In many network environments, unauthorized users may exploit vulnerabilities in the network to gain access, deny access to legitimate users, or otherwise attack systems in the network. To detect and remediate such vulnerabilities, existing network security systems typically conduct vulnerability analysis through manual inspection or network scans. For example, conventional network scanners (or “active vulnerability scanners”) send packets or other messages to devices in the network and audit the network using information contained in any responses received from those devices. The topology of the network therefore limits the effectiveness of active vulnerability scanners: only devices that can exchange traffic with the scanner can be audited, and actively scanning networks distributed over large areas or containing large numbers of devices may take a long time. For example, in a network that includes multiple routers, hosts, and other network devices, an active vulnerability scanner typically has to send packets that traverse several routers to reach the hosts and other devices, some of which may be powered off or otherwise inactive at scan time and therefore invisible to the scanner. Further, where one or more of the routers enforce firewall rules that filter incoming and outgoing traffic, the active vulnerability scanner may produce incomplete results because the firewall blocks its probes from reaching hosts or other devices behind it.
Furthermore, the audit results that active vulnerability scanners produce become stale over time because they describe a static state of the network at a particular point in time. An active vulnerability scanner therefore cannot detect hosts that have been added to or removed from the network after a particular scan, so its audit results steadily lose value as the network changes. Active vulnerability scanners also tend to cause disruption during an audit: probing hosts or other devices may result in communication bottlenecks, processing overhead, and instability, among other problems in the network. Thus, deployment locations, configurations, and other factors involved in managing a network can often interfere with obtaining suitable auditing results from active vulnerability scanners alone.
As such, existing systems that rely entirely on active vulnerability scanners typically cannot obtain comprehensive information describing important settings, configurations, and other characteristics of the network. In particular, malicious or unauthorized users often employ techniques to obscure their network sessions during an attempted breach, and active vulnerability scanners generally cannot observe the real-time network activity that would indicate the breach is in progress. For example, many backdoor and rootkit applications use non-standard ports and custom protocols to obscure their sessions, so that intruders may compromise the network while escaping detection. Many active vulnerability scanners can only audit the state of the network at a particular point in time, but suitably managing network security often requires further insight into real-time activity in the network. Accordingly, although the active vulnerability scanners typically employed in existing network security systems can obtain certain information describing the network, existing systems cannot perform comprehensive security audits that completely describe potential vulnerabilities in the network, build models or topologies of the network, or derive other information relevant to managing the network.
Furthermore, in many instances, certain hosts or devices participate in sessions occurring on the network, yet the limitations described above prevent active vulnerability scanners alone from suitably auditing them. As such, various existing network security systems employ one or more passive vulnerability scanners in combination with active vulnerability scanners. A passive vulnerability scanner analyzes traffic traveling across the network, and the hosts, services, and protocols it observes supplement the information obtained from the active vulnerability scanners. However, even when passive and active vulnerability scanners are combined, the amount of data they return can be substantial, which makes administering the potentially large number of vulnerabilities and assets in the network difficult: many network topologies include hundreds, thousands, or more nodes, and representing such topologies in a manner that provides visibility into the network can be unwieldy. For example, an important concern in managing network vulnerabilities relates to detecting viruses or other malware on managed hosts and identifying weak points that may compromise the network or otherwise expose it to viruses, malware, or other threats. In general, protecting a network against viruses or other malware requires information technology administrators to manage anti-malware software themselves and install resident anti-malware agents on managed hosts in the network.
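The two gaps described above, hosts that appear after an active scan and sessions that hide behind non-standard ports or unidentified protocols, are exactly what passive observation of traffic is meant to fill. The following is an added example written for this page, not code from the original document or from any product it describes. It assumes a constructed, tab-separated connection summary in a Zeek-style layout (timestamp, source, destination, destination port, transport, application protocol identified by an analyzer or "-" if none, bytes sent, bytes returned), a constructed active-scan snapshot, and a small port-to-protocol table; all of those names and values are assumptions for illustration.

```python
"""Passive traffic observation used to supplement a stale active scan.

Added example (not from the original page). The log format, the
ACTIVE_SNAPSHOT, the EXPECTED_SERVICE table and the 10.0.x.x local range
are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed active-scan snapshot: host -> ports found open at scan time.
ACTIVE_SNAPSHOT: Dict[str, Set[int]] = {
    "10.0.1.10": {22, 80},
    "10.0.1.11": {443},
}

# Constructed passive observations collected after the active scan.
# ts  src  dst  dport  proto  service  orig_bytes  resp_bytes
CONN_LOG = """\
1001\t10.0.2.5\t10.0.1.10\t22\ttcp\tssh\t1200\t3400
1002\t10.0.2.5\t10.0.1.10\t80\ttcp\thttp\t800\t20000
1003\t10.0.2.7\t10.0.1.12\t443\ttcp\tssl\t500\t9000
1004\t10.0.1.12\t203.0.113.9\t8443\ttcp\tssh\t2000\t1500
1005\t10.0.1.11\t198.51.100.4\t6667\ttcp\t-\t300\t300
1006\t10.0.1.11\t198.51.100.4\t6667\ttcp\t-\t310\t290
"""

# Assumed minimal mapping of well-known ports to the protocol expected there.
EXPECTED_SERVICE = {22: "ssh", 80: "http", 443: "ssl", 6667: "irc", 8443: "ssl"}


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str
    service: str
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text: str) -> List[Conn]:
    """Parse the constructed tab-separated summary; reject malformed rows."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 8:
            raise ValueError(f"malformed record: {line!r}")
        conns.append(Conn(int(f[0]), f[1], f[2], int(f[3]), f[4], f[5],
                          int(f[6]), int(f[7])))
    return conns


def passive_inventory(conns: List[Conn], local_prefix: str = "10.0.") -> Dict[str, Set[int]]:
    """Local hosts seen answering traffic, keyed by the ports they answered on.
    A response byte count of zero means the port did not really talk back."""
    inv: Dict[str, Set[int]] = defaultdict(set)
    for c in conns:
        if c.dst.startswith(local_prefix) and c.resp_bytes > 0:
            inv[c.dst].add(c.dport)
    return dict(inv)


def hosts_missed_by_active_scan(active: Dict[str, Set[int]],
                                passive: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Hosts or ports observed passively that the active snapshot lacks,
    i.e. what appeared (or was unreachable) since the scan ran."""
    gaps = {}
    for host, ports in passive.items():
        missing = ports - active.get(host, set())
        if missing:
            gaps[host] = missing
    return gaps


def suspicious_sessions(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Sessions whose identified protocol disagrees with the port, or whose
    protocol the analyzer could not identify at all (custom/obfuscated)."""
    out = []
    for c in conns:
        expected = EXPECTED_SERVICE.get(c.dport)
        if c.service == "-":
            out.append((c, f"unidentified protocol on port {c.dport}"))
        elif expected and c.service != expected:
            out.append((c, f"{c.service} on port {c.dport} (expected {expected})"))
    return out


def audit(active: Dict[str, Set[int]], log_text: str, local_prefix: str = "10.0.") -> dict:
    """Combine both checks into one report."""
    conns = parse_conn_log(log_text)
    passive = passive_inventory(conns, local_prefix)
    return {
        "new_or_changed_hosts": hosts_missed_by_active_scan(active, passive),
        "suspicious": [(c.ts, why) for c, why in suspicious_sessions(conns)],
    }


if __name__ == "__main__":
    for key, value in audit(ACTIVE_SNAPSHOT, CONN_LOG).items():
        print(key, value)
```

On the constructed input, the report flags 10.0.1.12 as a host the active scan never saw, an SSH session running on 8443 where TLS would be expected, and a repeated unidentified-protocol exchange from 10.0.1.11 to an external address on 6667. The port-to-protocol table is deliberately small; in practice it would be driven by the analyzer's own protocol detection rather than by a hand-written map.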
However, existing anti-malware solutions that rely upon resident anti-malware agents have various limitations and drawbacks. Anti-malware agents typically carry millions of signatures and therefore require the defended system to have the agent installed and continuously monitoring its file system in order to perform the in-depth analysis needed to detect malicious data and activity, which consumes substantial resources and hinders performance. Furthermore, an anti-malware agent typically leverages the technology of a single vendor, because installing every known anti-malware technology would further degrade performance, so agents often do not evaluate defended systems against the full body of malware samples known in the industry. Consequently, anti-malware agents can have substantial gaps in coverage, because attackers often craft infections or malware payloads specifically to bypass detection by particular anti-virus vendor technologies. For example, if an attacker knows that a particular organization has deployed “Brand X” anti-malware agents on managed hosts in a network, the attacker may package malware in a manner that escapes detection by “Brand X” agents even though “Brand Y” agents would detect the same package. In another example, polymorphic and mutating viruses raise the possibility that one anti-virus technology detects a malicious sample while other anti-virus technologies completely miss it. Accordingly, because running every anti-virus technology available on the market to close gaps in coverage cannot feasibly be done without severely burdening performance, anti-malware strategies that use resident agents suffer from drawbacks and limitations that may expose a network to malicious data and activity.
In addition to the drawbacks and limitations of relying upon resident anti-malware agents, no single or even layered anti-malware strategy fully protects a network against every avenue through which viruses and other malware may compromise it. For example, even if a malware infection has been detected and remediated on certain managed hosts in a network, existing anti-malware solutions typically do not (or cannot) assess how the infection arose or the extent to which it may have spread throughout the network. However, knowing whether and how the infection originated and propagated can be critical to properly isolating and remediating it (e.g., different concerns are implicated if the infection arose because one employee opened a bad attachment that compromised a standalone host versus a widespread infection that has compromised a substantial portion of the network environment). Furthermore, anti-malware strategies that leverage anti-virus, intrusion detection, and/or security information and event management (SIEM) correlation technologies may have little or no ability to identify whether certain managed hosts are participating in an active botnet, even though any system that operates or otherwise participates in a botnet should be considered fully compromised and a serious threat to an organization (e.g., because botnets can be used to introduce viruses or other malware into the network).
Consequently, although anti-malware technology is generally available and essential to providing base security protection in a network, it cannot be considered foolproof, and organizations must accept that an infection will happen at some point. In fact, many organizations (especially those having large networks) routinely deal with daily infections despite prevalent anti-malware agents that seek to detect mutating threats and new hostile code types introduced into the network. Even more worrisome, many organizations with large networks have deliberately chosen not to use any anti-malware solution, much less a multi-layered one, relying instead on network security and system hardening. Accordingly, although the days when Internet-wide worms made front page news are long gone, a substantial need exists for a network security system that can leverage active and passive vulnerability discovery to identify malicious data on managed hosts in a network, detect participation in active botnets, and employ other techniques to protect a network against viruses and other malware without requiring resident anti-virus agents to be installed on the managed hosts.