Vulnerability scanning: how often should I scan?
The time between a vulnerability being discovered and hackers exploiting it is narrower than ever – just 12 days. So it makes sense that organizations are starting to recognize the importance of not leaving long gaps between their scans, and the term “continuous vulnerability scanning” is becoming more popular.
But what does that actually mean? Does it mean that as soon as one scan finishes another one starts? If a scan never finishes, how do you know when to look at the results, and what do you show the auditor? It’s easy to say “continuous vulnerability scanning”, but we’re here to help you figure out why it’s important and what it actually means.
Hackers won’t wait for your next scan
One-off scans can be a simple ‘one-and-done’ scan to prove your security posture to customers, auditors or investors, but more commonly they refer to periodic scans kicked off at semi-regular intervals – the industry standard has traditionally been quarterly.
These periodic scans give you a point-in-time snapshot of your vulnerability status – from SQL injections and XSS to misconfigurations and weak passwords. That’s fine for compliance if all that’s asked for is a quarterly vulnerability scan, but not so good for ongoing oversight of your security posture, or for a robust attack surface management program. With a fresh CVE created every 20 minutes, you run the risk of having an outdated view of your security at any given moment.
It’s highly likely that some of the 25,000 CVE vulnerabilities disclosed last year alone will affect you and your business in the gaps between one-off or semi-regular scans. Just look at how often you have to update the software on your laptop... It can take weeks or even months before vulnerabilities are patched too, by which time it may be too late. With the potential damage to your business these vulnerabilities could cause, there’s simply no substitute for continuous scanning in 2023.
Continuous vulnerability scanning provides 24/7 monitoring of your IT environment and automation to reduce the burden on IT teams. This means issues can be found and fixed faster, closing the door on hackers and potential breaches.
The slow pace of compliance
Let’s be honest, a lot of companies start their cyber security journey because someone tells them they have to, whether that’s a customer or an industry compliance framework. And a lot of the requirements in this space can take time to evolve, still citing things like an “annual penetration test” or “quarterly vulnerability scan”. These are legacy concepts from years ago, when attackers were thin on the ground and these things were seen as ‘nice to have’.
As a result, many organizations still treat vulnerability scanning as a nice-to-have or a compliance box to tick. But there is a world of difference between semi-regular scanning and proper, continuous vulnerability testing and management – and understanding that difference is crucial for improving security rather than just spending money on it.
The simple truth is that new vulnerabilities are disclosed every day, so there’s always the potential for a breach, even more so if you’re often updating cloud services, APIs and applications. One small change or new vulnerability release is all it takes to leave yourself exposed. It’s no longer about ticking boxes – continuous coverage is now a ‘must have’, and organizations that are more mature in their cyber security journey are realizing it.
Continuous attack surface monitoring
It’s not just new vulnerabilities that are important to monitor. Every day your attack surface changes as you add or remove devices from your network, expose new services to the internet, or update your applications or APIs. As this attack surface changes, new vulnerabilities can be exposed.
To catch new vulnerabilities before they’re exploited, you need to know what’s exposed and where – all the time. Many legacy tools don’t provide the right level of detail or business context to prioritize vulnerabilities; they treat all attack vectors (external, internal, cloud) the same. To be truly effective, continuous attack surface monitoring should provide that business context and cover all attack vectors – including cloud integrations and network changes.
Attack surface management is no longer just a technical consideration either. Boards are increasingly recognizing its importance as part of a robust cyber security program to safeguard operations, while it’s a key requirement for many cyber insurance premiums.
How much is too much?
Continuous scanning doesn’t mean constant scanning, which can produce a barrage of alerts, triggers and false positives that is nearly impossible to keep on top of. Constant scanning can also slow down your systems and applications, and the resulting alert fatigue ties your team up in knots prioritizing issues and weeding out false positives.
Intruder cleverly gets round this problem by kicking off a vulnerability scan when a network change is detected or a new external IP address or hostname is spun up in your cloud accounts. This means your vulnerability scans won’t overload your team or your systems but will minimize the window of opportunity for hackers. Find out more in our guide to vulnerability scanning best practices.
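The change-triggered approach described above, as an added example that is not Intruder’s code: it diffs two attack-surface snapshots and queues a scan only for targets whose exposure actually changed, so unchanged hosts are not rescanned. The snapshot format, the ScanJob shape and the sample hosts are constructed assumptions.

```python
"""Change-triggered scanning: diff two attack-surface snapshots and emit scan
jobs only for what changed (added example; snapshot and job formats assumed)."""
from dataclasses import dataclass

# A snapshot maps an externally reachable target (IP or hostname) to the set
# of exposed "proto/port" services observed on it.
Snapshot = dict[str, set[str]]


@dataclass(frozen=True)
class ScanJob:
    target: str
    reason: str                      # why this scan was triggered
    services: frozenset[str] = frozenset()


def plan_scans(previous: Snapshot, current: Snapshot) -> list[ScanJob]:
    """Return one ScanJob per target whose exposure grew since the last snapshot.
    Unchanged targets get no job, which is what keeps 'continuous' from meaning
    'constant'. Removed targets get no job either: there is nothing to scan."""
    jobs = []
    for target in sorted(set(previous) | set(current)):
        before, after = previous.get(target), current.get(target)
        if before is None and after is not None:
            jobs.append(ScanJob(target, "new target exposed", frozenset(after)))
        elif before is not None and after is not None:
            added = after - before
            if added:
                jobs.append(ScanJob(target, "new services exposed", frozenset(added)))
    return jobs


def removed_targets(previous: Snapshot, current: Snapshot) -> list[str]:
    """Targets that disappeared; worth logging, since decommissioning is a change too."""
    return sorted(set(previous) - set(current))


# Constructed sample snapshots (documentation-range addresses, not real hosts).
YESTERDAY: Snapshot = {
    "203.0.113.10": {"tcp/443"},
    "203.0.113.11": {"tcp/22", "tcp/443"},
    "legacy.example.net": {"tcp/80"},
}
TODAY: Snapshot = {
    "203.0.113.10": {"tcp/443", "tcp/8080"},   # new service on a known host
    "203.0.113.11": {"tcp/22", "tcp/443"},     # unchanged: no scan queued
    "api.example.net": {"tcp/443"},            # newly spun-up hostname
}

if __name__ == "__main__":
    for job in plan_scans(YESTERDAY, TODAY):
        print(f"scan {job.target}: {job.reason} {sorted(job.services)}")
    print("removed:", removed_targets(YESTERDAY, TODAY))
```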
How often do you need to scan for compliance?
This depends on which compliance framework you’re working towards! While SOC 2 and ISO 27001 give you some wiggle room, HIPAA, PCI DSS and GDPR explicitly state scanning frequency, from quarterly to once a year. But using these standards to determine the right time and frequency for vulnerability scanning might not be right for your business, and doing so will increase your exposure to security risks given the rapidly changing security landscape.
If you want to actually secure your digital assets and not just tick a box for compliance, you need to go above and beyond the requirements stipulated in these standards – some of which are out of step with today’s security needs. Today’s agile SaaS businesses, online retailers that process high volume transactions or take card payments, and anyone operating in highly-regulated industries like healthcare and financial services, need continuous scanning to ensure they’re properly protected.
Harder, better, faster, stronger
Traditional vulnerability management is broken. With technology in constant flux as you spin up new cloud accounts, make network changes or deploy new technologies, one-off scans are no longer enough to keep up with the pace of change.
When it comes to closing the cyber security gaps between scans that attackers look to exploit, sooner is better than later, but continuous is best. Continuous scanning reduces the time to find and fix vulnerabilities, delivers rich threat data and remediation advice, and minimizes your risk by prioritizing threats according to the context of your business needs.
Don’t just take our word for it – why not get a free trial and find out for yourself?
- Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public; Tenable have released checks for 247 CVEs, and OpenVAS have released checks for 144 CVEs, before the details were public. Then, since 2010, Tenable have released remote checks for 147 critical CVEs and OpenVAS for 79 critical CVEs on the same day as the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are good, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is released. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before the day that a CVE is published.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and try to see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted them. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released between 180 days before a CVE being published and 31 days after. These seem to me like reasonable limits, as anything greater than 6 months prior to CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both, the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.
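The lead-time metrics this comparison relies on (share of checks released on or before day 0, share released within a month, and the per-year mean trimmed to the −180/+31 day window), as an added example rather than the author’s own analysis scripts; the records, dates and CVE ids are constructed placeholders, not real feed data.

```python
"""Release-delay metrics for scanner checks (added example; constructed data).
A negative delay means the check shipped before the CVE details were public."""
from datetime import date
from statistics import mean

# Constructed records: (placeholder id, CVE published, check released).
# Real delays would be taken from the vendor's plugin/NVT feed metadata.
CHECKS = [
    ("CVE-EXAMPLE-0001", date(2019, 3, 4), date(2019, 3, 1)),    # before day 0
    ("CVE-EXAMPLE-0002", date(2019, 5, 20), date(2019, 5, 20)),  # day 0
    ("CVE-EXAMPLE-0003", date(2019, 8, 2), date(2019, 8, 9)),    # first week
    ("CVE-EXAMPLE-0004", date(2019, 9, 1), date(2020, 1, 15)),   # over a month late
    ("CVE-EXAMPLE-0005", date(2020, 2, 10), date(2018, 1, 1)),   # implausibly early
    ("CVE-EXAMPLE-0006", date(2020, 6, 1), date(2020, 6, 3)),    # day 2
]


def delays(checks):
    """Days from CVE publication to check release, one entry per record."""
    return [(released - published).days for _, published, released in checks]


def share_on_or_before_day0(checks):
    """Fraction of checks out on or before the day the CVE details went public."""
    d = delays(checks)
    return sum(1 for x in d if x <= 0) / len(d)


def share_within_days(checks, limit=31):
    """Fraction of checks out within `limit` days of publication (early ones count)."""
    d = delays(checks)
    return sum(1 for x in d if x <= limit) / len(d)


def trimmed_mean_delay_by_year(checks, lo=-180, hi=31):
    """Mean delay per CVE-publication year, ignoring records outside [lo, hi]
    days so that a single stale or mis-dated check cannot drag the mean."""
    by_year = {}
    for _, published, released in checks:
        d = (released - published).days
        if lo <= d <= hi:
            by_year.setdefault(published.year, []).append(d)
    return {year: mean(v) for year, v in sorted(by_year.items())}


if __name__ == "__main__":
    print(f"on/before day 0: {share_on_or_before_day0(CHECKS):.1%}")
    print(f"within 31 days:  {share_within_days(CHECKS):.1%}")
    print("trimmed mean delay by year:", trimmed_mean_delay_by_year(CHECKS))
```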