Scan Everything 

Previously I proposed that monitoring the wire is vastly more effective for alerting and generating events.

Now I'll cover the other piece of he equation, Vulnerability scanning.

Disclaimer: the views and opinions in his article are entirely mine and not those of my employer, fellow employees or management. 

Back to Scanning.

Firstly, scanning has to be all encompassing, regularly repeated, and something has to be done with the results.

The first caveat of cunning is that you you can't scan when you do not know about. The network needs to be accurately documented and Visio diagrams are a must if no automated solution is in place to dynamically enumerate the network.

The second caveat is that everything gets scanned repeatedly, and preferably on a Weekly basis.

Weekly scanning will more rapidly show you what is changing and the new vulnerabilities. You can then match these vulnerabilities to traffic alerts on your network and you will know when to be concerned.

The third caveat is that you need a good scanning solution that has audits updated more than weekly, and that doesn't crash or fail you when you need results. The solution needs to be all encompassing and able to scan internal and external facing systems regardless of their operating system, level of hardening or age. Just because its only been around for a year or so is no excuse for a scanning vendor not to support scanning of it. The scanning solution must be able to do credentialed or uncredentialed scanning. A solution which can select from a list of credentials depending on the detected system type is a valuable feature.

Finally, vulnerability scanning seldom lay causes issues on target systems and limiting scans to a narrow weekend window gives no flexibility to work around other network or system changes. 

So what scanning solutions hav I used? 

1. EEye Retina and REM was ok but has stability and support issues so I cannot recommend it.

2. Tenable Nessus has a few more features and the government likes it, but alas I do not. There is a better option.

3. Core Impact. While you can in theory scan for vulnerabilities with core its a penetration testing tool and not a vu operability scanner. You may as well tie your shoe laces with mittens on. While you may have success, you won't excel and the results will be mediocre.

3. Rapis7 Nexpose. Options available to scan internal and externally facing systems. Can select credential from a list depending on system detected. Integration with Metasploit for pen testing and validation. This is the preferred commercial solution.

For a cheap alternative..... Can't think of any at the moment.

Thanks for reading and once again, these are my personal views and not those of my employer, its management or fellow employees.

S. Russell Dyer BS CSSP CRISC

Information security guru and slave to the cause of securing networks and users.