Adding Passive Vulnerability Scanning To Your Security ToolKit

by Ron Gula
September 16, 2013

The new PVS 4.0 annual subscription takes more than five years of enterprise network monitoring and places it in the hands of a wide variety of security practitioners. This is a new type of product, and it has many highly-practical use cases. In this blog entry, I’ll discuss several of the obvious and not so obvious ways you can get your security work done quicker with PVS 4.0.

Save Time on Consulting Engagements

If a vulnerability scan is part of your audit, and your customer doesn’t know where to plug in, what networks to scan, who to get permission to scan from, and looks at you funny when you ask for the domain password, then you may be able accomplish more with sniffing than with scanning.

A well-placed PVS that runs for a day, a weekend, or some period of time ahead of your audit can give you results that are better than a poorly-tuned vulnerability scan. For starters, you’ll have client-side vulnerabilities and lists of services that were seen on any port, such as web servers and malware running on odd ports. You’ll also have trust relationships which you can use to identify key servers and administrators, and you’ll be able to pick up on any mobile devices seen accessing the Internet.

All of this makes for a report that has more data and can identify more risks than a poorly-configured vulnerability scan. This passive data can also help you ask for credentials, permission for active scanning, or identify risky items that need top priority.

Finally, passive monitoring may also save you time in general. A sniffer takes less time to set up and employs a different skill set than active scanning. Consulting firms can leverage more junior analysts to deploy sniffers rather than sending senior staff to scan thousands of computers on a weekend.

Intrusion Detection Teams Need Vulnerability Data Too

The bigger your network is, the more likely that you have auditors, administrators, and security monitoring functions that don’t communicate as well as they should.

At Tenable, we’ve seen communication in some organizations that was so poor that the teams running the network intrusion detection systems were barred from knowing the internal vulnerabilities. In this case, the team was a third-party MSP. Typically, we see the intrusion teams working with bad vulnerability data, such as outdated un-credentialed scans.

PVS can rectify this by providing instant access to a system’s OS, open and browsed ports, a list of all vulnerabilities (both client and server), and a list of web-based applications.

For teams that have invested in a sniffing infrastructure (like GigaMon), PVS can be deployed there. For organizations that have “rolled their own” IDS based on Snort, PVS can often be deployed on those systems as well.

Measure Your Mobile Risk

Do you think you have a BYOD problem, but don’t have the data to prove it? PVS can be deployed on your perimeter, and it will identify the majority of iPhones, iPads, Android phones, and other devices on your network. This can help you justify a NAC or an MDM solution, or simply give you enough evidence to get a change in the corporate network security policy.

Breathe Life Into Your Netflow or Forensics Programs

PVS also supports real-time logging of all network traffic. It converts a great deal of network events to syslog, which is easily searchable by Splunk. Tenable Log Correlation Engine (LCE) users have relied on PVS real-time logs to look for anomalies in SSL traffic, botnets, parse and summarize DNS queries, track web browsing without the need for web proxy logs, and much more.

Discover All of Your Web Severs and SSL Certificates

I routinely talk to enterprise web application teams who do a great deal of auditing of known web servers, but haven’t any idea if there were any applications running inside the enterprise on ports like 8080, 8443, and so on. Similarly, there are a wide variety of SSL-wrapped websites that have expired, unsigned, or otherwise insecure certificates. These can also add a great deal of risk to your network.

Vulnerability scanning is great for finding off-port services, including web and SSL-wrapped servers, but doing a full 65,000 TCP port scan of your entire network is typically out of the question for most security teams.

With PVS though, this information is automatically available to you. As long as PVS sees this traffic, it will identify the web or SSL-based service, regardless of which port it is on.

Conclusion

We’ve been working on PVS at Tenable for many years, and there are many more use cases, including finding industrial control systems, keeping track of virtualization sprawl, enumerating your IPv6 addresses, hunting malware, and much more.

Tenable is currently offering a PVS evaluation to scan unlimited IP addresses for 30 days and incentives to buy annual subscriptions at very low prices.

If you have questions, ideas, or other use cases for PVS, we’d love to hear from you. Talk to us on Twitter or on our Discussions Forum, or leave a comment below.