In the 5.13 release of Nexpose, you will notice some new functionality when configuring a site. In addition to scanning individual addresses or ranges of addresses, as in the past, you can now select asset groups as the targets of a site.
Traditionally, the recommendation has been to scan an entire network or set of networks rather than to specify targets individually. This ensures proper coverage and avoids having to continually reconcile a master asset list against what is actually being scanned in Nexpose. That said, customers often need to scan targeted groups of assets, typically because of change control requirements and scan windows: for example, all assets belonging to Application A, or all Windows or all Linux assets, in a given site and on a given schedule. The following use case shows how to combine existing Nexpose functionality with the new asset group scanning to meet that need while keeping the configuration self-maintaining.
The customer datacenter has multiple networks with a mix of assets: Windows and Linux hosts, routers, switches, and so on. The requirement is to scan all assets of the same platform type on a defined scan schedule.
Create a discovery scan site covering the desired network ranges in the datacenter. Run the discovery to identify and fingerprint all assets in the datacenter, then schedule it to run periodically so that newly connected assets are picked up.
Note: For more accurate OS fingerprinting, define credentials for each asset/platform type and select at least one vulnerability check in the discovery scan template. With a check enabled, Nexpose actually authenticates with the supplied credentials, and an authenticated fingerprint is far more reliable than one inferred from the network alone. Check the fingerprint certainty reported for each asset; an asset that could not be fingerprinted with high certainty will not land in the correct group.
Create a dynamic asset group based on the discovery site results and filter on OS. Create one dynamic asset group for each platform type or grouping you want to scan separately. You can get creative and combine asset tags with the dynamic asset group criteria to get more granular and group on asset context (e.g. assets that belong to Finance, or assets marked as critical).
Create a new site and, under the Assets heading, select the newly created dynamic asset group (e.g. Windows Server Assets).
Schedule the site to run at the desired time.
What you end up with is a discovery scan that regularly identifies assets on changing networks. The discovery feeds the dynamic asset groups by platform or other desired grouping, keeping the membership of those groups current and accurate. The sites built on those asset groups can then be scanned on whatever schedule you need, without anyone maintaining target lists by hand.
One thing to be aware of is that when you scan an asset group, its assets may not all belong to the same site and may previously have been scanned by different scan engines deployed across your environment. In the site configuration, note the option to scan all assets with either a selected engine, or with the last engine that scanned each asset. If you pick a single selected engine, make sure it has network reachability to every asset the group can contain; otherwise, the "last engine" option keeps each asset on the engine that already reached it during discovery.
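To make the mechanics concrete, here is an added Python model of the pipeline described above. It is not Nexpose code and does not use the Nexpose API; it uses a constructed set of discovery results (hypothetical IPs, sites, engine names and tags) to show how an OS-filtered group is recomputed from the latest discovery run, how tag criteria narrow it, and how the per-asset scan engine is resolved when a group spans several sites. The `min_certainty` threshold is a hypothetical knob standing in for the fingerprint certainty you would check in the console.

```python
"""Model of discovery -> dynamic asset group -> site scan (added example, not Nexpose code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    ip: str
    os: str              # OS fingerprint, e.g. "Microsoft Windows Server 2012 R2"
    certainty: float     # fingerprint certainty reported by discovery, 0.0 - 1.0
    site: str            # site whose scan last saw this asset
    last_engine: str     # engine that ran that scan
    tags: frozenset = field(default_factory=frozenset)


# Constructed discovery results (hypothetical data, not from a real console).
DISCOVERY = [
    Asset("10.1.1.10", "Microsoft Windows Server 2012 R2", 1.00, "DC-A", "engine-a", frozenset({"Finance"})),
    Asset("10.1.1.11", "Microsoft Windows Server 2008 R2", 0.85, "DC-A", "engine-a", frozenset({"Finance", "critical"})),
    Asset("10.2.2.20", "Ubuntu Linux 14.04", 1.00, "DC-B", "engine-b", frozenset({"critical"})),
    Asset("10.2.2.21", "Cisco IOS 15", 0.70, "DC-B", "engine-b"),
    Asset("10.3.3.30", "Microsoft Windows 7", 0.55, "DC-C", "engine-c"),  # unauthenticated, low certainty
]

# A later discovery run: one Windows host was rebuilt as Linux and a new host appeared.
DISCOVERY_RUN2 = [a for a in DISCOVERY if a.ip != "10.3.3.30"] + [
    Asset("10.3.3.30", "CentOS Linux 7", 1.00, "DC-C", "engine-c"),
    Asset("10.1.1.12", "Microsoft Windows Server 2012 R2", 1.00, "DC-A", "engine-a"),
]


def dynamic_group(assets, os_contains, min_certainty=0.0, required_tags=()):
    """Recompute group membership from the latest discovery results.

    Mirrors a dynamic asset group criterion of "OS contains <text>" combined
    with "has every tag in required_tags". min_certainty is a hypothetical
    threshold: assets whose fingerprint is weaker than this are excluded so
    that a poorly fingerprinted host cannot be scanned with the wrong template.
    """
    needle = os_contains.lower()
    wanted = set(required_tags)
    return sorted(
        (a for a in assets
         if needle in a.os.lower()
         and a.certainty >= min_certainty
         and wanted <= a.tags),
        key=lambda a: a.ip,
    )


def resolve_engines(group, selected_engine=None):
    """Return {ip: engine} for a site that scans this group.

    selected_engine=None models the "last engine to scan each asset" option;
    a name models "scan all assets with the selected engine".
    """
    return {a.ip: (selected_engine or a.last_engine) for a in group}


def engines_in_use(group):
    """Distinct engines that last scanned the members of a group; more than
    one means the group spans sites served by different engines."""
    return {a.last_engine for a in group}


if __name__ == "__main__":
    windows = dynamic_group(DISCOVERY, "Windows", min_certainty=0.8)
    print("Windows group:", [a.ip for a in windows])
    print("engines spanned:", engines_in_use(dynamic_group(DISCOVERY, "Windows")))
    print("last-engine plan:", resolve_engines(dynamic_group(DISCOVERY, "Windows")))
    print("after rerun:", [a.ip for a in dynamic_group(DISCOVERY_RUN2, "Windows")])
```

Running the script shows the point of the note about engines: with no certainty threshold, the Windows group contains a host from DC-C that was last reached by `engine-c`, so a site that forces `engine-a` would only work if that engine can route to DC-C. The second discovery run also shows the self-maintaining behaviour: the rebuilt host drops out of the Windows group and into the Linux group, and the new host is included without any manual edit to the site.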