While scanning tools like vulnerability assessment (VA) and network scanners provide valuable insight into a wide array of devices, there are limitations when relying on them for cybersecurity asset management alone. Unlike platforms that rely on network scans, Axonius automatically aggregates and correlates asset data — regardless of asset type — to deliver a comprehensive and credible asset inventory for security, IT, and risk teams.
Network scanning helps detect hosts on a network and collect information about them. There are two primary types of network scanning — active and passive scanning:
- Active scanning is when a scanning tool sends a probe to each IP address on a network segment and awaits a response to determine if any device is listening. Depending on how the scanning tool is configured, the active devices’ responses may be as simple as an indication that the device is listening, or include additional information about the device.
- Passive scanning doesn't actively ping IP addresses looking for device responses. Also known as packet sniffing, these scans are designed to search for communication packets traversing a network segment. Passive scanning tools can capture a lot of information about devices communicating on the network, based on communication ports and protocols, packets and block sizes, periodicity, MAC addresses, IP addresses, etc.
What Technologies Conduct Scanning?
- Vulnerability Assessment (VA) Tools: These are automated tools that scan the network for new, emerging, and historic security vulnerabilities in software, hardware, devices, and network infrastructure that an attacker could exploit. After the scans are complete, the VA tool provides a report on the vulnerabilities identified and the suggested remediation actions for them. The data and reports from the scans are also usually integrated into other security tools to deliver a holistic view of the threat.
  - Common Vendors: Qualys, Tenable, Rapid7
- Network Scanning Tools: By scanning for common discovery protocols, network scanning tools discover and collect information on all devices attached to a network. These scans result in an initial asset inventory based solely on connected devices. This information is used to gain visibility into the network and understand the relationships between devices.
  - Common Vendors: Lansweeper, Nmap, SolarWinds, ServiceNow Discovery
How Is Scanning Used for Asset Discovery?
Network-based Scanning: Network scanners and network discovery tools use common discovery protocols, like Simple Network Management Protocol (SNMP), Link Layer Discovery Protocol (LLDP), and ping, to compile an inventory of all devices attached to a local area network.
These scans collect information on virtual machines and virtual networks, on the hardware and software present on a network, and on the interconnections between assets. Security teams use these tools to map their network infrastructure.
Agent-based Scanning: Agent-based vulnerability scanning requires that an agent be deployed on each machine to obtain a vulnerability profile for the device. This approach can provide rich context and deep insight into both the device and its characteristics. A wide range of details can be obtained, including IP and MAC address, open ports, installed software, operating system and versions, patches, users, and security vulnerabilities on the machine.
What are the Limitations of Vulnerability Assessment & Network Scanners?
- Deployment: It’s difficult to deploy scanning-based solutions for mobile and remote workforces, as well as highly segmented networks requiring multiple scanners. Scanning-based approaches, therefore, lead to incomplete asset visibility.
- Discovery: Scanning requires machines to be turned on and reachable, and is often limited to periodic scan cycles such as every week or month. This means you'll only find unmanaged devices that are present at the time of the scan, and you won't find machines created or decommissioned between scan cycles (like Amazon EC2 instances and VMs in VMware).
- Data Correlation: There’s often no real way to aggregate, correlate, and compare asset data with scan data, or other valuable asset data sources.
Why it’s Best to Combine Vulnerability Assessment & Network Scanners with Other Data Sources
- Many assets can’t be found from only one source: Cloud containers may never be scanned or have an agent, so relying on one source will often lead to incomplete asset inventories.
- You need to compare two or more data sources: You need two or more trustworthy data sources to help identify gaps. For example, one data source may know about all the assets while another holds the details of the full scope of the vulnerability scans; comparing the two shows which assets the scans never reached. When these data sources are compared, the visibility is far deeper than looking at a single source of data.
- More data sources lead to stronger signals: The more the data sources overlap, the stronger the correlation between them, giving you a single source of truth for any one asset.
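The correlation and gap-finding idea above, as an added example that is not Axonius code: records from a VA scanner, a network scan and an agent inventory (all constructed, with assumed field names) are merged into one record per device on stable identifiers, and any device that some source saw but the VA scanner did not is reported as a coverage gap.

```python
"""Correlate asset records from several sources and flag coverage gaps.
Added example, not Axonius code; source names, fields and records are constructed."""

# Constructed sample inventories: each source saw only a subset of the estate.
SOURCES = {
    "va_scanner": [
        {"hostname": "web-01", "ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01", "vulns": 3},
        {"hostname": "db-01", "ip": "10.0.1.20", "mac": "aa:bb:cc:00:00:02", "vulns": 0},
    ],
    "network_scan": [
        {"ip": "10.0.1.10", "mac": "aa:bb:cc:00:00:01"},
        {"ip": "10.0.1.30", "mac": "aa:bb:cc:00:00:03"},  # on the LAN, never VA-scanned
    ],
    "agent": [
        {"hostname": "web-01", "mac": "aa:bb:cc:00:00:01", "os": "Ubuntu 22.04"},
        {"hostname": "laptop-07", "mac": "aa:bb:cc:00:00:09", "os": "Windows 11"},  # remote
    ],
}

def record_ids(rec: dict) -> set[str]:
    """Identifiers used to match a record against assets seen by other sources.
    MAC and hostname are stable; an IP is only used when a record has neither,
    because DHCP address reuse would otherwise merge unrelated devices."""
    ids = {f"{k}:{rec[k].lower()}" for k in ("mac", "hostname") if rec.get(k)}
    return ids or ({f"ip:{rec['ip']}"} if rec.get("ip") else set())

def correlate(sources: dict[str, list[dict]]) -> list[dict]:
    """Merge records into one asset per device: {'ids', 'seen_by', 'fields'}."""
    assets: list[dict] = []
    for name, records in sources.items():
        for rec in records:
            ids = record_ids(rec)
            asset = next((a for a in assets if a["ids"] & ids), None)  # any shared id
            if asset is None:
                asset = {"ids": set(), "seen_by": set(), "fields": {}}
                assets.append(asset)
            asset["ids"] |= ids
            asset["seen_by"].add(name)
            asset["fields"].update(rec)  # later sources add or overwrite fields
    return assets

def asset_name(asset: dict) -> str:
    return asset["fields"].get("hostname") or asset["fields"].get("ip", "?")

def coverage_gaps(assets: list[dict], required: str = "va_scanner") -> list[str]:
    """Names of assets that some source saw but the required source never did."""
    return sorted(asset_name(a) for a in assets if required not in a["seen_by"])
```

With the sample data, `coverage_gaps(correlate(SOURCES))` returns `['10.0.1.30', 'laptop-07']`: the LAN device the scanner never reached and the remote laptop known only to its agent.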