When WannaCry hit the news in May 2017, I was working as the lead application security analyst for a global organization and was responsible for reducing risk across tens of thousands of endpoints. In the aftermath of the attack, our security team kicked off a major incident to determine our exposure and progress toward remediation. In the process, we discovered why having an agent-based vulnerability management strategy could have made a huge difference in how we approached our response.
The need for speed
The process of determining our post-WannaCry readiness was difficult due to the number of subsidiaries, time zones, and language barriers that came into play when communicating with business units around the world. We were also a young security department that had taken over security operations (SecOps) for our parent company and all subsidiaries. We were still forming policies and procedures and had a long way to go to get to where we needed to be. The result? A ton of overtime.
However, the most memorable issue that we encountered was that scanning tens of thousands of systems takes a long, long time. Vulnerability scans could take days to complete, in addition to hours or days longer to see results filtered into the console. On a large scale, systems were scanned on a monthly or quarterly basis, not weekly, which meant we didn’t have real-time answers.
When I was asked for firm numbers of affected systems and remediation progress, scan-based vulnerability management on so many systems didn’t cut it when real-time answers were needed.
How agents can help
After the event was over, we saw firsthand the importance of moving toward an agent-based vulnerability management strategy in order to have real-time, actionable data. This incident was the trigger for our company to add the agent into your system build process.
As a penetration tester, another benefit I see agents offer is the ability to limit scan credential management. For example, if I’m on the network using an unmanaged or rogue device and a vulnerability scanner attempts to connect to my system, I can potentially capture and crack a weak password hash or relay the authentication hash to other systems. Penetration testers find service accounts with domain admin access far too often and abuse them for lateral movement and privilege escalation.
Rapid7’s Insight Agent
When you use Rapid7’s Insight Agent, credentialed scans aren’t necessary, so you don’t risk exposing a privileged account password hash to a malicious actor. Rapid7’s Insight Agent automatically collects data from your endpoints—even those from remote workers who rarely join the corporate network—and provides timely access to endpoint data. If you’re using multiple Rapid7 products, one Insight agent unifies data across the following:
- InsightVM, our vulnerability management solution
- InsightIDR, our security-focused SIEM
- InsightOps, our log management solution
The combination of scan and agent are available, so you have visibility across your entire network, including non-Windows/Mac/Linux assets.