Scanless Vulnerability Assessment
A Next-Generation Approach to Vulnerability Management
Overview
Vulnerability scanning, or the process of identifying a list of known security gaps in the network environment, is the focal point for most enterprise vulnerability management programs. Before any action can be taken to assess risks or prioritize vulnerabilities for remediation, you have to know the extent of your vulnerability challenge. The use of vulnerability scanners as security assessment tools is nearly ubiquitous in large organizations. Regular network scans are recommended by security industry best practices and required by numerous regulations. However, as network infrastructures have grown more complex and identified vulnerabilities have multiplied, the effectiveness of vulnerability scanning as a security management tool has declined. In a July 2015 Skybox Security survey, enterprise IT personnel reported several major challenges that limited their use of traditional active vulnerability scanning. Respondents indicated that even with one or more active scanners, they are not able to respond to new vulnerabilities and threats quickly. Most lack the ability to prioritize accurately based on their network context. Blind spots left by “unscannable” devices and zones leave open risks, and false positives waste valuable time.
The sheer magnitude of the enterprise vulnerability problem is daunting. In today’s enterprise networks, scanners may identify tens of thousands or hundreds of thousands of vulnerabilities at once. Review and remediation efforts may take weeks, while new vulnerabilities and threats are introduced daily. Simply put, most enterprises have no way to examine, prioritize and remediate vulnerabilities frequently enough, and across a large enough portion of the network infrastructure, to bring the risk level down in time, before exploitation. A next-generation approach is needed.
Contents
Overview  2
Achieving Broad and Frequent Vulnerability Discovery  4
  The Active Scanning Bottleneck  4
  Business Costs and Management Time  6
The New Approach to Vulnerability Discovery  7
  Finding Vulnerabilities Without an Active Scan  7
  Vulnerability Discovery with Rule-Driven Profiling (RDP)  8
  Data Sources for Product Profiling  9
Benefits of Scanless Vulnerability Assessment  9
Mixing Scanless Assessment and Active Scanning Approaches  10
Summary  11
About Skybox Security  11
4 Skybox Security | Scanless Vulnerability Assessment
Achieving Broad and Frequent Vulnerability Discovery
A new approach to vulnerability management starts with the way vulnerabilities are discovered in the first place. Vulnerability management programs are only effective at preventing attacks and data breaches if the organization can minimize both the risk exposure window (the amount of time between identifying a risk and resolving it) and the attack surface (all the ways in which an enterprise’s IT systems are vulnerable to threats).
To shrink the risk exposure window, the organization needs continuous visibility of attack vectors, and must drive mitigation of the most important risks before an attacker exploits them. This makes the frequency of vulnerability scans and remediation efforts highly important.
To map out and then minimize the attack surface, the organization must have a comprehensive understanding of available attack vectors across the network, and identify those attack vectors that contribute most to the size of the attack surface. This makes the coverage of vulnerability scans important as well. And with enterprise networks continuing to grow at an exponential pace, 50 percent scan coverage today might mean 0.5 percent coverage two years from now. The message is clear: the next generation of vulnerability management must include a discovery approach that keeps pace with new vulnerabilities, threat updates and daily network changes, and covers as much of the network as possible.
The Active Scanning Bottleneck
In vulnerability management, there is a scanning conundrum. If up-to-date scanning that covers more systems is so important to understanding and responding to vulnerabilities, why don’t organizations just run more scans? The answer, of course, is that active scanning produces several bottlenecks in the vulnerability management process that are extremely difficult and costly to resolve. On a large scale, active scanning processes become unmanageable.
POTENTIAL DISRUPTION
A network vulnerability scanner, as the name implies, scans every host in the target network against thousands of scan signatures. A signature is typically a script that tests for the existence of one or a few vulnerabilities by probing the host for information that would reveal whether this host is vulnerable to a certain attack. Sometimes the method of probing the host is essentially the same as an attack, testing the host directly to see if exploitation is truly possible. This can lead to serious disruption of critical business services. To minimize the potential disruption, “dangerous” attack signatures that could lead to disruption are avoided, often in the most critical parts of production networks where 100 percent uptime is of supreme importance. The organization becomes blind to these attack vectors, or runs the more disruptive tests only in very distinct test windows. Due to changes in the IT infrastructure and the publication of many new vulnerabilities every day, the value of vulnerability knowledge decays quickly over time, making infrequent vulnerability testing ineffective.
How effective is your scan approach?
Assume that you live in a huge home with dozens of doors and hundreds of windows. Break-ins are common, and you want to reduce the chance of theft. To protect against intruders, you check half of the doors on Wednesday, the other half on Friday, and the windows every other week. Sound effective? Of course not. Yet this is sadly similar to the “round robin” scheduling approach used for network vulnerability scans in many organizations.
FIGURE 1: THE VALUE OF VULNERABILITY KNOWLEDGE DECAYS OVER TIME
[Figure 1 plot: vulnerability knowledge (50% and 100% marks) against time (Month 1 to Month 3); series: gaining vulnerability knowledge while scanning, and decay of vulnerability knowledge post-scanning]
©Skybox Security www.skyboxsecurity.com
ACCESS ISSUES
Sometimes, network access policies make it impossible to do a scan with access credentials. Non-authenticated network scanning (i.e., attempting to probe the host without access credentials) is much less accurate. Non-authenticated scans result in many false positives and false negatives, as less information about the host and potentially vulnerable services is available from the outside.
Firewalls themselves can also pose a challenge to active scanners. If an active scan must pass through a firewall, the stateful inspection of the firewall might interfere with the scan. This can lead to disruption of the firewall operation or partial scan results.
NETWORK TRAFFIC IMPACT
Now, let’s consider the scale of the enterprise scanning job. For example, a single planned scan period targeting 1,000 hosts to verify 1,000 vulnerability types may result in hundreds of thousands of individual tests. In a really large network with 100,000 hosts, testing against these 1,000 signatures would result in 100 million tests. More tests mean more active network sessions, adding to the traffic load. Therefore active scanning can’t be done too intensively, or it can bog down network performance to unacceptable levels.
FIGURE 2: VULNERABILITY DISCOVERY WITH ACTIVE SCANNING ENGINE
[Figure 2 diagram elements: hosts, testing scripts, vulnerability scanner, vulnerability report]
Business Costs and Management Time
Last but not least, the active scanning infrastructure required to have complete coverage of the enterprise network may require a large footprint of scanners, which is costly to purchase, implement and manage.
Even if the technology costs are addressed or absorbed by the organization, active scanners produce huge amounts of data with little context for accurate prioritization. Typical reports from an enterprise-level active scanning program may take a team of security analysts days or weeks to evaluate in order to determine the appropriate response. Adding more people to evaluate more data from more active scans is not a scalable solution.
NON-SCANNABLE HOSTS
Many hosts can’t be scanned at all, for the following reasons:
> Mission-critical hosts can never be touched by an active scan
> Industrial controllers, smart grid controllers and other systems where standard scanning techniques are either not applicable, not available or not wanted because of those systems’ sensitivity
> Mobile devices’ (BYOD) changing IP addresses and topological locations make them a moving target and difficult to scan
> Organizations may have limited rights to scan virtual machines hosted in a public cloud
2015 Enterprise Vulnerability Management Trends Report
The Skybox Vulnerability Management Trends Report polled nearly 1,000 IT decision makers, including C-level executives, security managers and network and systems engineers involved in vulnerability management processes. The companies surveyed ranged in size from fewer than 100 to more than 100,000 employees. The survey revealed:
> The two highest-ranking potential vulnerability program improvements organizations seek are responding quickly to new threats and prioritizing risks more accurately based on network context
> Less than half of all CISOs reported that they were satisfied with their current vulnerability management program
> Most organizations currently scan monthly or less often, but ideally would like to scan weekly or even daily
> 36 percent of SMB respondents (1 – 99 employees) scan quarterly or less often. By contrast, 17 percent of enterprises with 5,000 or more employees scan quarterly or less frequently.
The New Approach to Vulnerability Discovery
Finding Vulnerabilities Without an Active Scan
Most of the vulnerabilities in operating systems, middleware and commercial applications covered by active scanners can be deduced very accurately if detailed knowledge of the systems and applications in use is available. For example, the critical remote code execution vulnerability CVE-2011-0817 has been found to occur on all Windows hosts with the Java Runtime Environment (JRE) component of Oracle Java SE 6 Update 25 and earlier. It is easy to determine whether this vulnerability exists if you know the detailed information about installed software. There is no need to actively probe with test signatures.
In a recent analysis of corporate network vulnerability data, Skybox found that in organizations that are heavily reliant on Microsoft and Linux infrastructure for servers and endpoints, substantially all of the vulnerability instances in the assessed networks were concentrated on a few hundred software products/platforms. Furthermore, more than 90 percent of the vulnerabilities were ones that could be accurately derived from granular knowledge of the operating system (including edition, patches, hardware, etc.) and details about all software products installed (including product version, patch level, special editions, etc.).
In other words, if we have detailed knowledge of all products installed on the hosts in the network, then more than 90 percent of the vulnerabilities can be accurately discovered without an active scan.
This realization is nothing new. There have been previous attempts at scanless vulnerability discovery based on one-to-one mapping of product information to vulnerabilities. One-to-one mapping is too simplistic and fails as an approach because:
> Vulnerability deduction requires very detailed product information that includes edition, major and minor versions and patch level
> In many cases, vulnerability deduction requires consideration of more than one product to conclude the existence of a single vulnerability instance. In the example above using CVE-2011-0817, deducing whether this vulnerability exists requires consideration of both the operating system and the product installed
FIGURE 2: VULNERABILITY DISCOVERY WITH RULE-DRIVEN PROFILING
Vulnerability Discovery with Rule-Driven Profiling (RDP)
Both flaws of the old techniques can be overcome by using a rule-driven profiling approach, which is the core of the Skybox Vulnerability Detector feature included in Skybox Vulnerability Control. Rule-driven profiling is a two-step process that converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment.
[Figure 2 diagram elements: system, asset or patch management system; hosts; product profiling using an extraction rules library, producing a product catalog; vulnerability profiling using a vulnerability detection rules library, producing a vulnerability list]
The first phase is called product profiling, which involves collecting, merging and normalizing product configuration information into a comprehensive list of the systems and products installed in the network environment. The raw data is collected automatically from multiple data sources such as Microsoft SCCM, WSUS, Red Hat Satellite, results from previous authorized scans and patch management systems. Thousands of information extraction rules are then applied to translate strings such as “Microsoft Windows 7 Enterprise with MDOP 2011 R2” into a normalized Common Platform Enumeration (CPE) name, which represents installed products, version information, patch level and more.
The second phase is called vulnerability profiling, which converts this CPE data into accurate vulnerability data. We utilize a proprietary library of tens of thousands of logical rules contained in the Skybox Vulnerability Database (updated daily) to test the product catalog and determine whether the set of pre-conditions for the existence of a vulnerability is met. The rules take multiple factors into account to deduce whether a vulnerability truly exists in the environment. For example, a particular vulnerability may exist on a certain product, version and patch level of Adobe Reader, but only when running in a particular operating system environment and in the presence or absence of other products or factors.
This results in a comprehensive and highly accurate product catalog and list of found vulnerabilities, compatible with MITRE’s CPE and CVE standards, that can be updated automatically and continuously without requiring an active scan.
The accuracy of the RDP technique depends on the granularity of the product profiling and the vulnerability deduction rules. The Skybox Vulnerability Lab team has developed an extensive library containing tens of thousands of vulnerability profiling rules, and continuous updates to this content library ensure a very accurate vulnerability discovery process.
See a full list of products supported by Skybox Vulnerability Detector.
Data Sources for Product Profiling
Skybox leverages existing, authoritative network and host configuration data repositories to extract vulnerability information in a non-disruptive and highly accurate manner. The data is retrieved from operational products that are already deployed and used by IT and security organizations, such as:
> Microsoft Active Directory
> Microsoft System Center Configuration Manager (SCCM)
> Microsoft Windows Server Update Services (WSUS)
> Configuration management databases (CMDB)
> Red Hat Satellite
> Previous authorized scan information
> Network devices
> Anti-virus software
These management tools, already deployed in most enterprises, synchronize information about the network hosts and installed software products frequently, and therefore hold an up-to-date ‘picture’ of much of the typical network environment. That picture includes information on the operating system, the installed products and their versions, installed patches and missing patches. Skybox merges the information from multiple sources into a consolidated product catalog representing that organization’s unique environments.
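As an added illustration that is not Skybox code, the following Python sketch implements the two phases of rule-driven profiling in miniature: hypothetical extraction rules turn constructed inventory strings into CPE 2.3 names, and a multi-precondition rule for CVE-2011-0817 (a Windows OS plus a JRE from Java SE 6 Update 25 or earlier, the page's own example) is evaluated against each host's catalog, beside the one-to-one product mapping the text says fails. Host names, inventory strings, CPE field conventions and rule patterns are all assumptions.

```python
import re

# Constructed inventory (hostname -> raw product strings, as a patch or asset tool might export).
INVENTORY = {
    "ws01": ["Microsoft Windows 7 Enterprise with MDOP 2011 R2",
             "Java(TM) 6 Update 25"],
    "ws02": ["Microsoft Windows 7 Enterprise", "Java(TM) 6 Update 26",
             "Adobe Reader X 10.0.1"],
    "srv03": ["Red Hat Enterprise Linux Server 6.1", "Java(TM) 6 Update 25"],
}

# Phase 1 extraction rules (hypothetical): regex over a raw string -> CPE 2.3 name.
# Fields: cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:...
EXTRACTION_RULES = [
    (re.compile(r"Microsoft Windows (\d+) (\w+)"),
     lambda m: f"cpe:2.3:o:microsoft:windows_{m[1]}:-:*:*:*:{m[2].lower()}:*:*:*"),
    (re.compile(r"Red Hat Enterprise Linux Server ([\d.]+)"),
     lambda m: f"cpe:2.3:o:redhat:enterprise_linux_server:{m[1]}:*:*:*:*:*:*:*"),
    (re.compile(r"Java\(TM\) (\d+) Update (\d+)"),
     lambda m: f"cpe:2.3:a:oracle:jre:1.{m[1]}.0:update_{m[2]}:*:*:*:*:*:*"),
]

def profile_products(raw_strings):
    """Phase 1: build a CPE catalog; strings no rule covers are kept for review."""
    catalog, unmatched = [], []
    for text in raw_strings:
        for pattern, build in EXTRACTION_RULES:
            match = pattern.search(text)
            if match:
                catalog.append(build(match))
                break
        else:
            unmatched.append(text)  # extend the rule library rather than guess
    return catalog, unmatched

def jre6_update(cpe):
    """Update number of an Oracle JRE 1.6.0 CPE, or None for anything else."""
    f = cpe.split(":")
    if f[2:5] == ["a", "oracle", "jre"] and f[5] == "1.6.0":
        return int(f[6].split("_")[1])
    return None

def rule_cve_2011_0817(catalog):
    """Phase 2 rule, both pre-conditions required: a Windows OS and a JRE from
    Java SE 6 Update 25 or earlier (the page's own example)."""
    on_windows = any(c.startswith("cpe:2.3:o:microsoft:windows") for c in catalog)
    old_jre = any(u is not None and u <= 25 for u in map(jre6_update, catalog))
    return on_windows and old_jre

VULN_RULES = {"CVE-2011-0817": rule_cve_2011_0817}

def profile_vulnerabilities(catalog):
    """Phase 2: evaluate every rule against one host's product catalog."""
    return sorted(cve for cve, rule in VULN_RULES.items() if rule(catalog))

def naive_one_to_one(catalog):
    """Older product-to-CVE mapping the page criticises: it ignores the OS
    pre-condition and so flags the Linux host as well (a false positive)."""
    hits = [u for u in map(jre6_update, catalog) if u is not None and u <= 25]
    return ["CVE-2011-0817"] if hits else []

def assess(inventory):
    """Run both phases for every host; no host is probed at any point."""
    report = {}
    for host, raw in inventory.items():
        catalog, unmatched = profile_products(raw)
        report[host] = {"cpes": catalog, "unmatched": unmatched,
                        "vulns": profile_vulnerabilities(catalog)}
    return report
```

Running assess(INVENTORY) flags only ws01; the Linux host carrying the same JRE build is flagged only by naive_one_to_one, which is the false positive the multi-product rule avoids, and the unmatched Adobe string shows why catalog accuracy depends on the breadth of the extraction rule library.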
Benefits of Scanless Vulnerability Assessment
The use of scanless assessment to identify vulnerabilities has many benefits. This scanless vulnerability discovery technique minimizes network disruptions; can provide up-to-date vulnerability information quickly to respond to new threats; and can meet the levels of vulnerability identification frequency and coverage needed to understand the attack surface. When combined with other automated analytical capabilities in Skybox Vulnerability Control, organizations can effectively minimize the window of exposure and mitigate the most critical vulnerabilities before they can be exploited.
MINIMIZES DISRUPTIONS
Since Vulnerability Detector collects all of the information about hosts from existing system management solutions, no target host is ever probed or touched. This non-invasive vulnerability discovery technique does not disrupt the network or any business services, and does not negatively impact network performance.
EASILY DEPLOYED
In addition, gaining access to a few centralized data repositories that are already deployed is significantly easier than deploying active scanners throughout a network and gaining approvals to scan business-critical areas. These differences mean that deployment of the Skybox vulnerability discovery approach can take days, where deployment of active scanning can take weeks or months in a large organization with a complex network.
CONTINUOUS MONITORING
Scanless assessment is an analytic vulnerability discovery technique, and up-to-date source data can be collected and analyzed at any time in a matter of seconds or minutes. Skybox Vulnerability Control can be used to identify, analyze and manage vulnerabilities on a daily basis, compared to a cycle of weeks or months to perform full scanning of an entire large enterprise network.
FAST THREAT RESPONSE
Another advantage of the scanless assessment technique is the availability of comprehensive, up-to-date product catalogs and vulnerability data to correlate against emerging threat intelligence. Early warning systems are most effective in identifying real hazards to the organization when they can assess the relevance of a new threat alert against accurate and timely data sources, without waiting for a full scan.
Next Generation Approach to Patch Tuesday
On Microsoft’s monthly Patch Tuesday, many new vulnerability types are published for Microsoft platforms and products. Active scanning for the new and sometimes critical vulnerabilities could cause significant delay, possibly weeks or months, due to limited approved scan windows. Patching everything is usually not an option for enterprise-size networks, due to operating system standards, software dependencies and more. With scanless assessment, finding all instances of the vulnerability types announced on Microsoft’s Patch Tuesday can be done on the same Tuesday, without running any disruptive scans.
Mixing Scanless Assessment and Active Scanning Approaches
While the scanless assessment technique within Skybox Vulnerability Control can identify vulnerabilities at the high levels of frequency and coverage required for effective vulnerability management, continued use of network vulnerability scanners can extend coverage even further. Network vulnerability scanners may be used to probe hosts for specific attack patterns that cannot be detected by scanless assessment. Because of this capability, using Skybox Vulnerability Control daily and a network vulnerability scanner occasionally will achieve continuous vulnerability management objectives, covering 90 percent of vulnerabilities, and near-100 percent coverage of all vulnerability types through regular combination with active scan data.
Summary
For vulnerability management programs to succeed in lowering risk levels or preventing potential attacks, security teams need to reexamine the effectiveness of their vulnerability discovery approach.
Identifying vulnerabilities on a frequent basis and responding quickly to new threats is critical to success, as is covering enough of the infrastructure to make a difference. Traditional active scanners may produce accurate results when applied, but may face challenges that limit their use in the network environment, such as access issues or disruption of critical services.
Scanless assessment is a two-step process that does not rely on active scanning technologies and, therefore, is not subject to the same concerns about disruption and access as a traditional vulnerability scanner. Scanless assessment converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment. With this information, more than 90 percent of the vulnerabilities in a typical enterprise network can be accurately discovered without an active scan.
When the high frequency of scanless assessment is combined with active scanning, scanless assessment can fill in the vulnerability information between monthly or quarterly active scans, and extend vulnerability coverage to previously “unscannable” systems. Skybox recommends using Vulnerability Control daily, either independently or in conjunction with a network vulnerability scanner, to reduce overall risk and have the intelligence needed to respond to new threats at any time.
About Skybox Security
Skybox arms security teams with a powerful set of security management solutions that extract insight from traditionally siloed data to give unprecedented visibility of the attack surface, including all Indicators of Exposure (IOEs). With Skybox, security leaders can quickly and accurately prioritize and address vulnerabilities and threat exposures.
www.skyboxsecurity.com | [email protected] | +1 408 441 8060
Copyright © 2016 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners.