EJMADELINE

Weekly. Using Nessus to scan over 2k+ servers.

Ertaz

TheFORCE wrote: »

Running the scans so often is a good idea, but what are you gaining out of it? Do you also have a daily remediation plan for the servers and weekly remediation plan for the workstations? If you don't then you need to adjust your scans to your vulnerability remediation process.

100% agreed.

TheFORCE wrote: »

create policies
A scan means nothing if you are not addressing the results and if you are not decreasing the vulnerabilities from scan to scan.

If you are the one scanning and the one remediating this is pretty straight forward. If you are not, say you are a Risk Management person in charge of scanning and the folks that are remediating work for a different department that is not in the same chain of command, then you have issues without a policy. You need to prioritize what gets fixed first and what gets fixed at all. (Where my unfixable windows server TCP sequence vulns at?)

TheFORCE

Ertaz wrote: »

If you are the one scanning and the one remediating this is pretty straight forward. If you are not, say you are a Risk Management person in charge of scanning and the folks that are remediating work for a different department that is not in the same chain of command, then you have issues without a policy. You need to prioritize what gets fixed first and what gets fixed at all. (Where my unfixable windows server TCP sequence vulns at?)

Exactly. If you work for a big company you will not be doing everything on your own. If you work for a small company, then created policies and processes like you were a big company even if you are the only own doing everything.

MitM

Thanks for the replies. Client scanning really shouldn't be a problem between my main offices and I can easily deploy scanners most remote locations and use agents for some low bandwidth sites. I'm still pushing to scan clients during business hours and still pushing to purchase enough licenses. Otherwise, I could be missing something huge.

TheFORCE wrote: »

Running the scans so often is a good idea, but what are you gaining out of it? Do you also have a daily remediation plan for the servers and weekly remediation plan for the workstations? If you don't then you need to adjust your scans to your vulnerability remediation process.

Critical servers running business processes won't be as easy to take down in your current setup.

A better approach is to create a baseline preferably monthky or quarterly and lets say you run 1 scan and you find xyz vulnerability on Server1, now you have 30 days or 60 days to adress it, you let the system owner know what they need to fix by opening a ticket and assing it to them, that's usually IT. Once they close it, you can verify via a reacan or during your monthly-quarterly scan.

By doing this you now have a process that is simple, can be repeated and is easy to follow by everyone. On top pf that, you can now run reports and keep track of how many vulnerabilities were remediated month to month or how many are not being resolved, you can create reports based on that that show trends in your environment and management will be thrilled.

Of course you would need to get everyone on board with this, create policies and automate some items but it works and emis easy.

A scan means nothing if you are not adressing the results and if you are not decreasing the vulnerabilities from scan to scan.

I do this currently.

Exactly!! So the management thinking is, if the scan discovers a backdoor, it must be resolved that day. All other items should be resolved within 30 days BUT there is no "policy" on this. The numbers do go down, though. Also, I'm a network engineer, so I am responsible for running the scans but I only resolve my own vulnerabilities. The other teams resolve their own. I try to work with them to help resolve as much as possible, but technically it's not "my job".

I've been working on other major projects, so I haven't been pushing hard lately to change the process and add some policies. Now that things are slowing down a little, I'm back on this because I believe there is a better way. I posted this here because I wanted to see if my thinking was way off. They had me believing it was me

TheFORCE

Still i think daily is a bit too much, unless you work for a company that deals with highly classified information. Often times, not even vendors have any solutions, or often times you might be using some custom build in house application thay will break if you update to a new version of the software. So then you need to develop a project plan and so on, all that doesnt happen in 1 day. Not to mention the time it takes to properly test the patch.

MitM

TheFORCE wrote: »

Still i think daily is a bit too much, unless you work for a company that deals with highly classified information. Often times, not even vendors have any solutions, or often times you might be using some custom build in house application thay will break if you update to a new version of the software. So then you need to develop a project plan and so on, all that doesnt happen in 1 day. Not to mention the time it takes to properly test the patch.

No, I'm with you. I don't agree with daily scanning at all. I never wanted it from day 1

jamesleecoleman

I am in the middle of working on the vulnerabilities at the moment.
The plan is to do it twice a quarter.

We use Nessus Cloud, which allows me to have an onsite scanner and agents on the laptops to scan the laptops when they're offsite.

Because I don't have the license to do 256 or 512, I break up the subnets into 128 blocks and then scan.

Danielm7

MitM wrote: »

No, I'm with you. I don't agree with daily scanning at all. I never wanted it from day 1

I'm curious about the motivation for daily scans. Do they also fix problems on day 1 as well? And for the endpoints, if you have a consistent image, couldn't you scan a smaller sample set vs every laptop? How about patch management, do they get a lot of info from there as well, something like SCCM?

I guess it depends on the size of the environment too, I'm in a big big org that is spread all over the country, running scans that often would be a pretty big feat.

MitM

jamesleecoleman wrote: »

We use Nessus Cloud, which allows me to have an onsite scanner and agents on the laptops to scan the laptops when they're offsite.

Because I don't have the license to do 256 or 512, I break up the subnets into 128 blocks and then scan.

Do you mean you scan 128, check (maybe export) the results and then scan a different set 128 IPs?

MitM

Danielm7 wrote: »

I'm curious about the motivation for daily scans. Do they also fix problems on day 1 as well? And for the endpoints, if you have a consistent image, couldn't you scan a smaller sample set vs every laptop? How about patch management, do they get a lot of info from there as well, something like SCCM?

I guess it depends on the size of the environment too, I'm in a big big org that is spread all over the country, running scans that often would be a pretty big feat.

I think their thinking is strictly the more scans the better. I just never agreed with the thinking.

We don't use SCCM, just WSUS for windows patching. All machines are deployed with an image, but between different versions of java and whatever else is installed after, you never know what's on these desktops/laptops.

Ertaz

Interesting way to view your vuln data beyond a standard excel pivot/GRC report:

Text mining and word cloud fundamentals in R : 5 simple steps you should know - Easy Guides - Wiki - STHDA

Did this today to visualize some vulns that were candidates for exceptions based on residual risk.

higherho

at least weekly. Need to make sure we hit 100% of all machines in the network (a lot of users) within a 30 day window. We also have the ability to run daily reports because the systems automatically upload there data to a central system (Continuous monitoring ftw). This gives us the ability to see latest patches installed, what security configurations might be missing, etc. Also have NAC installed which helps verify / check the system for us.

JasminLandry

I run scans daily, almost hourly! The network is big enough to run scans on hundreds of different servers each day. A part from that, we have regular monthly and quarterly scans that we need to run.

shimasensei

Weekly at the minimum. Multiple ad-hoc scans everyday.