So I recently watched a webcast provided by Rapid7 called “Ironclad Vulnerability Management: Why Scanning Doesn’t Cut It.” I saw “vulnerability management” and was immediately interested. The title follows the familiar attention-grabbing technique of declaring that something is not good enough, or is outright bad. I figured this is Rapid7, so they would most likely discuss how validation is needed in addition to scanning.
During and after watching the webcast, what stood out to me was how passive vulnerability scanning was presented as not ideal, possibly not even cost-efficient, or too much work to be worth it. Specifically, the claim was that there were too many events and false positives to deal with. I immediately thought they were slamming one of their main competitors, Tenable Security. Tenable Security, the makers of Nessus, have a product called PVS, or Passive Vulnerability Scanner. In the webcast, the guest stated that they trialed a passive scanner and that it didn’t provide much value.
These types of competitive webcasts are familiar from the other side as well. Tenable had a Nessus vs. Qualys webcast not too long ago. Sales tactics in full effect.
So I just want to give my perspective on PVS within the entire vulnerability management life cycle.
Vuln scanning is great. Vuln scanning with credentials for patch verification is greater. Exploitation to validate vuln scan findings is even better. Rapidly fixing all these findings on a continuous basis is the best.
Passive vulnerability scanning is not really scanning at all. It is monitoring. It is sniffing packets, nothing more. It’s basically Wireshark or tcpdump. Tenable PVS looks at the packets it sniffs and, as Snort would, detects things. Unlike Snort though, PVS detects signs that a system is vulnerable. If an old Firefox browser surfing the web is sniffed and its headers detected, PVS could tell you your browser is vulnerable to some Firefox vuln and needs to be updated. Sure, many of these PVS events could be false positives, because a lot of the time these headers can be incorrect, such as an Apache header that is deliberately configured to display the wrong version of Apache. PVS would trigger a false positive. So no matter what the sales pitch, PVS is limited.
On the other side, some things PVS can do are, as the speaker in the webinar stated, help you monitor traffic you can’t run active scanning on. Sure it’s still limited, but it’s something. PVS can also help you identify new systems as they come up and generate traffic on the network: new systems that maybe you don’t have configured to scan in your IP ranges, or new IPs that are firewalled off and that your scans return 0 results for. So PVS is good for something and not a complete waste. Also, PVS in Tenable’s implementation can be combined with Nessus scans using Security Center. This way you can view PVS data alongside Nessus data and validate both sets of results. Another thing PVS can do is detect potentially compromised systems, using plugins that look for traffic to malicious sites. This is similar to an IDS, or even to what Sourcefire used to call RNA, now called FireSight.
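To make the two points above concrete (banner-based passive detection, its false positives when a header is deliberately wrong, and reconciling the passive findings against an active/credentialed scan), here is an added example that is not PVS code or anything from Tenable or Rapid7. The captured HTTP messages, the version floors in MIN_SAFE and the "credentialed scan" results are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP messages standing in for sniffed packets (not real captures).
CAPTURED: List[Tuple[str, str]] = [
    ("10.0.0.5", "GET / HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0\r\n\r\n"),
    ("10.0.0.9", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.7", "GET / HTTP/1.1\r\nHost: intranet\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n\r\n"),
]
# Hypothetical "fixed in" floors; a real PVS plugin carries its own version logic.
MIN_SAFE: Dict[str, Tuple[int, ...]] = {"Firefox": (24, 0, 0), "Apache": (2, 4, 0)}
# Constructed result of a credentialed scan: host -> {product: real installed version}.
# 10.0.0.5 is absent, standing in for a host the active scanner cannot reach.
ACTIVE_RESULTS: Dict[str, Dict[str, str]] = {"10.0.0.9": {"Apache": "2.4.6"}}

BANNER_RE = re.compile(r"^(?:Server|User-Agent):.*?\b(Firefox|Apache)/(\d+(?:\.\d+)*)", re.M)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.2.15' -> (2, 2, 15); padded to three components so tuples compare sanely."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def discovered_hosts(captures: List[Tuple[str, str]]) -> List[str]:
    """Passive inventory: every host that talks is discovered, scanned or not."""
    return sorted({host for host, _ in captures})

def passive_findings(captures: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag hosts whose advertised product version is below the safe floor.
    Evidence is only a banner, so each finding starts out as needs-validation."""
    findings = []
    for host, msg in captures:
        m = BANNER_RE.search(msg)
        if m and parse_version(m.group(2)) < MIN_SAFE[m.group(1)]:
            findings.append({"host": host, "product": m.group(1), "version": m.group(2),
                             "evidence": "banner", "status": "needs-validation"})
    return findings

def reconcile(findings: List[Dict[str, str]], active: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-check banner findings against authoritative versions from an active scan."""
    out = []
    for f in findings:
        f = dict(f)
        truth = active.get(f["host"], {}).get(f["product"])
        if truth is None:
            f["status"] = "needs-validation"   # unreachable host: PVS is the only evidence
        elif parse_version(truth) < MIN_SAFE[f["product"]]:
            f["status"] = "confirmed"
        else:
            f["status"] = "false-positive"     # the banner lied (e.g. a spoofed Server header)
        out.append(f)
    return out
```

Running `reconcile(passive_findings(CAPTURED), ACTIVE_RESULTS)` marks the Apache host a false positive because the credentialed result outranks the banner, while the Firefox host stays open because nothing else can see it.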
In the webinar, an excellent question was asked: “Does Rapid7 have a PVS technology?” The answer is no, but they work with Sourcefire and could help customers that way. I would say that Sourcefire’s FireSight is not exactly the same as Tenable’s PVS. Sourcefire FireSight focuses a lot on finding data on endpoints, like OS version and even app versions, so that it can be used to tune IPS/IDS rules. Tenable’s PVS is used to find vulnerabilities to take remediation action on. So while they both use packet sniffing techniques, the end results are a bit different.
Finally, my intention for this post is to dispel some of the fear that may have been spread by the webinar saying that PVS has very little value. I don’t recall Tenable calling it the best tool ever, so be aware of that side of the coin as well. Every tool has its uses, and Rapid7 has a very good suite of tools, as does Tenable. Take a look at all of them and make your own decision.
My personal preference, parts of which can be found in my Twitter history and previous blog posts, is to use Nessus and import the results into Metasploit, and also use PVS to fill in any gaps. On the IDS/IPS side, Sourcefire IPS and FireSight is a great combination. I will even run Wireshark on my desktop. That’s 3 packet capturing tools in total.