According to IBM’s 2023 Cost of a Data Breach Report, it takes the average organization 277 days to detect and contain a breach. Organizations with a robust risk management program, however, can drastically reduce that number through proactive identification and remediation of vulnerabilities.
What Is Risk Management?
Risk management is an ongoing, cyclical process made up of a series of steps. The number and order of those steps are unique to every industry and organization, because no two attack surfaces are the same. However, there is one crucial component that every risk management program needs: network monitoring.
What Is Network Monitoring?
Network monitoring, the continuous observation and evaluation of a computer network and its associated assets, is now an essential component of holistic visibility and proactive cybersecurity for any organization. This source of telemetry lets organizations take in information from various parts of the network, such as the firewall or internal applications, and not only see what is happening but understand where risks may lie or where incidents may already be in motion.
A key piece of network monitoring involves the detection and identification of active devices on a network. This is accomplished via network security scans.
What Are Network Security Scans?
Network security scans, also known as vulnerability scans, involve monitoring for intrusions around the clock to reduce the likelihood that an IT system will be breached by bad actors seeking to steal sensitive data. They also produce automatic alerts and reports that reveal the defensive posture of the organization’s network and indicate which employees could be a weak link in the security chain.
Cybersecurity best practice is to engage in 24×7 continuous network monitoring and scanning by a team of security experts. Amid the ongoing security skills gap, however, it can be difficult to find, train, and retain enough staff to conduct this around-the-clock monitoring and scanning. That is one reason many organizations resort to conducting vulnerability scanning only quarterly or yearly. Intermittent network scanning, though, no longer stands a chance against cybercriminals incessantly probing an organization’s network.
How To Conduct a Network Scan
Network scanning works by sending probes (pings) to hosts on a network and analysing the responses. Ideally, this is done continuously, 24×7, to detect any irregularities in those responses and to identify vulnerabilities. Many organizations use a tool, or agent, to send these pings and check for irregularities at specific points in the network.
Types of Network Scans
Network scans fall into two categories: passive network scanning and active network scanning. Passive scanning, also known as “packet sniffing,” tracks data packets moving through an organization’s network. Active scanning uses pings or test packets to search for specific irregularities and actively examines the results.
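The passive side of this distinction, as an added example that is not part of the original post: a passive scan sends nothing and instead records which hosts are active, and which ports they answer on, from traffic that is already flowing. The packet headers and the approved-device list below are constructed sample data.

```python
from collections import defaultdict

# Constructed packet headers: (src_ip, src_mac, src_port, dst_ip, dst_port, tcp_flags).
# "S" is a client SYN, "SA" a SYN/ACK (the source is listening on src_port),
# "RA" a RST/ACK (the source refused the connection).
PACKETS = [
    ("10.0.0.9", "aa:bb:cc:00:00:09", 51000, "10.0.0.5", 443, "S"),
    ("10.0.0.5", "aa:bb:cc:00:00:05", 443, "10.0.0.9", 51000, "SA"),
    ("10.0.0.9", "aa:bb:cc:00:00:09", 51001, "10.0.0.5", 22, "S"),
    ("10.0.0.5", "aa:bb:cc:00:00:05", 22, "10.0.0.9", 51001, "SA"),
    ("10.0.0.77", "de:ad:be:ef:00:77", 40000, "10.0.0.5", 445, "S"),
    ("10.0.0.5", "aa:bb:cc:00:00:05", 445, "10.0.0.77", 40000, "RA"),
    ("10.0.0.9", "11:22:33:44:55:66", 51002, "10.0.0.5", 443, "S"),
]

# Constructed approved-asset inventory: IP -> the MAC address it should have.
APPROVED = {"10.0.0.5": "aa:bb:cc:00:00:05", "10.0.0.9": "aa:bb:cc:00:00:09"}


def build_inventory(packets):
    """Return {ip: {"macs": set, "listening": set}} built from observed traffic only."""
    inv = defaultdict(lambda: {"macs": set(), "listening": set()})
    for src_ip, src_mac, sport, _dst_ip, _dport, flags in packets:
        inv[src_ip]["macs"].add(src_mac)          # any frame proves the host is active
        if flags == "SA":                         # only a SYN/ACK proves an open listener
            inv[src_ip]["listening"].add(sport)
    return dict(inv)


def review(inventory, approved):
    """Flag devices missing from the approved list and IPs seen with an unexpected MAC."""
    findings = []
    for ip, info in sorted(inventory.items()):
        if ip not in approved:
            findings.append(f"unknown device {ip} ({', '.join(sorted(info['macs']))})")
        elif info["macs"] != {approved[ip]}:
            extra = sorted(info["macs"] - {approved[ip]})
            findings.append(f"{ip} seen with unexpected MAC(s) {extra}")
    return findings


if __name__ == "__main__":
    inv = build_inventory(PACKETS)
    for ip, info in sorted(inv.items()):
        print(ip, "listening on", sorted(info["listening"]))
    for finding in review(inv, APPROVED):
        print("FINDING:", finding)
```

Because it only observes, this approach cannot see a listener that nobody talks to during the capture window; that gap is what the active scans described below fill.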
However, not all network scans are the same. There are three major types that an organization can deploy.
1. Vulnerability Scans
These types of scans look for vulnerabilities in your network and fall into two categories: external and internal.
External vulnerability scans look at your network from the attacker’s perspective. They scan external IP addresses and domains, probing for vulnerabilities in internet-facing infrastructure to determine which ones can be exploited. These scans are best used to verify the strength of your externally facing services, and they help identify weaknesses in your perimeter defenses, such as a firewall. They reveal not only your vulnerabilities but also the list of ports that are open and exposed to the internet. While external scans resemble external penetration tests, the two differ in methodology.
Looking at your network from this point of view lets you quickly identify the most pressing issues, including any services or new servers set up since the last scan, and determine whether they present new threats to your organization.
Internal vulnerability scans are performed from a location with access to the internal network and are more complex than external ones, because there are far more potentially vulnerable assets inside your organization. This scan discovers and catalogs your core IP-connected endpoints, such as laptops, servers, peripherals, IoT-enabled machines, and mobile devices.
Internal vulnerability scanners check these endpoints for vulnerabilities due to misconfigurations or unpatched software, so you can prioritize the devices that require immediate attention to properly secure the network.
Internal scans are best used for patch verification, or when you need to provide a detailed report of vulnerabilities within the network. When analyzing the data, take note of trends such as the top missing patches and the most vulnerable machines.
Performing internal scans on a regular basis is a proactive approach to protecting your network from known vulnerabilities and helps you gain useful insight into your patch management process.
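The trend analysis and patch verification described above, as an added example that is not part of the original post: two internal scan result sets are compared to rank the top missing patches, rank the most vulnerable machines by summed CVSS, and separate fixed, still-open and new findings. Hostnames, patch identifiers and scores are constructed placeholders, not real advisory numbers.

```python
from collections import Counter, defaultdict

# Constructed findings from two consecutive internal scans: (host, missing_patch, cvss).
# PATCH-* identifiers are placeholders standing in for real vendor advisories.
LAST_SCAN = [
    ("fileserver01", "PATCH-A", 9.8),
    ("fileserver01", "PATCH-B", 7.5),
    ("laptop-042", "PATCH-A", 9.8),
    ("laptop-042", "PATCH-C", 5.3),
    ("printer-lobby", "PATCH-D", 6.1),
]
THIS_SCAN = [
    ("fileserver01", "PATCH-B", 7.5),   # PATCH-A was applied; PATCH-B still missing
    ("laptop-042", "PATCH-A", 9.8),     # still unpatched since last scan
    ("laptop-042", "PATCH-C", 5.3),
    ("laptop-042", "PATCH-E", 8.8),     # new finding since last scan
    ("printer-lobby", "PATCH-D", 6.1),
    ("iot-camera-7", "PATCH-E", 8.8),   # device that did not appear in the last scan
]


def top_missing_patches(findings, n=3):
    """Patches ranked by how many hosts lack them; ties broken by highest CVSS."""
    hosts, score = defaultdict(set), {}
    for host, patch, cvss in findings:
        hosts[patch].add(host)
        score[patch] = max(cvss, score.get(patch, 0.0))
    ranked = sorted(hosts, key=lambda p: (-len(hosts[p]), -score[p], p))
    return [(p, len(hosts[p])) for p in ranked[:n]]


def most_vulnerable_hosts(findings, n=3):
    """Hosts ranked by summed CVSS, so one critical finding outweighs several low ones."""
    risk = Counter()
    for host, _patch, cvss in findings:
        risk[host] += cvss
    return [(h, round(r, 1)) for h, r in risk.most_common(n)]


def patch_verification(last, current):
    """Split (host, patch) pairs into fixed since last scan, still open, and new."""
    prev = {(h, p) for h, p, _ in last}
    now = {(h, p) for h, p, _ in current}
    return {"fixed": sorted(prev - now), "open": sorted(prev & now), "new": sorted(now - prev)}


if __name__ == "__main__":
    print("top missing patches:", top_missing_patches(THIS_SCAN))
    print("most vulnerable hosts:", most_vulnerable_hosts(THIS_SCAN))
    print("patch verification:", patch_verification(LAST_SCAN, THIS_SCAN))
```

A finding that appears under "new" for a host absent from the previous scan (here iot-camera-7) is worth a second look: it is either a newly connected device or one the earlier scan failed to reach.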
2. Endpoint Scans by Agent
An agent is installed on an endpoint itself and tracks active processes, applications, Wi-Fi networks, or USB devices that don’t conform to company policies. It can then flag the user or IT team to fix the issue. In some cases, the agent can close the vulnerability by blocking the malicious action.
Endpoint agents monitor system activity for signs of suspicious behavior, including repeated failed login attempts, changes to the system registry, or backdoor installations.
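One of the behaviours listed above, repeated failed login attempts, as detection logic in an added example that is not part of the original post: a sliding-window rule that alerts when a single source produces a burst of failures and escalates if that same source then authenticates successfully. The log format, threshold and sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events in a made-up single-line format.
LOG_LINES = """\
2024-03-01T08:00:01 auth FAILED user=alice src=10.0.0.77
2024-03-01T08:00:03 auth FAILED user=bob src=10.0.0.77
2024-03-01T08:00:05 auth FAILED user=carol src=10.0.0.77
2024-03-01T08:00:06 auth FAILED user=dave src=10.0.0.77
2024-03-01T08:00:08 auth FAILED user=erin src=10.0.0.77
2024-03-01T08:00:20 auth SUCCESS user=erin src=10.0.0.77
2024-03-01T08:00:30 auth FAILED user=alice src=10.0.0.9
2024-03-01T08:07:00 auth FAILED user=alice src=10.0.0.9
2024-03-01T08:15:00 auth FAILED user=alice src=10.0.0.9
2024-03-01T08:25:00 auth FAILED user=alice src=10.0.0.9
2024-03-01T08:35:00 auth FAILED user=alice src=10.0.0.9
""".splitlines()

LINE_RE = re.compile(r"^(\S+) auth (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source that reaches `threshold` failures inside `window`,
    then escalate if that source later logs in successfully."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    bursting = set()              # sources that have already triggered a burst alert
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip anything that does not parse
        ts, outcome, user, src = m.groups()
        t = datetime.fromisoformat(ts)
        if outcome == "FAILED":
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:    # expire failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("repeated_failures", src, ts))
        elif src in bursting:
            alerts.append(("success_after_failures", src, f"{user}@{ts}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(*alert)
```

The second source in the sample spreads five failures across 35 minutes and never trips the one-minute window, which illustrates why the window and threshold need tuning to the environment rather than a single fixed value.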
A host-based agent is not a complete solution, because its visibility is limited to a single host, and attacks are not seen until they have already reached that host. You may have heard the argument that all attacks ultimately end up on an endpoint; it is often used to highlight the importance of endpoint security.
The truth is that all threats will land on an endpoint (depending on how you define an endpoint) as the attack progresses. You should ask yourself, however, whether you are satisfied with detecting the threat as it lands, or whether you would prefer to detect it as it enters the environment and makes its way to the endpoint.
The passive nature of endpoint agents therefore means they are best suited for use in conjunction with the other types of security scans listed here, to take advantage of their complementary strengths.
3. Penetration Testing Tools
In penetration testing (often called a pen test), security experts simulate how malicious hackers might attempt to infiltrate your network.
These simulated attacks help verify the effectiveness of your cybersecurity efforts, identify potential weak spots, and test the human response capabilities of your security team and IT partners. Effective penetration testing tools are vital for gauging your system’s security posture.
Types of penetration testing tools include:
- Clear Box Tests. Your organization provides penetration testers with a variety of security information about your systems to help them find vulnerabilities more easily.
- Blind Tests. Your company provides penetration testers with no security information about the system being penetrated with the goal of exposing vulnerabilities that would otherwise go undetected.
- Double-Blind Tests. Penetration testers attempt to find vulnerabilities in external-facing applications, such as websites, that can be accessed remotely.
- Internal Tests. Penetration testing takes place on-premises and focuses on security vulnerabilities that someone within your organization could use to their advantage.
- API Penetration Testing. Simulating attacks through your application programming interface (API) lets you retrace the steps a cybercriminal could take toward exploitation.
Penetration testing, the most active form of network scanning, can be critical to reducing cyber risk and patching vulnerabilities. It shows your organization where and how a malicious attacker might exploit your network, allowing you to mitigate weaknesses before a real attack occurs. While some IT and security teams may look for open-source penetration testing tools, experts recommend engaging a professional third party to conduct any penetration testing.
Learn more about how an MDR solution provides continuous internal monitoring with the 2023 Gartner® Market Guide for MDR Services.
Learn more about how endpoints and the network work together to provide holistic visibility with Exploring Endpoint Telemetry: Discovering Its Strengths and Limitations.
Understand how a managed detection and response solution can provide holistic visibility with our MDR Buyer’s Guide.