BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

What Comes After Discovery – Rediscovery and Scan

Posted August 15, 2011    Jerome Diggs

Over the next few blog posts I’ll show you ways to leverage your investment in Retina CS to help automate and streamline various scenarios I run into in the field. One common scenario I see quite often happens when customers are first implementing a vulnerability management solution into their organization. I call this the ‘What Next’ phenomenon.

After the initial ‘Discovery Scan’ customers ask, how can I discover any new systems that may show up on the radar and more importantly, how can I be made aware of these devices and do additional scanning? From here, things can get more complex but in today’s blog we’ll give you a few quick tips on how to overcome this seemingly daunting task.

Let’s assume you’re being diligent and performing a discovery scan on a weekly basis on a rotating list of IP Addresses (or network segments). This is a very easy process to perform within Retina CS:

1 – Create your address groups that contain the Network segments of interest.

2 – Create a Smart Rule that will leverage the address group created above. In this example we are using a simple rule using the address group created above and using an action of ‘Show assets as Smart Group.’ This will allow us to target the Charlotte Office for our scheduled discovery scans.

NOTE: A smart rule can be comprised of multiple criteria and actions therefore making them very useful for focusing in on specific assets and determining multiple actions when those assets are located.

3- Using the built-in Discovery Scan and the Smart Group we just created, we are now ready to schedule or Discovery scan of the Charlotte Office network to occur on a weekly basis.

In the screenshot below I’ve named the scan job after what my scheduled scan is performing. I’ve selected one of my distributed scanners located in that office and I’ve set my scheduled scan to initiate at 2:00AM Saturday morning on a weekly basis.

Now that my recurring scan is set up, I want to determine if any new assets (broken down by operating system) are found on my network within the last week. A couple of additional actions I’ve chosen are to email the local admin of the newly found devices and to generate a ticket and assign it to the team responsible for that segment of the network for further investigation and incident tracking.

Here are some general steps and ideas on how to accomplish such a task:

1 – Create a new smart rule that uses the criteria: Asset Fields, First Discovery Date,  Operating System, and Is Any Of. Select the operating systems of interest. Keep in mind you can multi-select OS’s or leave this criteria out all together.

For my example I chose Windows, as I will create a scheduled scan that will use this smart rule to perform more in-depth scanning of these assets. This ensures I’m keeping an accurate account of these machines on my network.

2- For my ‘Perform Actions’ I’ve chosen to: (1) Show assets as Smart Group, (2) Send an email with a list of assets (to my Charlotte admin team), (3) Create Ticket (assigned to my Charlotte admin team) to keep a record of account.

To automate the ‘in-depth’ scanning of these newly found Windows assets on a recurring basis you simply need to:

(1) Create a new ‘Vulnerability Report’ leveraging the ‘Newly Discovered Windows’ Smart Group we created in the previous step.

(2) Schedule the scan to occur sometime after the Discovery Scan, in my case I chose early Sunday Morning. Because we want to capture more detailed vulnerability data (versus our earlier discovery scan), I chose a credentialed scan. Keep in mind you can multi-select as many credentials as you need.

Now we’ll receive a weekly report that contains a Full audit of any newly found Windows machines on my network within the last week.

NOTE: Assuming that the newly found system is part of your managed environment, the credentials supplied will give you a full audit. The available access reports within Retina CS will give you further details as to which systems were unsuccessfully authenticated. These devices may be considered rogue/unauthorized machines.

As you can see, the process of going from a ‘What Next’ after a Discovery Scan can be simplified and more importantly automated to ensure that your investment in your Unified Vulnerability Management solution is keeping you abreast of any newly found devices and possible threats/exposures.

Leave a Reply

Additional articles

{c4eae211-3ca2-4f8e-b2b9-6df0e970aab1}_g.markhardy

The “insider” threat. Is it real, or is it being blown out of proportion?

Posted March 4, 2015    G. Mark Hardy

A lot depends on whether or not you’ve been compromised. And therein lies the problem. Cyber threats are often ignored until they cause some damage, at which point management looks for people to blame and gives all kinds of attention to fixing the problem – until the next crisis in accounting or warehousing or staffing comes along.

Tags:
, , ,
webinar_chalk

Webinar March 4th: Recreating the Carbanak Breach & Techniques for Mitigating Similar Attacks

Posted March 3, 2015    Lindsay Marsh

Join BeyondTrust Research and Development team for an in-depth live webinar that will explore the attack vectors used in the Carbanak Bank Breach and share successful mitigation techniques needed to prevent this type of attack.

Tags:
, ,
VMware Hardening Guidelines-img3

How to Audit VMware ESX and ESXi Servers Against the VMware Hardening Guidelines with Retina CS

Posted February 27, 2015    BeyondTrust Research Team

Retina CS Enterprise Vulnerability Management has included advanced VMware auditing capabilities for some time, including virtual machine discovery and scanning through a cloud connection, plus the ability to scan ESX and ESXi hosts using SSH. However, in response to recent security concerns associated with SSH, VMware has disabled SSH by default in its more recent…

Tags:
, , , ,