Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

How to Discover and Continuously Assess Your Entire Attack Surface

To eliminate network blind spots and fully understand your entire attack surface, it's essential to determine which discovery and assessment tools are required for each asset type.

If you've been in security for more than a few years, you've undoubtedly watched your network evolve from containing strictly traditional, on-premises IT assets to one that comprises both on-prem and cloud-based environments with myriad asset types, including virtual platforms, cloud services, containers, web apps, operational technology (OT) and internet of things (IoT). While the evolution itself is well understood by security professionals, many still struggle to make the appropriate modifications that will enable them to fully discover and properly assess their broad array of modern digital assets.

Back when networks were no more than homogeneous collections of physical, on-premises IT assets, mostly sitting within the organization's well-controlled data center and IP address space, simply running a network vulnerability scanner was sufficient to understand what you had and where you were exposed. It was common to take on a "boil the ocean" approach when evaluating where you were potentially at risk from adversaries exploiting your vulnerabilities. But with today's array of asset types, you need more purpose-built tools to safely and accurately gain visibility across the entire attack surface and develop a deep understanding of the security posture of every asset, wherever it lives in the environment.

Most modern asset types require a specific methodology and/or toolset for discovering and accurately assessing them. Here are a few examples:

  • Cloud connectors: Since cloud environments aren't physically attached to the network, a connector is necessary to keep them in contact with the vulnerability management platform.

  • Agents: Assets such as laptop computers are oftentimes disconnected from the network during routine scans, causing their vulnerabilities to be missed for long periods of time. Installing agents locally on the host can solve this challenge by continuously monitoring and reporting back findings whenever the asset is attached to the network.

  • Active query sensors for OT devices: Most assets in OT and IoT environments are purpose-built systems that operate very differently from traditional IT assets. Because of this, they are best assessed with sensors that can safely query (NOT scan!) these devices using their native command language to determine if vulnerabilities or misconfigurations exist. This allows for constant monitoring not only for potential attacks, but also for misconfigurations in settings and thresholds.

  • Web app scanner: Web apps look and behave differently than traditional IT assets for a variety of reasons. And their vulnerabilities are typically categorized as Common Weakness Enumerations (CWEs) rather than Common Vulnerabilities and Exposures (CVEs). As a result, a purpose-built scanner is required to discover and assess web apps to gain an understanding of your web application security posture.

  • Container security: Modern digital assets, such as container images, can't be assessed using traditional methods. Security devices made specifically for containers can store and scan container images as the images are built and provide vulnerability and malware detection, along with continuous monitoring and validation of container images.


Of course, a major problem security professionals face today is that they have far more vulnerabilities than they can ever handle. Taking a "boil the ocean" approach simply isn't feasible for most organizations due to resource and time limitations. Instead, you need to determine which vulnerabilities actually pose the greatest risk to your most critical systems, so that you can effectively prioritize your remediation efforts.

To perform effective vulnerability prioritization, you need to analyze your security data to fully understand each vulnerability in context. Problem is, you probably already have too much data to analyze, and you're probably analyzing it all manually. And each of the security tools highlighted above generates even more data, thereby exacerbating the issue. That's why you need a comprehensive vulnerability management platform capable of ingesting all types of security data and employing automation to process and analyze it immediately. This way, you get the security intelligence you need at the speed you require.

In short, matching the right discovery and assessment tools with each asset type enables you to fully understand your entire attack surface by eliminating blind spots across your network. And using a vulnerability management tool capable of ingesting the inputs from each of these tools enables you to assess your various assets in a unified view so you can properly prioritize your vulnerability remediation efforts.

Learn more

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today.

NEW - Nessus Expert Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Professional Trial.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now. To learn more about the trial process click here.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training