BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

What Comes After Discovery – Rediscovery and Scan

Posted August 15, 2011    Jerome Diggs

Over the next few blog posts I’ll show you ways to leverage your investment in Retina CS to help automate and streamline various scenarios I run into in the field. One common scenario I see quite often happens when customers are first implementing a vulnerability management solution into their organization. I call this the ‘What Next’ phenomenon.

After the initial ‘Discovery Scan’ customers ask, how can I discover any new systems that may show up on the radar and more importantly, how can I be made aware of these devices and do additional scanning? From here, things can get more complex but in today’s blog we’ll give you a few quick tips on how to overcome this seemingly daunting task.

Let’s assume you’re being diligent and performing a discovery scan on a weekly basis on a rotating list of IP Addresses (or network segments). This is a very easy process to perform within Retina CS:

1 – Create your address groups that contain the Network segments of interest.

2 – Create a Smart Rule that will leverage the address group created above. In this example we are using a simple rule using the address group created above and using an action of ‘Show assets as Smart Group.’ This will allow us to target the Charlotte Office for our scheduled discovery scans.

NOTE: A smart rule can be comprised of multiple criteria and actions therefore making them very useful for focusing in on specific assets and determining multiple actions when those assets are located.

3- Using the built-in Discovery Scan and the Smart Group we just created, we are now ready to schedule or Discovery scan of the Charlotte Office network to occur on a weekly basis.

In the screenshot below I’ve named the scan job after what my scheduled scan is performing. I’ve selected one of my distributed scanners located in that office and I’ve set my scheduled scan to initiate at 2:00AM Saturday morning on a weekly basis.

Now that my recurring scan is set up, I want to determine if any new assets (broken down by operating system) are found on my network within the last week. A couple of additional actions I’ve chosen are to email the local admin of the newly found devices and to generate a ticket and assign it to the team responsible for that segment of the network for further investigation and incident tracking.

Here are some general steps and ideas on how to accomplish such a task:

1 – Create a new smart rule that uses the criteria: Asset Fields, First Discovery Date,  Operating System, and Is Any Of. Select the operating systems of interest. Keep in mind you can multi-select OS’s or leave this criteria out all together.

For my example I chose Windows, as I will create a scheduled scan that will use this smart rule to perform more in-depth scanning of these assets. This ensures I’m keeping an accurate account of these machines on my network.

2- For my ‘Perform Actions’ I’ve chosen to: (1) Show assets as Smart Group, (2) Send an email with a list of assets (to my Charlotte admin team), (3) Create Ticket (assigned to my Charlotte admin team) to keep a record of account.

To automate the ‘in-depth’ scanning of these newly found Windows assets on a recurring basis you simply need to:

(1) Create a new ‘Vulnerability Report’ leveraging the ‘Newly Discovered Windows’ Smart Group we created in the previous step.

(2) Schedule the scan to occur sometime after the Discovery Scan, in my case I chose early Sunday Morning. Because we want to capture more detailed vulnerability data (versus our earlier discovery scan), I chose a credentialed scan. Keep in mind you can multi-select as many credentials as you need.

Now we’ll receive a weekly report that contains a Full audit of any newly found Windows machines on my network within the last week.

NOTE: Assuming that the newly found system is part of your managed environment, the credentials supplied will give you a full audit. The available access reports within Retina CS will give you further details as to which systems were unsuccessfully authenticated. These devices may be considered rogue/unauthorized machines.

As you can see, the process of going from a ‘What Next’ after a Discovery Scan can be simplified and more importantly automated to ensure that your investment in your Unified Vulnerability Management solution is keeping you abreast of any newly found devices and possible threats/exposures.

Leave a Reply

Additional articles

How To Implement The Australian Signals Directorate’s Top 4 Strategies

Posted October 20, 2014    Morey Haber

The Australian Signals Directorate (ASD), also known as the Defence Signals Directorate, has developed a list of strategies to mitigate targeted cyber intrusions. The recommended strategies were developed through ASD’s extensive experience in operational cyber security, including responding to serious security intrusions and performing vulnerability assessments and penetration testing for Australian government agencies. These recommendations…

Tags:
, , , ,
asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,