Finding Devices Not Being Scanned For Vulnerabilities
- Updated on 22 Sep 2024
- 3 Minutes to read
Watch the “Finding Devices Not Being Scanned For Vulnerabilities” video, or read below.
Today’s vulnerability assessment tools do an incredible job of identifying known vulnerabilities in the devices they’re aware of. But how can we ensure that all devices — including workstations, laptops, virtual machines, and other IT assets — are actually being scanned?
Here, we’ll look at the challenges related to identifying devices not being scanned by a VA Tool, the security benefits of automatically discovering devices not being scanned, and how to automatically add assets to the next scheduled scan.
Challenges in Knowing Which Devices Are Not Being Scanned For Vulnerabilities
Understanding which devices are covered by a specific vulnerability scanner is simple: you just need to access the admin console, which produces a list of covered devices. The harder problem is the inverse: knowing which devices should be scanned but are not part of the VA scan schedule. The scanner cannot answer that question on its own, because a device it has never seen does not appear in its console at all.
Data Sources Required to Find Devices Missing Vulnerability Assessment Tool Coverage
The following data sources are needed to uncover devices missing vulnerability scanner coverage:
- Vulnerability scanner console — By connecting to the admin console of the vulnerability scanner, you can see all devices that are known and are being scanned
- Directory Services / Endpoint Management Solutions — examples include Active Directory or Azure AD, which authenticate and authorize users and devices
- Network/Infrastructure Data — By connecting to the network infrastructure, you can see devices that are known to the network but are not being scanned
Finding Devices Not Being Scanned For Vulnerabilities
First, let’s take a look at the most basic query to find devices missing vulnerability scanner coverage.
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
```
not specific_data.data.adapter_properties == "Vulnerability_Assessment"
```
This query finds devices missing Vulnerability Scanner coverage by returning every device that is not reported by any adapter categorized as a Vulnerability Assessment tool. Here’s an example of the returned results:
Finding Windows Devices Without a Vulnerability Scanner Solution
We can add any other filter criteria to narrow down the result set even further. For example, if our policy states that every Windows device needs to be covered by a Vulnerability Scanner, we can modify our query.
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
```
specific_data.data.os.type == "Windows" and not specific_data.data.adapter_properties == "Vulnerability_Assessment"
```
This simple query looks to find Windows devices without Vulnerability Scanner coverage. Here are the results:
Finding Windows Devices Without Vulnerability Scanner Coverage Active in the Past 7 Days
In some large enterprises, the result set may still be too large, requiring additional filter criteria to prioritize devices needing attention. By adding the “last seen” filter, you can see only Windows devices without coverage that have been active in the past week.
This query can be represented in the Axonius Query Wizard as:
This query can also be represented as an AQL (Axonius Query Language) expression:
```
specific_data.data.os.type == "Windows" and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and specific_data.data.last_seen >= date("NOW - 7d")
```
Adding the last seen parameter returns the following results:
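The three AQL queries above are all variations of one idea: correlate the data sources listed earlier (scanner console, directory services, network data) into a single per-device record, then select the devices that no vulnerability-assessment source reports, optionally narrowed by OS type and by recent activity. The following standalone Python script, added here as an illustration and not part of the Axonius product or its API, reproduces that logic over constructed sample exports. The hostnames, timestamps and the "Directory"/"Network" category labels are invented for the example; only the "Vulnerability_Assessment" category string comes from the page's queries. It uses the hostname as the correlation key, which is a simplification of real device correlation.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports (not real inventory data), one per data-source
# type named on the page. The hostname is used as the correlation key.
VA_SCANNER_EXPORT = ["ws-001", "srv-db-01"]          # hosts the scanner console knows about

DIRECTORY_EXPORT = [                                   # e.g. an Active Directory computer export
    {"hostname": "ws-001", "os_type": "Windows", "last_seen": "2024-09-21T08:00:00Z"},
    {"hostname": "ws-002", "os_type": "Windows", "last_seen": "2024-09-21T09:30:00Z"},
    {"hostname": "ws-003", "os_type": "Windows", "last_seen": "2024-08-01T12:00:00Z"},  # stale account
    {"hostname": "mac-010", "os_type": "macOS", "last_seen": "2024-09-20T16:00:00Z"},
]

NETWORK_EXPORT = [                                     # e.g. DHCP leases or switch ARP tables
    {"hostname": "srv-db-01", "os_type": "Linux", "last_seen": "2024-09-22T01:00:00Z"},
    {"hostname": "srv-web-02", "os_type": "Linux", "last_seen": "2024-09-22T02:00:00Z"},
    {"hostname": "ws-002", "os_type": "Windows", "last_seen": "2024-09-22T03:00:00Z"},
]

VA_PROPERTY = "Vulnerability_Assessment"   # adapter category string used in the page's AQL

# Fixed clock so the example is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2024, 9, 22, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-09-22T03:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def aggregate(scanner_hosts, directory_rows, network_rows):
    """Correlate the three exports into one record per hostname.

    Each record carries the set of source categories that reported the host
    (the analogue of adapter_properties) and the most recent last_seen value
    across all sources. A host known only to the scanner gets os_type None.
    """
    inventory = {}

    def touch(hostname, category, os_type=None, last_seen=None):
        rec = inventory.setdefault(
            hostname,
            {"hostname": hostname, "os_type": None, "adapter_properties": set(), "last_seen": None},
        )
        rec["adapter_properties"].add(category)
        if os_type and rec["os_type"] is None:
            rec["os_type"] = os_type
        if last_seen:
            ts = parse_ts(last_seen)
            if rec["last_seen"] is None or ts > rec["last_seen"]:
                rec["last_seen"] = ts

    for host in scanner_hosts:
        touch(host, VA_PROPERTY)
    for row in directory_rows:
        touch(row["hostname"], "Directory", row["os_type"], row["last_seen"])
    for row in network_rows:
        touch(row["hostname"], "Network", row["os_type"], row["last_seen"])
    return inventory


def find_unscanned(inventory, os_type=None, seen_within_days=None, now=None):
    """Return sorted hostnames with no vulnerability-assessment source.

    os_type narrows to one OS (the page's second query); seen_within_days keeps
    only hosts seen in the last N days (the page's third query).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=seen_within_days) if seen_within_days else None
    hits = []
    for rec in inventory.values():
        if VA_PROPERTY in rec["adapter_properties"]:
            continue                                  # covered: skip
        if os_type and rec["os_type"] != os_type:
            continue                                  # wrong OS for this policy
        if cutoff and (rec["last_seen"] is None or rec["last_seen"] < cutoff):
            continue                                  # not active recently enough
        hits.append(rec["hostname"])
    return sorted(hits)


if __name__ == "__main__":
    inv = aggregate(VA_SCANNER_EXPORT, DIRECTORY_EXPORT, NETWORK_EXPORT)
    print("missing VA coverage:          ", find_unscanned(inv))
    print("Windows, missing VA coverage: ", find_unscanned(inv, os_type="Windows"))
    print("Windows, missing VA, 7 days:  ",
          find_unscanned(inv, os_type="Windows", seen_within_days=7, now=NOW))
```

Run as-is, the three calls narrow from four unscanned devices, to the two Windows hosts, to the single Windows host seen in the last seven days; the stale account ws-003 drops out of the last result exactly as the page's "last seen" filter intends, which is why that filter is a prioritization aid rather than a statement that ws-003 is covered.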
Taking Action on Devices Missing VA Scanner Coverage
The Axonius Security Policy Enforcement Center allows customers to determine which automated actions to take when a device missing VA tool coverage is found.
Highlighted Actions Include:
- Notify - Let someone know about the device via email, Slack, Syslog, or CSV
- Create Incident - Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk
- Update VA Coverage - Add the device to the next scheduled VA scan
- Deploy Files and Run Commands - Run a shell command on Windows/Linux or initiate a WMI or SSH Scan
For more details, see Action Library.