Last updated at Sat, 20 Jan 2024 20:43:05 GMT

With the launch of Nexpose Now in June, we've talked a lot about the “passive scanning trap” and, by comparison, “live assessment”. You may be thinking: what does that actually mean? Good question.

There has been confusion between continuous monitoring and continuous vulnerability assessment, and I'd like to propose that a new term, “continuous risk monitoring”, be used instead; that is where Adaptive Security and Nexpose Now fit. The goal of a vulnerability management program is to understand your risk from vulnerabilities and manage it effectively, based on what is acceptable to your organization.

First ask, “What does ‘Continuous Monitoring’ actually mean?”

“Continuous” admits that our networks, and the systems on them, are not static. System configurations change, users install software, admins deploy new systems. Users move around the building, plug into network jacks, or leave devices plugged in.

“Monitoring” speaks to the need to answer the questions “What is on my network?” and “Are the systems on my network patched and configured in a way we are comfortable with?” Because these things change continuously, we need to be able to monitor them continuously to stay secure.

Then ask, “How are other folks using this ‘continuous monitoring’ concept?”

There are different definitions from best practices and regulatory standards that use the word “continuous”, such as the SANS (now CIS) Critical Security Controls and NIST's guidance on information security continuous monitoring (SP 800-137).

The definitions vary.

  • SANS says “Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores”.
  • NIST says “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

With that said, the intent behind “continuous” is the same: to give you actionable visibility into the risk in your environment that is as close to real time as possible, so that you ultimately reduce your risk of a breach. (Side note: Rapid7 was also recently recognized as the top company for meeting the SANS top 20 controls, so this is just one of 19 controls we can help with!)

Many Approaches Available

There are different approaches to continuous risk monitoring, ranging from running back-to-back vulnerability scans, to passively finding vulnerabilities in network traffic, to running event-driven vulnerability assessments.

Back-to-Back Scans

This approach is an endless loop of vulnerability scans: when one scan finishes, you start another. While it gives you a complete picture of the risk on your network at the end of each cycle, you have a potential blind spot in your risk posture between the time a scan starts and the time it ends. Not only is this noisy and expensive in terms of network bandwidth, but a risky asset could join and leave the network during that window without your knowledge.

Passively identifying vulnerabilities using network traffic

The other approach to continuously monitoring risk is to place network sniffers throughout your network and infer vulnerabilities from the traffic they observe. This sounds pretty good, but it is limited: it relies only on cleartext traffic, so the volume of vulnerabilities it can identify is small compared to active vulnerability scanning, and inferring versions from observed traffic is more likely to generate false positives that need to be tracked down and explained to your IT organization. Buyers should also be aware that network traffic is increasingly encrypted (Google is even rewarding sites that use HTTPS with better rankings), which further limits the data available for vulnerability assessment.
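To make those limitations concrete, here is an added example (illustrative code, not Rapid7's or Nexpose's) of what a passive sensor can actually extract. The flows are constructed byte strings standing in for the first payload bytes seen on each connection; the regexes, the `Observation` type and the `needs_active_check` rule are assumptions for this example. Cleartext SSH and HTTP leak a product and version, a TLS connection leaks nothing the sensor can reason about, an SMTP greeting names the product but no version, and a banner carrying a distribution build tag is flagged for active confirmation, because distributions backport fixes without bumping the upstream version string, which is exactly the false-positive path the paragraph describes.

```python
# Added example: passive version inference from cleartext traffic, and where it stops.
# Illustrative code, not Rapid7/Nexpose code; the flows are constructed byte strings
# standing in for the first payload bytes a network sensor would see on each connection.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Observation:
    host: str
    port: int
    product: str
    version: str
    distro_build: bool  # banner carries a distribution build tag (e.g. "Debian-10+deb9u7")

# Constructed flows: (server host, port, first payload bytes on the wire).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.5", 22, b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
    ("10.0.0.8", 80, b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.9", 443, bytes.fromhex("16030100") + b"\x00" * 40),   # TLS record header: opaque to the sensor
    ("10.0.0.12", 25, b"220 mail.example.test ESMTP Postfix\r\n"),  # names the product, hides the version
]

SSH_BANNER = re.compile(rb"^SSH-2\.0-(OpenSSH)_([0-9.]+p[0-9]+)(?:[ \t]+(\S+))?")
HTTP_SERVER = re.compile(rb"^Server:[ \t]*([A-Za-z-]+)/([0-9.]+)(?:[ \t]+\(([^)]+)\))?", re.M)

def fingerprint(host: str, port: int, payload: bytes) -> Optional[Observation]:
    """Return what the cleartext payload leaks about the service, or None if it leaks nothing usable."""
    # TLS record: content type 0x14..0x17 followed by major version 0x03. Everything after the
    # handshake is encrypted, so a passive sensor gets no banner or header to reason about.
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return None
    m = SSH_BANNER.match(payload)
    if m:
        return Observation(host, port, m.group(1).decode(), m.group(2).decode(), m.group(3) is not None)
    m = HTTP_SERVER.search(payload)
    if m:
        return Observation(host, port, m.group(1).decode(), m.group(2).decode(), m.group(3) is not None)
    return None

def needs_active_check(obs: Observation) -> bool:
    """Distribution builds routinely backport security fixes without changing the upstream version
    string, so "7.4p1 is older than the fixed release" is only a lead, not a finding. Such banners
    should be confirmed by an active (ideally authenticated) scan before being reported."""
    return obs.distro_build

def passive_inventory(flows) -> List[Observation]:
    """Everything the sensor could version from the given flows; encrypted/unversioned flows drop out."""
    return [o for o in (fingerprint(*f) for f in flows) if o is not None]

if __name__ == "__main__":
    for o in passive_inventory(SAMPLE_FLOWS):
        print(f"{o.host}:{o.port} {o.product} {o.version} confirm-actively={needs_active_check(o)}")
```

Run as-is, it reports two of the four hosts; the HTTPS and SMTP hosts contribute nothing, and both reported banners are distribution builds that an active scan would have to confirm before they become findings rather than noise.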

Because of these limitations it's tough to use passive vulnerability scanning alone as true continuous monitoring; you still need active vulnerability scanning to have an actionable view of your risk posture. That is fine, but the deployment architecture is eerily similar to an IDS and would be duplicated if you already have an IDS deployed in your environment. Many organizations have upgraded from classic IDS to IPS, because if you are going to go to the effort of sniffing network traffic, you might as well have a solution that can actually prevent an attack instead of just telling you about it.

What's even more interesting is that Gartner says “In 2015, 40% of enterprises have a standalone IPS deployed. However, it is decreasing down to 30% by the end of 2017.”

That seems odd, right? Well, IPS technology is being baked into next-generation firewalls, which are becoming a more and more popular choice for enterprises.

This is the trap that most people fall into: thinking they can rely on “passive scanning” to do continuous monitoring, when they a) often already have very similar capabilities baked into their next-generation security tools and b) are overloaded with false positives that provide more noise than actual monitoring. This is what led us to a new approach.

A Live approach for vulnerability management: Adaptive Security and Nexpose Now

The Adaptive Security approach, released with Nexpose 6, is a dynamic, event-driven, automated workflow that gives you real-time visibility into changes that occur in your network between vulnerability scans. These adaptive security features provide actionable insight into the impact of those changes on your organization's risk.

Dynamic data collection is made possible by Nexpose's integration with asset sources such as DHCP and VMware, which identify when an asset joins the network. The automated actions workflow enables instant scanning of these assets, tagging them, and/or adding them to a site. Thus, when a new asset joins the network or a new vulnerability is published, Nexpose can automatically assess the affected assets and add them to your reports, without any additional deployment and with minimal impact on network performance, and it only produces vulnerability insight and actionable information for the events you choose to track, so there is no alert fatigue.
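The event-driven idea above is easy to show in miniature. The following is an added example, not Nexpose or Rapid7 code: it consumes DHCP lease events and turns only the ones worth acting on into scan actions. The syslog lines are constructed in ISC dhcpd's log format, the `ScanAction` type, the `EventDrivenAssessor` class and the subnet/site names are assumptions for this example, and the "scan" is recorded as an action object where a real workflow would call the scan engine. Lease renewals, leases on subnets you chose not to track, and non-ACK chatter produce nothing, which is the difference between event-driven assessment and a stream of alerts.

```python
# Added example: a minimal event-driven assessment trigger fed by DHCP lease events.
# Illustrative code, not Nexpose/Rapid7 code; the log lines are constructed in ISC dhcpd's
# syslog format, and the "scan" is recorded as an action rather than sent to a real engine.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACK = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)")
RELEASE = re.compile(r"DHCPRELEASE of (?P<ip>\S+) from (?P<mac>[0-9a-f:]{17})")

# Constructed dhcpd syslog lines: a renewal, a guest-subnet lease, and a release followed by a rejoin.
SAMPLE_SYSLOG = [
    "Jan 20 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:05 (ws-alice) via eth0",
    "Jan 20 09:01:13 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:05 (ws-alice) via eth0",
    "Jan 20 09:02:40 dhcp1 dhcpd: DHCPACK on 10.0.0.17 to aa:bb:cc:00:00:17 via eth0",
    "Jan 20 09:02:41 dhcp1 dhcpd: DHCPACK on 192.168.50.7 to aa:bb:cc:00:00:50 via eth1",
    "Jan 20 09:03:02 dhcp1 dhcpd: DHCPRELEASE of 10.0.0.17 from aa:bb:cc:00:00:17 via eth0 (found)",
    "Jan 20 09:04:55 dhcp1 dhcpd: DHCPACK on 10.0.0.17 to aa:bb:cc:00:00:17 via eth0",
    "Jan 20 09:05:10 dhcp1 dhcpd: DHCPACK on 10.0.0.5 to aa:bb:cc:00:00:05 (ws-alice) via eth0",
]

@dataclass(frozen=True)
class ScanAction:
    ip: str
    mac: str
    reason: str            # "new-asset" (never seen) or "rejoin" (seen before, came back or moved)
    tags: Tuple[str, ...]  # tags / site membership the workflow would apply to the asset

class EventDrivenAssessor:
    """Turns a stream of DHCP events into scan actions, but only for changes worth acting on."""

    def __init__(self, tracked_subnets: List[str], site: str):
        self.tracked = [ipaddress.ip_network(s) for s in tracked_subnets]
        self.site = site
        self.inventory: Dict[str, Optional[str]] = {}   # mac -> current ip (None once released)
        self.actions: List[ScanAction] = []

    def _tracked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.tracked)

    def handle(self, line: str) -> Optional[ScanAction]:
        m = RELEASE.search(line)
        if m:
            if m["mac"] in self.inventory:
                self.inventory[m["mac"]] = None   # keep the asset, but it is off the network now
            return None
        m = ACK.search(line)
        if not m:
            return None                           # DISCOVER/OFFER/REQUEST chatter: ignore
        ip, mac = m["ip"], m["mac"]
        if not self._tracked(ip):
            return None                           # e.g. guest Wi-Fi: not a subnet we chose to track
        known = mac in self.inventory
        prev_ip = self.inventory.get(mac)
        self.inventory[mac] = ip
        if known and prev_ip == ip:
            return None                           # lease renewal: nothing changed, no scan, no alert
        tags = (f"site:{self.site}", f"dhcp-if:{m['iface']}")
        if m["host"]:
            tags += (f"host:{m['host']}",)
        action = ScanAction(ip, mac, "new-asset" if not known else "rejoin", tags)
        self.actions.append(action)               # a real workflow would call the scan engine here
        return action

def run(lines: List[str], tracked_subnets=("10.0.0.0/24",), site="hq") -> List[ScanAction]:
    """Feed the lines through one assessor and return the scan actions it decided on."""
    assessor = EventDrivenAssessor(list(tracked_subnets), site)
    for line in lines:
        assessor.handle(line)
    return assessor.actions

if __name__ == "__main__":
    for a in run(SAMPLE_SYSLOG):
        print(f"scan {a.ip} ({a.mac}) reason={a.reason} tags={a.tags}")
```

Seven lease events become three scan actions: two first sightings and one rejoin after a release. The guest-subnet lease and both renewals are dropped at the source, so nothing downstream has to triage them.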

This can now be coupled with Nexpose's Liveboards to get an instantly updating scoreboard of how your environment is doing. Integrating a new subnet into your network after an acquisition? Adaptive Security will instantly scan it and you'll see how it affects your overall risk in (near) real time. New critical vulnerability published over the weekend? Walk into the office on Monday with a list of all affected assets and the ability to assign remediation to the right IT group.