BeyondTrust

Security in Context: The BeyondTrust Blog


What Comes After Discovery – Rediscovery and Scan

Posted August 15, 2011    Jerome Diggs

Over the next few blog posts I’ll show you ways to leverage your investment in Retina CS to help automate and streamline various scenarios I run into in the field. One common scenario I see quite often happens when customers are first implementing a vulnerability management solution into their organization. I call this the ‘What Next’ phenomenon.

After the initial ‘Discovery Scan’, customers ask: how can I discover any new systems that show up on the radar and, more importantly, how can I be made aware of these devices and perform additional scanning on them? From here things can get more complex, but in today’s blog we’ll give you a few quick tips on how to overcome this seemingly daunting task.

Let’s assume you’re being diligent and performing a discovery scan on a weekly basis on a rotating list of IP Addresses (or network segments). This is a very easy process to perform within Retina CS:

1 – Create your address groups that contain the network segments of interest.

2 – Create a Smart Rule that leverages the address group created above. In this example we use a simple rule whose only criterion is that address group, with an action of ‘Show assets as Smart Group.’ This allows us to target the Charlotte Office for our scheduled discovery scans.

NOTE: A smart rule can be comprised of multiple criteria and actions, which makes it very useful for focusing in on specific assets and triggering several actions when those assets are located.

3 – Using the built-in Discovery Scan and the Smart Group we just created, we are now ready to schedule our Discovery scan of the Charlotte Office network to occur on a weekly basis.

In the screenshot below I’ve named the scan job after what my scheduled scan is performing. I’ve selected one of my distributed scanners located in that office and I’ve set my scheduled scan to initiate at 2:00 AM Saturday morning on a weekly basis.

Now that my recurring scan is set up, I want to determine if any new assets (broken down by operating system) are found on my network within the last week. A couple of additional actions I’ve chosen are to email the local admin of the newly found devices and to generate a ticket and assign it to the team responsible for that segment of the network for further investigation and incident tracking.

Here are some general steps and ideas on how to accomplish such a task:

1 – Create a new smart rule that uses the criteria: Asset Fields, First Discovery Date, Operating System, and Is Any Of. Select the operating systems of interest. Keep in mind you can multi-select OSes or leave this criterion out altogether.

For my example I chose Windows, as I will create a scheduled scan that will use this smart rule to perform more in-depth scanning of these assets. This ensures I’m keeping an accurate account of these machines on my network.

2 – For my ‘Perform Actions’ I’ve chosen to: (1) Show assets as Smart Group, (2) Send an email with a list of assets (to my Charlotte admin team), and (3) Create Ticket (assigned to my Charlotte admin team) to keep a record of the finding.

To automate the ‘in-depth’ scanning of these newly found Windows assets on a recurring basis you simply need to:

(1) Create a new ‘Vulnerability Report’ leveraging the ‘Newly Discovered Windows’ Smart Group we created in the previous step.

(2) Schedule the scan to occur sometime after the Discovery Scan; in my case I chose early Sunday morning. Because we want to capture more detailed vulnerability data (versus our earlier discovery scan), I chose a credentialed scan. Keep in mind you can multi-select as many credentials as you need.

Now we’ll receive a weekly report that contains a full audit of any newly found Windows machines on my network within the last week.

NOTE: Assuming that the newly found system is part of your managed environment, the credentials supplied will give you a full audit. The access reports available within Retina CS will give you further details on which systems could not be authenticated to. Those devices may be considered rogue/unauthorized machines.
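The rule logic from steps 1 and 2 above, its three actions, and the rogue check from the note, as an added Python example written for this post (it is not Retina CS code or the author’s own); the Asset fields, SCAN_DATE, inventory and team address are constructed assumptions, not Retina CS’s schema.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed asset records standing in for what a discovery scan would record;
# the field names are assumptions, not Retina CS's own schema.
@dataclass(frozen=True)
class Asset:
    ip: str
    os: str
    first_discovery_date: date
    credentialed_audit_ok: Optional[bool] = None  # None: not yet audited

def smart_rule_new_assets(assets, as_of, window_days=7, os_any_of=("Windows",)):
    """Mirror of the smart rule: First Discovery Date within the last
    window_days AND Operating System 'Is Any Of' os_any_of (empty = any OS)."""
    cutoff = as_of - timedelta(days=window_days)
    return sorted(
        (a for a in assets
         if a.first_discovery_date >= cutoff
         and (not os_any_of or a.os in os_any_of)),
        key=lambda a: a.ip,
    )

def perform_actions(matches, group_name, team_email):
    """The three 'Perform Actions' fanned out from one rule evaluation."""
    ips = [a.ip for a in matches]
    return {
        "smart_group": {group_name: ips},
        "email": {"to": team_email,
                  "body": "\n".join(f"{a.ip} ({a.os}) first seen {a.first_discovery_date}"
                                    for a in matches)},
        "ticket": {"assignee": team_email,
                   "title": f"{len(ips)} newly discovered asset(s) in {group_name}",
                   "assets": ips},
    }

def rogue_candidates(matches):
    """After the credentialed follow-up scan: assets the supplied credentials
    could not authenticate to are flagged for investigation."""
    return [a.ip for a in matches if a.credentialed_audit_ok is False]

SCAN_DATE = date(2011, 8, 13)  # constructed: the Saturday 2:00 AM discovery run
INVENTORY = [  # constructed sample inventory
    Asset("10.1.2.10", "Windows", date(2011, 8, 9), True),
    Asset("10.1.2.11", "Windows", date(2011, 8, 12), False),  # credentials rejected
    Asset("10.1.2.12", "Linux", date(2011, 8, 11), True),     # filtered out by OS
    Asset("10.1.2.13", "Windows", date(2011, 7, 20), True),   # outside the 7-day window
    Asset("10.1.2.14", "Windows", date(2011, 8, 13)),         # not yet audited
]
```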

As you can see, the ‘What Next’ that follows a Discovery Scan can be simplified and, more importantly, automated, so that your investment in a Unified Vulnerability Management solution keeps you abreast of any newly found devices and the threats/exposures they may introduce.
