BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

What Comes After Discovery – Rediscovery and Scan

Post by Jerome Diggs August 15, 2011

Over the next few blog posts I’ll show you ways to leverage your investment in Retina CS to help automate and streamline various scenarios I run into in the field. One common scenario I see quite often happens when customers are first implementing a vulnerability management solution into their organization. I call this the ‘What Next’ phenomenon.

After the initial ‘Discovery Scan’ customers ask, how can I discover any new systems that may show up on the radar and more importantly, how can I be made aware of these devices and do additional scanning? From here, things can get more complex but in today’s blog we’ll give you a few quick tips on how to overcome this seemingly daunting task.

Let’s assume you’re being diligent and performing a discovery scan on a weekly basis on a rotating list of IP Addresses (or network segments). This is a very easy process to perform within Retina CS:

1 – Create your address groups that contain the Network segments of interest.

2 – Create a Smart Rule that will leverage the address group created above. In this example we are using a simple rule using the address group created above and using an action of ‘Show assets as Smart Group.’ This will allow us to target the Charlotte Office for our scheduled discovery scans.

NOTE: A smart rule can be comprised of multiple criteria and actions therefore making them very useful for focusing in on specific assets and determining multiple actions when those assets are located.

3- Using the built-in Discovery Scan and the Smart Group we just created, we are now ready to schedule or Discovery scan of the Charlotte Office network to occur on a weekly basis.

In the screenshot below I’ve named the scan job after what my scheduled scan is performing. I’ve selected one of my distributed scanners located in that office and I’ve set my scheduled scan to initiate at 2:00AM Saturday morning on a weekly basis.

Now that my recurring scan is set up, I want to determine if any new assets (broken down by operating system) are found on my network within the last week. A couple of additional actions I’ve chosen are to email the local admin of the newly found devices and to generate a ticket and assign it to the team responsible for that segment of the network for further investigation and incident tracking.

Here are some general steps and ideas on how to accomplish such a task:

1 – Create a new smart rule that uses the criteria: Asset Fields, First Discovery Date,  Operating System, and Is Any Of. Select the operating systems of interest. Keep in mind you can multi-select OS’s or leave this criteria out all together.

For my example I chose Windows, as I will create a scheduled scan that will use this smart rule to perform more in-depth scanning of these assets. This ensures I’m keeping an accurate account of these machines on my network.

2- For my ‘Perform Actions’ I’ve chosen to: (1) Show assets as Smart Group, (2) Send an email with a list of assets (to my Charlotte admin team), (3) Create Ticket (assigned to my Charlotte admin team) to keep a record of account.

To automate the ‘in-depth’ scanning of these newly found Windows assets on a recurring basis you simply need to:

(1) Create a new ‘Vulnerability Report’ leveraging the ‘Newly Discovered Windows’ Smart Group we created in the previous step.

(2) Schedule the scan to occur sometime after the Discovery Scan, in my case I chose early Sunday Morning. Because we want to capture more detailed vulnerability data (versus our earlier discovery scan), I chose a credentialed scan. Keep in mind you can multi-select as many credentials as you need.

Now we’ll receive a weekly report that contains a Full audit of any newly found Windows machines on my network within the last week.

NOTE: Assuming that the newly found system is part of your managed environment, the credentials supplied will give you a full audit. The available access reports within Retina CS will give you further details as to which systems were unsuccessfully authenticated. These devices may be considered rogue/unauthorized machines.

As you can see, the process of going from a ‘What Next’ after a Discovery Scan can be simplified and more importantly automated to ensure that your investment in your Unified Vulnerability Management solution is keeping you abreast of any newly found devices and possible threats/exposures.

Leave a Reply

Additional articles

BI-5.1-user-asset-visibility-img

Understanding Who Has Access to What with BeyondInsight v5.1

Today, it’s my pleasure to introduce you to BeyondInsight version 5.1, the latest release of our IT Risk Management platform, which unifies several of our solutions for Privileged Account Management and Vulnerability Management. BeyondInsight v5.1 embodies BeyondTrust’s mission to give our customers the visibility they need to make smart decisions and reduce risk to their…

Post by Morey Haber April 15, 2014
Tags:
, , , , , , , , , , , ,

PowerBroker for Unix & Linux Now Available via Web Services

This week BeyondTrust released a fully functional Web Services interface (REST API) for its PowerBroker for Unix & Linux product.  With this new feature users of the solution will now be able to remotely and securely configure and retrieve data via the API.  The Web Services interface implemented by BeyondTrust is an industry standard that…

Post by Paul Harper April 10, 2014
Tags:
, , , , ,

Heartbleed – When OpenSSL Breaks Your Heart

You’ve likely heard about the recent OpenSSL vulnerability, CVE-2014-0160, dubbed Heartbleed. The main takeaway of this vulnerability is that attackers can use this to obtain things like secret keys used for X.509 certificates, user names and passwords, instant messages, emails, and other highly sensitive information. For a technical analysis of the bug, check out this…

Post by BeyondTrust Research Team April 8, 2014
Tags:
, , ,