Alert Logic Managed Detection and Response customers now have access to several enhancements in the Alert Logic console for configuring vulnerability scans. These updates simplify working with Alert Logic scans and can help you get the most value from vulnerability scanning, whether it is agent-based, external, or internal scanning.
With these enhancements, you can now:
- Exclude assets from agent-based scanning
- Manage more scan settings in a single location
- Maximize your use of scanning with new scan health remediations
Additionally, default scan schedules are now disabled upon deployment, and a new warning can help you understand the negative impacts of scanning a large network in your environment.
Read on to learn more about each enhancement.
Exclude Assets from Agent-Based Scanning
You can now exclude assets from agent-based scanning in the Alert Logic console. This exclusion function was previously available for external and internal network scans, and the same functionality is now available for agent-based scans.
To exclude assets from agent-based scanning, navigate to navigation menu > Configure > Deployments > select a deployment > Vulnerability Scanning: Scan Exclusions.
On this screen, there is now a tab for Agent-Based Scans, where you can set up your exclusions using the same process used for internal and external network scans. For more information on setting exclusions, refer to our Agent-Based Scanning documentation.
Navigate Through Scan Settings More Easily
Several scan settings and features have been moved in the Alert Logic console to more logical places, making it easier for you to access and update scan configurations. The main configuration options that have been moved include:
- Discovery scan settings
- Scanning exclusions
- Scan credentials
- Scan performance settings
With this reorganization, more scan settings are available in a central location, simplifying the process to manage scans. Additionally, the discovery scan scheduling feature has been separated from vulnerability scan settings and moved under Assets, since discovery scans focus on identifying hosts in your networks and are required for data center deployments.
Refer to the following table to determine the new location for actions you commonly perform.
| If you are looking to: | New location | Previous location |
|---|---|---|
| Manage discovery scan schedules | Configure > Deployments > select a data center deployment > Assets: Discover Assets | Configure > Deployments > select a data center deployment > Scan Schedules |
| Exclude assets or ports from vulnerability scans (agent-based, internal, or external) | Configure > Deployments > select a deployment > Vulnerability Scanning: Scan Exclusions | Configure > Deployments > select a deployment > Protection: Scope of Protection > click Exclusions |
| Exclude assets from the scope of network intrusion detection | Configure > Deployments > select a deployment > Network IDS: Network IDS Exclusion | Configure > Deployments > select a deployment > Protection: Scope of Protection > click Exclusions |
| Add or edit scan credentials | Configure > Deployments > select a deployment > Vulnerability Scanning: Scan Credentials | Investigate > Topology > select an asset to manage > Scan Settings (these settings are still also available in this location) |
| Edit scan performance settings | Configure > Deployments > select a deployment > Vulnerability Scanning: Scan Performance | Investigate > Topology > select an asset to manage > Scan Settings (these settings are still also available in this location) |
These changes simplify navigating through scan settings by providing a single location in the Alert Logic console to manage configuration settings for vulnerability scans.
New Asset Selector for Scan Credentials and Scan Performance
With the ability to manage scan credentials and performance while configuring a deployment, a new way to select the assets to manage is now available. Previously when working with scan settings from the Topology screen, you selected the asset to manage from the Topology view before accessing the scan settings for that asset.
Note: This functionality is still available within the Topology screen.
Now, when managing scan credentials and performance within your deployment configuration, navigate to navigation menu > Configure > Deployments > select a deployment > Vulnerability Scanning: Scan Credentials or Scan Performance. On both the Scan Credentials screen and the Scan Performance screen, a new asset selector is available for you to easily search, filter, and select the asset(s) you want to configure.
To select which asset to edit, simply click the asset on the left side of the screen. A sidebar displays where you can add or view your scan credentials or manage your scan performance, depending on which screen you are on. On the Scan Performance screen, the Credentials column allows you to easily identify which assets already have scan credentials. This new functionality simplifies locating assets to edit for scan credentials and performance, while allowing you to manage these settings alongside other scan settings within a deployment.
New Scan Health Exposures and Remediations
To help customers get the most out of their vulnerability scanning, several new scan health exposures and remediations can now be triggered in the Alert Logic console. Seven new possible exposures and related remediations may display, notifying you of ways to optimize your scan configuration and ensure all assets get scanned.
You can check if these new health exposures and remediations have been triggered under navigation menu > Respond > Health. Select Unhealthy in the left navigation, then select Remediations or Exposures in the View list. New filters display on the left navigation; select Scan in the Category list to filter to only scan-related remediations or exposures.
For example, the “Deploy more Alert Logic Scan appliances” remediation will display when Alert Logic identifies that hosts are out of SLA for internal network scanning, and a single appliance is configured to scan more than one /16 network. The remediation directs you to deploy more scan appliances, so all in-scope hosts can be scanned without overloading the appliance.
With these new health remediations and exposures, you can more easily identify when improvements can be made to your vulnerability scanning configuration and verify all your hosts are getting scanned for vulnerabilities.
New Warning for Large Network Scope
In addition to the new scan remediations, a new warning displays when a customer attempts to scan a large network in a data center deployment. When adding or editing a data center deployment, this warning displays if the total addressable space is larger than two /16 networks, which is the recommended scope limit.
Large networks significantly increase scan durations, causing an increased risk of service degradation; this new warning helps you avoid this scenario.
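The two thresholds above (one /16 per scan appliance, two /16 networks per data center deployment) are easy to misjudge when a scope is spread across several CIDR ranges, some of which overlap. The following script is an added example and not Alert Logic code or any part of the console; it assumes the scope is expressed as IPv4 CIDR strings, interprets "more than one /16" as total unique address space rather than a count of ranges, and uses constructed sample ranges and appliance names.

```python
import ipaddress
from typing import Dict, Iterable, List

# Thresholds from the announcement: a /16 holds 65,536 addresses, and the
# recommended scope limit for a data center deployment is two /16 networks.
SLASH16_ADDRESSES = 2 ** 16
RECOMMENDED_MAX_ADDRESSES = 2 * SLASH16_ADDRESSES


def addressable_space(cidrs: Iterable[str]) -> int:
    """Count the unique IPv4 addresses covered by the given CIDR scopes.

    Overlapping or nested ranges are collapsed first, so a subnet listed
    twice, or a /24 that already sits inside a /16, is not double counted.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


def exceeds_recommended_scope(cidrs: Iterable[str]) -> bool:
    """True when a deployment scope is larger than two /16 networks."""
    return addressable_space(cidrs) > RECOMMENDED_MAX_ADDRESSES


def appliances_over_one_slash16(assignments: Dict[str, List[str]]) -> List[str]:
    """Return the appliance names whose assigned scope exceeds one /16.

    Assumption (not stated by the page): the per-appliance check is on
    unique address space, so two small ranges do not trip it, but a /16
    plus anything else does.
    """
    return [
        name
        for name, cidrs in assignments.items()
        if addressable_space(cidrs) > SLASH16_ADDRESSES
    ]


if __name__ == "__main__":
    # Constructed sample scope: two /16s, a /24 nested in one of them, and
    # a small management range that quietly pushes the total over the limit.
    deployment_scope = ["10.0.0.0/16", "10.1.0.0/16", "10.1.5.0/24", "192.168.0.0/24"]
    total = addressable_space(deployment_scope)
    print(f"deployment scope: {total} unique addresses "
          f"({total / SLASH16_ADDRESSES:.3f} x /16)")
    if exceeds_recommended_scope(deployment_scope):
        print("warning: scope exceeds the recommended two /16 networks")

    # Constructed sample appliance assignments (hypothetical appliance names).
    appliances = {
        "scanner-a": ["10.0.0.0/16"],
        "scanner-b": ["10.1.0.0/16", "192.168.0.0/24"],
    }
    for name in appliances_over_one_slash16(appliances):
        print(f"{name}: scope exceeds one /16, consider deploying another appliance")
```

Collapsing the ranges before counting matters in both directions: it stops a nested /24 from inflating the figure, and it makes clear that a single stray /24 outside the two /16s is enough to cross the recommended limit, which is the case the console warning is there to catch.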
Disable Default Scan Schedules for New Deployments
Lastly, default vulnerability scan schedules are now automatically disabled for new deployments. Previously, when a new deployment was created, the default schedules for internal and external vulnerability scans were automatically enabled and could begin scanning for vulnerabilities immediately unless the customer manually disabled them. Based on customer feedback, these default schedules are now automatically disabled, allowing you to set up the best scan schedule for your environment and start vulnerability scanning at your own pace.
Additional Resources
Learn more about scanning with the following Alert Logic knowledge base articles and documentation: