There are some great choices for scanning networks for vulnerabilities. Some of the top choices are:
Tenable Nessus Expert
Rapid7 InsightVM
Fortra’s Digital Defense
Qualys Scanner
OpenVAS
Before you scan for vulnerabilities, it’s best to map out your network with Nmap to gather a list of subnets to scan. You could run a host-discovery scan, depending on the size of the LAN subnet you’re scanning. I like to scan /24 subnets at a time. For instance, if my PC subnet were 192.168.1.0/24, I would scan 192.168.1.2-254: .1 is usually the router and .255 is usually the broadcast address. My servers reside on 192.168.2.0/24. So, I would break out one or two different scans for my PC subnet and my server subnet.

After compiling a list of appropriate subnets to scan, you should scan in two different modes: non-credentialed and credentialed. Non-credentialed scans give you a view of the vulnerabilities an attacker would see without being authenticated to the device. Credentialed scans give you a view of all the vulnerabilities present after authenticating to that box. Most software-based vulnerabilities and host misconfigurations will show up via a credentialed scan. If you have a DMZ or an external presence open to the internet, an external scan should be performed from outside your organization. You could set up a server in the cloud to accomplish this; AWS, Azure, and Linode are good examples of cloud-based hosting.
Depending on regulatory requirements, your organization may be required to perform a certain number of scans per year. I would encourage monthly scans.
Some things that have helped keep vulnerabilities to a minimum are creating a test PC/server, pushing patches out to them right away, and testing. That way, if there is a problem, you can stop a problematic patch from being pushed into production. Group servers via OU into impact levels for patching. For instance, I have a server OU that patches the 3rd Wednesday of every month. This OU contains servers that will not have any adverse impact on business functionality if rebooted or brought down. I have another OU with machines that are more important and can only be rebooted at certain times of the week. These are grouped according to reboot times so that patches can be applied appropriately. My most important servers patch the 4th Sunday of every month. This gives plenty of time for the patches to have been on other machines first.
Some patch management tools include:
Ivanti Security Controls
ManageEngine
PDQ Deploy/PDQ Connect
WSUS
A1
Intune

I personally use Ivanti Security Controls and PDQ Deploy, and they work very well. If you’re running a VMware environment, Ivanti Security Controls has the ability to take snapshots before installing patches.

One thing to consider is that you should whitelist the vulnerability scanner in host-based firewalls and NIPS so you get the most accurate vulnerability assessment for remediation. Focus on fixing the most severe vulnerabilities on your most important assets. Next, if you spot a vulnerability that affects most of your LAN, you could tackle that and improve your overall risk posture greatly.
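As an added example of the host-firewall whitelisting described above (this is not code from the original post or from any scanner vendor), the following PowerShell creates a Windows Defender Firewall rule that is scoped to the scanner's address only and then verifies that scope. The scanner IP and rule name are placeholders to replace with your own.

```powershell
# Added example (not from the original post): let the vulnerability scanner through
# the host firewall (Windows Defender Firewall) without opening the host to everyone.
# The rule is scoped to the scanner's address only; the address below is a PLACEHOLDER.
$ScannerAddress = '192.168.2.50'        # PLACEHOLDER: replace with your scanner's IP
$RuleName       = 'Allow Vulnerability Scanner'

$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Permit the vulnerability scanner so credentialed scans are not blocked' `
        -Direction Inbound -Action Allow -Profile Domain `
        -RemoteAddress $ScannerAddress | Out-Null
}

# Verify the scope: the rule must allow only the scanner, never "Any".
$scope  = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
$remote = @($scope.RemoteAddress)
if ($remote.Count -ne 1 -or $remote[0] -ne $ScannerAddress) {
    Write-Warning "Rule '$RuleName' is scoped to '$($remote -join ', ')', expected '$ScannerAddress'."
} else {
    Write-Output "Rule '$RuleName' present and scoped to $ScannerAddress."
}
```

Run it elevated on the hosts being scanned (or push it through your deployment tool). Keeping the rule pinned to one remote address is the point: a rule that allows any source would give every host on the LAN the same reach the scanner has.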

With PDQ Deploy a fix can be deployed almost instantly. For instance, let’s say you encounter a Windows unquoted service path vulnerability: by deploying this command to all workstations you could fix several.
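As an added example of that kind of remediation (not the command from the original post, and not PDQ Deploy's own code), the following PowerShell script walks the services registry key, finds any ImagePath that contains a space but is not wrapped in quotes, and rewrites it with the executable portion quoted. It assumes the standard HKLM services key and that the executable portion of the path ends at the first ".exe".

```powershell
# Added example (not from the original post): remediate Windows "unquoted service
# path" findings by wrapping the executable portion of each service's ImagePath in
# quotes. Run elevated; use -WhatIf first to preview which services would change.
# Assumptions: services are read from the standard HKLM services key, and the
# executable portion ends at the first ".exe" (case-insensitive) in the path.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-QuotedImagePath {
    # Returns the corrected ImagePath, or $null when no change is needed.
    param([Parameter(Mandatory)][string]$ImagePath)

    # Already quoted: nothing to do.
    if ($ImagePath -match '^\s*"') { return $null }

    # Split the executable (up to the first .exe) from any trailing arguments.
    $m = [regex]::Match($ImagePath, '^(.*?\.exe)(\s.*)?$', 'IgnoreCase')
    if (-not $m.Success) { return $null }
    $exePath   = $m.Groups[1].Value
    $argString = $m.Groups[2].Value

    # No whitespace in the executable path: not exploitable, leave it alone.
    if ($exePath -notmatch '\s') { return $null }

    return '"' + $exePath + '"' + $argString
}

$fixed = 0
foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { continue }

    $newPath = Get-QuotedImagePath -ImagePath $props.ImagePath
    if ($null -eq $newPath) { continue }

    # Preserve the existing value type (REG_SZ vs REG_EXPAND_SZ) when rewriting.
    $kind = (Get-Item -Path $svc.PSPath).GetValueKind('ImagePath')
    if ($PSCmdlet.ShouldProcess("$($svc.PSChildName): $($props.ImagePath)", 'Quote ImagePath')) {
        Set-ItemProperty -Path $svc.PSPath -Name ImagePath -Value $newPath -Type $kind
        Write-Output "Fixed $($svc.PSChildName) -> $newPath"
        $fixed++
    }
}
Write-Output "Services remediated: $fixed"
```

Save it as a .ps1 and run it once with `-WhatIf` to see which services would be touched, then deploy it as a PowerShell step. The new path is read the next time each service starts, so the fix takes effect after a service restart or reboot, and a follow-up credentialed scan should show the finding cleared.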
