Take a moment and ask yourself: am I seeing everything I need to see from my scan targets by doing only unauthenticated scans? If it worries you that you cannot be sure you are getting as much coverage as possible from the scans of your endpoints, then your search has landed on the correct page. Clients often ask what they should be scanning and how they should conduct the scanning process. The simple answer is: scan everything, for everything, all the time, as thoroughly as possible. That means scan anything with an IP address: web apps, servers, workstations, networking gear, phones, printers, and so on. Scan frequently, using credentials for the target, so that the data collected is as fresh as possible. We have to remember that Reporting and Scanning are two completely different lifecycles and maturity levels for a Vulnerability Management (VM) program.
Using credentials, or what is known as "authenticated scanning", is the only way to get the complete picture of the environment.
If you are not doing this regularly, you do not see the complete picture of each system.
Why is Authentication important?
Using host authentication (trusted scanning) allows our service to log in to each target system during scanning. For this reason, we can perform in-depth security assessments and get better visibility into each system's security posture. Running authenticated scans gives you the most accurate results with fewer false positives.
Benefits of Authenticated Scanning
Maintenance periods are few and far between, so being able to fix as much as possible in one period, by having a complete view of the asset, is a smart use of resources.
- Complete Patch Audit - Relying solely on your patching solution to audit and report on what is patched or not is a mistake. A patch solution has narrowly defined goals: "has the patch been deployed, and do I register it as installed?" Qualys, through authenticated scanning, verifies more on the endpoint than the installed-package list; it also checks whether the endpoint is flagged for a reboot. Many updates require a reboot: the patch is staged on the endpoint, and only on reboot can the core system files that must be unhooked be replaced. If the patching solution says "patched" but the machine says it needs a reboot, the endpoint is still vulnerable until it is rebooted. Such mistakes can leave organizations exposed to a large number of unpatched vulnerabilities. Think of this as the fox guarding the hen house; having a check and balance ensures the best possible view.
- Many Potential vulnerabilities are converted to Confirmed vulnerabilities. Authentication saves time chasing down Potential vulnerabilities and assists in prioritizing Confirmed vulnerabilities (see Confirmed vs Potential).
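To make the patch-audit point concrete, here is an added example (not Qualys code, and not the scanner's real detection logic) that reconciles what a patching tool reports with what an authenticated scan can observe on the host: the on-disk version of the files a patch replaces and whether a reboot is still outstanding. The hosts, KB number, file names and versions are constructed placeholders.

```python
"""Reconcile a patching tool's "installed" status against host state that a
credentialed scan can read: file versions on disk and a pending-reboot flag.
Added example, not Qualys code; all sample values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PatchSpec:
    kb: str                       # placeholder patch identifier
    fixed_files: Dict[str, str]   # file -> minimum version once the patch is live


@dataclass
class HostObservation:
    host: str
    tool_status: str               # what the patching tool reports: "installed" or "missing"
    file_versions: Dict[str, str]  # versions read from disk using credentials
    reboot_pending: bool           # reboot-required marker observed during the scan
    pending_renames: List[str] = field(default_factory=list)  # files queued for replacement at boot


def version_tuple(v: str):
    """'10.0.2' -> (10, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def effective_status(obs: HostObservation, spec: PatchSpec) -> str:
    """Classify one host against one patch.
    patched                - files on disk meet the fixed versions, nothing outstanding
    staged_reboot_required - tool says installed, but the fix is not live until reboot
    install_not_reflected  - tool says installed, yet nothing on disk shows it (investigate)
    missing                - the tool itself says the patch is absent
    """
    if obs.tool_status != "installed":
        return "missing"
    files_current = all(
        version_tuple(obs.file_versions.get(f, "0")) >= version_tuple(minv)
        for f, minv in spec.fixed_files.items()
    )
    # A pending reboot means the staged files are not the ones being executed yet,
    # so the host is treated as exposed even if the tool already counts it as done.
    if obs.reboot_pending or obs.pending_renames:
        return "staged_reboot_required"
    if files_current:
        return "patched"
    return "install_not_reflected"


def audit(observations: List[HostObservation], spec: PatchSpec) -> Dict[str, str]:
    return {o.host: effective_status(o, spec) for o in observations}


def still_vulnerable(statuses: Dict[str, str]) -> List[str]:
    """Hosts the patching tool may count as done but that are still exposed."""
    return sorted(h for h, s in statuses.items() if s != "patched")


# Constructed sample data: one patch, four hosts in different states.
SPEC = PatchSpec(kb="KB-PLACEHOLDER-1", fixed_files={"core.dll": "10.0.2"})
SAMPLE = [
    HostObservation("ws01", "installed", {"core.dll": "10.0.2"}, reboot_pending=False),
    HostObservation("ws02", "installed", {"core.dll": "10.0.1"}, reboot_pending=True),
    HostObservation("ws03", "missing",   {"core.dll": "10.0.1"}, reboot_pending=False),
    HostObservation("ws04", "installed", {"core.dll": "10.0.1"}, reboot_pending=False),
]

if __name__ == "__main__":
    result = audit(SAMPLE, SPEC)
    for host, status in result.items():
        print(f"{host}: {status}")
    print("still vulnerable:", still_vulnerable(result))
```

The patching tool alone would report three of the four hosts as patched; the reconciled view shows only ws01 is, which is exactly the gap between "deployed" and "effective" that the paragraph describes.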
Authenticated scans give you the most accurate results with fewer false positives.
There are vulnerabilities in our knowledge base that can only be tested via authentication or the Cloud Agent on the target host. With this knowledge, one can better assess how to prioritize remediation efforts, saving time and money.
Information gathering is much more robust. One can leverage AssetView to quickly discover, among other things, the applications, services, and open ports on any host on which you are performing authenticated/trusted scans. Screenshot below:
There are multiple other reasons as follows:
- Patch Supersedence - The patch report relies on the ability to calculate patch supersedence accurately. If you aren't scanning for all of the underlying vulnerabilities, supersedence may not be calculated adequately because of the lack of visibility into the host. (Example: if 10 patches supersede each other and we only scan for 6 of them, unexpected results may occur.)
- Best Practice - We recommend scanning everything for everything all the time and then filtering at the reporting level. We have to remember that Reporting and Scanning are two completely different lifecycles and maturities for a VM program. This keeps complete, up-to-date vulnerability information in the database whether or not you choose to report on it, giving you full visibility into the asset's vulnerability posture. If, after you've scanned, you require more information to report on, no new scan is required, only a new report. As a further benefit of authenticated scanning, customers can prioritize threats using ThreatProtection.
- Tagging - As you know, Qualys gives you the ability to create both static and dynamic tags. Dynamic tagging enables the service to place tags on devices based upon defined criteria detected on the hosts. As you evolve your Vulnerability Management service, it's very likely that you'll want to leverage the tagging engine to create more advanced dashboards, prioritization, and reporting. To use it to its fullest, you'll want to make sure Qualys is discovering everything it can so that it's available to the tagging engine.
- The maturity of your Vulnerability Management Program - CMMI models clearly show a staged-representation approach, with five maturity levels designated by the numbers 1 through 5.
CMMI Staged Representation of Maturity Levels = Maturity Level of a Vulnerability Management Program
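The supersedence item above ("10 patches supersede each other, we only scan for 6") is easiest to see with a small simulation. The following is an added example, not Qualys's patch-report logic: it assumes a linear chain in which each patch replaces the one before it, that each patch fixes one check (labelled with constructed QID-style IDs), and that a patch is only collapsed into its successor when the successor is itself confirmed missing by a detection. The patch and QID identifiers are placeholders.

```python
"""Show how partial scan coverage changes a supersedence-based patch
recommendation. Added example, not Qualys code; identifiers are constructed."""
from typing import Dict, Optional, Set

# Constructed chain: PATCH-2 supersedes PATCH-1, ..., PATCH-10 supersedes PATCH-9.
PATCHES = [f"PATCH-{i}" for i in range(1, 11)]
SUPERSEDED_BY: Dict[str, Optional[str]] = {PATCHES[i]: PATCHES[i + 1] for i in range(9)}
SUPERSEDED_BY[PATCHES[9]] = None

# One constructed check per patch: the QID fires when that patch is missing.
QID_FOR_PATCH = {p: f"QID-{1000 + i}" for i, p in enumerate(PATCHES, start=1)}
PATCH_FOR_QID = {q: p for p, q in QID_FOR_PATCH.items()}

ALL_QIDS: Set[str] = set(PATCH_FOR_QID)                           # full knowledge base
PARTIAL_QIDS: Set[str] = {QID_FOR_PATCH[p] for p in PATCHES[:6]}  # only 6 of 10 scanned


def scan(host_missing_patches: Set[str], scanned_qids: Set[str]) -> Set[str]:
    """Simulated detection: a QID is reported only if it was scanned for and the
    host really is missing the matching patch."""
    return {q for q in scanned_qids if PATCH_FOR_QID[q] in host_missing_patches}


def recommend(detected_qids: Set[str]) -> Set[str]:
    """Collapse detections to the newest patch(es) to install. A patch is replaced
    by its successor only when the successor is itself confirmed missing, so the
    walk up the chain stops at the last patch the scan could actually see."""
    detected_patches = {PATCH_FOR_QID[q] for q in detected_qids}
    heads: Set[str] = set()
    for p in detected_patches:
        while SUPERSEDED_BY.get(p) in detected_patches:
            p = SUPERSEDED_BY[p]
        heads.add(p)
    return heads


def is_stale(patch: str) -> bool:
    """A recommendation is stale if a newer patch already supersedes it."""
    return SUPERSEDED_BY.get(patch) is not None


def compare(host_missing_patches: Set[str]):
    """Return (full-coverage recommendation, partial-coverage recommendation)."""
    full = recommend(scan(host_missing_patches, ALL_QIDS))
    partial = recommend(scan(host_missing_patches, PARTIAL_QIDS))
    return full, partial


if __name__ == "__main__":
    # Host A is missing the entire chain; Host B already has PATCH-6 and earlier.
    host_a = set(PATCHES)
    host_b = set(PATCHES[6:])
    for name, missing in (("host A", host_a), ("host B", host_b)):
        full, partial = compare(missing)
        print(f"{name}: full coverage -> {sorted(full)}, partial -> {sorted(partial)}",
              "(stale)" if any(is_stale(p) for p in partial) else "")
```

With full coverage both hosts resolve to PATCH-10. With only six checks scanned, host A is told to install PATCH-6, which is already superseded, and host B shows no detections at all and looks fully patched. Those are the two "unexpected results" the item warns about.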
Leveraging the Complete Knowledge Base
There are also countless intangible reasons for using the complete KB during scanning, including the following.
- A detailed inventory of what is really in your environment: software, applications, ports, vulnerabilities, etc.
- Better integrations with 3rd party applications, IDS, IPS, SIEM, GRC, etc.
- Greater visibility with other teams/groups inside your organization. As an example, Incident Response can log in to Qualys to see the state of a system and prepare a response to prevent further incidents. This also adds a reason for increasing scan frequency.
- Audit Controls - Pick something and begin to report on it rather than having to wait until the next scan cycle.
Looking for additional Qualys documentation? Use the Resources link in the Qualys Portal (Help > Resources).
Documentation specific to authenticated scanning:
In this link, you can search for supported technologies and authentication methods.
Dissolvable Agent usage benefits:
- Understanding the Windows Dissolvable Agent
- Eliminates the dependency on the remote registry service.
- Enables the scan to extract more data from the registry.
Potential vs Confirmed Vulnerabilities:
- Scanning Strategies and Best Practices
- Self-Paced Class: Reporting Strategies and Best Practices
- Asset Tags: Are You Getting The Best Value?
Additional AssetView Dashboards: #performance_mgmt