• September 9, 2021
  • Dave Farquhar

Fixing Scan Coverage Issues

One of the most common questions we get here at Nucleus is why the “last seen” dates for assets in Nucleus don’t match (what they believe to be) the most recent vulnerability scan dates. “We scan weekly, but the Nucleus last seen date for these assets is over two months ago!” In many cases, our customers believe there is something amiss with Nucleus, and engage with our support team. In nearly every case, something is in fact amiss, but it isn’t with Nucleus…

Scan coverage is hard.

I have built several vulnerability management programs from scratch – and one of my first questions is always “how frequently are you required to scan?” Usually a company has some regulatory, legal, or contractual requirement driving how often it must scan. If the company requirement for scanning frequency was monthly, I never suggested they scan once a month. I recommended that they scan every two weeks, or better yet, every week. Of course, they always asked why. If we scan every week, we get four chances to catch each system online in a given month. If I only scan once a month, I can’t guarantee I will scan every system every month.

Even scanning once a week, if each scan reaches 75% of its target assets, after four weeks you can expect to have scanned 99.6% of the assets (each asset has a 25% chance of being missed by any one scan, so 1 − 0.25⁴ ≈ 99.6% of assets are seen at least once). That’s pretty close to 100%, but it’s not 100%.

There are any number of reasons why a system might be unreachable during a scan. The system may be offline during that time. A server could be under maintenance. Employee laptops are easily missed, for example, if the employee was sick that day, and the laptop was asleep in their laptop bag and unreachable. Or if an employee is carrying a laptop around from meeting to meeting and roaming between wireless access points while a scan is happening, that’s likely to interfere with the scan, especially if they get a new IP address at any point.

And this is easy to forget, but networks are fickle. We noticed it a lot more in the bad old days when networks ran at 10 megabits. Now that Gigabit speed is normal, we don’t necessarily notice all the retries – but your scanner has to deal with them. A scan involves transferring a lot of data over what may already be a very strained network. If there is a questionable network device in the path, certain devices may not respond in a timely fashion and get dropped from the scan.

By scanning two or four times more often than required, I found I could usually work around those issues. At least, that was always my theory. Proving it could be a bit harder, depending on the search capabilities of your particular scanning tool.

Regardless of what scanning tool you use, Nucleus makes it easier to notice discrepancies in scan times, because we make the date more prominent than the scan vendors do. Not only do we make the last seen date prominent, we also color code it when we think it’s starting to get stale.

If you’re a large company, frankly, I expect your scan dates to not match. At least not if you’re doing standard network-based scans. Even if you’re doing agent-based scans, depending on the vendor, I expect variance. Even if you use one of the vendors whose agent works automatically, without having to schedule scans, I don’t expect to see the results from every asset every day.

Is Scan Coverage a Problem?

The first question is whether this is a problem. If your infrastructure teams are questioning your findings and you are consistently discovering that your scan results predate the most recent maintenance window, then yes, this is a problem.

If you have scan results that are newer than the most recent maintenance window, and you meet your contractual, legal, or regulatory scanning requirements, then there’s no reason to worry about a bit of variance in the scan dates. Some variance is normal, due to normal comings and goings. And sometimes a scan takes several days to finish. If you have a scan that runs from Monday to Wednesday, then you’re going to have a three-day variance in your last seen dates. The scanner probably will use the date when that asset was assessed, not the start or end date of the scan.
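The coverage arithmetic from the 75%-per-scan example and the “is this actually a problem?” rule from this section can be put into a small script. The following is an added example, not Nucleus code; it assumes each scan independently reaches the same fraction of its targets, and the asset names, dates, maintenance window, and a 30-day requirement plus 3-day scan run are constructed for illustration. It goes slightly beyond the text by also solving for how many scans a target coverage needs and by comparing monthly, biweekly, and weekly cadences over the same four weeks.

```python
"""Scan-coverage arithmetic and a last-seen staleness check.

Added example (not Nucleus code). The coverage math assumes each scan
independently reaches the same fraction of targets; the hit rate,
dates, and thresholds below are constructed for illustration.
"""
from datetime import date
import math


def coverage_after(hit_rate: float, scans: int) -> float:
    """Expected fraction of assets seen at least once across `scans` scans,
    each of which independently reaches `hit_rate` of its targets.
    coverage_after(0.75, 4) reproduces the post's 99.6% figure."""
    return 1.0 - (1.0 - hit_rate) ** scans


def scans_needed(hit_rate: float, target: float) -> int:
    """Smallest number of scans whose expected coverage reaches `target`.
    Solves 1 - (1 - p)^n >= target for n."""
    if not 0.0 < hit_rate <= 1.0 or not 0.0 <= target < 1.0:
        raise ValueError("hit_rate must be in (0, 1], target in [0, 1)")
    if hit_rate == 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - hit_rate))


def cadence_table(hit_rate: float, days: int = 28) -> dict:
    """Expected coverage over `days` days for monthly/biweekly/weekly cadences."""
    return {
        label: round(coverage_after(hit_rate, days // interval), 4)
        for label, interval in (("monthly", 28), ("biweekly", 14), ("weekly", 7))
    }


def last_seen_issues(last_seen: date, today: date, last_maintenance: date,
                     required_interval_days: int, scan_run_days: int) -> list:
    """Flag a last-seen date the way the post reasons about it.

    'predates_maintenance': results are older than the latest change window,
                            so findings may already be fixed or new ones missed.
    'overdue':              older than the contractual/regulatory interval plus
                            the run length of one scan (normal variance).
    An empty list means the date is acceptable even if it is a few days old.
    """
    issues = []
    if last_seen < last_maintenance:
        issues.append("predates_maintenance")
    if (today - last_seen).days > required_interval_days + scan_run_days:
        issues.append("overdue")
    return issues


def triage(assets: dict, today: date, last_maintenance: date,
           required_interval_days: int = 30, scan_run_days: int = 3) -> dict:
    """Map asset name -> list of issues for every asset in `assets`."""
    return {
        name: last_seen_issues(seen, today, last_maintenance,
                               required_interval_days, scan_run_days)
        for name, seen in assets.items()
    }


# Constructed sample: a weekly scan that runs Monday-Wednesday, a monthly
# requirement, and a maintenance window that ended on 2021-09-05.
TODAY = date(2021, 9, 9)
LAST_MAINTENANCE = date(2021, 9, 5)
SAMPLE_ASSETS = {
    "web01": date(2021, 9, 8),      # seen this week
    "web02": date(2021, 9, 6),      # seen on day one of the same scan run
    "db01": date(2021, 9, 3),       # not seen since the maintenance window
    "laptop-42": date(2021, 7, 1),  # asleep in a bag for two months
}

if __name__ == "__main__":
    print("coverage after 4 weekly scans at 75%:", round(coverage_after(0.75, 4), 4))
    print("scans needed for 99.9% at 75%:", scans_needed(0.75, 0.999))
    print(cadence_table(0.75))
    for name, issues in triage(SAMPLE_ASSETS, TODAY, LAST_MAINTENANCE).items():
        print(f"{name:10s} {issues or 'ok'}")
```

Running it shows web02 is fine even though it is three days behind web01 (that is the scan-run variance the post describes), db01 is the one worth raising with the system administrator because its results predate the maintenance window, and laptop-42 is both stale against the change window and outside the required interval.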

But you may also find you have a problem you didn’t know you had. Nucleus is pretty good at helping you find that out. When we can, we also like to present solutions; a few general suggestions are included below.

What You Can Do

The first thing you can do if you see assets not getting scanned as regularly as others is to simply scan more often. This gives more opportunity for the asset to get assessed. This probably won’t eliminate the variance, but can reduce it to a tolerable level.

If the issue seems more systemic, your network may be hard to scan. There may be some informational findings that can help you troubleshoot. Look for the findings that tell you what the host scan time was, and whether a firewall was detected, for example. If the host scan time is longer than you see on systems that are assessed regularly, you may need to work with that System Administrator to figure out why that system is hard to scan. If you see a firewall detected finding, it’s always better to not scan through a firewall. Try to put a scanner on the other side of that firewall and dedicate that scanner to those devices.

Of course, doing this at scale for thousands of assets can get very tedious and can turn into a very long and expensive project. Frequently, it is easier to simply deploy agents.

If you’re already using agents, and still see a lot of variance, make sure that your scan window for those agents is long enough. Depending on your scan vendor, you may or may not be able to limit agent activity to a specific hour of the day. I once worked with a company that wanted to scan all of its agents during the lunch hour on Wednesdays so they could guarantee no disruption. It was a nice idea in theory. Unfortunately, we found that wasn’t enough time in practice. Depending on the size of a company, you may have to open the scan window to the full workday to catch everything.

Again, this is general advice. While at one time or another I have been certified on all three of the major scan vendors’ tools, I no longer spend all day every day using one of them. If you’re having issues getting your scans to complete, your scan vendor may be able to give you more specific advice. And as you consider the value of increasing your scan frequency for better recency data, share your thoughts with the remediation team for their perspective and buy-in. They can’t fix what you can’t see, and some simple scan scheduling adjustments can help to improve performance metrics for both teams overall.