How to Find Devices Not Being Scanned For Vulnerabilities

Today’s vulnerability assessment tools do an incredible job of identifying known vulnerabilities present in the devices they’re aware of. But how can we ensure that all devices — including workstations, laptops, virtual machines, and other IT assets — are being scanned?

Here, we’ll look at the challenges related to identifying devices not being scanned by a VA Tool, the security benefits of automatically discovering devices not being scanned, and how to automatically add assets to the next scheduled scan.

Challenges In Knowing Which Devices Are Not Being Scanned For Vulnerabilities

Understanding which devices are covered by a specific vulnerability scanner is simple: you just need to access the admin console, which produces a list of covered devices. The hard problem is the inverse: knowing which devices should be scanned but are not part of the VA scan schedule, because by definition the scanner's console has never seen them.

Security Implications For Devices Without VA Scanner Coverage

Devices without VA scanner coverage present a number of security risks. These may include:

  • The devices remaining vulnerable to known threats
  • Blind spots created within the security infrastructure
  • Devices not adhering to the overall security policy

To maximize its return on investment, the vulnerability solution needs to scan each device within the network.

Data Sources Required to Find Devices Missing Vulnerability Assessment Tool Coverage

The following data sources are needed to uncover devices missing vulnerability scanner coverage:

  • Vulnerability scanner console — By connecting to the admin console of the vulnerability scanner, you can see all devices that are known and are being scanned
  • Identity Access Management Solutions (IAM) — IAM examples include Active Directory or Azure AD that authenticate and authorize users and devices
  • Network/Infrastructure Data — By connecting to the network infrastructure, you can see devices that are known to the network and not being scanned

Finding Devices Not Being Scanned For Vulnerabilities

First, let’s take a look at the most basic query to find devices missing vulnerability scanner coverage:

not == "Vulnerability_Assessment"

This query can also be represented in the Axonius Query Wizard as:

This query finds devices missing Vulnerability Scanner coverage by showing anything not known to security solutions categorized as Vulnerability Assessment Tools. Here’s an example of the returned results:

Finding Windows Devices Without A Vulnerability Scanner Solution

We can then add any other filter criteria to narrow down the result set. For example, if our policy states that every Windows device needs to be covered by a Vulnerability Scanner, we can modify our query as such:

== "Windows" and not == "Vulnerability_Assessment"

This query can also be represented in the Axonius Query Wizard as:

This simple query looks to find Windows devices without Vulnerability Scanner coverage.

Here are the results:

Finding Windows Devices Without Vulnerability Scanner Coverage Active In The Past 7 Days

In some large enterprises, the result set may still be too large, requiring additional filter criteria to prioritize devices needing attention. By adding the “last seen” filter, you can see only Windows devices without coverage that have been active in the past week:

== "Windows" and not == "Vulnerability_Assessment" and >= date("NOW - 7d")

This query can also be represented in the Axonius Query Wizard as:

Adding the last seen parameter returns the following results:
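The three queries above are successive filters over one correlated inventory. As an added example (not Axonius code and not its query language), the following Python correlates constructed records from the three data sources listed earlier (VA console, IAM, network) by hostname and applies the same three filters: missing VA coverage, Windows only, and seen in the last 7 days. Hostnames, dates and the source categories are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample records: (source category, hostname, OS if known, last seen).
# Hostnames and dates are made up; a real feed would come from each tool's API.
RECORDS = [
    ("Vulnerability_Assessment", "ws-001", "Windows", NOW - timedelta(days=1)),
    ("Vulnerability_Assessment", "srv-db01", "Linux", NOW - timedelta(days=2)),
    ("IAM", "ws-001", "Windows", NOW - timedelta(days=1)),
    ("IAM", "ws-002", "Windows", NOW - timedelta(days=3)),
    ("IAM", "ws-003", "Windows", NOW - timedelta(days=30)),
    ("IAM", "srv-db01", "Linux", NOW - timedelta(days=2)),
    ("Network", "ws-002", None, NOW - timedelta(hours=6)),
    ("Network", "srv-web01", "Linux", NOW - timedelta(days=1)),
    ("Network", "vm-007", None, NOW - timedelta(days=12)),
]


def correlate(records):
    """Merge per-source records into one entry per device, keyed on hostname."""
    devices = {}
    for category, host, os_name, last_seen in records:
        dev = devices.setdefault(host, {"sources": set(), "os": None, "last_seen": None})
        dev["sources"].add(category)
        if dev["os"] is None:             # first source that reports an OS wins
            dev["os"] = os_name
        if dev["last_seen"] is None or last_seen > dev["last_seen"]:
            dev["last_seen"] = last_seen  # keep the most recent sighting across sources
    return devices


def missing_va(devices):
    """Equivalent of: not == "Vulnerability_Assessment" (no VA source knows the device)."""
    return sorted(h for h, d in devices.items()
                  if "Vulnerability_Assessment" not in d["sources"])


def windows_missing_va(devices):
    """Adds the OS filter: Windows devices with no VA coverage."""
    return sorted(h for h in missing_va(devices) if devices[h]["os"] == "Windows")


def windows_missing_va_recent(devices, now=NOW, days=7):
    """Adds the last-seen filter: >= date("NOW - 7d"), so stale records are excluded."""
    cutoff = now - timedelta(days=days)
    return [h for h in windows_missing_va(devices) if devices[h]["last_seen"] >= cutoff]
```

Note that ws-002 is kept only because the network source saw it 6 hours ago; the IAM record alone would have placed it three days back, which is why the merge keeps the most recent sighting.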

Taking Action On Devices Missing VA Scanner Coverage

The Axonius Security Policy Enforcement Center allows customers to determine which automated actions to take when a device missing VA Tool coverage has been found.

Highlighted Actions Include:

  • Add Device to VA Scan — Add the device to the next scheduled VA Scan
  • Run Command — Run a shell command on Windows/Linux or initiate a WMI or SSH Scan
  • Block Device at Firewall — Block the unprotected device at the firewall level
  • Notify — Let someone know about the device via email, Slack, Syslog, or CSV
  • Create an Incident — Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk

LEARN MORE ABOUT Finding Devices Not Being Scanned For Vulnerabilities

With that said, we’ve created a video that outlines Finding Devices not Being Scanned for Vulnerabilities here:
