Get Started with Alert Logic Scans
A scan detects and identifies network and host vulnerabilities in your environment. Scans can perform external attack simulations as well as comprehensive vulnerability checks including registry evaluation. For more information, see the detailed About Alert Logic Scans documentation. Alert Logic scans can also help you meet Payment Card Industry (PCI) compliance requirements. For more information, see Manage PCI Scans.
You can check the operational status of your automated and scheduled scans in the Service Status page in the Alert Logic console. Alert Logic recommends that you subscribe to the Service Status page and all your Alert Logic components, including scans. For more information about the Service Status page and how to subscribe, see Service Status.
Supported scans include:
- Discovery scans
- Agent-based scans
- Internal network scans
- External network scans
- PCI scans
A discovery scan applies to Data Center deployments only. It scans for new assets or asset changes on your networks. The scanner makes a reasonable attempt to identify live systems, including systems that do not respond to common Internet Control Message Protocol (ICMP) echo requests.
An agent-based scan runs from an Alert Logic agent on a host in your environment.
Alert Logic scans your host using a locally installed program to identify vulnerabilities and missing patches.
Internal network scans
An internal network scan runs from an Alert Logic appliance in your environment.
Internal network scan with no credentials (unauthenticated):
If you do not provide credentials or enable agent-based scanning, Alert Logic scans your network without logging into the host and uses exposed ports, protocols, and services to identify vulnerabilities, misconfigurations, and default account exposures.
Internal network scan with credentials (authenticated):
You can specify credentials to use with the internal network scan. If you provide credentials, Alert Logic can log into each host on your network and collect information about the host while it performs comprehensive vulnerability checks including registry setting evaluation, misconfigurations, and missing patches. To learn how to provide credentials, see Manage your credentials.
When the internal network scan begins an internal assessment of a host, it checks with that host for the presence of agent-based scan configuration. The internal network scan does not run redundant vulnerability checks for the host. For more information, see Agent-Based Scanning.
External network scans
An external network scan runs from the Alert Logic data centers against your internet-facing environment. This type of scan simulates attacks from outside your network and identifies potential issues from these attack types.
A PCI scan is a special type of external scan that is used specifically for Payment Card Industry (PCI) compliance requirements. For more information on PCI scans, see Manage PCI Scans.
Scanning best practices summary
When configuring your scans, use the following guidelines to create successful scans and scan results. For more in-depth best practices, see the detailed Scanning best practices.
- Scan often
- Scan everything in your network
- Scan at the right times
- Scan your servers, firewalls, and routers during off-peak times
- Scan your workstations during working hours
- Scan your staging devices and remediate any issues findings before scanning production devices
- Do not scan during service windows
Optimize your scans
When configuring your assets for scanning, consider and implement a strategy that is particular to your scanning targets and environment.
- Use agent-based or credentialed scans on everything, and use unauthenticated scans as fallback. Agent-based scanning paired with unauthenticated scans or credentialed scans produce the most accurate results and should be used on all servers and workstations. Unauthenticated network scans should be used only for devices where agent-based or credentialed scanning is not available, for example, routers, switches, and printers.
- Be mindful of what you are scanning. In terms of length, not all types of scans are equal. Windows-credentialed scanning takes longer than all other credentialed or non-credentialed scans. Under test scenarios, Windows-credentialed scans have taken up to four times as long as other scans. The web application scanning component used in Alert Logic PCI scans can also run long due to the amount of web pages present and the number of fields on each page, multiplied by the number of sites being scanned. Consider these factors when defining your scans and determining scan windows.
- Multitask. Scan your networks separately in a staggered schedule to allow for remediation in stages.
- Try not to scan over WAN links or VPN. The traffic between the scanner and the scan target is high compared to the relatively low traffic between the scanner and Alert Logic. Place the scanner on the same side of the VPN or WAN link as the scan target for the best use of your bandwidth.
For printer devices that are not using web services, Alert Logic recommends stopping services that reside on ports 80 and 443 and disabling “LPD/LPR” on the printer port 515/TCP to prevent the device from printing scan activity log messages.
Manage your scans
To learn how to manage scans and scan results, see Manage Scans and Scan Results.
- Manage Vulnerability Scan Schedules—Manage your vulnerability scan schedules and scan frequency for each deployment. You can also exclude certain assets and ports from vulnerability scans in each deployment.
- Manage Discovery Scan Schedules—For Data Center deployments, manage your discovery scan schedules and scan frequency for each deployment.
- Scan Now—Alert Logic allows you to expedite scanning for individual assets when necessary.
Exclusions, scan frequency, and scheduling options apply only to assets that are scanned using Alert Logic appliances. Cloud configuration checks performed using cloud APIs, such as checks that are part of the CIS Foundations benchmark, are not affected.
Scan results and statistics
The Alert Logic console contains several pages where you can access data pulled from scan results:
- Vulnerabilities Reports—For full reports of all scan results. Provide valuable summary, breakdown, variance, distribution, and trending data for vulnerabilities discovered across your environments by all scans.
- Scan Schedule Breakdown—For full reports of specific scan schedule results. Provide summary, detailed, and variance vulnerability results for specific scan schedules.
- Exposures—For viewing current vulnerabilities and addressing individual issues. Lists current exposures found in your deployments resulting from vulnerability scans and remediations to resolve an exposure or a group of exposures.
Scanned assets, credentials, and performance adjustments
The Last Scanned Breakdown report, available from the Vulnerabilities Reports page, lists when assets in your deployments were last scanned for vulnerabilities. For more information, see Last Scanned Breakdown.
On the Topology page, you can filter your assets by regions, networks, subnets, hosts, tags and other assets to see which assets are being scanned. In the deployment configuration and on the Topology page, you can manage scan settings such as your credentials to set up credentialed scanning for assets and adjust scan performance settings. For more information, see Topology and Adjust Scan Settings.