BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Seizing Windows of Opportunity for Vulnerability Assessment

Posted April 1, 2014    Morey Haber

The change control process for many organizations dictates that vulnerability assessment scanning can only occur during predefined scan windows. During these times, teams are notified that an assessment will be conducted and that alerts from IDS/IPS sensors, SIEMS, and local AV agents should be ignored or whitelisted from the scanners. This is a very typical process.

The Window of Opportunity to perform vulnerability assessments also dictates that the scans must complete, be paused, or be aborted before the window ends. This ensures that scans only occur during the allotted time and not in production hours. In order to maintain these schedules, scan jobs need to be controlled centrally to maintain these windows. This implies the following characteristics:

  • Scan windows should permit jobs to be paused and resumed or aborted when the end of a scan window is reached.
  • Scan windows should be configurable per scan job, globally, or per scan engine to meet individual business requirements.
  • Scan windows should be calendar-based by time and day in order to enforce change control windows.
  • A methodology should be available for continuous scanning when assessments must adhere to strict change control windows.

The last bullet provides in an interesting dilemma for all that need to perform continuous monitoring. How do you scan frequently and not violate policies for scan windows?

The answer is only available from BeyondTrust. BeyondTrust provides the Retina Protection Agent, which is included with Retina CS Enterprise Vulnerability Management operating within the BeyondInsight IT Risk Management Platform. The Retina Protection Agent enables local vulnerability assessment on a host and returns the results to the BeyondInsight central management console. Scan windows typically dictate when network scanning can and cannot occur. With a local agent, the requirement is circumvented and can be scheduled as frequently as needed to achieve the desired results without impacting the host, network, and more importantly the people and policies that govern change control and scan windows.  Below is a diagram illustrating how this can be configured:

windows of opp-img1

Retina Protection Agents are located on systems that require periodic vulnerability assessment. In this case, scan windows are not applicable because the status and location of the assets is never fully known and cannot be scanned through the internet or made available reliably for change control windows. Therefore, the local Retina agent performs a scheduled assessment locally and, when it is connected to the Internet (or internal network), transmits the results to BeyondInsight for analytics and reporting. The results produce vulnerability data that meets continuous monitoring requirements and addresses any scan windows that may be in place by policy.

The Window of Opportunity for vulnerability assessment is changing. For example, PCI DSS 3.0 requires more continuous assessments and scans to be scheduled as a part of normal business practices versus just once per quarter. In order to meet these goals, vulnerability management tools need to manage scan windows with incredible flexibility and adhere to internal policies while allowing assessments to occur more frequently. BeyondInsight provides the features to control scan windows with incredible ease and exceed the requirements with localized agents when no Window of Opportunity can be established. Below is an example of how to perform scan window scheduling on a per job basis:

windows of opp-img2

For more information on how BeyondTrust can help you manage scan windows, please contact us at sales@beyondtrust.com. We look forward to helping your organization perform successful vulnerability assessments with the best reporting in the industry.

Tags:
, , , , ,

Leave a Reply

Additional articles

Restricted Area Sign

Implementing Least Privilege for Windows the Easy Way

Posted July 31, 2014    Morey Haber

The concept of least privilege states that asset users should have the lowest level of access privileges required to effectively conduct their jobs. Implementing least privilege can bring several benefits to your organization, including: Increased security by reducing the attack surface available to users and to potential attackers who compromise user systems via phishing, malware,…

Tags:
, , ,
gartner market guide image - aug 2014

Introducing the Gartner Market Guide for Privileged Account Management

Posted July 29, 2014    Chris Burd

Gartner recently released a new Market Guide for Privileged Account Management (PAM), and we’d like to share a complimentary copy with you. The report includes PAM market analysis and direction, vendor overviews, and recommendations for selecting PAM solutions for your environment. BeyondTrust is one of two representative vendors (out of 20) to address all solution…

Tags:
, , , , , , , ,
Integrating Least Privilege and Password Management to Solve Account Security Challenges

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

There is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field. Consider the challenge of privileged access:…

Tags:
, , , , ,