We do 20,000+ machines in a single evening. The trick is to divide-and-conquer. Whenever possible, we install the agent on the hosts, so that the only load on the server(s) is to receive the uploaded reports. "Remote scanning" is reserved for machines incompatible with the agent and is done by the nearest scanning server to minimize WAN utilization/latency.
Use the results more as a prioritization tool than an exhaustive checklist. For example, higher CVSS scores deserve quicker mitigation. Also, pick a threshold below which the only mitigation you will attempt is "system updates during the next maintenance window".
You will also find that some hosts are missing from any given report (due to outages, maintenance, or scaling events). Worry first about those that have failed to check-in the longest (with adjustments for publicly exposed severs and for critical assets).
Finally, periodically tune your thresholds to match your organizational mitigation capacity and use the numbers to justify claims that staffing-up is the trick to achieving lower scores sooner.
Have you tried IBM Cloud Pak for Security? Where it automatically scans for the assets, but leaves the original data where it is? Have a look at: https://www.ibm.com/security/digital-assets/cloud-pak-for-security/demos/
Threat Insights are attached to IBM Security Intelligence feeds, so as assets are discovered they are scanned passively and associated with threats in near real time.
It also uses STIXII and Open Source Cybersecurity Alliance (OCA).
I have spread the scans out over two weeks because I do it during business hours. I capture more machines that way. Do I capture 100%, Not sure. What I am doing is hitting some vulnerabilities each week in order to reduce the number of total vulns. I attack in groups while looking for root causes. Patch all the Adobe family of products one cycle. Patch Outdated browsers another cycle or different team this cycle. Determine if our patching software is working like it should and if not, fix it. Turn on automation of updates when possible, etc.
One area I see a lot of people getting caught up in is trying to eat the elephant (100% of all vulnerabilities) during one cycle. This usually leads to a defeatist attitude of feeling hopeless like you'll never reach your goal. Break it up into smaller, completable steps. Then attack some more the next cycle. Once you get the total number down, then look to see if you are getting 100% of everything. If that is your goal (100%) you will probably never get there if you try to do both 100% coverage AND every Critical and High within X number of days.
Once you get your vulnerabilities to a manageable level, then look to find if some have been missed. One of the things we did for laptops is set a policy that if they haven't been logged into for 30 days we disable them. for workstations it was 90 days. To get reconnected to the network the user had to bring it in to be unlocked. At that time it would also be updated.
@CISOScott how many bites (separate focus cycles) does it take to eventually eat your elephant? And do you start eating the next one right away after the first one goes down?
Honestly it feels like I am running on a globe. I get to see all the countries in the world but can never stop on one. But it is also what I signed up for and enjoy.
The biggest thing is to get moving and getting something accomplished. I was at one organization and they would give us weekly reports even though we didn't have time to fix the vulnerabilities from the last one. This also lead to very sloppy reports with false positives. I tried to get management to reduce the cycle to monthly or even biweekly, but they refused saying the team was contracted to provide weekly reports. So I spent lot of time chasing ghosts in that organization.
In another organization we just finished up closing as many findings as we could from an assessment done last year and I got management to call it done so we wouldn't be chasing ghosts (findings on machines that no longer existed in our environment) since we now had our own vulnerability management program set up.
Yes. The elephants keep popping up. The key is to find out why they keep popping up. Just fixing vulnerabilities doesn't necessarily mean the problem is fixed. Automated updates can be wonderful, but if they only get applied if the application is launched, you could be vulnerable while thinking you are covered. Google Chrome is a great example of this. It will auto update when you launch it, but if no one launches it, it will remain vulnerable. So look for root causes and opportunities to improve on a bigger scale (better tools, better processes, etc.)
One of the ways we did this was the auto lockout of laptops that haven't connected for 30 days. It helps keep unpatched systems off the network and from returning to the network in a vulnerable state.