We are often asked by customers for recommendations on what they should be scanning, when they should be scanning, how they ensure remote devices don't get missed, and in some cases why they need to scan their endpoints (especially when they have counter-measures in place protecting the endpoints). This blog post is intended to help you understand why running regular scans is a vital part of a security program, and to give you options on how to best protect your ecosystem.
Q: What do I need to be scanning?
Scan everything. This may seem blunt or overly simplified, but if a device touches your ecosystem, then it should be scanned. Why? Because if you don't, you are losing visibility into the weaknesses in your infrastructure. This brings inherent, unquantifiable risk because you cannot see where the holes are that an attacker can use to access your organisation. Exploitable vulnerabilities exist across all operating systems and applications; if you are not scanning your entire ecosystem, including cloud and virtual, you are leaving these vulnerabilities as unknowns. Scanning everything does not mean that all systems or devices will be treated with the same level of criticality when it comes to prioritizing remediation actions.
Q: How frequently should I scan my ecosystem?
Our recommendation is to combine Insight Agents and regular scanning to get a live picture of your ecosystem at all times. Nexpose Now capabilities prevent your data from becoming stale, meaning you'll know where to focus your efforts on reducing risk at all times. Specifically, adaptive security within Nexpose Now automatically detects new devices as they join your network, so you never miss a network change.
If you haven't had a chance to upgrade your vulnerability management program to include the live monitoring that comes with Nexpose Now and are still using traditional Nexpose, then scanning everything as frequently as possible is highly recommended. Monthly scans to coincide with Patch Tuesday are good, but scanning more frequently certainly doesn't hurt. Customers often split up their scans to hit different segments at different times, but they'll cover the whole environment on a monthly or bi-weekly basis. More details on scan configuration can be found here.
Q: How do I ensure my remote workers aren't missed?
Most organisations have a number of remote workers, some of whom hardly ever connect to the internal network, but still have access to certain applications when they are on the road. It can be tricky to ensure their devices don't get missed during scans and patching. Remote workers bring additional risk as they often keep sensitive data local to their devices for ease of access when they are travelling, and frequently connect to unsecured Wi-Fi. Therefore, on the occasions when they do venture into the office, their devices are potential grenades.
You really don't want to miss these folks.
The best way to ensure you have visibility into these devices is to use our Insight Agent, which can connect back to Nexpose Now as long as the device has internet access. You can learn more about how Rapid7 can solve your remote workforce challenges here.
Q: Why are endpoints important? Can I just scan my servers?
Endpoints run operating systems and applications that have vulnerabilities, meaning they can be breached just as easily as servers — if not more so. Endpoints are more likely to have a connection to the internet and generally have users attached to them. Users often introduce security risks, either due to a lack of care or, in some cases, through no fault of their own (e.g. unknowingly connecting to a compromised website). Endpoints can have sensitive data saved locally while also accessing resources on the network. Users can also introduce security risks by connecting removable media and other USB-type devices to endpoints.
Furthermore, attackers have been increasingly focusing on using endpoints as an initial entry point in an attack. We've become very good at spending millions of dollars on firewalls and defense-in-depth tools to protect servers, so attackers have moved to the weakest link that remains: users and their endpoints. Almost every major breach in the news begins with a phishing or spear phishing attack, and these all exploit endpoints.
As mentioned above, any device you do not scan brings unquantifiable risk to your ecosystem. Scan, or use Insight Agents on, all of your devices: endpoints, servers, virtual, remote, and cloud.
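The recurring point in the answers above is visibility: an asset that neither a scan nor an agent has reported on is an unknown, and an asset last seen before the most recent Patch Tuesday is probably missing patches you cannot see. The following is an added example, not code from the original post or from Rapid7's products, that reconciles an asset inventory against scan and agent check-in dates and sorts each asset into "unmonitored", "stale", "pre_patch_tuesday" or "current". The `Asset` record, the 14-day staleness window and the sample inventory are all constructed assumptions for illustration; in practice the dates would come from your scanner's and agent platform's exports.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the given month (Microsoft's Patch Tuesday)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today`."""
    candidate = patch_tuesday(today.year, today.month)
    if candidate <= today:
        return candidate
    # Fall back to the previous month: step to its last day, then compute.
    prev_month_end = today.replace(day=1) - timedelta(days=1)
    return patch_tuesday(prev_month_end.year, prev_month_end.month)


@dataclass
class Asset:
    """Hypothetical inventory record (assumed shape, not a product schema)."""
    hostname: str
    kind: str                           # e.g. "server", "endpoint", "cloud"
    last_scan: Optional[date]           # last network/authenticated scan, if any
    last_agent_checkin: Optional[date]  # last agent report, if an agent is installed


def last_seen(asset: Asset) -> Optional[date]:
    """Most recent observation of the asset by either a scan or an agent."""
    seen = [d for d in (asset.last_scan, asset.last_agent_checkin) if d is not None]
    return max(seen) if seen else None


def coverage_report(assets: List[Asset], today: date,
                    max_age_days: int = 14) -> Dict[str, List[str]]:
    """Classify each asset by how current our view of it is.

    Precedence: never seen > older than max_age_days > seen before the
    latest Patch Tuesday > current. Only one bucket per asset.
    """
    ref = latest_patch_tuesday(today)
    report: Dict[str, List[str]] = {
        "unmonitored": [], "stale": [], "pre_patch_tuesday": [], "current": []
    }
    for asset in assets:
        seen = last_seen(asset)
        if seen is None:
            report["unmonitored"].append(asset.hostname)
        elif (today - seen).days > max_age_days:
            report["stale"].append(asset.hostname)
        elif seen < ref:
            report["pre_patch_tuesday"].append(asset.hostname)
        else:
            report["current"].append(asset.hostname)
    return report


# Constructed sample inventory; the reference date is 2017-01-20,
# so the latest Patch Tuesday is 2017-01-10.
SAMPLE_ASSETS = [
    Asset("web01", "server", date(2017, 1, 15), None),
    Asset("db01", "server", date(2017, 1, 5), None),              # 15 days old
    Asset("fileserver", "server", date(2017, 1, 8), None),        # recent, but pre-patch
    Asset("laptop-ab", "endpoint", date(2016, 12, 2), date(2017, 1, 19)),  # agent saves it
    Asset("laptop-cd", "endpoint", date(2016, 11, 30), None),     # remote worker, no agent
    Asset("vm-cloud-07", "cloud", None, None),                    # never scanned
]

if __name__ == "__main__":
    for bucket, hosts in coverage_report(SAMPLE_ASSETS, date(2017, 1, 20)).items():
        print(f"{bucket:18s} {', '.join(hosts) or '-'}")
```

The "unmonitored" and "stale" lists are the ones to act on first: they are the devices whose weaknesses you cannot currently see. The "pre_patch_tuesday" list is the argument for scheduling a full-coverage scan shortly after patch release, since those assets were last assessed before the newest fixes existed.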
Q: But I've got countermeasures in place!
Good. Countermeasures — and a good security policy — are really important. These could include Host or Network IPS, a strong security configuration on the endpoints, plus things like access control policies and strict settings for remote users to ensure they always connect to your VPN before accessing the internet. That doesn't mean you shouldn't scan devices for vulnerabilities *and* validate that your countermeasures are working. There have been multiple instances of vulnerabilities in security software itself, not to mention operating system and application vulnerabilities, as well as malware that affects configuration settings and a device's security policy. If you don't have a way to see which vulnerabilities are on a device, then you are leaving a door open for attackers.
The best way to test that your countermeasures are working properly is to simulate an attack and make sure they catch it; many customers use Metasploit Pro to test their security controls, or our professional services to simulate a full-scale attack and help plan how to improve compensating controls.
If you would like to discuss best practices further, we would love to talk with you. If you are already a customer, your Customer Success Manager is a great resource. We can also provide services engagements to help you implement or invigorate your security program. If you're interested in receiving training on how to make the most of Nexpose, we have options available to you as well. Contact us through your CSM or Rapid7.com and let us know how we can help.