Vulnerability scanning enables organizations to proactively identify and address security weaknesses before they are exploited by cyber threats. The scans can detect misconfigurations, unpatched software, potential points of unauthorized access, and other gaps that render organizations vulnerable to cyber-attacks.
Using Nodeware to perform comprehensive scans on a regular basis and remediating the findings is fundamental for preventing cyber incidents. With each scan, Nodeware attempts to scan every discovered device for vulnerabilities unless the device is explicitly paused from scanning or is unresponsive on the network. For more information on pausing devices, see the Pausing & Resuming Scanning knowledge base article in the Nodeware Scanning section.
Nodeware targets one full scan of each connected endpoint every day. This includes a host fingerprint, a vulnerability scan, and, if configured, a credentialed vulnerability scan. If an asset is removed from the network, it is scanned during its regularly scheduled scan. Once assets have been scanned, they continue with their scheduled scan timeline even when they are taken home and reconnected to the network.
Vulnerabilities are added to the Nodeware data feed as they are published, and the latest definitions are included in each scan. There is no need to sync or update the definitions; instead, the Nodeware Sensor downloads the most recent profile for the scan if it has been updated between scans. This ensures the scan profiles stay in line with vendor security bulletins and published vulnerability feeds.
Scans | Duration | Cadence |
Requested Scan | up to 3 hours | On demand |
Baseline Patch Scan | 15 minutes | Weekly and after reboots. Daily if no match found |
External Scan | up to 3 hours | Based on a user-defined schedule with options to repeat scans weekly or monthly |
Agents tend to learn the patterns of the host machine better and attempt to find off-peak times to scan.
Agent scans may be interrupted by user actions (reboot, shutdown, sleep/hibernate) and by other applications and services affecting resource availability.
Sensors manage scans of assets while they can reach them and focus on new, unknown assets first. Sensor scan prioritization:
1. New devices
2. Rescan requests
3. Change detected (automatic rescan)
4. Regularly scheduled scans
Sensor scans may be interrupted by network latency or congestion, asset availability, and asset resources.
Element | Data Retrieved |
Agent (device-focused) | OS, services, processes, open network ports, patch level, network interfaces (IP/MAC address), fingerprint |
Sensor (network-focused) | Assets on network, open network ports, asset fingerprint |
Credentialed | CVE, solution |
Non-credentialed | Ports in use, services running, applications, OS, CVE and possible solution |
Prioritization
Devices are prioritized for vulnerability scanning based on several factors. The primary factor is whether a device is new to a network. New devices are scanned first to shorten the time from detection to getting a full security assessment of a device and the risks it poses to your network.
Secondarily, device rescan requests are considered. While Nodeware continuously scans your network, during remediation work it may be helpful to more quickly see the results of scans. This can be requested via the Rescan icon on the Device view. For more information on rescanning a device, see the Rescanning Assets knowledge base article in the Nodeware Scanning section.
Queuing
Windows Sensors scan one device at a time so that the Sensors do not interfere with other system processes. Other Nodeware Sensors can scan up to 4 devices in parallel. This queuing system and the slower timing of scans allow Nodeware to maintain low network utilization and avoid impacting the availability of devices.
When a device has finished scanning, another is loaded into a queue spot. Because of the methodology used in scanning, this allows the scanner to be highly available to scan new hosts as they join the network.
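The priority order and queue slots described above can be modelled as a small simulation. This is an added illustration, not Nodeware's code: the `simulate` function, device names and scan durations are constructed, and the model assumes every device is known at time zero and that devices within one priority class are served first-come, first-served.

```python
import heapq
from itertools import count

# Priority classes in the order the article lists them (lower value = scanned sooner).
PRIORITY = {"new": 0, "rescan": 1, "changed": 2, "scheduled": 3}

# Constructed sample queue: (device name, reason it is queued, scan minutes).
DEVICES = [
    ("file-server", "scheduled", 60),
    ("hr-laptop", "scheduled", 45),
    ("printer", "changed", 30),
    ("web-01", "rescan", 40),
    ("unknown-iot", "new", 20),
    ("db-01", "scheduled", 50),
]

def simulate(devices, slots):
    """Return {name: (start_minute, end_minute)} for a sensor with `slots` queue spots.

    Assumption of this model: a freed slot is filled immediately by the
    highest-priority waiting device; ties keep their arrival order.
    """
    if slots < 1:
        raise ValueError("a sensor needs at least one scan slot")
    seq = count()  # tie-breaker that preserves arrival order within a class
    waiting = [(PRIORITY[reason], next(seq), name, minutes)
               for name, reason, minutes in devices]
    heapq.heapify(waiting)
    running = []   # min-heap of (end_minute, name) for scans in progress
    timeline = {}
    now = 0
    while waiting or running:
        # Load waiting devices into any free queue spots.
        while waiting and len(running) < slots:
            _, _, name, minutes = heapq.heappop(waiting)
            timeline[name] = (now, now + minutes)
            heapq.heappush(running, (now + minutes, name))
        # Advance the clock to the next scan that finishes.
        now, _ = heapq.heappop(running)
    return timeline

if __name__ == "__main__":
    for label, slots in (("Windows Sensor (1 slot)", 1), ("other Sensor (4 slots)", 4)):
        print(label)
        for name, (start, end) in sorted(simulate(DEVICES, slots).items(), key=lambda kv: kv[1]):
            print(f"  {name:<12} start={start:>3} min  end={end:>3} min")
```

In both configurations the new device starts at minute 0; the difference shows up in how long the regularly scheduled devices wait behind it.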
Vulnerability Data
A device’s scan data is only retained on the Nodeware Sensor for the duration of the scan. Once a scan is complete, the data is transmitted securely to the Nodeware data store (cloud storage) and is encrypted both in transit and at rest. The data is only decrypted and available for you to view in the Dashboard and in reports.