Get Started with Alert Logic Scans
A scan detects and identifies network and host vulnerabilities in your environment. Scans can perform external attack simulations as well as comprehensive vulnerability checks including registry evaluation. For more information, see the detailed About Alert Logic Scans documentation. Alert Logic scans can also help you meet Payment Card Industry (PCI) compliance requirements. For more information, see Manage PCI Scans.
You can check the operational status of your automated and scheduled scans in the Service Status page in the Alert Logic console. Alert Logic recommends that you subscribe to the Service Status page and all your Alert Logic components, including scans. For more information about the Service Status page and how to subscribe, see Service Status.
There are four types of supported scans:
- Discovery scans
- Internal scans
- External scans
- PCI scans
A discovery scan is used to identify hosts on a network. The scanner makes a reasonable attempt to identify live systems, including systems that do not respond to common Internet Control Message Protocol (ICMP) echo requests.
An internal scan runs from an Alert Logic appliance or agent in your environment.
Internal scan with no credentials or agent-based scan:
If you do not provide credentials or enable agent-based scanning, Alert Logic scans your network without logging on to each host and performs as many vulnerability as possible.
Internal scan with credentials and no agent-based scan:
When you define a scan, you can specify credentials to use with the internal scan. If you provide credentials, Alert Logic can log on to each host on your network and collect information about the host while it performs comprehensive vulnerability checks including registry setting evaluation. To learn how to provide credentials, see Manage your credentials.
Internal scan with agent-based scan:
You can enable agent-based scanning by deployment. Agent-based scans and credentialed network scans provide similar internal vulnerability assessment. When the network scan begins an internal assessment of a host, it checks with that host for the presence of agent-based scan configuration. The network scan will not run redundant vulnerability assessments for the host. For more information, see Agent-Based Scanning.
An external scan runs from the Alert Logic network against your environment. This type of scan simulates attacks from outside your network and identifies potential issues from these attack types.
A PCI scan is a type of external scan that is used specifically for Payment Card Industry (PCI) compliance requirements. For more information on PCI scans, see Manage PCI Scans.
Scanning best practices summary
When configuring your scans, use the following guidelines to create successful scans and scan results. For more in-depth best practices, see the detailed Scanning best practices.
- Scan often
- Scan everything in your network
- Scan at the right times
- Scan your servers, firewalls, and routers during off-peak times
- Scan your workstations during working hours
- Scan your staging devices and remediate any issues findings before scanning production devices
- Do not scan during service windows
Optimize your scans
When configuring your assets for scanning, consider and implement a strategy that is particular to your scanning targets and environment.
- Use agent-based or credentialed scans on everything, and use un-credentialed scans as fallback. Agent-based scanning or credentialed scans produce the most accurate results and should be used on all servers and workstations. Un-credentialed network scans should be used only for devices where agent-based or credentialed scanning is not available, for example, routers, switches, and printers.
- Be mindful of what you are scanning. In terms of length, not all types of scans are equal. Windows-credentialed scanning takes longer than all other credentialed or non-credentialed scans. Under test scenarios, Windows-credentialed scans have taken up to four times as long as other scans. The web application scanning component used in Alert Logic PCI scans can also run long due to the amount of web pages present and the number of fields on each page, multiplied by the number of sites being scanned. Consider these factors when defining your scans and determining scan windows.
- Multitask. Scan your networks separately in a staggered schedule to allow for remediation in stages.
- Try not to scan over WAN links or VPN. The traffic between the scanner and the scan target is high compared to the relatively low traffic between the scanner and Alert Logic. Place the scanner on the same side of the VPN or WAN link as the scan target for the best use of your bandwidth.
For printer devices that are not using web services, Alert Logic recommends stopping services that reside on ports 80 and 443, and disable “LPD/LPR” on the printer port 515/TCP to prevent the device from printing scan activity log messages.
Manage your scans
To learn how to manage scans and scan results, see Manage Scans and Scan Results.
- Manage Scan Schedules—Manage your scan schedules and scan frequency for each deployment.
- Exclude assets and ports from scans—You can exclude certain assets and ports from scans in each deployment.
- Scan Now—Alert Logic allows you to expedite scanning for individual assets when necessary.
Exclusions, scan frequency, and scheduling options apply only to assets that are scanned using Alert Logic appliances. Cloud configuration checks performed using cloud APIs, such as checks that are part of the CIS Foundations benchmark, are not affected.
The Alert Logic console contains several pages where you can access data pulled from scan results:
- Vulnerabilities Reports—Provide valuable summary, breakdown, variance, distribution, and trending data for vulnerabilities discovered across your environments by all scans.
- Scan Schedule Breakdown—Provide summary, detailed, and variance vulnerability results for specific scan schedules.
- Exposures—Lists exposures found in your deployments resulting from vulnerability scans and remediations to resolve an exposure or a group of exposures.
You can review scan results and their outcomes in several different pages in the Alert Logic console:
- Vulnerabilities Reports—For full reports of all scan results
- Scan Schedule Breakdown—For full reports of specific scan schedule results
- Exposures—For viewing and addressing individual issues
Scanned assets, credentials, and performance adjustments
The Last Scanned Breakdown report, available from the Vulnerabilities Reports page, lists when assets in your deployments were last scanned for vulnerabilities. For more information, see Last Scanned Breakdown.
On the Topology page, you can filter your assets by regions, networks, subnets, hosts, tags and other assets to see which assets are being scanned. You can also manage scan settings such as your credentials to set up credentialed scanning for assets and adjust scan performance settings. For more information, see Topology and Adjust Scan Settings.