Field of the Invention
The present invention relates to network security and more particularly to an apparatus, system, and method for a multi-context event streaming network vulnerability scanner having advanced host tracking capabilities.
Description of the Related Art
Computer networks have evolved substantially over the last decade due in part to the rise of new network-centric technologies such as hardware virtualization and cloud-computing. Hardware virtualization through software packages such as ‘VMware’ allows a single computer to host many ‘virtual computers’ that may (and often do) appear alongside their host computer as peer machines with their own IP addresses on the network.
Cloud-computing technology has given rise to large networks of automatically configured virtual nodes that represent a much tighter integration between a single host and its peer nodes than a normal heterogeneous deployment.
One of the traditional methods for assessing the security posture of a network is to use a network vulnerability scanning tool. These tools work by sending out a set of network probes that attempt to identify all computers on the network and then discover any security vulnerabilities on them.
Vulnerability management systems typically provide users with historical vulnerability information for each tracked asset that is assessed across time. This historical information includes asset characteristic changes across time as seen in assessments, as well as the asset's vulnerability evolution over time. For instance, vulnerability management systems typically track when a vulnerability was first detected on an asset, whether or not it was ever fixed and, if so, which assessment first concluded that the vulnerability was fixed.
Existing solutions match assessment hosts to assets based on only one of many network device characteristics: the IP address. These solutions work within environments where the host IP addresses never change.
Increasingly, devices may change their IP address often, as many devices do not need a static IP address. Even devices to which a network administrator assigns a static IP address undergo network management changes that periodically involve assigning a different IP address to the device.
Some existing solutions track hosts based on one of several characteristics, for example by IP address, by NetBIOS hostname or by DNS hostname. This permits some tracking of hosts across a range of IP addresses even where such addresses may change; however, these solutions still fail to provide adequate tracking of hosts due to characteristic changes resulting from regular network administration, provisioning and maintenance.
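The following Python sketch is an added illustration, not part of the original disclosure. It shows how vulnerability history keyed on a single characteristic (first IP address, then hostname) is misattributed once that characteristic changes; the `track` helper, the hostnames, the addresses and the identifier `VULN-A` are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AssetRecord:
    first_detected: dict = field(default_factory=dict)  # vuln -> scan where first seen
    fixed_at: dict = field(default_factory=dict)        # vuln -> scan where first absent

def track(scans, key):
    """Build per-asset history, matching each scanned host on ONE characteristic."""
    assets = {}
    for scan_no, hosts in enumerate(scans, start=1):
        for host in hosts:
            rec = assets.setdefault(host[key], AssetRecord())
            for vuln in host["vulns"]:
                rec.first_detected.setdefault(vuln, scan_no)
                rec.fixed_at.pop(vuln, None)   # seen again, so not fixed
            for vuln in rec.first_detected:
                if vuln not in host["vulns"]:
                    rec.fixed_at.setdefault(vuln, scan_no)
    return assets

# Constructed sample data: three assessments of the same two physical machines.
# Scan 2: the machines have exchanged IP addresses. Scan 3: the server is renamed.
SCANS = [
    [{"ip": "10.0.0.5", "hostname": "FS01", "vulns": {"VULN-A"}},
     {"ip": "10.0.0.9", "hostname": "WS07", "vulns": set()}],
    [{"ip": "10.0.0.9", "hostname": "FS01", "vulns": {"VULN-A"}},
     {"ip": "10.0.0.5", "hostname": "WS07", "vulns": set()}],
    [{"ip": "10.0.0.9", "hostname": "ARCHIVE01", "vulns": {"VULN-A"}},
     {"ip": "10.0.0.5", "hostname": "WS07", "vulns": set()}],
]

if __name__ == "__main__":
    by_ip = track(SCANS, "ip")
    # The never-patched server's finding is marked fixed on its old address
    # and its first-detected scan restarts on the new address.
    print("10.0.0.5 fixed_at:", by_ip["10.0.0.5"].fixed_at)
    print("10.0.0.9 first_detected:", by_ip["10.0.0.9"].first_detected)
    by_name = track(SCANS, "hostname")
    # Hostname matching survives the IP change but splits history on the rename.
    print("assets by hostname:", sorted(by_name))
    print("ARCHIVE01 first_detected:", by_name["ARCHIVE01"].first_detected)
```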