In 2021, more than 20,000 common vulnerabilities and exposures (CVEs) were added to the MITRE database. The number of vulnerabilities reported each year has climbed steadily since the database's creation in 1999, with a significant increase in volume over the last five years. As a result, it is no longer possible for security teams to monitor vulnerabilities manually, so they rely on vulnerability scans to identify instances of these CVEs in their environments.
Vulnerability scanning itself has also grown more complicated as organizations transition to the cloud, and shift vulnerability scanning left by integrating scanning into the application development process. Just like many other areas of security, there is no silver bullet in vulnerability scanning. A comprehensive vulnerability assessment utilizes a combination of scanning techniques to identify vulnerabilities across networks, systems, hardware, applications, and other aspects of the IT environment, both on premises and in the cloud.
Agent-Based vs. Agentless Scanning
One element differentiating types of scanners is how they are deployed. Agent-based scanning requires the installation of an agent on each device being scanned, while agentless scanning operates by scanning anything connected to the network it’s applied to. Both have pros and cons, depending on the architecture of your network.
Agentless Pros
- Agentless scanning is easier to apply as you don’t need to install an agent on every device.
- You can scan anything with an IP address, including printers and IoT devices that may not have an OS supported by agent-based scans.
- Agentless scanning can help identify network-connected devices that you may not even realize are there, which will help with asset management.
Agentless Cons
- Agentless scanning requires devices to be connected to the network, which may not be ideal for all endpoints, particularly in a remote work environment.
- Reporting progress on vulnerability remediation can be difficult if IP addresses are dynamically assigned, as in end-user environments.
- Deploying a network-based scanner requires you to understand your network and place the scanner so that it has complete visibility, which in some cases means running multiple scanners. Changes to the layout of the network can change what the scanners cover.
- Having one scanner responsible for your entire network can slow the time it takes to get results if the entire network must be scanned at once.
Agent-Based Pros
- Agent-based scanning provides more in-depth results than an agentless scan.
- Agents can scan any device they are installed on, regardless of its network connection.
- It’s easier to track vulnerabilities that are tied to a specific asset by an agent than it is to track vulnerabilities by IP address if the IP address is not consistent.
Agent-Based Cons
- Agents can’t be installed on everything, leaving some gaps in coverage.
- Agent coverage in the cloud is limited.
- Agent-based scanning can be difficult to implement if there are a variety of operating systems used. You may need to use server orchestration technologies to manage deployment.
Agent-Based vs. Agentless Vulnerability Scanning in the Cloud
As businesses transition to the cloud, they have to reimagine many of their traditional security programs, including vulnerability management. Additional challenges to agent-based scanning reinforce the necessity of utilizing a combination of scanning techniques for full visibility.
For example, deploying agents is not practical for all cloud assets, particularly short-lived environments and ones that can’t be modified, such as marketplace images. Adding agents to cloud workloads can also increase costs as the volume of computing resources increases. Even for the cloud assets you can apply agents to, it can be difficult to know what is covered because of how quickly new environments are spun up and the lack of visibility into who owns them.
On the other hand, there is still a place for agents in the cloud because of the need to protect web server applications, where agents are better equipped to detect and block attacks such as DoS requests or SQL injection.
Authenticated vs. Unauthenticated Scanning
There are also different types of scans within agentless scanning, such as authenticated vs. unauthenticated scanning. Authenticated scanning requires a valid login to the system, which helps detect issues in installed applications, missing patches, and similar host-level findings. Unauthenticated scanning, on the other hand, scans from an outside perspective without login access. This is also valuable because it shows you how your devices look from the open internet, allowing you to determine whether there are exposed ports and similar issues. Authenticated agentless scanning comes closer to agent-based scanning in depth of results because it has similar access to the device. You should, however, use a dedicated account for vulnerability scanning and ensure that the account follows security best practices, such as password management, so that the scanning account itself does not become a path to compromise.
Application Scanning
According to F5’s State of the State of Exploits in Application Security Report, 56% of the most significant security incidents of the last five years tie back to some form of web application security issue. Web application scanners scan for common website vulnerabilities, such as SQL injection, cross-site scripting, or command injection, that lead to these types of breaches.
Today, organizations are interested in shifting security left in the development pipeline, to identify these vulnerabilities before they are pushed to production. SAST and DAST are two forms of code scanning that can be applied before release to root out application vulnerabilities earlier.
Static Application Security Testing (SAST)
SAST is a testing methodology that analyzes source code prior to runtime to identify vulnerabilities without the code needing to be executed. SAST tools allow developers to automatically identify and remediate code as an application is being built, so risky code is not carried forward to production.
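The application scanning section above names SQL injection as a common web vulnerability, and this section describes SAST as source-code analysis that runs before the code executes. The following is an added example, not RH-ISAC's code or any vendor's scanner, showing the core of such a check in miniature: it parses Python source with the standard `ast` module and flags any call to a method named `execute` whose first argument is a SQL string assembled at runtime (concatenation, `%`-formatting, `.format()` or an f-string), while accepting the parameterized form. The sample source it inspects is constructed for the example; the function names, the `SQL_VERBS` heuristic and the limitation to a single file are assumptions, since real SAST tools track tainted data across functions and modules.

```python
"""Toy SAST check for SQL injection sinks, built on Python's ast module.

Added example (not RH-ISAC's code). Flags .execute() calls whose first
argument is a SQL string assembled at runtime. Real SAST tools do taint
tracking across functions; this is the single-file approximation.
"""
import ast

# Constructed sample source under test: two injectable variants and one parameterized query.
SAMPLE_SOURCE = '''
def lookup_concat(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = '" + username + "'")

def lookup_fstring(cursor, username):
    cursor.execute(f"SELECT * FROM users WHERE name = '{username}'")

def lookup_safe(cursor, username):
    cursor.execute("SELECT * FROM users WHERE name = %s", (username,))
'''

# Heuristic (assumption): a string fragment starting with one of these verbs is treated as SQL.
SQL_VERBS = ("select", "insert", "update", "delete")


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime from non-constant parts."""
    if isinstance(node, ast.JoinedStr):  # f-string; dynamic only if it has a {placeholder}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...".format(x)
    return False


def _looks_like_sql(node):
    """True if any string constant inside the expression starts with a SQL verb."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if sub.value.lstrip().lower().startswith(SQL_VERBS):
                return True
    return False


def find_sql_injection_sinks(source):
    """Return [(line_number, enclosing_function)] for each .execute() fed a dynamically built SQL string."""
    findings = []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        for call in ast.walk(func):
            if (isinstance(call, ast.Call)
                    and isinstance(call.func, ast.Attribute)
                    and call.func.attr == "execute"
                    and call.args
                    and _is_dynamic_string(call.args[0])
                    and _looks_like_sql(call.args[0])):
                findings.append((call.lineno, func.name))
    return findings


if __name__ == "__main__":
    # On the constructed sample this reports lookup_concat and lookup_fstring, not lookup_safe.
    for line, name in find_sql_injection_sinks(SAMPLE_SOURCE):
        print(f"line {line}: dynamic SQL passed to execute() in {name}()")
```

The point the sample makes is the one SAST relies on: the parameterized query in `lookup_safe` is distinguishable from the two injectable forms purely from the syntax tree, without running anything, which is why this class of finding can be caught at commit time rather than in production.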
Dynamic Application Security Testing (DAST)
Unlike SAST, DAST does require the code to be executed. DAST is done in conjunction with SAST to find vulnerabilities later in the production process. While SAST can root out some vulnerabilities earlier, saving time and money down the road, SAST tools cannot identify runtime and environment-related vulnerabilities and therefore do not provide a complete picture. They are also prone to false positives because they cannot see how the different parts of the code interact at runtime. DAST augments SAST tools by providing an additional layer of detection before final release.
Container Scanning
Containers make it easier and faster to test, develop, and launch applications, but this can lead to security being neglected in the race to deployment. Traditional vulnerability scans are typically not well suited to containers: containers are not provisioned with the resources needed to run a scanning agent, and they have no traditional network login of the kind an authenticated agentless scan would use. Container security therefore tends to rely on image scanning and on best practices that reduce image vulnerabilities. Container scanning tools are now available to scan your container registry, scan your containers at runtime, and scan images before they are even added to your containers. Even with container scanning, however, it is important that the hosts running your containers are still scanned. If a container is compromised, an attacker may be able to use vulnerabilities in the host to move laterally and compromise other parts of your cloud instance. Scanning the host also confirms that you have not missed replacing a vulnerable image in any of your containers after deploying a fix.
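Image scanning, as described above, amounts to inventorying the packages installed in an image and comparing their versions against an advisory feed that records which version fixed each issue. The following is an added example, not RH-ISAC's code or any vendor's product, that does exactly that on a constructed inventory in the shape of `dpkg-query -W -f '${Package} ${Version}\n'` output. The advisory identifiers (`EXAMPLE-ADV-001` and so on), the package versions and the severities are all constructed placeholders, not real CVEs, and the version ordering is a deliberately simplified approximation of dpkg's comparison algorithm.

```python
"""Simplified container image scan: match an image's package inventory against an advisory feed.

Added example (not RH-ISAC's code). Advisory ids are constructed placeholders,
not real CVEs, and version_key approximates rather than implements dpkg ordering.
"""
import re

# Constructed inventory, in the shape of `dpkg-query -W -f '${Package} ${Version}\n'` run inside the image.
IMAGE_PACKAGES = """\
libssl3 3.0.2-0ubuntu1.7
curl 7.81.0-1ubuntu1.10
zlib1g 1:1.2.11.dfsg-2ubuntu9.2
bash 5.1-6ubuntu1
"""

# Constructed advisory feed: which package, which version carries the fix, how severe.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "libssl3", "fixed_in": "3.0.2-0ubuntu1.8", "severity": "high"},
    {"id": "EXAMPLE-ADV-002", "package": "curl", "fixed_in": "7.81.0-1ubuntu1.10", "severity": "medium"},
    {"id": "EXAMPLE-ADV-003", "package": "zlib1g", "fixed_in": "1:1.2.11.dfsg-2ubuntu9.3", "severity": "high"},
]


def parse_inventory(text):
    """Turn 'name version' lines into {name: version}, skipping blank lines."""
    inventory = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split(maxsplit=1)
            inventory[name] = version
    return inventory


def version_key(version):
    """Sortable key approximating Debian ordering: epoch first, then alternating numeric/alpha runs.

    Numeric runs compare as integers, alpha runs as strings. A real scanner uses the
    full dpkg algorithm (tilde handling, revision splitting), which this omits.
    """
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    runs = re.findall(r"\d+|[A-Za-z]+", rest)
    return (int(epoch), tuple((0, int(r)) if r.isdigit() else (1, r) for r in runs))


def scan_image(inventory_text, advisories):
    """Return the advisories whose package is installed at a version older than the fixed version."""
    inventory = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is not None and version_key(installed) < version_key(adv["fixed_in"]):
            findings.append({**adv, "installed": installed})
    return findings


if __name__ == "__main__":
    # On the constructed data: libssl3 and zlib1g are below the fixed version; curl is already fixed.
    for f in scan_image(IMAGE_PACKAGES, ADVISORIES):
        print(f"{f['id']} [{f['severity']}] {f['package']} {f['installed']} < {f['fixed_in']}")
```

Two things the example makes concrete: `curl` is installed at exactly the fixed version and is correctly not reported, which is where a naive string comparison would go wrong, and `bash` has no advisory at all and is simply skipped. The same inventory-then-compare step is what a registry scanner, a runtime scanner and a host scanner each perform; they differ in where the inventory comes from, which is why the text above recommends scanning the host as well as the image.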
API Scanning
Another area where traditional web scanners lack visibility is APIs. APIs are used more and more as microservices become more popular. However, not all vulnerability scanners are equipped to parse API definitions, so scanning tools have been built specifically for APIs.
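Parsing API definitions, which the paragraph above identifies as the capability general-purpose scanners lack, is what lets an API scanner enumerate every operation rather than only the pages a crawler stumbles onto. The following is an added example, not RH-ISAC's code or any vendor's product, that walks a constructed OpenAPI 3 document, resolves the effective security requirement for each operation (an operation-level `security` list overrides the document-level one, and an empty list means no authentication), and reports the operations that require none, singling out the state-changing ones for review first. The sample API, its paths and its security scheme name are all constructed for the example.

```python
"""Enumerate operations in an OpenAPI 3 definition and flag the ones with no authentication requirement.

Added example (not RH-ISAC's code). The sample spec below is constructed; only the
OpenAPI rule that an operation-level `security` overrides the document-level default
is taken from the OpenAPI specification itself.
"""

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head")
MUTATING_METHODS = ("POST", "PUT", "PATCH", "DELETE")

# Constructed sample OpenAPI 3 document (not from any real service).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Example Orders API", "version": "1.0"},
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "security": [{"bearerAuth": []}],  # document-level default for every operation
    "paths": {
        "/orders": {
            "get": {"summary": "List orders"},
            "post": {"summary": "Create order"},
        },
        "/orders/{id}": {
            "delete": {"summary": "Delete order", "security": []},  # override: no auth at all
        },
        "/health": {
            "get": {"summary": "Liveness probe", "security": []},  # intentionally public
        },
    },
}


def list_operations(spec):
    """Yield (METHOD, path, effective_security) for every operation in the document."""
    default_security = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            operation = item.get(method)
            if operation is None:
                continue
            # Operation-level `security` replaces the default; an empty list disables auth.
            effective = operation.get("security", default_security)
            yield method.upper(), path, effective


def unauthenticated_operations(spec):
    """Operations whose effective security requirement is empty."""
    return [(m, p) for m, p, sec in list_operations(spec) if not sec]


def unauthenticated_mutations(spec):
    """The subset that can change state: the first thing a reviewer should look at."""
    return [(m, p) for m, p in unauthenticated_operations(spec) if m in MUTATING_METHODS]


if __name__ == "__main__":
    for method, path in unauthenticated_operations(SAMPLE_SPEC):
        tag = "REVIEW" if method in MUTATING_METHODS else "info"
        print(f"[{tag}] {method} {path} requires no authentication")
```

On the constructed document the unauthenticated `GET /health` is the expected liveness endpoint, while the unauthenticated `DELETE /orders/{id}` is the kind of inheritance mistake (an empty `security` list silently dropping the document-level requirement) that is invisible to a crawler but obvious once the definition is parsed.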
Next Steps
Depending on your infrastructure, you may not need to utilize all of the various types of vulnerability scanners that are available, but investing in the tools that provide visibility across your environment, especially as you transition to the cloud, is essential for reducing your cyber risk. After all, you can't defend against what you're not aware of!
One way to be aware of common threats impacting the retail and hospitality industry is by becoming a member of the RH-ISAC. Members receive threat intelligence briefings and trend reports, as well as access to a community of over 200 fellow retailers, who can expand the capabilities of your cyber team. Learn more about RH-ISAC membership.