Full Report
It is always a little bemusing to hear that we only provide pentests. Since 2001, SensePost has offered a very comprehensive vulnerability management service that has evolved through multiple generations of technologies and methodologies into a service we are very proud of. The Managed Vulnerability Scanning ("MVS") service makes use of our purpose-built BroadView scanning technology to scan a number of high-profile South African and European clients. More information can be found here, but the purpose of this post is to introduce it with a basic overview of its deployment.
Analysis Summary
# Best Practices: Implementing Managed Vulnerability Scanning and Network Service Monitoring
## Overview
These practices focus on leveraging comprehensive vulnerability management services, moving beyond simple penetration testing, to establish continuous monitoring, intelligent asset tagging via attributes, and proactive reporting using a dashboard-driven approach. This addresses the need for an "intelligent scanning" capability that facilitates targeted remediation and network service oversight.
## Key Recommendations
### Immediate Actions
1. **Implement Continuous, High-Frequency Scanning:** Ensure vulnerability scanning is performed on an ongoing, scheduled basis (e.g., weekly or bi-weekly, reflecting the scan frequency cited for the service: 935 scans per week across the client base).
2. **Establish Centralized Data Storage:** Mandate that all scan findings, configurations, and associated metadata (attributes) are stored in a centralized, queryable database to facilitate historical tracking and analysis.
3. **Identify Critical Open Services:** Immediately query the existing database or run targeted scans to identify all hosts with externally accessible, high-risk services (e.g., Port 139 open to the Internet, or exposed administrative interfaces like `phpmywebadmin`).
### Short-term Improvements (1-3 months)
1. **Develop Comprehensive Attribute Tagging Strategy:** Define and consistently implement 'attributes' (metadata related to findings, but not the finding itself) across all scans. Key attributes to prioritize include:
* TCP Banners (for rapid version identification).
* Operating System Value.
* Hosts Accessible (True/False for external exposure).
* SMTP Relaying Allowed (True/False).
* SMB Directories listing.
* CMS Type.
2. **Deploy Initial Monitoring Widgets ("Blizzards"):** Configure a central dashboard to display critical data sets derived from the vulnerability and attribute database. Start with widgets showing:
* Overall open port distribution across the network estate.
* Inventory of targets running specific, high-risk web services (e.g., total Apache vs. total IIS instances).
* Current status of known critical vulnerabilities requiring immediate patching (e.g., listing BIND servers lacking a specific DoS patch, if applicable).
3. **Implement Targeted Remediation Queries:** Create saved queries that tie attributes to vulnerabilities to enable precise targeting of remediation efforts (e.g., "Show all Windows IIS 5 devices accessible externally that have Port 80 open").
### Long-term Strategy (3+ months)
1. **Integrate Scanning with Patch Management:** Automate the process where attribute queries (e.g., identifying all instances of a vulnerable OS version) directly feed into the patch/network management system for streamlined lifecycle control.
2. **Utilize Scanning for Network Service Monitoring:** Transition the scanning tool's function from purely reactive vulnerability reporting to proactive network service monitoring, using attributes to track changes in service exposure (e.g., monitoring when external accessibility status of critical assets changes).
3. **Establish Certificate Inventory Management:** Use scanning data to maintain a real-time, up-to-date inventory of asset-associated SSL certificates, including issuer tracking (e.g., Entrust, VeriSign, Thawte) for proactive renewal management and security auditing.
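The two long-term uses above (tracking changes in service exposure between scan runs, and keeping a certificate inventory from scan data) are shown below as an added example; this is illustrative code, not part of BroadView or the original post. The snapshots are constructed, and "SSL Issuer" / "SSL Expiry" are assumed attribute names.

```python
from datetime import date

# Constructed snapshots of two consecutive scan runs: host -> attribute dict.
# "SSL Issuer" / "SSL Expiry" are assumed attribute names; all values are made up.
PREVIOUS = {
    "www.example.test": {"Hosts Accessible": "TRUE", "Open Ports": "80,443",
                         "SSL Issuer": "Thawte", "SSL Expiry": "2010-03-01"},
    "mail.example.test": {"Hosts Accessible": "FALSE", "Open Ports": "25",
                          "SMTP Relaying Allowed": "FALSE"},
}
LATEST = {
    "www.example.test": {"Hosts Accessible": "TRUE", "Open Ports": "80,443,8080",
                         "SSL Issuer": "Thawte", "SSL Expiry": "2010-03-01"},
    "mail.example.test": {"Hosts Accessible": "TRUE", "Open Ports": "25",
                          "SMTP Relaying Allowed": "TRUE"},
}
# Exposure-related attributes whose change between runs should be flagged.
WATCHED = ("Hosts Accessible", "Open Ports", "SMTP Relaying Allowed")

def attribute_changes(previous, current, watched=WATCHED):
    """Return (host, attribute, old, new) for each watched attribute that differs
    between two runs; a host missing from one run shows None on that side."""
    changes = []
    for host in sorted(set(previous) | set(current)):
        old, new = previous.get(host, {}), current.get(host, {})
        for name in watched:
            if old.get(name) != new.get(name):
                changes.append((host, name, old.get(name), new.get(name)))
    return changes

def certificates_expiring(snapshot, today_iso, within_days=30):
    """Certificate inventory: (host, issuer, expiry) for certificates that lapse
    within the window, or have already lapsed, as of the ISO date `today_iso`."""
    today = date.fromisoformat(today_iso)
    due = []
    for host, attrs in sorted(snapshot.items()):
        if "SSL Expiry" not in attrs:
            continue
        expiry = date.fromisoformat(attrs["SSL Expiry"])
        if (expiry - today).days <= within_days:
            due.append((host, attrs.get("SSL Issuer"), attrs["SSL Expiry"]))
    return due
```

In practice the two snapshots would be loaded from the central scan database for consecutive runs, and the change list would feed the dashboard widget for the operations team.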
## Implementation Guidance
### For Small Organizations
- **Focus on Inventory:** Start by prioritizing the 'TCP Banners' and 'Operating System Value' attributes to build a foundational asset inventory if one is lacking.
- **Manual Dashboard Review:** Utilize a basic list view or single-metric widget on the dashboard, focusing initially on externally exposed assets and critical open ports, reviewing the data monthly.
### For Medium Organizations
- **Automate Attribute Collection:** Ensure the scanning platform is configured to automatically populate defined attributes for every scan job, rather than relying on manual tagging.
- **Implement Role-Based Dashboards:** Create separate dashboard views (blizzards) tailored for Network Operations (focusing on open ports) and Security Teams (focusing on vulnerability findings and system compliance attributes).
### For Large Enterprises
- **Develop Attribute-Driven Profiling:** Use the comprehensive attribute data (CMS Type, SMB details) to build security profiles for different application tiers or business units.
- **Implement Forensic/Historical Querying:** Leverage the large volume of historical data to perform trend analysis on vulnerability density or track the effectiveness of patch rollouts over time, specifically querying attributes tied to specific remediation efforts.
## Configuration Examples
*Since the provided article focuses on the service's capabilities rather than specific configuration syntax, the following represents the intent of configuration based on the described functionality:*
| Functionality Desired | Configuration Action (Hypothetical Query/Widget Configuration) |
| :--- | :--- |
| **Targeted Patching:** Identify servers requiring a specific DoS patch. | Query: `WHERE attr('Service') = 'BIND Server' AND finding_status = 'Requires DoS Patch_X'` |
| **Web Service Inventory:** Get a breakdown of web server technologies. | Widget source: rows `WHERE open_port IN (80, 443)`, grouped by `attr('CMS Type')` or `attr('TCP Banner')`. |
| **External Exposure Check:** Find all hosts reachable from the internet with a sensitive configuration. | Query: `WHERE attr('Hosts Accessible') = 'TRUE' AND attr('SMTP Relaying Allowed') = 'TRUE'` |
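The saved-query idea behind the table (and the "Windows IIS 5 devices accessible externally with port 80 open" query from the short-term improvements) worked through as an added example; it is not BroadView code or the original post's. It assumes a flat (host, attribute name, value) table in SQLite and constructed sample values, with banner attributes keyed per port.

```python
import sqlite3
from collections import Counter

# Constructed sample store of (host, attribute name, value); values are made up.
SAMPLE_ATTRIBUTES = [
    ("10.0.0.5", "Operating System Value", "Windows 2000"),
    ("10.0.0.5", "TCP Banner:80", "Microsoft-IIS/5.0"),
    ("10.0.0.5", "Hosts Accessible", "TRUE"),
    ("10.0.0.9", "Operating System Value", "Debian"),
    ("10.0.0.9", "TCP Banner:80", "Apache/2.2.3"),
    ("10.0.0.9", "Hosts Accessible", "TRUE"),
    ("10.0.0.9", "SMTP Relaying Allowed", "TRUE"),
    ("10.0.0.12", "TCP Banner:443", "Apache/2.2.3"),
    ("10.0.0.12", "Hosts Accessible", "FALSE"),
    ("10.0.0.12", "SMTP Relaying Allowed", "TRUE"),
]

def load_db():
    """Load the sample rows into an in-memory SQLite attribute table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attr (host TEXT, name TEXT, value TEXT)")
    db.executemany("INSERT INTO attr VALUES (?, ?, ?)", SAMPLE_ATTRIBUTES)
    return db

def hosts_where(db, *conditions):
    """Saved-query helper: hosts matching every (attribute name, LIKE pattern) pair."""
    clause = " AND ".join(
        "host IN (SELECT host FROM attr WHERE name = ? AND value LIKE ?)"
        for _ in conditions)
    params = [p for cond in conditions for p in cond]
    sql = f"SELECT DISTINCT host FROM attr WHERE {clause} ORDER BY host"
    return [row[0] for row in db.execute(sql, params)]

def external_open_relays(db):
    """External exposure check: reachable hosts that also allow SMTP relaying."""
    return hosts_where(db, ("Hosts Accessible", "TRUE"),
                       ("SMTP Relaying Allowed", "TRUE"))

def external_windows_iis5(db):
    """Targeted remediation: externally reachable Windows hosts running IIS 5 on 80."""
    return hosts_where(db, ("Hosts Accessible", "TRUE"),
                       ("Operating System Value", "Windows%"),
                       ("TCP Banner:80", "Microsoft-IIS/5.%"))

def web_server_inventory(db):
    """Web service inventory: distinct targets per server product on ports 80/443."""
    rows = db.execute("SELECT DISTINCT host, value FROM attr "
                      "WHERE name IN ('TCP Banner:80', 'TCP Banner:443')")
    products = {(host, banner.split("/")[0]) for host, banner in rows}
    return dict(Counter(product for _, product in products))
```

Note that a host whose relay attribute is set but which is not externally accessible (10.0.0.12) is correctly left out of the exposure check, because every condition is a separate subquery over the same host.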
## Compliance Alignment
This managed scanning approach directly supports compliance objectives related to continuous monitoring and asset management:
* **NIST SP 800-53 (AC, RA Families):** Continuous scanning addresses RA-5 (Vulnerability Scanning) and supports AC-2 (Account Management) and AC-4 (Information Flow Enforcement) through service mapping.
* **ISO/IEC 27001 (A.12.6.1):** Aligning regular vulnerability management and patching processes based on asset attributes supports Annex A controls for technical vulnerability management.
* **CIS Benchmarks:** Establishing clear inventories of configuration details (like OS version, exposed ports) facilitates mapping back to specific configuration baselines defined in the CIS Benchmarks.
## Common Pitfalls to Avoid
1. **Treating Scan Data as Static:** Do not rely solely on the final vulnerability finding. The value lies in the **attributes** (contextual metadata). Failing to capture and utilize attributes (like OS version or open relays) limits intelligent response.
2. **Ignoring Service Monitoring:** Viewing the tool only as a "vulnerability scanner" risks missing opportunities to use it as a "network service monitoring device" for checking continuous compliance of external configurations (e.g., keeping track of external SMTP relay status).
3. **Unmanaged Certificate Sprawl:** Failing to track SSL certificate issuers and expiration dates via scanning data will lead to unexpected service outages or security black marks when certificates lapse.
4. **Ineffective Dashboard Design:** Creating generic, unfilterable dashboards that overwhelm users with raw data. Custom "blizzards" must be curated for specific review roles (e.g., showing only patchable items to the patching team).
## Resources
- **Vulnerability Management Service Documentation:** The service deployment page linked as 'here' in the introduction (*to be replaced by the organization's internal documentation link*).
- **Asset Tagging Standard/Schema:** Internal documentation defining mandatory and optional attributes for scanning data enrichment.
- **Service Monitoring Dashboard Configuration Guide:** Documentation on building, filtering, and subscribing to specialized widgets ("blizzards").