Finding gaps in vulnerability scanning

Your vulnerability scanning is only as good as its coverage. As devices are added to and removed from the network, it is important to monitor for gaps in scanning.

Who is this playbook for and why?

This playbook will be useful for security teams who want to close gaps in their vulnerability management program to ensure effective and efficient remediation of vulnerabilities.

How will runZero help?

runZero is able to discover assets on your network without an agent and import asset information from your vulnerability management platform. This allows you to easily identify assets that are not currently being scanned by your vulnerability management platform.

What will I need to do?

To find gaps in vulnerability scan coverage, start by scanning your entire network with runZero. Then, you will configure a runZero integration with your vulnerability management platform to merge vulnerability data with runZero data. Lastly, you will query asset data to find assets that are not being vulnerability scanned.

Prerequisites

Implementation steps

  1. Configure vulnerability management integration:
  2. Use sample queries to search your inventory for assets not seen in your vulnerability scanning data.
  3. Set up alerts to automatically notify you of gaps or to initiate a workflow.

Sample Queries

There are endless ways to combine terms and operators into effective queries, and the examples below can be used as-is or adjusted to meet your needs.

Qualys

The following queries can be used to monitor the state of your Qualys deployment from within runZero.

Identify assets that have not been scanned by Qualys

source:runZero AND not source:qualys

Identify assets that have not been scanned in the last 14 days

source:qualys AND (@qualys.dev.host.lastScannedDateTimeTS:>14days OR @qualys.dev.host.lastVMScannedDateTS:>14days)

Rapid7 InsightVM or Nexpose

The following queries can be used to monitor the state of your Rapid7 deployment from within runZero.

Identify assets that have not been scanned by Rapid7

source:runZero AND not source:rapid7

Tenable.io or Tenable Nessus

The following queries can be used to monitor the state of your Tenable.io or Tenable Nessus deployment from within runZero.

Identify assets that have not been scanned by Tenable

source:runZero AND not source:tenable

Identify assets that have not been scanned in the last 14 days

source:tenable AND @tenable.dev.lastScanTimeTS:>14days
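The same gap logic can be run offline against exported asset records, for example to feed a ticketing workflow. The following is an added example, not runZero code: the record layout (name, sources, attributes), the epoch-second timestamp values and the sample inventory are assumptions constructed for illustration; only the attribute names come from the queries above.

```python
from datetime import datetime, timedelta, timezone

# Last-scan attributes named in the sample queries, keyed by scanner source.
SCAN_TS_ATTRS = {
    "qualys": ["qualys.dev.host.lastScannedDateTimeTS",
               "qualys.dev.host.lastVMScannedDateTS"],
    "tenable": ["tenable.dev.lastScanTimeTS"],
    "rapid7": [],  # the page lists no last-scan attribute for Rapid7
}

def coverage_gaps(assets, scanner, now, max_age_days=14):
    """Return (unscanned, stale) asset names for one scanner source."""
    cutoff = (now - timedelta(days=max_age_days)).timestamp()
    unscanned, stale = [], []
    for asset in assets:
        sources = {s.lower() for s in asset.get("sources", [])}
        if scanner not in sources:
            # source:runZero AND not source:<scanner>
            if "runzero" in sources:
                unscanned.append(asset["name"])
            continue
        attrs = asset.get("attributes", {})
        # Stale if ANY listed timestamp is older than the cutoff (the OR in
        # the Qualys query). Absent timestamps are skipped in this sketch.
        if any(attrs[k] < cutoff for k in SCAN_TS_ATTRS[scanner] if k in attrs):
            stale.append(asset["name"])
    return unscanned, stale

# Constructed sample inventory (not real data); timestamps are epoch seconds.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

def _ago(days):
    return int((NOW - timedelta(days=days)).timestamp())

SAMPLE_ASSETS = [
    {"name": "web-01", "sources": ["runZero", "qualys"], "attributes": {
        "qualys.dev.host.lastScannedDateTimeTS": _ago(2),
        "qualys.dev.host.lastVMScannedDateTS": _ago(20)}},
    {"name": "db-01", "sources": ["runZero", "qualys"], "attributes": {
        "qualys.dev.host.lastScannedDateTimeTS": _ago(1),
        "qualys.dev.host.lastVMScannedDateTS": _ago(1)}},
    {"name": "printer-07", "sources": ["runZero"], "attributes": {}},
    {"name": "app-03", "sources": ["runZero", "tenable"], "attributes": {
        "tenable.dev.lastScanTimeTS": _ago(30)}},
]

if __name__ == "__main__":
    for scanner in SCAN_TS_ATTRS:
        print(scanner, coverage_gaps(SAMPLE_ASSETS, scanner, NOW))
```

In the sample, web-01 is reported as stale for Qualys even though one of its two timestamps is recent, which mirrors the OR in the Qualys query.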

Outcome demo

This video is a short demo of what the outcome of finding gaps in your vulnerability scanning policies may look like.

Getting help

If you need assistance in building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.
