Get Started with Alert Logic Scans

A scan detects and identifies network and host vulnerabilities in your environment. Scans can perform external attack simulations as well as comprehensive vulnerability checks including registry evaluation. For more information, see the detailed Manage Scans and Scan Results documentation. Alert Logic scans can also help you meet PCI compliance requirements. For more information, see Manage PCI Scans.

Scan types

There are four types of supported scans:

  • Discovery scans
  • Internal scans
  • External scans
  • PCI scans

Discovery scans

A discovery scan is used to identify hosts on a network. The scanner makes a reasonable attempt to identify live systems, including systems that do not respond to common Internet Control Message Protocol (ICMP) echo requests.

Internal scans

An internal scan runs from an Alert Logic appliance in your environment. You can specify credentials to use with the internal scan on the Topology page. If you provide credentials, Alert Logic can log on to your hosts and collect information while it performs comprehensive vulnerability checks, including registry setting evaluation. If you do not provide credentials, Alert Logic scans your network without logging on and performs as many checks as possible.

External scans

An external scan runs from the Alert Logic network against your environment. This type of scan simulates attacks from outside your network and identifies potential issues from these attack types.

PCI scans

A PCI scan is a type of external scan that is used specifically for Payment Card Industry (PCI) compliance requirements. For more information on PCI scans, see Manage PCI Scans.

Scanning best practices

When configuring your scans, use the following guidelines to create successful scans and scan results.

  • Scan often
  • Scan everything in your network
  • Scan at the right times
    • Scan your servers, firewalls, and routers during off-peak times
    • Scan your workstations during working hours
  • Scan your staging devices and remediate any findings before scanning production devices
  • Do not scan during service windows

Optimize your scans

When configuring your assets for scanning, consider and implement a strategy that is particular to your scanning targets and environment.

  • Use credentialed scans on everything, and use un-credentialed scans as a fallback. Credentialed scans produce the most accurate results and should be used on all servers and workstations. Un-credentialed scans should be used only for devices where credentialed scanning is not available, for example, routers, switches, and printers.
  • Be mindful of what you are scanning. Not all scan types take the same amount of time. Windows-credentialed scanning takes longer than all other credentialed or non-credentialed scans; under test scenarios, Windows-credentialed scans have taken up to four times as long as other scans. The web application scanning component used in Alert Logic PCI scans can also run long because of the number of web pages present and the number of fields on each page, multiplied by the number of sites being scanned. Consider these factors when defining your scans and determining scan windows.
  • Multitask. Scan your networks separately in a staggered schedule to allow for remediation in stages.
  • Try not to scan over WAN links or VPN. The traffic between the scanner and the scan target is high compared to the relatively low traffic between the scanner and Alert Logic. Place the scanner on the same side of the VPN or WAN link as the scan target for the best use of your bandwidth.
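The scheduling and optimization guidance above can be checked mechanically before a schedule is committed. The following is an added example, not Alert Logic code or any Alert Logic API: a small scan-window planner that picks credentialed or un-credentialed mode per asset, places infrastructure in an off-peak window and workstations in working hours, staggers networks inside each window, refuses slots that overlap a service window, lists staging assets before production, inflates the time estimate for Windows-credentialed scans, and warns when a target sits across a WAN or VPN link from the scanner. The window boundaries, the 15-minute base duration, the asset records and the service window are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

MIN_PER_DAY = 24 * 60
# Constructed example windows; real off-peak and working hours are site-specific.
OFF_PEAK = (22 * 60, 6 * 60)        # 22:00 to 06:00, wraps past midnight
WORKING_HOURS = (9 * 60, 17 * 60)   # 09:00 to 17:00


@dataclass
class Asset:
    name: str
    kind: str                  # server, firewall, router, switch, printer, workstation
    network: str
    site: str                  # which side of a WAN/VPN link the asset sits on
    os: str = "linux"
    has_credentials: bool = False
    stage: str = "production"  # or "staging"


@dataclass
class ScanJob:
    asset: Asset
    mode: str
    slot: Optional[tuple]      # (start_minute, end_minute) or None when not scheduled
    est_minutes: int
    warnings: list = field(default_factory=list)


def segments(window):
    """Split a (start, end) minute-of-day window into non-wrapping segments."""
    start, end = window
    return [(start, end)] if start < end else [(start, MIN_PER_DAY), (0, end)]


def overlaps(a, b):
    """True when two windows share any minute, even if one wraps past midnight."""
    return any(s1 < e2 and s2 < e1 for s1, e1 in segments(a) for s2, e2 in segments(b))


def window_length(window):
    return sum(e - s for s, e in segments(window))


def preferred_window(asset):
    # Workstations are scanned while users are logged on; infrastructure off-peak.
    return WORKING_HOURS if asset.kind == "workstation" else OFF_PEAK


def scan_mode(asset):
    # Credentialed on servers and workstations; network gear and printers fall back.
    if asset.kind in ("server", "workstation") and asset.has_credentials:
        return "credentialed"
    return "uncredentialed"


def estimate_minutes(asset, mode, base=15):
    # Windows-credentialed scans have measured up to four times longer than others.
    return base * 4 if mode == "credentialed" and asset.os == "windows" else base


def plan_scans(assets, service_windows, scanner_site, stagger=60):
    """Assign each asset a slot, staggered per network inside its preferred window."""
    # Staging first, so its findings can be remediated before production is scanned.
    ordered = sorted(assets, key=lambda a: a.stage != "staging")
    offsets = {}   # (window, network) -> stagger index within that window
    jobs = []
    for asset in ordered:
        window, mode = preferred_window(asset), scan_mode(asset)
        job = ScanJob(asset, mode, None, estimate_minutes(asset, mode))
        key = (window, asset.network)
        if key not in offsets:
            offsets[key] = sum(1 for k in offsets if k[0] == window)
        start = (window[0] + offsets[key] * stagger) % MIN_PER_DAY
        slot = (start, (start + stagger) % MIN_PER_DAY)
        if (offsets[key] + 1) * stagger > window_length(window):
            job.warnings.append("preferred window exhausted; add another scan day")
        elif any(overlaps(slot, sw) for sw in service_windows):
            job.warnings.append("slot overlaps a service window; not scheduled")
        else:
            job.slot = slot
        if asset.site != scanner_site:
            job.warnings.append("target is across a WAN/VPN link from the scanner")
        jobs.append(job)
    return jobs


# Constructed sample inventory and a constructed 23:00-00:00 service window.
SAMPLE_ASSETS = [
    Asset("web01", "server", "dmz", "hq", has_credentials=True),
    Asset("dc01", "server", "corp", "hq", os="windows", has_credentials=True),
    Asset("sw01", "switch", "corp", "hq"),
    Asset("ws-staging-1", "workstation", "staging", "branch", has_credentials=True, stage="staging"),
    Asset("ws42", "workstation", "corp", "hq", os="windows", has_credentials=True),
]
SAMPLE_SERVICE_WINDOWS = [(23 * 60, 24 * 60)]

if __name__ == "__main__":
    for job in plan_scans(SAMPLE_ASSETS, SAMPLE_SERVICE_WINDOWS, scanner_site="hq"):
        print(f"{job.asset.name:14} {job.mode:14} slot={job.slot} "
              f"est={job.est_minutes}m {'; '.join(job.warnings)}")
```

Running the sample places web01 in the first off-peak slot, leaves dc01 and sw01 unscheduled because the corp network's off-peak slot collides with the service window, and flags the branch workstation as sitting across the WAN link; the planner's output is the input to a review, not a replacement for one.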

Manage your scans

Alert Logic performs automatic internal and external scans on all of the assets in your deployments once a day, unless you change the schedule. However, there are several ways to manage automatic scans in your deployments. To learn how to manage scans and scan results, see Manage Scans and Scan Results.

  • Manage scan schedules: Manage your scan schedules and scan frequency for each deployment. Default scan frequency is once a day.
  • Exclude assets from scans: You can exclude certain assets from scans in each deployment.
  • Scan Now: Alert Logic allows you to expedite scanning for individual assets when necessary.
  • Exclusions, scan frequency, and scheduling options apply only to scans of host assets by Alert Logic appliances. Cloud configuration checks performed with cloud APIs, such as checks that are part of the CIS Foundations benchmark, are not affected.

Statistics

The Alert Logic console contains several pages where you can access data pulled from scan results.

The Remediations page also notifies you when assets have not been scanned. See Configuration Remediations for more information.

Scan results

You can review scan results and their outcomes in several different pages in the Alert Logic console.

Search vulnerabilities

You have access to view vulnerabilities. The Vulnerability Analysis reports allow you to view and filter vulnerabilities in your environment. The Vulnerability Summary displays all vulnerabilities that match the filters you choose.

Scanned assets and credentials

You can filter your assets by regions, networks, subnets, hosts, tags and other assets to see what is being scanned from the Topology page. You can also manage your credentials to set up credentialed scanning for assets on this page. See Topology for more information.