BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Seizing Windows of Opportunity for Vulnerability Assessment

Posted April 1, 2014    Morey Haber

The change control process for many organizations dictates that vulnerability assessment scanning can only occur during predefined scan windows. During these times, teams are notified that an assessment will be conducted and that alerts from IDS/IPS sensors, SIEMS, and local AV agents should be ignored or whitelisted from the scanners. This is a very typical process.

The Window of Opportunity to perform vulnerability assessments also dictates that the scans must complete, be paused, or be aborted before the window ends. This ensures that scans only occur during the allotted time and not in production hours. In order to maintain these schedules, scan jobs need to be controlled centrally to maintain these windows. This implies the following characteristics:

  • Scan windows should permit jobs to be paused and resumed or aborted when the end of a scan window is reached.
  • Scan windows should be configurable per scan job, globally, or per scan engine to meet individual business requirements.
  • Scan windows should be calendar-based by time and day in order to enforce change control windows.
  • A methodology should be available for continuous scanning when assessments must adhere to strict change control windows.

The last bullet provides in an interesting dilemma for all that need to perform continuous monitoring. How do you scan frequently and not violate policies for scan windows?

The answer is only available from BeyondTrust. BeyondTrust provides the Retina Protection Agent, which is included with Retina CS Enterprise Vulnerability Management operating within the BeyondInsight IT Risk Management Platform. The Retina Protection Agent enables local vulnerability assessment on a host and returns the results to the BeyondInsight central management console. Scan windows typically dictate when network scanning can and cannot occur. With a local agent, the requirement is circumvented and can be scheduled as frequently as needed to achieve the desired results without impacting the host, network, and more importantly the people and policies that govern change control and scan windows.  Below is a diagram illustrating how this can be configured:

windows of opp-img1

Retina Protection Agents are located on systems that require periodic vulnerability assessment. In this case, scan windows are not applicable because the status and location of the assets is never fully known and cannot be scanned through the internet or made available reliably for change control windows. Therefore, the local Retina agent performs a scheduled assessment locally and, when it is connected to the Internet (or internal network), transmits the results to BeyondInsight for analytics and reporting. The results produce vulnerability data that meets continuous monitoring requirements and addresses any scan windows that may be in place by policy.

The Window of Opportunity for vulnerability assessment is changing. For example, PCI DSS 3.0 requires more continuous assessments and scans to be scheduled as a part of normal business practices versus just once per quarter. In order to meet these goals, vulnerability management tools need to manage scan windows with incredible flexibility and adhere to internal policies while allowing assessments to occur more frequently. BeyondInsight provides the features to control scan windows with incredible ease and exceed the requirements with localized agents when no Window of Opportunity can be established. Below is an example of how to perform scan window scheduling on a per job basis:

windows of opp-img2

For more information on how BeyondTrust can help you manage scan windows, please contact us at sales@beyondtrust.com. We look forward to helping your organization perform successful vulnerability assessments with the best reporting in the industry.

Tags:
, , , , ,

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,