Your vulnerability scanning is only as good as the coverage. As devices get added and taken off the network, it is important to monitor for gaps in scanning.
This playbook will be useful for security teams who want to close gaps in their vulnerability management program to ensure effective and efficient remediation of vulnerabilities.
runZero is able to discover assets on your network without an agent and import asset information from your vulnerability management platform. This allows you to easily identify assets that are not currently being scanned by your vulnerability management platform.
To find gaps in vulnerability scan coverage, start by scanning your entire network with runZero. Then, you will configure a runZero integration with your vulnerability management platform to merge vulnerability data with runZero data. Lastly, you will query asset data to find assets that are not being vulnerability scanned.
There are endless ways to combine terms and operators into effective queries, and the examples below can be used as-is or adjusted to meet your needs.
The following queries can be used to monitor the state of your Qualys deployment from within runZero.
source:runZero AND not source:qualys
source:qualys AND (@qualys.dev.host.lastScannedDateTimeTS:>14days OR @qualys.dev.host.lastVMScannedDateTS:>14days)
The following queries can be used to monitor the state of your Rapid7 deployment from within runZero.
source:runZero AND not source:rapid7
The following queries can be used to monitor the state of your Tenable.io or Tenable Nessus deployment from within runZero.
source:runZero AND not source:tenable
source:tenable AND @tenable.dev.lastScanTimeTS:>14days
This video is a short demo of what the outcome of finding gaps in your vulnerability scanning policies may look like.
If you need assistance in building out this process, you can book a session with a runZero Customer Success Engineer to discuss further.