Thoughts on Cyber security vulnerability scans?

[-]

msprm@reddit

A lot of frustration with vulnerability scans comes from the handoff, not the scan itself. Raw findings rarely help unless they are turned into: what is externally visible, who owns it, what changed, what is actually relevant, and what should be fixed first. The most useful reports I’ve seen are short priority lists with business context, not giant CSVs.

Reply

[-]

Latter_Community_946@reddit

Vuln scanning is useful but reducing the number of things that can be vulnerable is better. We moved our containers to minimus and our cve count dropped from triple digits to single digits. The scanner still runs, it just has almost nothing to report.

Reply

[-]

smc0881@reddit

I wouldn't consider those cyber security guys. I ran into this problem a lot when I was in the military, lol. Some person runs Nessus and thinks they are an elite hacker, but can't explain basic networking concepts to you. I work in DFIR consulting now and I'd still recommend doing those scans since they are usually required and fixing any true findings, but a lot of them are pointless. Focus more on defense-in-depth, patching, MFA, and actually learning how to use the shit. I can't tell you how many MSPs or IT teams get ransomed because they have no idea how to properly use their tools or even monitor them. I've literally seen exclusions for *.exe, C:\, C:\Users\, and other stuff that just makes me cringe. If anything get a real pentest performed, but expect to pay at minimum 20K for a reputable company.

Reply

[-]

Ssakaa@reddit

They weren't paid to fix things. That's what you get paid for. They were paid to highlight the gaps in what you're doing, identify the low hanging fruit you can use to a) improve your security posture with even just the most basic layer of patching properly, and b) pitch a need for more staff and tools based on the guidance of external security professionals. Their reports are a tool to use to talk to leadership. Work *with* them to tailor things if you need to, get *your* wants into their recommendations list, get your budget/staff, and get to work closing the gap.

Reply

[-]

sublimeprince32@reddit

Bruh. Thats like saying your doctor provided a comprehensive report on the different health conditions you have and now youre frustrated because you dont know what to do about it.

Reply

[-]

Ssakaa@reddit

Worse, it's like being the dietitian and physical therapist that can't interpret the pretty basic, routine, list of issues identified by the physician.

Reply

[-]

SevaraB@reddit

YMMV. Skilled pentesters != automated vulnerability scanners. Cheap/crappy ones aren’t sophisticated enough to understand that SPOFs are themselves a problem and complain that you have stuff exposed “unnecessarily,” no matter how many compensating controls you’ve got on your secondary ingress. Or purely theoretical stuff like Spectre/Meltdown, which nobody has successfully leveraged to date.

Reply

[-]

Helpjuice@reddit

So there should be internal and external parties scanning your systems and the company should be moving between vulnerability assessments, penetration testing and red team assessments. You start with vulnerability assessments to fix all of the low hanging fruit. When you think you are good to go or you just need a wide understanding of how bad it is right now you can bring in a penetration testing team. Never use someone that is not actually paid to do this as the people doing the penetration test as it needs to be down by a professional human penetration testing team not someone just learning with no experience conducting offensive operations against information systems. Their goal is to show you how bad it is and find as many vulnerabilities possible that your company has missed, half fixed, misconfigurations, etc. Then when they have done their thing you bring in the red team to break through your new shiny setup to validate acting as an actual adversary to determine the actual security of your systems and networks. There should be continuous vulnerability scans in chunks across all your systems and networks going on that are unauthenticated and authenticated across all your systems where possible to provide continuous understanding of your current state. There should also be SBOMs and HBOMs being send very regularly as in hourly to be processed to show everything on your systems to allow for thorough deep dependency understanding. Mirror that with a production grade SIEM that enables you to see it all, be alerted, and enable monitoring, etc. and you are in a good place. This would allow you to see how really bad things are now and the improvements or regressions over time.

Reply

[-]

MyOtherAcoountIsGone@reddit

> There should also be SBOMs and HBOMs being send very regularly as in hourly to be processed to show everything on your systems to allow for thorough deep dependency understanding. Mirror that with a production grade SIEM that enables you to see it all, be alerted, and enable monitoring, etc. and you are in a good place. I have a q. I recently built a system that takes in all the sboms on my network and other external pieces of our systems. Right now all it is a simple web frontend that you can search and parse to find stuff. So when we see a high vuln we can see if we're effected. Do you have any tips on how this can be improved?

Reply

[-]

Helpjuice@reddit

Yeah automate that searching to just show impact in real-time, along with regressions, and other relevant information. Use it to help see in the weeds without having to go down into them. Just because there is a new CVE out doesn't mean the whole world is on fire. Is the vulnerability reachable, who and what put it there, is it due to the vendor, a dev, a sysadmin, and how can it be fixed safely without taking out dev, staging, and prod while still getting done in a reasonable amount of time. Help use this information to prioritize and rate actual risks based on the entire environment not just perimeters or boundaries. Are you also capturing flow logs? So you can see what can go where along with pulling all network device and host configurations? To build a close to real-time map of what can actually get to where?

Reply

[-]

MyOtherAcoountIsGone@reddit

> Yeah automate that searching to just show impact in real-time, along with regressions, and other relevant information. How though? We already have a vuln analysis tool so I'm not into reinventing that wheel. How do you automate this g sboms to recent breaches and vulns? What sort of free use tools do that sort of thing in a way that would be quicker than rapid7 vulnerability detection.

Reply

[-]

Helpjuice@reddit

Build it, free tools and even paid ones will not solve all your problems. You'll need to aggregate this information into your SIEM, Dashboards, etc. and build queries, scripts, etc. to automate the additional things.

Reply

[-]

MyOtherAcoountIsGone@reddit

Yeah, I guess that's where I'm stuck. I'm not sure how you would build it (I'm not a software dev so everything I build ha been on the shoulders of better developers - I just stich things together). Anyways, not your problem, thanks for the help

Reply

[-]

MyOtherAcoountIsGone@reddit

We don't have room for flow logs. We do capture a certain subset of flow logs but it would quickly over power our 10gb/day siem storage

Reply

[-]

Helpjuice@reddit

Switch to something less restrictive like OpenSearch, 10GB/day is very low and not very useful.

Reply

[-]

MyOtherAcoountIsGone@reddit

I think technically our Siem uses some form of open search on the backend. Unfortunately that's above my pay grade, decision was made when I left the company to move from an on prem graylog to a hosted graylog that costs money. Don't ask me why, but I suspect I know.

Reply

[-]

centpourcentuno@reddit

The problem with these 3rd party services is that the internal team itself doesn't know how to even read these reports. Most of these scans are done so the internal "hardly technical" security team can pat themselves on the back I am always shocked by how these so called cybersecurity people can be so clueless

Reply

[-]

digitaltransmutation@reddit

Whenever they turn over a nessus scan that doesnt have plugin_output turned on my opinion of them is immediately through the floor. They are in the business of making scary red numbers, not in solving problems.

Reply

[-]

gumbrilla@reddit

omg. Absolutely, if it doesnt have plug_output then it's useless for me, I'm not going on a snipe hunt. What was tried, what was the output, and what was expected. It's not difficult.

Reply

[-]

dedjedi@reddit

I am always shocked about how many companies get scammed by fake cyber security people.

Reply

[-]

centpourcentuno@reddit

The new scam is "AI" now. CEOs salivating at saving costs by laying off are spending cash on AI "experts" to tell them how to replace Humans I see these scammers on LI now posting about how they can "help"

Reply

[-]

dedjedi@reddit

I was pointing out how your company was scammed.

Reply

[-]

centpourcentuno@reddit

LOL, I am a contractor myself in a different field. I was just pointing out that one would be surprised how incompetent internal teams can be, especially to prove their "worth" You seem to be taking this personally?

