BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Seizing Windows of Opportunity for Vulnerability Assessment

Posted April 1, 2014    Morey Haber

The change control process for many organizations dictates that vulnerability assessment scanning can only occur during predefined scan windows. During these times, teams are notified that an assessment will be conducted and that alerts from IDS/IPS sensors, SIEMS, and local AV agents should be ignored or whitelisted from the scanners. This is a very typical process.

The Window of Opportunity to perform vulnerability assessments also dictates that the scans must complete, be paused, or be aborted before the window ends. This ensures that scans only occur during the allotted time and not in production hours. In order to maintain these schedules, scan jobs need to be controlled centrally to maintain these windows. This implies the following characteristics:

  • Scan windows should permit jobs to be paused and resumed or aborted when the end of a scan window is reached.
  • Scan windows should be configurable per scan job, globally, or per scan engine to meet individual business requirements.
  • Scan windows should be calendar-based by time and day in order to enforce change control windows.
  • A methodology should be available for continuous scanning when assessments must adhere to strict change control windows.

The last bullet provides in an interesting dilemma for all that need to perform continuous monitoring. How do you scan frequently and not violate policies for scan windows?

The answer is only available from BeyondTrust. BeyondTrust provides the Retina Protection Agent, which is included with Retina CS Enterprise Vulnerability Management operating within the BeyondInsight IT Risk Management Platform. The Retina Protection Agent enables local vulnerability assessment on a host and returns the results to the BeyondInsight central management console. Scan windows typically dictate when network scanning can and cannot occur. With a local agent, the requirement is circumvented and can be scheduled as frequently as needed to achieve the desired results without impacting the host, network, and more importantly the people and policies that govern change control and scan windows.  Below is a diagram illustrating how this can be configured:

windows of opp-img1

Retina Protection Agents are located on systems that require periodic vulnerability assessment. In this case, scan windows are not applicable because the status and location of the assets is never fully known and cannot be scanned through the internet or made available reliably for change control windows. Therefore, the local Retina agent performs a scheduled assessment locally and, when it is connected to the Internet (or internal network), transmits the results to BeyondInsight for analytics and reporting. The results produce vulnerability data that meets continuous monitoring requirements and addresses any scan windows that may be in place by policy.

The Window of Opportunity for vulnerability assessment is changing. For example, PCI DSS 3.0 requires more continuous assessments and scans to be scheduled as a part of normal business practices versus just once per quarter. In order to meet these goals, vulnerability management tools need to manage scan windows with incredible flexibility and adhere to internal policies while allowing assessments to occur more frequently. BeyondInsight provides the features to control scan windows with incredible ease and exceed the requirements with localized agents when no Window of Opportunity can be established. Below is an example of how to perform scan window scheduling on a per job basis:

windows of opp-img2

For more information on how BeyondTrust can help you manage scan windows, please contact us at sales@beyondtrust.com. We look forward to helping your organization perform successful vulnerability assessments with the best reporting in the industry.

Tags:
, , , , ,

Leave a Reply

Additional articles

powerbroker-for-mac-diagram-small

PowerBroker for Mac: A Least-Privileged Apple a Day…

Posted July 27, 2015    Jason Silva

BeyondTrust PowerBroker for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS X to perform administrative tasks successfully without entering elevated credentials.

Tags:
, ,
PrivilegedAccountManagement

On Demand Webinar – Now is the time for Privileged Account Management

Posted July 24, 2015    BeyondTrust Software

In this webinar, SANS Instructor and Founder of Voodoo Security, Dave Shackleford, will revisit several hacking and breach scenarios that involved privileged accounts, and use these as examples while discussing tools and tactics to get this problem under control once and for all.

Tags:
, ,
dave-shackleford-headshot

Privileged Account Management: The Time is Now

Posted July 22, 2015    Dave Shackleford

There’s plenty of problems we don’t have great options for in InfoSec today. Malware is a pain point that keeps evolving rapidly. 0-day exploits are tough to prepare for. Privileged account management? We got this. We know the root causes, we know how it manifests, we know how to get it under control effectively, and there are great technology solutions that are enterprise-class.

Tags:
, ,