Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe
  • Twitter
  • Facebook
  • LinkedIn

How to Discover and Continuously Assess Your Entire Attack Surface

How to Discover and Continuously Assess Your Entire Attack Surface

To eliminate network blind spots and fully understand your entire attack surface, it's essential to determine which discovery and assessment tools are required for each asset type.

If you've been in security for more than a few years, you've undoubtedly watched your network evolve from containing strictly traditional, on-premises IT assets to one that comprises both on-prem and cloud-based environments with myriad asset types, including virtual platforms, cloud services, containers, web apps, operational technology (OT) and internet of things (IoT). While the evolution itself is well understood by security professionals, many still struggle to make the appropriate modifications that will enable them to fully discover and properly assess their broad array of modern digital assets.

Back when networks were no more than homogeneous collections of physical, on-premises IT assets, mostly sitting within the organization's well-controlled data center and IP address space, simply running a network vulnerability scanner was sufficient to understand what you had and where you were exposed. It was common to take on a "boil the ocean" approach when evaluating where you were potentially at risk from adversaries exploiting your vulnerabilities. But with today's array of asset types, you need more purpose-built tools to safely and accurately gain visibility across the entire attack surface and develop a deep understanding of the security posture of every asset, wherever it lives in the environment.

Most modern asset types require a specific methodology and/or toolset for discovering and accurately assessing them. Here are a few examples:

  • Cloud connectors: Since cloud environments aren't physically attached to the network, a connector is necessary to keep them in contact with the vulnerability management platform.

  • Agents: Assets such as laptop computers are oftentimes disconnected from the network during routine scans, causing their vulnerabilities to be missed for long periods of time. Installing agents locally on the host can solve this challenge by continuously monitoring and reporting back findings whenever the asset is attached to the network.

  • Active query sensors for OT devices: Most assets in OT and IoT environments are purpose-built systems that operate very differently from traditional IT assets. Because of this, they are best assessed with sensors that can safely query (NOT scan!) these devices using their native command language to determine if vulnerabilities or misconfigurations exist. This allows for constant monitoring not only for potential attacks, but also for misconfigurations in settings and thresholds.

  • Web app scanner: Web apps look and behave differently than traditional IT assets for a variety of reasons. And their vulnerabilities are typically categorized as Common Weakness Enumerations (CWEs) rather than Common Vulnerabilities and Exposures (CVEs). As a result, a purpose-built scanner is required to discover and assess web apps to gain an understanding of your web application security posture.

  • Container security: Modern digital assets, such as container images, can't be assessed using traditional methods. Security devices made specifically for containers can store and scan container images as the images are built and provide vulnerability and malware detection, along with continuous monitoring and validation of container images.


Of course, a major problem security professionals face today is that they have far more vulnerabilities than they can ever handle. Taking a "boil the ocean" approach simply isn't feasible for most organizations due to resource and time limitations. Instead, you need to determine which vulnerabilities actually pose the greatest risk to your most critical systems, so that you can effectively prioritize your remediation efforts.

To perform effective vulnerability prioritization, you need to analyze your security data to fully understand each vulnerability in context. Problem is, you probably already have too much data to analyze, and you're probably analyzing it all manually. And each of the security tools highlighted above generates even more data, thereby exacerbating the issue. That's why you need a comprehensive vulnerability management platform capable of ingesting all types of security data and employing automation to process and analyze it immediately. This way, you get the security intelligence you need at the speed you require.

In short, matching the right discovery and assessment tools with each asset type enables you to fully understand your entire attack surface by eliminating blind spots across your network. And using a vulnerability management tool capable of ingesting the inputs from each of these tools enables you to assess your various assets in a unified view so you can properly prioritize your vulnerability remediation efforts.

Learn more

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.