Reply

[-]

rootofallworlds@reddit

Vulnerability scans are worth doing, they’re an inexpensive way to catch some security holes. They’re not penetration tests and you shouldn’t be paying pentest money for them. They produce false positives and it’s important everyone concerned understands that (and people don’t keep slinging mud at IT who have checked and confirmed a certain ‘vulnerability’ is a false positive).

Reply

[-]

BeAdaptiveIT@reddit

The frustration is real and most of the comments here are dismissing it instead of engaging it. The actual answer is what the engagement is supposed to deliver, not what the scan itself does. A scan-only engagement that ends with a PDF is a deliverable mismatch. What you want from a vendor running scans for you: 1. A prioritized remediation list ranked by exploitability and business impact, not by CVSS alone. CVSS 9.8 on an internal-only print server is a different conversation than CVSS 7.5 on your edge firewall. 2. Owner assignment per finding. If the report doesn't have a column for "who fixes this" against each item, it's just inventory. 3. A scheduled follow-up scan, written into the SOW, to verify fixes landed. Otherwise the vendor has no skin in the game. 4. An exec summary that translates to dollars or risk language for your business leadership. Without that, you're carrying the translation work alone and that's why the engagement feels empty. 5. Their tool of choice mapped to CVE. Qualys, Nessus, Rapid7 all show their internal ID alongside the CVE. If the vendor's report only shows their proprietary name, push back. That's a real flag. On price. A $5k drive-by scan with a PDF is a $5k drive-by scan with a PDF. If you want remediation tracking, exec translation, and a follow-up, that's $15k to $25k for an SMB-sized environment and worth every dollar. What did the SOW say the deliverables were?

Reply

[-]

automounter@reddit

Most of those scanners are more false positives than useful. BUT that is the job.

Reply

[-]

sburns756@reddit

[depthfirst.com](http://depthfirst.com) is giving $5m in credits for securing OSS

Reply

[-]

dedjedi@reddit

Speaking as a nation state threat actor, you are absolutely 100% right. Do not listen to those guys.

Reply

[-]

TahinWorks@reddit

Are there companies who run a portscan and use AI to generate a fancy looking report? Yes Are there companies who perform penetration testing using multiple teams and give you a comprehensive view of your weaknesses and a robust plan to remediate them? Also yes. You get what you pay for. It sounds like your company hasn't been paying much.

Reply

[-]

Sw33tkill3r@reddit

A vuln scan isn't going to fix anything by itself. You (or whomever makes the decisions) need to use it as a tool to identify shortfalls and concerns. Personally, I have never taken every "concern" in vuln scans as a true issue that needs to be remediation, at least immediately. Find the top items you care about, and fix them. Setup automation where possible, or GPOs, policies, etc to enforce remediation. This assumes you have a good vulnerability scanner. There are many out there, I have used very few, and I have been happy with galactic scan...

Reply

Thoughts on Cyber security vulnerability scans?

Reply to Post

30 Comments

msprm@reddit

Latter_Community_946@reddit

smc0881@reddit

Ssakaa@reddit

sublimeprince32@reddit

Ssakaa@reddit

SevaraB@reddit

Helpjuice@reddit

MyOtherAcoountIsGone@reddit

Helpjuice@reddit

MyOtherAcoountIsGone@reddit

Helpjuice@reddit

MyOtherAcoountIsGone@reddit

MyOtherAcoountIsGone@reddit

Helpjuice@reddit

MyOtherAcoountIsGone@reddit

centpourcentuno@reddit

digitaltransmutation@reddit

gumbrilla@reddit

dedjedi@reddit

centpourcentuno@reddit

dedjedi@reddit

centpourcentuno@reddit

rootofallworlds@reddit

BeAdaptiveIT@reddit

automounter@reddit

sburns756@reddit

dedjedi@reddit

TahinWorks@reddit

Sw33tkill3r@reddit