BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Seizing Windows of Opportunity for Vulnerability Assessment

Posted April 1, 2014    Morey Haber

The change control process for many organizations dictates that vulnerability assessment scanning can only occur during predefined scan windows. During these times, teams are notified that an assessment will be conducted and that alerts from IDS/IPS sensors, SIEMS, and local AV agents should be ignored or whitelisted from the scanners. This is a very typical process.

The Window of Opportunity to perform vulnerability assessments also dictates that the scans must complete, be paused, or be aborted before the window ends. This ensures that scans only occur during the allotted time and not in production hours. In order to maintain these schedules, scan jobs need to be controlled centrally to maintain these windows. This implies the following characteristics:

  • Scan windows should permit jobs to be paused and resumed or aborted when the end of a scan window is reached.
  • Scan windows should be configurable per scan job, globally, or per scan engine to meet individual business requirements.
  • Scan windows should be calendar-based by time and day in order to enforce change control windows.
  • A methodology should be available for continuous scanning when assessments must adhere to strict change control windows.

The last bullet provides in an interesting dilemma for all that need to perform continuous monitoring. How do you scan frequently and not violate policies for scan windows?

The answer is only available from BeyondTrust. BeyondTrust provides the Retina Protection Agent, which is included with Retina CS Enterprise Vulnerability Management operating within the BeyondInsight IT Risk Management Platform. The Retina Protection Agent enables local vulnerability assessment on a host and returns the results to the BeyondInsight central management console. Scan windows typically dictate when network scanning can and cannot occur. With a local agent, the requirement is circumvented and can be scheduled as frequently as needed to achieve the desired results without impacting the host, network, and more importantly the people and policies that govern change control and scan windows.  Below is a diagram illustrating how this can be configured:

windows of opp-img1

Retina Protection Agents are located on systems that require periodic vulnerability assessment. In this case, scan windows are not applicable because the status and location of the assets is never fully known and cannot be scanned through the internet or made available reliably for change control windows. Therefore, the local Retina agent performs a scheduled assessment locally and, when it is connected to the Internet (or internal network), transmits the results to BeyondInsight for analytics and reporting. The results produce vulnerability data that meets continuous monitoring requirements and addresses any scan windows that may be in place by policy.

The Window of Opportunity for vulnerability assessment is changing. For example, PCI DSS 3.0 requires more continuous assessments and scans to be scheduled as a part of normal business practices versus just once per quarter. In order to meet these goals, vulnerability management tools need to manage scan windows with incredible flexibility and adhere to internal policies while allowing assessments to occur more frequently. BeyondInsight provides the features to control scan windows with incredible ease and exceed the requirements with localized agents when no Window of Opportunity can be established. Below is an example of how to perform scan window scheduling on a per job basis:

windows of opp-img2

For more information on how BeyondTrust can help you manage scan windows, please contact us at sales@beyondtrust.com. We look forward to helping your organization perform successful vulnerability assessments with the best reporting in the industry.

Tags:
, , , , ,

Leave a Reply

Additional articles

Are Your Data Security Efforts Focused in the Right Area?

Posted January 28, 2015    Scott Lang

Vormetric Data Security recently released an insider threat report, with research conducted by HarrisPoll and analyzed by Ovum. Based on the survey responses, it is apparent that there is still a great deal of insecurity over data. However, the results also show that there may be misplaced investments to address those insecurities. I will explain…

Tags:
ghost

GHOST Vulnerability…Scary Indeed

Posted January 28, 2015    BeyondTrust Research Team

A vulnerability discovered by Qualys security researchers has surfaced within the GNU C Library that affects virtually all Linux operating systems. The vulnerability lies within the various gethostbyname*() functions and, as such, has been dubbed “GHOST.” GHOST is particularly nasty considering remote, arbitrary code execution can be achieved. In an effort to avoid taxing DNS lookups, glibc developers introduced…

Tags:
,
dave-shackleford-headshot

Your New Years Resolution: Controlling Privileged Users

Posted January 27, 2015    Dave Shackleford

Is 2015 the year you get a better handle on security? The news last year was grim – so much so, in fact, that many in the information security community despaired a bit. Really, the end-of-the-year infosec cocktail parties were a bit glum. OK, let’s be honest, infosec cocktail parties are usually not that wild…

Tags:
, , ,