How can you perform vulnerability scanning to meet the needs of different business units?

Even before scope definition, there are foundational asset management and data governance issues to be worked out. It's been my experience that your inventory lays the foundation for your entire program, and quite frequently cyber does not manage the CMDB. Make sure to have conversations with stakeholders and ensure that you are starting from a position of data quality before you burn all your political capital on noise.

The first step in performing vulnerability scanning is to define the scope of the scan. This means deciding which assets, systems, and networks you want to scan, and how often. The scope of the scan should be aligned with the business objectives, risk appetite, and compliance obligations of the business unit. For example, a business unit that handles sensitive data or critical operations may need more frequent and comprehensive scans than a business unit that has less exposure or impact. You should also consider the technical limitations, such as bandwidth, performance, and availability, of the assets you want to scan.

Technical limitations of the assets you want to scan should be taken into account. Some systems may have limitations in terms of bandwidth, performance, or availability, which can impact the scanning process. Adjust the scanning scope to accommodate these limitations.

Vulnerability scan should be as broad as possible on the asset in use. This enables the organization to have a wide perspective on the surface they have and reduce the unknown vulnerabilities Scanning can be done on - software source code - build files and libraries - website and api Infrastructure - operating system - software installed - container images and/or running containers - cloud environment for misconfiguration

While defining the scope, try to communicate the business context. What is the business critical process and: Conduct via "which assets"? How it is protected by "what devices"? "When" is the operation hours? "Who" should maintain it in perfect condition? With these which, what, when, who, you can get you scoping in the view of stakeholders.

Not all apps are built the same and you shouldn't treat your customer-facing app the same way you treat your interal apps. Take a risk based approach to your coverage and put more emphasis on your business critical apps so you get more coverage here and "tick the box" with the rest of your apps. This way you can ensure the right apps gets the right coverage and developers are not exhausted with alert fatigue.

Authenticated scanning vs non authenticated scanning is often done in parallel. An agent based scanning tough intrusive can lead to better and more accurate results Scanning can be done on - software source code - build files and libraries - website and api Infrastructure - operating system - software installed - container images and/or running containers - cloud environment for misconfiguration

In practice, organizations often use a combination of both authenticated and unauthenticated scans to gain a comprehensive view of their security posture. Authenticated scans are valuable for internal systems, while unauthenticated scans help identify external-facing vulnerabilities. The choice between the two types should be based on the specific assets you're assessing and the objectives of your vulnerability management program.

If you're doing vulnerability scans for the first time, it's usually best to avoid authenticated scans to begin with. My preference is: 1. Patching 2. Secure configurations 3. Unauthenticated scans 4. Remediate 5. Authenticated scans 6. Remediate Running authenticated scans too soon with give you too much to work with. Get the basics right first, and then move to the more complex testing that will help you work towards defence-in-depth.

Unauthenticated, network based scans can be very useful in determining your external attack surface as it would simulate (at least to some extent) the view of a possible threat actor, therefore it will provide the biggest value for the external-facing assets. Unauthenticated scans would also expose any default credentials that could be an open door to further network exfiltration. Critical internal assets like domain controllers, applications storing sensitive data or high-value business assets would most likely be things looked for by the attacker when pivoting through the internal network, therefore it's also important to combine authenticated and unauthenticated scans to better evaluate the security posture of those assets.

Selecting a tool can be complex and different tools perform different solution (some suggestions on tools I’ve used before) Surface management - phoenix security Scanning can be done on - software source code - semgrep - build files and libraries - cyclone dx, dependency tracker - website and api - zap Infrastructure - operating system - nuclei - software installed - nuclei - container images and/or running containers - helm - cloud environment for misconfiguration - prowler

For most organisations, there's probably a small number of tools that will work best. There's the usual favourites like Nessus, Metasploit, Tenable, but there's also some other that can do more specific discovery such as OWASP ZAP and Burp suite for web application scanning, SQL Map for finding SQL injection vulnerabilities and Dirt for directory brute force.

