Vulnerability Scanning Frequency Best Practices
So you’ve decided to set up a vulnerability scanning programme, great. That’s one of the best ways to avoid data breaches. How often you should run your scans though isn’t such a simple question. The answers aren’t the same for every type of organisation, or every type of system you’re scanning. This guide will help you understand the questions you should be asking, and help you come up with the answers that are right for you.
How often should vulnerability scans be run?
A lot of the advice below depends on what exactly you’re scanning. If you’re not sure about that yet, check out our vulnerability scanning guide.
Once you’ve decided which systems should be in scope, and what type of scanner you need, you’re ready to start scanning. So how often should you ideally be running vulnerability scans?
Here are five strategies to consider, and we’ll discuss in which scenarios they work best:
- Emerging threat-based
Fast-moving tech companies often deploy code or infrastructure changes on a daily basis, while other organisations can have a relatively static setup, and not be making regular changes to any of their systems. The complexity of technology we use means that each change can bring with it a catastrophic configuration mistake, or the accidental introduction of a component with known vulnerabilities. For this reason, running a vulnerability scan after even minor changes are applied to your systems is a sensible approach.
Because it’s based on changes, this approach is most suited for rapidly changing assets, like web applications, or cloud infrastructure like AWS, Azure and GCP, where new assets can be deployed and destroyed on a minute-by-minute basis. It’s also particularly worth doing in cases where these systems are exposed to the public internet.
For this reason, many companies choose to integrate testing tools into their deployment pipelines automatically, via an API with their chosen scanning tool.
It’s also worth considering how complex the change you’re making is. While automated tools are great for regular testing, the bigger or more dramatic the change you’re making, the more you may want to consider getting a penetration test to double check no issues have been introduced.
Good examples of this might be making big structural changes to the architecture of web applications, any sweeping authentication or authorisation changes, or large new features introducing lots of complexity. On the infrastructure side the equivalent might be a big migration to the cloud, or moving from one cloud provider to another.
Even if you don’t make regular changes to your systems, there is still an incredibly important reason to scan your systems on a regular basis, and one that is often overlooked by organisations new to vulnerability scanning.
Security researchers regularly find new vulnerabilities in software of all kinds, and public exploit code which makes exploiting them a breeze can be publicly disclosed at any time. This has been the cause of some of the most impactful hacks in recent history: both the Equifax breach and the WannaCry ransomware were caused by new flaws being uncovered in common software, and criminals rapidly weaponising exploits to their own ends.
No software is exempt from this rule of thumb, whether it’s your web server, operating systems, a particular development framework you use, your remote-working VPN, or your firewall. The end result is that even if you had a scan yesterday that said you were secure, that’s not necessarily going to be true tomorrow.
New vulnerabilities are discovered every day, so even if no changes are deployed to your systems, they could become vulnerable overnight.
Does that mean that you should simply be running vulnerability scans non-stop though? Not necessarily, as that could generate problems from excess traffic, or mask any problems occurring.
For a yardstick, the notorious WannaCry cyber-attack shows us that timelines in such situations are tight, and organisations that don’t react in reasonable time to both discover and remediate their security issues put themselves at risk. Microsoft released a patch for the vulnerability WannaCry used to spread just 59 days before the attacks took place. What’s more, attackers were able to weaponise the leaked exploit and start compromising machines only 28 days after it became public.
Looking at the timelines in this case alone, it’s clear that not running vulnerability scans and fixing issues within a 30-60 day window is taking a big risk, and don’t forget that even after you’ve discovered the issue, it may take some time to fix.
Our recommendation for good cyber hygiene for most businesses is to use a vulnerability scanner on your external-facing infrastructure on at least a monthly basis, to allow you to keep one step ahead of these nasty surprises. For organisations with a heightened sensitivity to cyber security, weekly or even daily scans may make more sense. Similarly, internal infrastructure scans once a month help maintain good cyber hygiene.
For web applications, scanning their framework and infrastructure components on a regular basis makes equal sense, but if you’re looking for mistakes in your own code with authenticated scans, a change-based approach makes much more sense.
If you’re running vulnerability scans for compliance reasons, then specific regulations often explicitly state how often vulnerability scans should be performed. For instance, PCI DSS requires that quarterly external scans are performed on the systems in its scope.
However, Intruder recommends thinking carefully about your scanning strategy, as regulatory rules are meant as a one-size-fits-all guideline which may not be appropriate for your business. Simply comparing this 90-day regulation with the timelines seen in the WannaCry example above shows us that such guidelines don’t always cut the mustard. If you actually want to stay secure rather than simply ticking a box, often it makes sense to go above and beyond these regulations, in the ways described above.
Vulnerability scanners can produce a vast amount of information, and reveal a lot of flaws, some of which will be bigger risks than others. When considering the amount of information that needs processing, and the amount of work that needs to take place to rectify these flaws, it can be tempting to think it only makes sense to scan as often as you can deal with all the output, like once a quarter.
While that would be a nice way to do things, unfortunately new vulnerabilities are being discovered on a much more regular basis than that. So rather than limiting your scans to how often you can deal with the output, it is much more sensible to seek out a scanner that generates less noise in the first place, helps you focus on the most important issues first, and gives you guidance on what kind of timescales the others should be addressed within.
It’s also the case that as humans, we start to ignore things if they become too noisy. Alert-fatigue is a genuine concern in cyber security, so you should make sure you’re working with a tool that’s not spamming you with information 24/7, as this may make you stop paying attention, and more likely to miss the important issues when they happen. Make sure to factor this in when choosing a scanner, as it’s a common mistake to think that the one that gives you the most output is the best!
So now you’ve decided on what schedule to run your scans, it’s worth considering what happens in the gaps when you’re not running scans.
For example, say you decide that a monthly scan makes sense for you to pick up on any changes you make on a semi-regular basis. That’s great, but as the timelines for the Equifax breach show, you might have a problem even in such a short space as 30 days, if a vulnerability is discovered the day after your last scan. Combining this with our thoughts around alert-fatigue above, though, just scheduling a daily scan may not be the best way to avoid this.
To tackle this problem, some vulnerability scanners provide ways to cover these gaps - some do it by storing the information retrieved on the last scan, and alerting you if that information is relevant to any new vulnerabilities as they are released.
We also offer a similar concept at Intruder, which we call “Emerging Threat Scans”, but we proactively scan all of our customers each time a new vulnerability emerges, to make sure all the information is as up to date as possible, and we’re not raising any false alerts based on old information.
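As an added illustration of the first gap-covering approach described above (not Intruder's code or any vendor's), the following Python matches the product versions stored from the last scan against a newly published advisory, and marks matches from old scan data as needing a rescan rather than as confirmed findings. Hostnames, the product, versions, dates and the CVE id are constructed placeholders, and the 30-day freshness limit is an assumed value.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Observation:
    """One product/version seen on a host in the last completed scan."""
    host: str
    product: str
    version: tuple
    scanned_on: date

@dataclass(frozen=True)
class Advisory:
    """A newly published vulnerability: affected product and first fixed version."""
    cve_id: str
    product: str
    fixed_in: tuple
    published_on: date

def parse_version(text):
    """'3.1.4' -> (3, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def gap_alerts(last_scan, advisory, max_age_days=30):
    """Match a new advisory against stored scan results without rescanning.

    Returns (host, confidence) pairs for hosts whose recorded version is below
    the fixed version. Observations older than max_age_days are marked 'stale'
    so the alert prompts a rescan instead of being treated as confirmed; this
    is the false-alert risk of relying on old information mentioned above."""
    alerts = []
    for obs in last_scan:
        if obs.product != advisory.product or obs.version >= advisory.fixed_in:
            continue
        age = (advisory.published_on - obs.scanned_on).days
        alerts.append((obs.host, "stale" if age > max_age_days else "likely"))
    return alerts

# Constructed sample data: hostnames, product, versions, dates and the CVE id
# are placeholders, not real findings.
LAST_SCAN = [
    Observation("web-1", "example-httpd", parse_version("3.1.4"), date(2021, 9, 20)),
    Observation("web-2", "example-httpd", parse_version("3.2.0"), date(2021, 9, 20)),
    Observation("old-1", "example-httpd", parse_version("3.0.9"), date(2021, 7, 1)),
    Observation("vpn-1", "example-vpn", parse_version("9.1.0"), date(2021, 9, 20)),
]
NEW_ADVISORY = Advisory("CVE-XXXX-PLACEHOLDER", "example-httpd",
                        parse_version("3.2.0"), date(2021, 10, 7))

if __name__ == "__main__":
    for host, confidence in gap_alerts(LAST_SCAN, NEW_ADVISORY):
        print(f"{host}: {confidence} exposure to {NEW_ADVISORY.cve_id}")
```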
We hope this article has helped you decide how often you should be running your vulnerability scans, and if you haven’t already picked a tool to work with, now might be a good time to try out our free trial.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
The table below gives the share of each vendor's covered CVEs whose check is released in each successive window relative to CVE publication, earliest window first; the last window is more than a month after the CVE details are published, and each vendor's column sums to 100%.

| Window (earliest first) | What an adversary can do by this point | Tenable | Greenbone |
|---|---|---|---|
| 1 | Red teamers, security researchers, detection engineers and threat actors still have to research the type of vulnerability and its location in the vulnerable software themselves, then build an associated exploit. | 47.43% | 32.96% |
| 2 | They now have access to some of the information they previously had to hunt for themselves, speeding up potential exploit creation. | 17.12% | 17.69% |
| 3 | The likelihood of exploitation in the wild is steadily increasing. | 10.9% | 20.69% |
| 4 | We’re starting to lose some of the benefit of rapid, automated vulnerability detection. | 9.58% | 12.43% |
| 5 (over a month after the CVE details are published) | Any detection released this late is of decreasing value to me. | 14.97% | 16.23% |
With this information in mind, I wanted to check what is the delay for both Tenable and Greenbone to release a detection for their scanners. The following section will focus on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks on or before the day the CVE details are made public: ahead of publication, Tenable have released checks for 247 critical CVEs and OpenVAS for 144, and since 2010 Tenable have released remote checks for a further 147 critical CVEs and OpenVAS for 79 on the same day as the vulnerability details were published. The number of checks then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are useful, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It’s potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is published. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published, and OpenVAS release a shade under 50% of their checks on or before that day.
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and try to see if I could identify any trend in each organisation’s release delay: are they getting better year-on-year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted it. The mean as a metric is particularly influenced by outliers in a data set, so I expected some wackiness and limited the mean to checks released between 180 days before and 31 days after the CVE was published. These seem to me like reasonable limits, as anything more than 6 months prior to the CVE details being released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
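An added Python example (not the author's analysis code) of the lead-time metrics used in this section: the share of a vendor's checks released on or before day 0 and within a month, and the per-year mean delay trimmed to the 180-days-before / 31-days-after limits. The vendor names, CVE ids and dates are constructed, and "within a month" is taken as 31 days to match the trimming limit.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records: (cve_id, cve_published, check_released).
# Vendor names, ids and dates are placeholders, not real feed data.
SAMPLE = {
    "vendor-A": [
        ("CVE-EX-0001", date(2019, 3, 1), date(2019, 2, 20)),   # 9 days before publication
        ("CVE-EX-0002", date(2019, 5, 10), date(2019, 5, 10)),  # day 0
        ("CVE-EX-0003", date(2019, 8, 1), date(2019, 8, 20)),   # 19 days after
        ("CVE-EX-0004", date(2020, 1, 15), date(2020, 4, 1)),   # 77 days after (outlier)
        ("CVE-EX-0005", date(2020, 6, 1), date(2020, 6, 3)),    # 2 days after
    ],
    "vendor-B": [
        ("CVE-EX-0001", date(2019, 3, 1), date(2019, 3, 1)),    # day 0
        ("CVE-EX-0002", date(2019, 5, 10), date(2019, 5, 15)),  # 5 days after
        ("CVE-EX-0003", date(2019, 8, 1), date(2018, 12, 1)),   # 243 days before (quirk)
        ("CVE-EX-0005", date(2020, 6, 1), date(2020, 7, 1)),    # 30 days after
    ],
}

def delay_days(published, released):
    """Check release delay relative to CVE publication; negative means before."""
    return (released - published).days

def share_within(records, max_delay):
    """Fraction of a vendor's checks released no later than max_delay days
    after CVE publication (max_delay=0 means 'on or before day 0')."""
    hits = sum(1 for _, pub, rel in records if delay_days(pub, rel) <= max_delay)
    return hits / len(records)

def mean_delay_by_year(records, earliest=-180, latest=31):
    """Mean delay per CVE-publication year, keeping only delays within
    [earliest, latest] days so that outliers do not dominate the average."""
    by_year = defaultdict(list)
    for _, pub, rel in records:
        d = delay_days(pub, rel)
        if earliest <= d <= latest:
            by_year[pub.year].append(d)
    return {year: round(mean(ds), 2) for year, ds in sorted(by_year.items())}

def compare(vendors, max_delay=31):
    """Per-vendor share of checks released within max_delay days of publication."""
    return {name: round(share_within(recs, max_delay), 3) for name, recs in vendors.items()}

if __name__ == "__main__":
    for name, recs in SAMPLE.items():
        print(name, compare(SAMPLE)[name], mean_delay_by_year(recs))
```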
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We have yet to have any data for 2021 for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and still being able to release a greater percentage of their remote checks for critical vulnerabilities on or before day 0, Tenable could win this category. However, with the delay times for 2019 and 2020 going to OpenVAS, and the trend lines being so close, I am going to declare this one a tie. It’s a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.