In 2023, nearly 60% of incidents investigated by Arctic Wolf Incident Response involved a vulnerability that was two — or more — years old. That means the organization had 24-plus months to find and remediate the vulnerability before threat actors took advantage.
Why do vulnerabilities remain persistent? There are a number of reasons, not the least of which is that more of them are disclosed every day, creating a mountain of vulnerabilities that feels too difficult to summit for most businesses. Prioritization is a problem, alongside visibility, and vulnerabilities are only one part of the environment security teams need to comb through to find issues that could lead to incidents.
By taking a risk-based approach and conducting regular, thorough security scans, organizations can turn toward a proactive strategy that helps mitigate threats like vulnerabilities and puts them in a better position to defend when threats arrive in their environment.
What is Risk Management?
Risk management is an ongoing, cyclical process composed of a series of steps an organization can take to reduce its overall cyber risk. While the steps are broadly the same for every organization, how they are accomplished will vary, as no two environments are the same. By practicing risk management, and taking a risk-based approach to cybersecurity, organizations can reduce resource burden, increase efficiency, and bolster their defenses through proactive initiatives.
A major component of this process is continuous monitoring, particularly network monitoring and cybersecurity scans. Network monitoring, the ongoing observation and evaluation of a computer network and its associated assets, is now an essential component of holistic visibility and proactive cybersecurity for any organization. This source of telemetry lets organizations take in information from various parts of the network, such as the firewall or internal applications, and not only see what’s happening but understand where risks may lie or where incidents may already be in motion. This visibility is critical when it comes to prioritizing time, resources, and budget, as you can’t defend what you can’t see.
A major way to achieve this visibility, and the first step in most risk management processes, is conducting security scans.
Types of Cybersecurity Scans
Not all scans are the same, however. There are three major types an organization can deploy.
1. Vulnerability Scans
These types of scans look for vulnerabilities in your network and fall into two categories: external and internal.
External vulnerability scans look at your network from the threat actor’s perspective. They scan external IP addresses and domains, probing for vulnerabilities in internet-facing infrastructure to determine which ones could be exploited. These scans are best used to verify the strength of your externally facing services and help identify weaknesses in your perimeter defenses, such as a firewall. They reveal not only your vulnerabilities but also the list of ports that are open and exposed to the internet.
Looking at your network from this point of view lets you quickly identify the most pressing issues, including any services or new servers set up since the last scan, and see whether they present new threats to your organization.
Internal vulnerability scans are performed from a location with access to the internal network and are typically more complex than external ones, because there are often more potentially vulnerable assets within your organization. This scan discovers and catalogs your core IP-connected endpoints, such as laptops, servers, peripherals, IoT-enabled machines, and mobile devices.
Internal vulnerability scanners check these endpoints for vulnerabilities due to misconfigurations or unpatched software, so you can prioritize the devices that require immediate attention to properly secure the network.
Internal scans are best used for patch verification, or when you need to provide a detailed report of vulnerabilities within the network. When analyzing the data, take note of trends such as the top missing patches and the most vulnerable machines.
Performing internal scans on a regular basis is a proactive approach to protecting your network from known vulnerabilities and helps you gain useful insight into your patch management process.
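To make the analysis step concrete, here is an added example (not code from the original post or from Arctic Wolf) that takes constructed internal scan findings and pulls out the trends the section recommends tracking: findings whose fix has been available for 24 months or more, the top missing patches, the most vulnerable hosts, and a severity-then-age priority order. The record layout, hostnames and patch ids are assumptions; real scanner exports will differ.

```python
from collections import Counter
from datetime import date

# Constructed sample findings in the shape an internal vulnerability scanner might export.
# Hostnames and patch ids are placeholders, not real identifiers.
SCAN_FINDINGS = [
    {"host": "fileserver-01", "patch": "KB-PLACEHOLDER-1", "severity": "high",     "published": date(2021, 3, 9)},
    {"host": "fileserver-01", "patch": "KB-PLACEHOLDER-2", "severity": "critical", "published": date(2023, 11, 14)},
    {"host": "laptop-117",    "patch": "KB-PLACEHOLDER-1", "severity": "high",     "published": date(2021, 3, 9)},
    {"host": "laptop-117",    "patch": "KB-PLACEHOLDER-3", "severity": "medium",   "published": date(2022, 1, 11)},
    {"host": "laptop-117",    "patch": "KB-PLACEHOLDER-4", "severity": "low",      "published": date(2024, 2, 13)},
    {"host": "printer-lobby", "patch": "KB-PLACEHOLDER-1", "severity": "high",     "published": date(2021, 3, 9)},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

def months_between(older: date, newer: date) -> int:
    """Whole calendar months from `older` to `newer` (day of month ignored)."""
    return (newer.year - older.year) * 12 + (newer.month - older.month)

def stale_findings(findings, as_of: date, months: int = 24):
    """Findings whose patch has been available for at least `months` months:
    the long-lived exposures that dominate incident investigations."""
    return [f for f in findings if months_between(f["published"], as_of) >= months]

def top_missing_patches(findings, n: int = 3):
    """Patches missing on the most hosts, so one rollout closes the most findings."""
    return Counter(f["patch"] for f in findings).most_common(n)

def most_vulnerable_hosts(findings, n: int = 3):
    """Hosts ranked by summed severity weight rather than by raw finding count."""
    score = Counter()
    for f in findings:
        score[f["host"]] += SEVERITY_WEIGHT[f["severity"]]
    return score.most_common(n)

def prioritize(findings, as_of: date):
    """Risk-based work order: highest severity first, oldest fix availability as tie-breaker."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_WEIGHT[f["severity"]], months_between(f["published"], as_of)),
                  reverse=True)

if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "scan date"
    print("stale (24+ months):", len(stale_findings(SCAN_FINDINGS, today)))
    print("top missing patches:", top_missing_patches(SCAN_FINDINGS, 1))
    print("most vulnerable hosts:", most_vulnerable_hosts(SCAN_FINDINGS, 1))
    print("first to fix:", prioritize(SCAN_FINDINGS, today)[0])
```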
2. Endpoint Scans by Agent
Endpoint scans involve an agent installed on the endpoint itself that tracks active processes, applications, Wi-Fi networks, or USB devices that don’t conform to company policies. It can then flag the user or IT team to fix the issue, be it an unusual login or a host-based vulnerability. In some cases, the agent can end the threat by blocking the malicious action; this is often referred to as “active response.”
Endpoint agents monitor system activity for signs of suspicious behavior, including repeated failed login attempts, changes to the system registry, or backdoor installations.
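The "repeated failed login attempts" signal above is the simplest of these detections to show in code. The following is an added example, not the Arctic Wolf agent's logic: it runs a sliding-window threshold over constructed host authentication events in an assumed line format, alerts when one user/source pair fails five times inside a minute, and marks the alert when a success follows shortly after, which is the pattern a defender most wants escalated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of host-based authentication events in a simplified,
# hypothetical line format; hostnames, users and addresses are placeholders.
SAMPLE_EVENTS = """\
2024-06-01T08:00:01 host=laptop-117 user=alice src=10.0.0.5 result=FAIL
2024-06-01T08:00:04 host=laptop-117 user=alice src=10.0.0.5 result=FAIL
2024-06-01T08:00:09 host=laptop-117 user=alice src=10.0.0.5 result=FAIL
2024-06-01T08:00:15 host=laptop-117 user=alice src=10.0.0.5 result=FAIL
2024-06-01T08:00:21 host=laptop-117 user=alice src=10.0.0.5 result=FAIL
2024-06-01T08:00:30 host=laptop-117 user=alice src=10.0.0.5 result=SUCCESS
2024-06-01T08:05:00 host=laptop-117 user=bob src=10.0.0.9 result=FAIL
2024-06-01T08:20:00 host=laptop-117 user=bob src=10.0.0.9 result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) src=(\S+) result=(\S+)$")

def parse_event(line):
    """Parse one event line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, src, result = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "src": src, "result": result}

def detect_failed_login_bursts(text, threshold=5, window_seconds=60):
    """Alert when one (user, src) pair fails `threshold` times within `window_seconds`.
    A success within the window after an alert sets `success_after`, the strongest signal."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of failures still inside the window
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            q = recent[key]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"user": ev["user"], "src": ev["src"], "failures": len(q),
                               "at": ev["ts"], "success_after": False})
                q.clear()  # one alert per burst, not one per extra failure
        elif ev["result"] == "SUCCESS":
            for a in alerts:
                if (a["user"], a["src"]) == key and not a["success_after"] \
                        and (ev["ts"] - a["at"]).total_seconds() <= window_seconds:
                    a["success_after"] = True
    return alerts
```

Bob's two failures sit 15 minutes apart, so they never accumulate inside the window and produce no alert.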
A host-based agent is not a complete solution, just one part of it. That’s because visibility is limited to a single host, and attacks aren’t seen until they have already reached the host. You may have heard the concept that all attacks will ultimately end up on an endpoint, which is often used to highlight the importance of endpoint security. You should ask yourself, however, if you are satisfied with detecting the threat only once it lands on an endpoint, or would you prefer to detect the threat as it enters the environment and before it makes its way to the endpoint?
If it’s the latter, it’s important to note that the passive nature of endpoint agents means they are best suited for use in conjunction with the other types of security scans listed here, taking advantage of their complementary strengths.
Learn how the Arctic Wolf Endpoint Agent offers threat detection, asset inventory, and more.
3. Penetration Testing
While a penetration test may not be a traditional scan, it can help your organization identify gaps, gain visibility, and understand where your risk points lie within the environment.
Effective penetration testing tools are vital for gauging your system’s security posture.
Types of penetration tests include:
- Clear box tests, or white box tests. Your organization provides penetration testers with a variety of security information relating to your systems to help them easily find vulnerabilities.
- Blind tests, or black box tests. Your company provides penetration testers with no security information about the system being tested, with the goal of exposing vulnerabilities that would otherwise go undetected.
- Web application tests. Penetration testers attempt to find vulnerabilities in external-facing applications, such as websites, that can be accessed remotely.
- Double-blind tests. In this test, both the subject and observers are unaware the test is happening.
- Internal tests. Penetration testing takes place on-premises and focuses on security vulnerabilities that someone within your organization could exploit.
- API penetration testing. Simulating attacks against your application programming interface (API) lets you trace the steps a cybercriminal could take toward exploitation.
- Red Team testing. This test involves actual exploitation, with the tester writing custom tools and utilizing novel techniques. This kind of test involves a deeper level of scrutiny.
Penetration testing, the most active form of cybersecurity scanning, can be critical to reducing cyber risk and patching vulnerabilities. It shows your organization where and how a malicious attacker might exploit your network, allowing you to mitigate weaknesses before a real attack occurs. While some IT and security teams may search for open-source penetration testing tools, experts recommend you engage the services of a professional third-party to conduct any penetration testing.
Learn more about how to get the most out of your penetration tests.
The Value of Proactive Security and Scans for Risk Management
A comprehensive cybersecurity strategy is one that incorporates all the scans above and uses the information gathered to take proactive actions and reduce cyber risk. These scans should be conducted on a regular basis – and in the case of vulnerability and endpoint scans, continuously – so your organization can continually remediate vulnerabilities, close security gaps, and adjust strategies as your security journey continues.
Learn more about how Arctic Wolf® Managed Risk not only continually scans your environment for vulnerabilities, but helps your organization assess risks and prioritize remediation.
Better understand the risk landscape and the role visibility plays in reducing threats with the Arctic Wolf Security Operations Report.