Why Is Snapshot Scanning Not Enough?

Parag Bajaria

As each new scanning technology is released, its supposed superiority over the others is touted. The problem is that there is no single best scanning technology; all of them have strengths and limitations. If recent claims from several vendors are to be believed, a “best” scanning method called snapshot scanning exists. But when we look closely, snapshot scanning has advantages for specific use cases, such as being able to scan paused workloads, and there are many other areas where a different scanner type would be the better choice. So, is there an optimal scanning method? After reading this blog, it should be clear that the answer is no. At Qualys, we recommend that you do not rely on a single scanning method; instead, use multiple scanning technologies when and where they make the most sense. To that end, Qualys has developed a technology that makes various scanner types easy to use and manage, which we call FlexScan.

What Is Snapshot Scanning?

Snapshot scanning uses scanners that capture images of workloads (snapshots) from a cloud service provider’s (CSP) runtime block storage and then scan those images. Runtime block storage is where CSPs store the updated images of cloud workloads and resources. Snapshot scanning is therefore an indirect method of scanning cloud workloads: it examines this block storage rather than looking directly at the workloads with agents.

Places Where Snapshot Scanning Makes Sense

Snapshot scanning has several advantages that sometimes make it the best choice; the main one is fast and easy setup, which lets you quickly onboard a company’s cloud workloads. Because this type of scanner is so simple to get up and running in cloud-only environments, it is well suited to use cases where you need to evaluate cloud environments quickly with comprehensive coverage, such as mergers and acquisitions (M&A) scenarios. API-based scanning has the same quick-assessment capability and is even slightly faster at assessing new workloads than snapshot scanning, but API-based scanning does not provide comprehensive coverage.

A capability other scanner types don’t provide is a snapshot scanner’s ability to look at images of paused or suspended workloads. Remember, though, that most vendors charge by the number of assets, and paused workloads count as assets, so this capability is not an advantage for everyone.

Although it is expensive from a resource standpoint, snapshot scanning can look for malware and sensitive data, tasks that require significant computational power. Agents can also do this, but usually you do not want to spend workload resources scanning for malware. If you wish to detect malware, snapshot scanners are the best option.

Limitations of Snapshot Scanning

Snapshot scanners have limitations. The most obvious one is that they only work on public clouds. So if you have a hybrid environment, as almost all companies do, you will need to add a second security solution if your vendor only provides snapshot scanners.

Snapshot scanning is also the most expensive detection method because of storage and scanner costs. Since it is a costly technology to employ and its only real strength is easy onboarding, we recommend in most cases that it be used only when one-time assessments are needed, leaving other use cases to more efficient scanning technology.

The resource-intensive nature of snapshot scanning also makes frequent scanning expensive, so most customers who use this technology exclusively scan at most once every 24 hours, and a lengthy manual rescan has to be triggered whenever a critical zero-day vulnerability is announced. Compare this with Qualys’ Cloud Agent, whose default scan window is 4 hours.

Snapshot scanners have two further limitations. First, some information in a workload cannot be discerned by examining a static snapshot. Second, snapshot scanning does not provide an external view of cloud workloads. For these reasons, snapshot scanning should be supplemented with other scanning methods. Here are two examples of vulnerabilities that snapshot scanning has trouble with:

Spring4Shell (CVE-2022-22965) – You are only affected by the Spring4Shell vulnerability if Java 9 or later is used. By looking at a snapshot image, you can determine whether a vulnerable version is installed. However, you cannot know for certain which Java versions are present on the system or, if several versions are installed, which one is actually being used. This type of uncertainty can lead to false positives.

WebLogic 0-day (CVE-2020-14882) – To detect this vulnerability, you need to determine the install path of WebLogic and assess whether it has already been patched. This information can only be obtained by executing specific commands at run time, so the vulnerability is hard to detect by looking at a snapshot alone.
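The Spring4Shell case above illustrates why runtime context matters for a correct verdict. The following Python is an added example, not Qualys code: it parses constructed JDK release files as a disk snapshot would see them, then compares the verdict a static snapshot can reach with the verdict once the running process’s Java binary (something only an agent on the host can observe) is known. All paths and file contents are made up, and the example assumes the snapshot has already found a vulnerable Spring Framework version.

```python
import re

# Constructed sample: contents of the `release` file under each JDK install
# directory as seen in a disk snapshot. Paths and versions are made up.
SNAPSHOT_JDK_RELEASE_FILES = {
    "/usr/lib/jvm/java-8-openjdk-amd64": 'JAVA_VERSION="1.8.0_292"\nOS_NAME="Linux"\n',
    "/usr/lib/jvm/java-11-openjdk-amd64": 'JAVA_VERSION="11.0.16"\nOS_NAME="Linux"\n',
}

# Constructed sample: the resolved /proc/<pid>/exe of the running Spring
# application. Only a runtime collector (an agent) can observe this.
RUNTIME_JAVA_EXE = "/usr/lib/jvm/java-8-openjdk-amd64/bin/java"


def java_major_version(release_text: str) -> int:
    """Parse JAVA_VERSION from a JDK release file into a major number.
    Handles the legacy '1.8.0_292' scheme (-> 8) and the modern '11.0.16' scheme (-> 11)."""
    m = re.search(r'^JAVA_VERSION="([^"]+)"', release_text, re.MULTILINE)
    if not m:
        raise ValueError("no JAVA_VERSION line in release file")
    parts = m.group(1).split(".")
    if parts[0] == "1":  # legacy 1.x scheme: the major version is the second field
        return int(parts[1])
    return int(parts[0])


def snapshot_verdict(release_files: dict) -> str:
    """What a static snapshot can conclude: every installed Java is visible,
    but not which one the application actually runs on."""
    majors = [java_major_version(txt) for txt in release_files.values()]
    if majors and all(v >= 9 for v in majors):
        return "vulnerable"
    if any(v >= 9 for v in majors):
        return "possibly vulnerable (Java 9+ installed, runtime JVM unknown)"
    return "not vulnerable (no Java 9+ installed)"


def runtime_verdict(release_files: dict, java_exe: str) -> str:
    """With the running process's java binary known, map it back to its install
    directory and decide on the version that is actually in use."""
    for install, txt in release_files.items():
        if java_exe.startswith(install.rstrip("/") + "/"):
            major = java_major_version(txt)
            return "vulnerable" if major >= 9 else f"not vulnerable (runs Java {major})"
    return "unknown (running JVM not found among installed JDKs)"
```

With the constructed data, the snapshot alone can only report "possibly vulnerable", while the runtime view shows the application runs on Java 8 and is not affected; that gap is the false positive the text describes.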

When Agents Should Be Used

What Is Agent-Based Scanning?

Agent-based scanning works by placing a small piece of software, an agent, on the host or workload to scan for vulnerabilities, misconfiguration, and other security issues. Modern agents are usually very lightweight, consume minimal resources, and are easy to deploy and maintain.

Where Agents Make the Most Sense

Agents are the most flexible scanning method because they excel at detection tasks and can perform them continuously. They are also necessary if you want an integrated patch management strategy, because they can perform active functions such as patching and executing customized mitigation scripts. Some technologies only support public clouds; however, almost every large enterprise has a hybrid environment that includes on-premises, private, and public clouds. Agents excel at supporting hybrid environments.

Another significant benefit of agents is that they excel at providing continuous scanning or short scan window support. No other technology even comes close to agents at monitoring assets continuously or supporting short scan windows. Qualys has a scan window as small as 4 hours, while most vendors typically have a 24-hour scan window.

Limitations of Agents

Agents require the use of some host resources. However, agent implementations like Qualys’ lightweight agent allow you to control this and limit resources to 2% or less of the server, workload, or desktop. 

Agents are easy to install; however, the process is not effortless, especially when compared to snapshot scanning. There is a maintenance component involved with agents, but a well-designed architecture like Qualys’ self-updating and self-healing agents can take almost all of the work out of maintenance.

When API-Based Scanning Should Be Used

What Is API-Based Scanning?

API-based scanning is where you use an API to query an information service. It is often used with public cloud service provider (CSP) services from AWS, Azure, Google Cloud, etc., to get configuration and vulnerability information.

Where API-Based Scanning Makes the Most Sense

API-based scanning is the fastest to implement, assuming CSP-embedded agents such as the AWS Systems Manager Agent (SSM Agent) are already in use. API-based scanning also makes the most sense when dealing with highly ephemeral workloads. It is also the primary scanner type used by Cloud Security Posture Managers (CSPM); without this method of collecting data, CSPMs would not work.

What Are the Limitations of API-Based Scanning?

API-based scanners are great at the limited role of getting data quickly from CSP services. That strength is also their weakness: they are highly specialized and are limited by the services they pull data from. API-based scanning cannot detect CVEs like Spring4Shell (CVE-2022-22965) and Log4Shell (CVE-2021-44228) because it has no information about software that was not installed through a package manager.

When Network Scanning Should Be Used

What Is Network Scanning?

Network scanning uses a scanner that has a network connection to the resource being scanned. This type of scanner is usually virtualized and can reside anywhere (in the cloud, on-premises, etc.) as long as it has network connectivity to the workloads and resources it needs to scan. Network scanning comes in two flavors, authenticated and unauthenticated. The type most commonly used, and the one discussed here, is authenticated network scanning, in which the scanner has credentials to access the workloads or resources it scans.

Where Network-Based Scanning Makes the Most Sense

Network scanning is advantageous in two different use cases. It can give you an outside-in view that the other scanners cannot, which is helpful for Payment Card Industry (PCI) compliance, and in a few cases it can find vulnerabilities that are difficult to detect with the other scanning types, because network scanning is not limited to information on the workload or resource itself. It can also examine responses on the network, allowing it to detect a small set of vulnerabilities that the others cannot.

Network scanning is also useful in several non-cloud use cases outside this blog’s scope. One unique use case worth noting is its use in sensitive on-premises environments, because network scanner communications can be so tightly controlled and managed.

Limitations of Network Scanning

Network-based scanning is harder to configure, deploy, and maintain than agent-based scanning, primarily due to the complexity of managing the credentials needed.

What Users Want – Multiple Scanner Options

It is clear that there is no scanning technology that is best for every use case. Our customers have told us they want multiple scanner options which are flexible, easy to use, and can be used on the same workloads, which is why we created FlexScan.

Today we are excited to announce – the Qualys TotalCloud solution with FlexScan that helps our customers extend the trusted power and accuracy of Qualys VMDR, augmented with flexible agent-based and agent-less cloud-native assessment to simplify the management of cloud-native security. Qualys TotalCloud brings both Cloud Posture Management and Cloud Workload Security into a unified view for prioritizing and reducing your cloud security risk.

What Is Qualys FlexScan?

Qualys FlexScan is the new zero-touch, cloud-native way of performing agent and agentless security assessments. FlexScan supports four different scanning methods:

  • No-touch, agent-less, cloud service provider API-based scanning for fast analysis
  • Virtual network-based scanning to assess unknown workloads over the network for open ports and remotely exploitable vulnerability detection
  • Snapshot assessment that mounts the workload snapshot for periodic offline scanning including vulnerabilities and OSS scanning
  • Qualys Cloud Agents for comprehensive real-time vulnerability and configuration assessments of workloads

The Advantage of FlexScan

With FlexScan, you can use multiple scanning methods to scan a workload to get a comprehensive view of its vulnerabilities. For example, a customer with an Internet-facing workload can use both agent and network-based scanning to evaluate it for vulnerabilities and configurations from both an internal and external perspective.

And FlexScan does not require complex configurations to get up and running. Qualys FlexScan allows users to use different scanning technologies where they make the most sense, even on the same workloads, with almost no manual configuration.

Recommendations on When To Use Each Scanning Method With FlexScan

Now that you can easily use different scanning methods from the same Qualys platform with FlexScan, we recommend using API-based assessments for your initial scan assessment and evaluating highly ephemeral instances. Use agent-based assessments for long-running workloads because this scan method is the most comprehensive and provides the most accurate six sigma vulnerability detection. If your workloads are externally facing or subject to strict compliance standards, you may want to consider adding network scanning on these assets. Snapshot scanning can look at stopped or paused workloads and instances where examining the entire workload’s file system is required.

Join us for the TotalCloud launch to see FlexScan in action on how it enables security teams to address the most pressing cloud-native challenges – Wednesday, Nov. 9, at 1:45 pm PT. Register at www.qualys.com/totalcloud-live

To learn more about Qualys FlexScan, visit the TotalCloud product page, watch the video, and sign up for a trial.
