BeyondTrust

Security in Context: The BeyondTrust Blog


What Comes After Discovery – Rediscovery and Scan

Posted August 15, 2011    Jerome Diggs

Over the next few blog posts I’ll show you ways to leverage your investment in Retina CS to help automate and streamline various scenarios I run into in the field. One common scenario I see quite often happens when customers are first implementing a vulnerability management solution into their organization. I call this the ‘What Next’ phenomenon.

After the initial ‘Discovery Scan’, customers ask: how can I discover any new systems that show up on the radar, and, more importantly, how can I be made aware of these devices and do additional scanning on them? From here things can get more complex, but in today’s blog we’ll give you a few quick tips on how to overcome this seemingly daunting task.

Let’s assume you’re being diligent and performing a discovery scan on a weekly basis against a rotating list of IP addresses (or network segments). This is a very easy process to perform within Retina CS:

1 – Create your address groups that contain the network segments of interest.

2 – Create a Smart Rule that leverages the address group created above. In this example we use a simple rule with that address group as its only criterion and an action of ‘Show assets as Smart Group.’ This will allow us to target the Charlotte Office for our scheduled discovery scans.

NOTE: A Smart Rule can be made up of multiple criteria and actions, which makes Smart Rules very useful for focusing in on specific assets and triggering multiple actions when those assets are located.

3 – Using the built-in Discovery Scan and the Smart Group we just created, we are now ready to schedule our Discovery Scan of the Charlotte Office network to occur on a weekly basis.

In the screenshot below I’ve named the scan job after what my scheduled scan is performing. I’ve selected one of my distributed scanners located in that office, and I’ve set my scheduled scan to initiate at 2:00 AM Saturday morning on a weekly basis.

Now that my recurring scan is set up, I want to determine if any new assets (broken down by operating system) are found on my network within the last week. A couple of additional actions I’ve chosen are to email the local admin of the newly found devices and to generate a ticket and assign it to the team responsible for that segment of the network for further investigation and incident tracking.

Here are some general steps and ideas on how to accomplish such a task:

1 – Create a new Smart Rule that uses the criteria Asset Fields, First Discovery Date, Operating System, and Is Any Of. Select the operating systems of interest. Keep in mind you can multi-select OSes or leave this criterion out altogether.

For my example I chose Windows, as I will create a scheduled scan that will use this smart rule to perform more in-depth scanning of these assets. This ensures I’m keeping an accurate account of these machines on my network.

2 – For my ‘Perform Actions’ I’ve chosen to: (1) Show assets as Smart Group, (2) Send an email with a list of assets (to my Charlotte admin team), and (3) Create Ticket (assigned to my Charlotte admin team) to keep a record.

To automate the ‘in-depth’ scanning of these newly found Windows assets on a recurring basis you simply need to:

(1) Create a new ‘Vulnerability Report’ leveraging the ‘Newly Discovered Windows’ Smart Group we created in the previous step.

(2) Schedule the scan to occur sometime after the Discovery Scan; in my case I chose early Sunday morning. Because we want to capture more detailed vulnerability data (versus our earlier discovery scan), I chose a credentialed scan. Keep in mind you can multi-select as many credentials as you need.

Now we’ll receive a weekly report containing a full audit of any newly found Windows machines on my network within the last week.

NOTE: Assuming the newly found system is part of your managed environment, the credentials supplied will give you a full audit. The access reports available within Retina CS will give you further details on which systems could not be authenticated to. Those devices may be considered rogue/unauthorized machines.
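To make the selection logic of the two Smart Rules above (and of the closing NOTE) checkable by hand, here is an added example in Python. It is not Retina CS code and not a Retina API: Retina CS implements all of this with Smart Rules, scheduled scans and access reports. The script applies the same criteria (First Discovery Date within the last week, Operating System Is Any Of the chosen OSes) to a constructed asset inventory, groups the results by OS, builds the email and ticket payloads for the responsible team, and lists the assets the credentialed audit could not log in to. The inventory, the 192.0.2.0/24 segment, the charlotte-admins@example.com address and every function name are assumptions made for this example.

```python
"""Rediscovery triage, mirroring the post's Smart Rule logic.

Added example, not Retina CS code or a Retina API. The inventory, the segment
ownership and the team address below are constructed for illustration.
"""
import ipaddress
from datetime import date, timedelta

# Constructed sample inventory (documentation-range addresses, not real hosts).
# Each record carries the fields the post's Smart Rule keys on, plus the
# outcome of the follow-up credentialed audit.
INVENTORY = [
    {"ip": "192.0.2.10", "os": "Windows", "first_discovered": date(2011, 8, 13), "authenticated": True},
    {"ip": "192.0.2.11", "os": "Windows", "first_discovered": date(2011, 8, 13), "authenticated": False},
    {"ip": "192.0.2.20", "os": "Linux",   "first_discovered": date(2011, 8, 13), "authenticated": True},
    {"ip": "192.0.2.30", "os": "Windows", "first_discovered": date(2011, 7, 2),  "authenticated": True},
]

# Constructed mapping of network segment -> responsible team (hypothetical address).
SEGMENT_OWNERS = {"192.0.2.0/24": "charlotte-admins@example.com"}


def newly_discovered(inventory, as_of, days=7, os_filter=None):
    """Smart Rule equivalent: First Discovery Date within `days` of `as_of`
    and Operating System Is Any Of `os_filter` (None means any OS)."""
    cutoff = as_of - timedelta(days=days)
    return [
        a for a in inventory
        if a["first_discovered"] >= cutoff
        and (os_filter is None or a["os"] in os_filter)
    ]


def group_by_os(assets):
    """Break the new assets down by operating system, as the post does."""
    groups = {}
    for a in assets:
        groups.setdefault(a["os"], []).append(a["ip"])
    return groups


def owner_for(ip, owners):
    """Find the team responsible for the segment an address falls in."""
    addr = ipaddress.ip_address(ip)
    for network, team in owners.items():
        if addr in ipaddress.ip_network(network):
            return team
    return "unassigned"


def build_actions(assets, owners):
    """The post's 'Perform Actions': one email and one ticket per responsible
    team, each listing the newly discovered assets on that team's segment."""
    by_team = {}
    for a in assets:
        by_team.setdefault(owner_for(a["ip"], owners), []).append(a["ip"])
    emails = [
        {"to": team, "subject": "Newly discovered assets (last 7 days)", "assets": sorted(ips)}
        for team, ips in by_team.items()
    ]
    tickets = [
        {"assignee": team, "title": f"Investigate {len(ips)} newly discovered asset(s)", "assets": sorted(ips)}
        for team, ips in by_team.items()
    ]
    return emails, tickets


def unauthenticated(assets):
    """Assets the credentialed audit could not log in to: the candidates for
    rogue/unauthorized review described in the post's closing NOTE."""
    return [a["ip"] for a in assets if not a["authenticated"]]


def weekly_summary(inventory, as_of, owners, os_filter=frozenset({"Windows"})):
    """One weekly run: Smart Group membership, OS breakdown, actions, auth failures."""
    new_assets = newly_discovered(inventory, as_of, os_filter=os_filter)
    emails, tickets = build_actions(new_assets, owners)
    return {
        "smart_group": sorted(a["ip"] for a in new_assets),
        "by_os": group_by_os(newly_discovered(inventory, as_of)),
        "emails": emails,
        "tickets": tickets,
        "unauthenticated": unauthenticated(new_assets),
    }


def demo():
    """Run the summary against the constructed inventory for the week ending 2011-08-15."""
    return weekly_summary(INVENTORY, date(2011, 8, 15), SEGMENT_OWNERS)


if __name__ == "__main__":
    summary = demo()
    print("Newly discovered, by OS:", summary["by_os"])
    print("'Newly Discovered Windows' Smart Group:", summary["smart_group"])
    for e in summary["emails"]:
        print("EMAIL ->", e["to"], e["assets"])
    for t in summary["tickets"]:
        print("TICKET ->", t["assignee"], t["title"])
    print("Could not authenticate (review as possible rogue):", summary["unauthenticated"])
```

The asset that was first seen in July drops out of the weekly window, the Linux host is excluded by the OS filter but still appears in the per-OS breakdown, and the one Windows host that rejected the supplied credentials is the one the access report would surface for a rogue/unauthorized review.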

As you can see, the ‘What Next’ that follows a Discovery Scan can be simplified and, more importantly, automated, so that your investment in a Unified Vulnerability Management solution keeps you abreast of any newly found devices and the threats/exposures they may carry.
