Security Metrics - How Often Should We Scan?

When vulnerability data is used for pure "situational awareness", it needs to be as up to date as possible. Many organizations have an incident response, security operations or other type of group that monitors security but has no direct operational role over the IT or mission-critical servers on the network. These organizations need up-to-date vulnerability information to do their job.

The vulnerability data needs to be timely and relevant enough that it is readily available to help correlate IDS events, to be fed to a SIM or to be at the fingertips of an incident response team. It also needs to give executive management visibility into the top security issues facing them.

To accomplish this in the most effective manner, vulnerability data needs to be as close to real time as possible. Daily scans and passive monitoring can ensure that all data is less than 24 hours old. If a network is so large that it takes a few days or even a week to complete a scan, the data is less useful, but better than no data at all.
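The following added example (not part of the original post) sketches how scan age can be carried into IDS event correlation: older data is still used, but a stale "not vulnerable" result is not allowed to suppress an alert. The host addresses, vulnerability IDs, record layout and the `triage` function are constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_AGE = timedelta(hours=24)  # freshness target from the text: data under 24 hours old

# Constructed sample data: last scan time and open findings per host.
VULN_DATA = {
    "10.0.0.5": {"scanned": datetime(2024, 1, 10, 2, 0), "vulns": {"VULN-A"}},
    "10.0.0.9": {"scanned": datetime(2024, 1, 4, 2, 0), "vulns": {"VULN-B"}},
}

# Constructed IDS events: (target host, vulnerability the signature relates to).
IDS_EVENTS = [
    ("10.0.0.5", "VULN-A"),
    ("10.0.0.5", "VULN-B"),
    ("10.0.0.9", "VULN-B"),
    ("10.0.0.9", "VULN-A"),
    ("10.0.0.77", "VULN-A"),
]

def triage(event, vuln_data, now, max_age=MAX_AGE):
    """Return (priority, reason) for one IDS event (hypothetical helper)."""
    host, vuln = event
    record = vuln_data.get(host)
    if record is None:
        return ("investigate", "no scan data for host")
    age = now - record["scanned"]
    fresh = age <= max_age
    if vuln in record["vulns"]:
        # A known-open finding is actionable even when the scan is old.
        note = "" if fresh else f" (scan {age.days}d old)"
        return ("high", "target vulnerable" + note)
    if fresh:
        return ("low", "target not vulnerable as of last scan")
    # Stale negative: the host may have changed since the scan, so do not suppress.
    return ("investigate", f"scan {age.days}d old, cannot rule out")

if __name__ == "__main__":
    now = datetime(2024, 1, 10, 12, 0)  # constructed "current time"
    for ev in IDS_EVENTS:
        print(ev, triage(ev, VULN_DATA, now))
```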

