cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Viewer

VM Scan All Machines or Sampling? Why?

I'm trying to understand perspectives around Vulnerability Management (VM) scanning. Let's say you VM scan all devices in production environment, disaster recovery environment, and any machine that can connect to said environments at your office. You also work at a budget conscious company. In this scenario, would you:

  1. Purchase additional VM licenses and champion getting every machine at your office setup with a VM scan.
  2. Do not purchase additional VM licenses; continuing VM scans on machines which connect to production environments. Leverage these scan results as a sampling to address vulnerabilities on all machines.

...and what is your reason for why you would choose this?

2 Replies
Community Champion

Re: VM Scan All Machines or Sampling? Why?

Everyone is budget conscious.  The answer comes down to risk acceptance.  

 

  • If you don't protect your DR machines to the same level you protect your production machines, you are accepting the increased risk of a failed failover.
  • If you don't protect your unimportant machines, you accept this risk that they can become attack vectors against your important machines.
  • If you vulnerability scan only a fraction of your machines, you accept the risk that
    • ... your staff may not equally apply maintenance across the board,
    • ... that some installs failures are false-negatives (e.g. installed successfully, but the PC was never rebooted), and
    • ... you might forget to remediate temporary patch-exemptions.

At my company, we purchase a site-license and install the Vuln scanner on all devices to raise the bar and redirect everyone't time and attention to those risk decisions that are more business-facing.  Plus it reduces time pacifying auditors.

 

 

Highlighted
Newcomer II

Re: VM Scan All Machines or Sampling? Why?

VM is a pretty fundamental part of a security program, and making sure you have full coverage of your environment is critical. I'd reallocate budget from something else, or even try scanning lower criticality servers with OpenVAS. Risk rate the servers, apply your commercial product to high risk (such as externally connected) and allow low risk servers to be scanned with something else.

It's like driving at 100 kph down a road. You wouldn't do it if you could only see every fifth car.