Diagnosing Discovery Failures - when good scans go bad
Agentless Discovery: the good
Tideway Foundation’s strength in its approach to scanning has always been its ability to quickly gather lots of critical data from the estate without needing to deploy agents. It’s a very quick, very lightweight method of gathering data. There’s no need to test agents, pilot them and roll them out across thousands of hosts. There’s no need to upgrade them. Most scanning agent activities are the sorts of things that virus- and trojan-detection tools raise alarms about: there’s no need to worry about this if you have no agents.
All that’s required is that Tideway Foundation has login credentials for the hosts that it’s scanning.
Agentless Discovery: the not-so-good
Agentless discovery is not without its drawbacks, however. Most of the drawbacks of agentless discovery stem from the fact that the people running the Tideway appliance are not the people who manage the hosts that Tideway is scanning. The result is that rolling out the credentials that Tideway uses requires work:
- Permission needs obtaining from the security organisation.
- Credentials need rolling out by the sysadmins – with all the attendant complications.
- To-ing and fro-ing on credentials that don’t work as expected is tricky.
- The data quality issues that result from using a credential with insufficient permissions are often obscure and hard to diagnose.
Scanning Windows hosts is both easier and harder than Unix:
- Easier than Unix because most Windows estates use domain accounts. Rolling out a single credential per domain is usually sufficient.
- Harder than Unix because the methods of getting data back (WMI, remote commands) are not as straightforward to debug as Unix commands are.
How Tideway can help
A lot of these issues are products of the environment: they’re not things that the product can do anything about directly. However, the product absolutely needs to support our users when they have these problems, and make sure that the problems are as easy to find and resolve as possible.
We’ve spent the last few weeks in the Engineering department working on improving Tideway’s abilities in these areas:
- We’ve made it a lot easier to tell which credentials are failing and where. See here for details.
- The error reporting that comes back from failures scanning Windows hosts is now really clear and detailed.
- The information presented about what happened during a scan has been restructured and clarified. See here for details.
This work is all about making Tideway a much friendlier system to roll out and maintain. There’s more to come in the coming weeks; don’t go too far!
