Answering the age-old question, ‘What’s plugged into my network?’
October 9th, 2015
“What’s plugged into my network?” is a question I hear frequently from security administrators. And, really, it’s no surprise why. No longer do we have to account just for the physical servers in our datacenters, workstations and a few network devices. Now we need to keep track of roaming laptops, dynamic virtual systems, off-site cloud deployments and BYOD. Tracking all these devices only gets more difficult when companies go through mergers and acquisitions.
Despite the effort it may take to track and scan all of these devices, IT security admins generally scan only the devices they already know are there. Those devices tend to be easy to reach and generally available. The problem starts with devices that are known to exist but are hard to reach, and a bigger problem still is the devices that go undetected entirely. The challenge, of course, is this: how can I protect my network if I can’t keep track of everything that’s plugged into it? Let’s look at some solutions.
For starters, consider the option to deploy host-based scanners onto roaming, hardened, virtual or firewalled devices. Oftentimes these are the devices that go unassessed as they are completely missed by traditional network-based scanning. Unfortunately, these are also the devices that tend to be on an attacker’s radar. Devices that you may find hard to reach are not always hard to reach by an attacker.
Also consider the use of cloud connectors. Private and public cloud deployments are on the rise, and so is the need to find better and smarter ways to automate how we manage them. The very nature of what makes cloud deployments so attractive directly contributes to how difficult they can be to scan. I’m specifically referring to the elasticity these virtual or cloud offerings provide: it is so easy to power up and power down servers and services as needed to meet our up-to-the-minute needs. This poses a real challenge for traditional network-based scanners. Scanning is a more regimented task that is done during off-hours on a recurring schedule; a system that is powered off when the scan window opens is simply not there to be scanned, so many critical and potentially vulnerable virtual systems go unassessed. Traditional network-based scanners can use cloud connectors to extend their reach and, in turn, facilitate and automate the scanning of all non-physical devices.
The vulnerability management space is seeing a spike in the demand for both host-based vulnerability scanning as well as for solutions that can handle cloud deployments. The spike in demand can be attributed in part to requirements for continuous monitoring and the increase in virtual infrastructures, telecommuters, hardened devices, kiosks and many more systems that are outside the scope of traditional network-based scanning technologies. I recently experienced this demand firsthand when working with a financial institution.
A Real World Scenario
A large financial institution, which will remain nameless for security reasons, was faced with the harsh reality that it was unable to scan and track all virtual systems as they moved through the development, QA and production stages. This meant that they were blind to the number of systems, and the potential vulnerabilities, being introduced into their environment. They did not know when the systems would be powered up, so the systems were rarely detected by a network scan. Additionally, even when they were lucky enough to detect a system, they were unable to track it from development to production. The fact is, they were only able to scan these virtual systems once they were in production. Scanning these systems in production forced a reactive response, whereas if they had been able to detect and track these systems from their infancy, they could have taken a proactive stance on security.
This financial institution implemented both a host-based scanner and a VMware vCenter connector. Host-based scanners were deployed to critical virtual systems and configured to self-scan and forward events to a central console; this meant that every time a dormant critical system was powered up, it would automatically self-assess. The VMware vCenter connector then fed the scheduled network-based scans: it let the scanner know, in real time, which virtual systems were in existence. In essence, every scheduled network scan from then on would always carry a real-time list of virtual systems to target. This financial institution no longer had to react to new systems popping up in production, as they now keep track of them throughout all development stages. As a result, they have reduced their security exposure and moved to a proactive security practice.
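The reconciliation the two pieces above perform (a real-time inventory from the connector plus agent self-scan events deciding what the scheduled scan must cover) is easy to express as a small check. The following is an added example, not code from the original post or from Retina CS; the inventory, event records and field names are constructed for illustration and do not reflect any real connector's schema.

```python
from datetime import datetime, timedelta

# Constructed sample inventory, in the shape a cloud connector (e.g. vCenter) might
# report it. Field names and values are assumptions made for this example.
VCENTER_INVENTORY = [
    {"name": "app-dev-01",  "power": "poweredOn",  "ip": "10.0.1.10", "stage": "development"},
    {"name": "app-qa-01",   "power": "poweredOn",  "ip": "10.0.2.10", "stage": "qa"},
    {"name": "app-prod-01", "power": "poweredOn",  "ip": "10.0.3.10", "stage": "production"},
    {"name": "db-prod-02",  "power": "poweredOff", "ip": "10.0.3.20", "stage": "production"},
]

# Static target list a traditional scheduled network scan was configured with
# (only the production system that was already known).
STATIC_SCAN_TARGETS = {"10.0.3.10"}

# Constructed self-assessment events forwarded by host-based agents to the console.
AGENT_EVENTS = [
    {"host": "app-prod-01", "scanned_at": "2015-10-08T02:00:00"},
    {"host": "app-dev-01",  "scanned_at": "2015-09-01T02:00:00"},  # stale report
]


def dynamic_targets(inventory):
    """Real-time target list for the next scheduled scan: every powered-on VM with an
    address, regardless of which stage (dev, QA, production) it is in."""
    return sorted(vm["ip"] for vm in inventory
                  if vm["power"] == "poweredOn" and vm.get("ip"))


def coverage_gaps(inventory, static_targets, agent_events, now, max_age_days=7):
    """Powered-on VMs covered by neither the static scan list nor a recent agent
    self-scan. Returns (name, stage) so the gap can be traced to its lifecycle stage."""
    cutoff = now - timedelta(days=max_age_days)
    recently_assessed = {
        ev["host"] for ev in agent_events
        if datetime.fromisoformat(ev["scanned_at"]) >= cutoff
    }
    gaps = []
    for vm in inventory:
        if vm["power"] != "poweredOn":
            continue  # dormant: it self-assesses via its agent when powered up
        if vm["ip"] in static_targets or vm["name"] in recently_assessed:
            continue
        gaps.append((vm["name"], vm["stage"]))
    return gaps


if __name__ == "__main__":
    now = datetime(2015, 10, 9)
    print("targets:", dynamic_targets(VCENTER_INVENTORY))
    print("gaps:", coverage_gaps(VCENTER_INVENTORY, STATIC_SCAN_TARGETS, AGENT_EVENTS, now))
```

With the constructed data, the static scan alone would miss both the development and QA systems, while the connector-driven target list picks them up and the gap report flags the dev host whose agent has not reported within the week.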
Retina CS Offers Zero-Gap Coverage
Able to discover and assess any IT resource in your organization, Retina CS offers zero-gap vulnerability management coverage of the largest, most diverse IT environments. Agentless and agent-based scanning protects assets, whether they are connected to your network or not. Cloud connectors are available for Amazon AWS, IBM SmartCloud, GoGrid, Rackspace and VMware vCenter.
By implementing Retina CS organizations are able to take advantage of its diverse offering to find what’s on the network, prioritize and fix vulnerabilities, and reduce overall security risk. If you would like to know more about Retina CS discovery and assessment capabilities, contact us today.
Author: Alex DaCosta, Product Manager, Retina CS