Where Vulnerability Scanners Fall Short (Hint: Its Related to Your Storage & Backup Environment) 

Storage and backup platforms, being the custodians of critical organizational data, have become prime targets for cyber threats. Implementing robust vulnerability scanning practices for these platforms is essential to safeguard against potential breaches and ensure compliance with industry regulations – however this is easier said than done. We’ll explain the challenges and solutions in the next paragraphs.  

Mandatory Use of Automated Security Tools 

Industry standards and regulations increasingly mandate the use of automated security tools for vulnerability management, explicitly discouraging reliance on manual reviews. For instance, the PCI DSS v4.0 requires organizations to perform vulnerability scans using automated tools.  

Specifically, PCI DSS Requirement 11.3.1 states: “Perform internal vulnerability scans at least once every three months and after any significant change, using an independent qualified internal resource or qualified external third party, and rescans as needed, until all ‘High’ vulnerabilities (as defined in PCI DSS Requirement 6.3.3) are resolved.”.  Similarly, European regulatory bodies like the European Securities and Markets Authority (ESMA) emphasize the importance of automated tools in ICT risk management frameworks.  

In the Final Report on Draft Regulatory Technical Standards (RTS) on ICT Risk Management Framework, Article 10(2)(b) highlights the necessity to: “Ensure the performance of automated vulnerability scanning and assessments.” This requirement compels financial entities to utilize automated tools for timely identification and remediation of vulnerabilities, reducing the reliance on manual processes and enhancing the effectiveness of their cybersecurity measures. 

The Shift Towards Both Unauthenticated and Authenticated Scans

The industry is witnessing a significant shift towards the incorporation of both unauthenticated and authenticated vulnerability scans. Unauthenticated scans simulate external attacks by assessing vulnerabilities without privileged access, providing insight into what an outsider can exploit. Authenticated scans involve scanning with legitimate access credentials, leveraging product-specific commands and APIs, offering a deeper analysis of internal vulnerabilities that could be exploited by malicious insiders or through compromised accounts. 

Standards like PCI DSS v4.0 recognize the importance of both scanning methods. Specifically, PCI DSS Requirement 11.3.1.2 states: “Internal vulnerability scans are performed using authenticated scanning and include a review of all system components, including operating systems, applications, and databases.” 

This requirement underscores the necessity of authenticated scans to identify vulnerabilities that unauthenticated scans might miss, ensuring a comprehensive security assessment. By employing both scanning techniques, organizations can identify and address both external and internal security weaknesses, enhancing their overall security posture. 

Challenges in Scanning Enterprise Storage and Backup Appliances

Despite the clear need, conducting automated vulnerability scans on enterprise storage and backup appliances presents unique challenges, and keeps mission-critical systems such as Dell PowerMax, Dell PowerProtect, Hitachi VSP, Hitachi Content Platform, NetBackup Flex and Cohesity DataProtect off the vulnerability scanning radar.  

Traditional vulnerability scanning tools often rely on installing agents on target systems to perform in-depth analysis. However, storage arrays and backup appliances typically do not support the installation of third-party agents due to their specialized operating systems and proprietary architectures. Each storage and backup system may utilize its own operating system, application programming interfaces (APIs), and command-line interfaces (CLIs), creating a heterogeneous environment that complicates scanning efforts.  

The lack of standardization means that a vulnerability scanner compatible with one system may not work with another, leading to significant coverage gaps. Moreover, many common vulnerability scanning tools do not include storage and backup products in their support matrices. This absence results in outdated vulnerability databases for these critical systems, leaving organizations unaware of potential security risks.  

The lack of support and commitment from scanning tool vendors to address these platforms exacerbates the issue, causing major coverage gaps and outdated vulnerability assessments. With the growing number of storage vulnerability exploits, this is more concerning than ever. 

StorageGuard: Bridging the Gap in Vulnerability Scanning

To overcome these challenges, StorageGuard offers a specialized solution designed specifically for storage and backup platforms. StorageGuard understands the unique architectures and operating systems of these appliances, providing a tailored vulnerability scanning approach without the need for agents. By leveraging native APIs and CLIs of various storage and backup systems, StorageGuard can perform a authenticated scan, ensuring comprehensive coverage. It maintains up-to-date vulnerability databases specific to these platforms, addressing the issue of outdated assessments.  

StorageGuard integrates seamlessly into existing security workflows, automating the vulnerability scanning process as mandated by industry standards like PCI DSS, NIST SP 800-53, CIS Controls, DORA and many others.  By utilizing StorageGuard, organizations can effectively close the security gaps in their storage and backup environments, enhancing their overall security posture and ensuring compliance with critical industry regulations.