When it comes to selecting the right cybersecurity tools, it's not just about crunching numbers like detection percentage and false positive rates, or even considering the cost alone. A holistic approach is key. Start by conducting a manual assessment of your target, whether it's software, networks, operating systems, or other elements. Identify vulnerabilities that you already know to be valid. Additionally, experiment with a few open-source "purposely vulnerable" items that share similarities with your environment, and run them through the tools you're evaluating. Then, compare the results based on various factors. But don't stop there. Engage with stakeholders to gather their unique perspectives on the potential impact of these tools.

Configure the vulnerability scanning tool to meet the specific requirements of each business unit. This may involve creating different scanning profiles or policies for different asset categories or units. Consider automation options to schedule scans at convenient times for each business unit. Automated scans can help ensure regular assessments without disrupting daily operations.

Scanning has to be done in the right context to look for the things that you are most concerned about. With that in mind, you need to 'tune' the scanning so it gives you actionable information in a timeframe that is beneficial. It also has to be minimum impact. There's no point setting off a directory brute force attack at high intensity during working hours if it's doing to slow down your IDP and lock everyone out through account login limits! Run it out of hours at a lower intensity outside the parameters of the account lockout policy so it doesn't impact users, just like an attacker would!

Results interpretation is crucial, and the report you generate should mean something to the business. Critical and high level vulnerabilities really should be that. Report recipients will take the opportunity to critique your analysis and argue that the scoring is too high and that 'these aren't real risks'. Understand what's important to the business, make sure the context and scope are agreed up front and documented in the report. Provide advice and guidance on why these items are critical or high, and provide practical examples of how they can be remediated, or the risk reduced or controlled by counter-measures.

This is really important as this step will define your actions in future to deal with security issues. Each and every parameter should be validated in detail. Must keep in mind that the results generated by tools may give false positives. So do cross check multiple times.

In managing vulnerability scans, I've found that communicating outcomes effectively is crucial. Using the language of the audience helped me to gain trust and understanding. In one particular client, I tailored communication post-scan, providing technical details to IT staff, strategic insights to management, and general awareness to users, ensuring everyone was well-informed and aligned with remediation steps. Additionally, I emphasized follow-up communication and monitored the remediation process, fostering a culture of continuous improvement. Through tailored communication and diligent follow-up, I've helped nurture a resilient and informed organizational ecosystem.

Management: I would provide management with a summary of the key findings of the scan, as well as recommendations for remediation. I would also discuss the implications of the findings for the organization's risk posture. Users: I would provide users with a general overview of the findings of the scan, as well as guidance on how to protect themselves from cyberattacks. I would also use visuals, such as charts and graphs, to communicate the results of the scan in a clear and concise way.

The most important thing to consider is that vulnerability scanning is just one part of a vulnerability management program. Implementing any technology, especially in security where you need to remediate the findings requires a comprehensive program. Conducting these scans is going to produce lots of results, results that need to be validated by knowledgeable staff. Findings need to be fixed, business processes integrated into, other teams to impact. You must be able to know which are truly impactful, and have a process to document the false positives, among many other things. Really think about the impact and management end to end of this in program terms. people, process & technology. If you can't, find a partner who can.

Automate the communication process. You can use scripts and templates to automate the process of generating and delivering reports and summaries. This can save you time and ensure that the communication is consistent and timely. Use a risk-based approach. When communicating the results of the scan, focus on the vulnerabilities that pose the greatest risk to the organization. This will help to prioritize the remediation efforts. Be proactive. Don't wait for a security incident to happen before communicating the results of a vulnerability scan. Regular communication will help to keep stakeholders informed of the organization's security posture and to ensure that they are taking the necessary steps protect the organization from cyberattacks.

In handling vulnerability issues, building a security-aware culture is key. I've led regular training sessions to boost the organization's readiness for security challenges. Having clear communication channels for discussing vulnerabilities is vital as it encourages a proactive stance towards security threats. At one point, I started a monthly security update, keeping everyone informed. Valuing feedback from all sides has offered new viewpoints, helping to improve our vulnerability management process. Additionally, staying current on the latest security technologies is essential, as it enhances the vulnerability management process, making it more adaptable to new challenges.

Create unique vulnerability scanning profiles for various AI deployments. Tailor parameters like frequency and depth to align with each unit's specific AI system needs. For instance, R&D AI may prioritize data protection, while finance AI requires stringent controls. This approach optimizes security and minimizes disruptions, utilizing AI to adapt scanning parameters based on asset characteristics and importance.