The Value of Fully Integrated Credentialed Vulnerability Scans

Alejandro DaCosta, April 10th, 2017


Too Many Credentials

In most organizations, no single set of credentials is used across the entire enterprise. Instead, multiple shared credentials let privileged users access specific applications, devices, etc. and perform certain activities on those systems. This can be a problem when scheduling vulnerability scans. To complete vulnerability scans for all systems, administrators face a choice: they can either provide multiple credentials to one scan job, in the hope that the best credentials are used against each target, or they must create very targeted single-credential scans to increase the chance that scans are performed thoroughly. Without some sort of automation, though, neither option is all that great for the admin.

Scans Must Be Authenticated

While unauthenticated scans provide a valuable outsider’s view of your network, they tend to miss the majority (75%) of vulnerabilities within a target environment, making credentialed scans a must for those seeking to get a true picture of their risk. Some organizations, however, are concerned about internally sharing the high-privileged credentials required to uncover threats such as missing security patches and unauthorized applications. While using Retina Host Security Scanner to perform agent-based scanning solves many of these challenges, the reality is that deploying an agent is not always feasible.

Why Unified Vulnerability Scanning With Privileged Password Management Makes Sense

BeyondTrust has overcome this challenge with a feature called “Smart Credentials.” This capability is enabled by default and, when multiple scan credentials are provided, causes Retina to select from PowerBroker Password Safe the credentials with the highest level of privileges on each scan target. This capability improves the efficiency of scanning, making scanning much more thorough than with other solutions available in the market. Additionally, using Password Safe eliminates the concern of internally sharing highly privileged credentials or having static, never-changing scan credentials.

While other competitive scanners have ad-hoc integrations with various password tools, only a fully-integrated solution ensures that there are no gaps in coverage, no unnecessary risks, and no manual effort in rotating scan credentials.

For a representation of this fully-integrated feature, please see the screenshot below, and for a complete guide to how this capability works, watch the brief 2-minute video demonstration.

For more on BeyondTrust’s fully-integrated privileged access management platform, PowerBroker, and how it can address your most complex privileged access management challenges, contact us today.