Presentation of different Cyberwatch scan modes

Cyberwatch offers multiple ways to add assets to the Cyberwatch scope to be analyzed by the application.

The Assets management menu in Cyberwatch offers the following:

  1. Agents;
  2. Agentless connections;
  3. Air-gapped assets;
  4. Docker images;
  5. Network targets and websites;
  6. Cloud.

The first three scan modes can all be qualified as “authenticated assets” scanning methods described in more details below. These authenticated scanning methods offer exactly the same analyses results.

Authenticated assets scans

This section aims to describe the following scanning methods:

  1. “Agent-based” scans;
  2. “Agentless” scans;
  3. “Air-gapped” scans.

These three scanning methods:

  • aim to scan assets in an authenticated fashion, such as servers, desktops, network devices, hypervisors, industrial devices;
  • offer exactly the same scan results and features;
  • are up to the user’s choice when they can be used to scan the same type of assets.

Differences between these methods are:

  • the direction and/or type of network flow required between the Cyberwatch server and assets to monitor;
  • the type of assets that can be scanned by each of these methods.

Additional information on the systems that can be scanned using these methods are available on the list of supported operating systems.

Our team is also available to help you make a choice on the scanning methods to use for your specific architecture.

A short description of these three methods is also presented below.

“Agent-based” scans

The “agent-based” mode requires to install a light agent on every asset you want to monitor.

This agent is developed in Python and provided with:

  • APT / YUM / ZYPPER / PACMAN for Linux systems;
  • MSI for Windows systems;
  • PKG for macOS systems.

The agent is periodically executed through a service, conducts a diagnostic of the targeted asset, and sends the results to the Cyberwatch node to which it is connected.

Please consult the the Cyberwatch agent documentation for more information.

“Agentless” scans

The “agentless” mode requires a valid connection using usual administration interfaces SSH (Linux) / WinRM (Windows) / SNMP, from a Cyberwatch node, towards every asset you want to monitor.

The connection is periodically used by Cyberwatch to connect to the targeted asset, run a diagnostic, and compute the results.

Please consult the agentless connections documentation for more information.

“Air-gapped” scans

This mode allows to scan assets without requiring a flow between the Cyberwatch node and the assets to be monitored.

It offers the advantage of being able to scan assets completely disconnected from the network, or on which installing an agent or initiating a remote connection is not possible.

The procedure to make it work is as follow:

  1. Download the scripts from the Cyberwatch interface (these scripts are identical to those executed by agent and agentless scans)
  2. Transfer the scripts on the assets to scan, through a mean chosen by the user
  3. Execute the script on the asset, producing text files as an output
  4. Importing the results in Cyberwatch for it to perform its results analyses

For more information on using the air gap scans, please consult adding an air-gapped asset through a form or adding an air-gapped asset using the API.

Docker images scans

This scan mode allows Cyberwatch to scan Docker images hosted on a Docker images registry.

It requires configuring a Docker engine that will allow the following process:

  • download of a Docker image from the registry on the Docker engine;
  • launch of a container from the Docker image;
  • execution Cyberwatch scanning scripts on the container;
  • removal of the container and the image downloaded on the Docker engine.

Please consult the documentation that describes how to add a Docker image for more information.

Network targets and websites scans

This scan mode uses the Cyberwatch external scan module to scan:

  • network targets, as in “asset scanned using an external network scan”;
  • websites, as in web applications with HTML pages and features that can be tested.

In both cases, the scan will try to gather information such as open ports, installed technologies visible from the outside.

For websites, an OWASP scan will also be conducted using modules to identify potential injections, configuration problems, etc.

These websites scans can be run without authentication, in “Black box” mode; or with an authentication depending on the website, in “Grey box” mode.

Please refer to the documentation on how to add a network target or a website for more information.

Cloud scans

This feature offers the possibility to add Cloud infrastructures in Cyberwatch, in order to perform compliance checks on these entities.

Cloud entities that can be scanned by Cyberwatch to this day are:

  • Google Cloud Platform;
  • Amazon Web Services;
  • Microsoft Azure;
  • Active Directory.

Active Directory is listed as a Cloud entity, despite being more of a local infrastructure service, as the way its addition in Cyberwatch and the way compliance scans work on this entity behave in the same way as the other Cloud assets.

Please refer to the documentation on Cloud scans for more information.