What is Vulnerability Scan Coverage?

Scan coverage is a topic that comes up fairly frequently in VM discussions… but what does scan coverage measure?

Scott Kuffer
August 11, 2021
Resources
What is VM Scan Coverage?

What is Vulnerability Scan Coverage?

The first step in the vulnerability management process is understanding what assets and vulnerabilities an organization has. Scan coverage is a way to measure the scanning of all the assets, systems and applications for vulnerabilities across an organization and the frequency at which the scans are scheduled. This helps an organization find coverage issues, and correct any issues discovered.

What Scan Coverage Measures

Scan coverage answers two related questions:

  1. Are you scanning all of the systems on your network?
  2. Are your scans scheduled at the right frequency?

This can be easier said than done, of course. I’ve had consulting gigs where companies didn’t know for sure what network ranges they were even using, let alone what was on those network ranges. I’ve had other gigs where the company had a complete inventory and even knew which of those systems was most important to them. Needless to say, it’s easier for companies who have a good asset inventory to measure scan coverage. For companies who don’t have a good inventory, it’s essentially a guessing game.

This problem was easier to solve when everyone went into the office. If worse came to worse, you could just scan the entire RFC 1918 space and hope for the best. No auditor would fault you for that. But then you have another problem… compiling all of that data.

Measuring Scan Coverage in Nucleus

Fun fact: the difficulty of measuring scan coverage in vulnerability scanners was one of the reasons we built Nucleus. Nucleus makes this pretty easy once you’ve imported an asset inventory and are importing all of your scans.

Navigate to Assets > Asset Management. We think scan coverage is so important we put it right at the top and default to a 90-day metric. Assets in green have been scanned at least once in the last 90 days. Assets in orange have not been scanned within the last 90 days. To pull up either group of assets, go to the section of the bar you are concerned about and click to view details.

Nucleus Scan Coverage Screenshot

You may also narrow it down to a shorter timeframe. Admittedly 90 days is generous, but that’s the minimum to meet PCI requirements. To use a narrower timeframe, click Filter. Scroll to Last Scanned, then choose the timeframe you want to review. You can even click Never to find assets in your inventory that have no scan data available.

 

You can export the list by clicking Export. You’ll need to investigate those systems and launch scans against anything that turns out to still be live, but at least we made it easy to find the problem.

Fixing Scan Coverage Issues

Working remotely makes scanning more difficult. Putting a scan appliance in every employee’s home is beyond impractical. Fortunately, the scanner vendors recognize this, and all of the major vendors provide agents. Provided the agent can communicate with the cloud on port 443, your VM scanner can reach those remote hosts. Agents get a bad name, but at this point all of the major scanner agents are reasonably well behaved. I have a lab system that runs a process that wants 100% of the CPU. I’ve loaded not one, but two VM agents on it and scan it multiple times a day. It still gets its work done, and I still get my scan results.

Getting buy-in can be difficult because everyone remembers that one agent they loaded years ago that took 100% of the CPU and refused to share. While there are still some security agents that are pretty heavy, by-and-large the VM agents play nice. You may have to try it out on some lab systems and on your user acceptance testing team if you have one, but as long as you run the defaults, or at least avoid the extreme settings, you’ll find it works reasonably well.

You may find your scanning tool has trouble tracking a system with an agent on it that it also scans over the network. If that happens, Nucleus can merge those findings back for you.

Dealing with Unreachable Assets on Your Corporate Network

What about systems that are on your corporate network that you haven’t seen in a long time? Talk to your remediation teams about those. They can give you a good idea of how long a system can be offline before it is presumed ‘decommissioned’. You can then create an automation rule to inactivate those assets in Nucleus once they reach that age. When Nucleus inactivates an asset, the vulnerabilities close as well.

And yes, there’s a reason I said ‘inactivate’ rather than ‘delete’. Zombie systems. You know zombie systems… the ones that get decommissioned, but then someone or something turns the systems back on without telling anyone, and now that system is alive again? When a zombie system shows back up in a vulnerability scan, Nucleus reactivates it with its full scan history intact.

zombies

How Frequently Should You Scan?

At minimum, you need to be scanning once a month. But given the frequency that new vulnerabilities get discovered and new updates get released, once a month isn’t really adequate in a mature organization. The other problem is your intent. You can run one scan and say you scanned your network that month – but there’s no guarantee all your systems were online at the time of the scan. If your intent is to scan all the systems on your network every month, you’re going to need to scan more frequently to ensure you actually scan every system at least once in a given month.

We recommend weekly scans at a minimum. That’s enough to catch every major software vendor’s release cycle, and to put out a best effort to catch every system at least once in a 30 day period. It also makes you more likely to catch each maintenance window. That way the data you are reporting on is reasonably up-to-date, and vital metrics like mean-time to remediate are reasonably close to reality.

If you have agents, have enough network scanner capacity, or both, you should probably scan every day. Then you know your data is no more than 24 hours old at any given time.

There is one other caveat to scan frequency. You need to make sure your scanner is scaled to match your ambitions. The exact capacity of a scanner appliance varies from vendor to vendor and on how much memory and CPU capacity they have – but a reasonable rule of thumb is that one scanner appliance can scan about 3000 hosts in a day. If you have 5000 hosts and only have one scan appliance and don’t want to use agents, you will have a difficult time scanning your whole network in a single day.

I’ve certainly seen both extremes. Sometimes people aren’t scanning often enough, and sometimes people are trying to scan more frequently than their deployment is designed to handle.

Nucleus can’t solve that problem for you, but we can help you to measure the effectiveness of your scanning and see where you may need to make adjustments. You can’t fix what you don’t know if broken.

Scott Kuffer
Scott is the co-founder and COO of Nucleus Security, a leading provider of risk-based vulnerability management solutions. With a wealth of experience in cybersecurity, SaaS, and business strategy, he has been at the forefront of driving innovation in vulnerability management, helping some of the world’s most complex enterprises tackle their biggest security challenges.

See Nucleus in Action

Discover how unified, risk-based automation can transform your vulnerability management.