Tenable Vulnerability Management Specialist – Discovery, Assessment, Analysis, Compliance, Dashboard, Reports, Core, Nessus, Agent, NNM, Access Control


https://community.tenable.com/s/article/What-s-the-difference-between-Tenable-io-WAS-and-Legacy-Nessus-WAS?language=en_US

Vulnerability Priority Rating (VPR) Key Drivers

Threat

  • Recency — How recently have there been attacks utilizing this vulnerability?
  • Intensity — Number and frequency of recent events (very low to very high)
  • Sources — What data was used?

Exploit Code Maturity

  • Parallels CVSS: Unproven → High

Product Coverage

  • Number of unique products: Low → Very High

Impact Analysis

  • Availability
  • Integrity
  • Confidentiality

Dashboard

✔ Dashboards provide access to key cyber risk data in an easy to understand format.

✔ Each dashboard consists of a series of widgets.

✔ Widgets can be created from existing templates or customized.

✔ A user can create multiple dashboards.

✔ Each Tenable Vulnerability Management user has their own set of dashboards that can be shared with other users or user groups.

Summary

● Tenable Vulnerability Management provides pre-built dashboards to display cyber risk data.

● Assets can be filtered for an entire dashboard, and for individual widgets.

● Dashboards are shareable with other users or user groups.

● Dashboards can be exported once or on a schedule, and delivered as an encrypted attachment via email to appropriate personnel.

You can create custom dashboards to display cyber risk data in a useful format. You can also set a default dashboard view to see when you sign in.

Reports

Similar to Dashboards, Tenable Vulnerability Management has pre-designed report templates that update automatically.

Report Features

● PDF format

● Share with users/groups

● Filter on tags, or build a custom filter

● Add/remove chapters

● Add a logo

Summary

● Tenable Vulnerability Management provides pre-built report templates to display cyber risk data.

● Customize reports for specific assets, as well as upload an organization’s logo.

● Reports can be exported on a one-time or scheduled basis, shared with other users, and delivered via email to appropriate personnel.

Report Components

● Name

● Description

● Executive Summary

● Additional Chapters

Exports

● Maintain export schedules in Tenable Vulnerability Management

● Demonstrate where to locate exported data, dashboards and reports

● Exported data can be found in different places depending on the type of data.

● The Exports page is for grid page exports.

● Many grid pages such as Assets, Findings, Users, Tags and more can be exported.

TenableCore Tenable NNM – Nessus Network Monitor

Tenable Nessus Network Monitor (NNM) – Schedule: Automatic

  • Operates 24×7
  • Requires access to a SPAN/mirror port for data
  • Scans network traffic for cyber risk data
  • Two operational modes: Host Discovery or Full

Host Discovery

● Assets discovered while in this mode do not count against your license

● Safest option to start with to ensure sensor setup is correct

Full

● In this mode, NNM will report on vulnerabilities it sees via the network

● This is a good option for vulnerability assessment of fragile devices that cannot be actively scanned

Identifying Unscanned Assets

● Filter: Source is equal to (Cloud Discovery Connector, NNM, ServiceNow, etc.) AND Source is not (Nessus Scan, Nessus Agent)

● Compare Assessed vs. Discovered Only
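The filter above expressed as code, run over a constructed inventory. This is an added example, not Tenable's code or an API call: the asset records and source labels are made up to mirror the UI wording (the asset export API spells source names differently, which is an assumption you should check against the export you receive). The point it makes explicit is the AND: an asset seen by NNM and also by a Nessus scan is assessed, so it is not flagged.

```python
"""Flag assets that have only been discovered, never assessed.

Added example, not Tenable's code. Asset records are constructed to mirror
the filter: Source is equal to (NNM, Cloud Discovery Connector, ServiceNow,
...) AND Source is not (Nessus Scan, Nessus Agent). Source labels follow the
UI wording; the export API uses its own spellings (assumption).
"""
from dataclasses import dataclass

ASSESSMENT_SOURCES = {"Nessus Scan", "Nessus Agent"}
DISCOVERY_SOURCES = {"NNM", "Cloud Discovery Connector", "ServiceNow"}


@dataclass(frozen=True)
class Asset:
    name: str
    ipv4: str
    sources: frozenset


def is_assessed(asset: Asset) -> bool:
    """An asset is assessed if a scanner or agent ran plugins against it."""
    return bool(asset.sources & ASSESSMENT_SOURCES)


def is_discovered_only(asset: Asset) -> bool:
    """Seen by a discovery source and never by a scan or agent.

    An asset seen by NNM *and* a Nessus scan is assessed, so it is not flagged.
    An asset with no sources at all is not flagged either; it falls outside
    both buckets and deserves its own look.
    """
    return bool(asset.sources & DISCOVERY_SOURCES) and not is_assessed(asset)


def split_assets(assets):
    """Return (assessed, discovered_only), each in input order."""
    assessed = [a for a in assets if is_assessed(a)]
    discovered_only = [a for a in assets if is_discovered_only(a)]
    return assessed, discovered_only


def scan_targets(assets) -> list:
    """Unique IPv4 targets for a follow-up credentialed scan or agent rollout."""
    return sorted({a.ipv4 for a in split_assets(assets)[1]})


# Constructed sample inventory (not real assets).
SAMPLE_ASSETS = [
    Asset("web01", "10.1.0.10", frozenset({"Nessus Scan", "NNM"})),
    Asset("db-legacy", "10.1.0.20", frozenset({"NNM"})),
    Asset("laptop-7", "10.2.5.31", frozenset({"Nessus Agent"})),
    Asset("k8s-node-3", "10.3.0.7", frozenset({"Cloud Discovery Connector"})),
    Asset("printer-2f", "10.1.0.44", frozenset({"NNM", "ServiceNow"})),
    Asset("cmdb-ghost", "10.9.9.9", frozenset({"ServiceNow"})),
    Asset("unknown", "10.0.0.1", frozenset()),
]

if __name__ == "__main__":
    assessed, discovered_only = split_assets(SAMPLE_ASSETS)
    print(f"{len(assessed)} assessed, {len(discovered_only)} discovered only")
    for a in discovered_only:
        print(f"  {a.name:<12} {a.ipv4:<12} seen by {', '.join(sorted(a.sources))}")
    print("follow-up targets:", scan_targets(SAMPLE_ASSETS))
```

The "cmdb-ghost" record (known only to ServiceNow) is the case worth chasing: either the CMDB is stale or a live host sits somewhere no scanner or sensor covers.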

 

Tenable Nessus Network Monitor Installation
What is Tenable Nessus Network Monitor?

● Monitors network traffic for cyber risk data

● NNM identifies:

○ Assets

○ Services

○ Vulnerabilities in services and applications that generate network traffic

○ Traffic between hosts

● Supports IPv4 and IPv6

● Tenable Nessus Network Monitor is limited to monitoring 1 Gbps

● Can be licensed at an additional cost for 10 Gbps operations (high performance)

Summary

● Tenable Nessus Network Monitor identifies assets, services, vulnerabilities and traffic between hosts.

● NNM requires two network interfaces, one of which is a SPAN port set in promiscuous mode.

● NNM instances can run in two modes: Discovery mode and Full mode.

● NNM offers two performance levels: 1 Gbps for monitoring small networks and network segments; and 10 Gbps, for high-performance data centers and internet ingress/egress points.

NNM Installation

  • RHEL, Windows and other operating systems
  • Install using the appropriate package manager.
  • Tenable Core + NNM is also available
  • Install on virtual platforms.

NNM Configuration:

  1. Connect to NNM using a web browser on port 8835 (https)
  2. Sign in with username “admin” and password “admin”
  3. Reset password
  4. Use “Cloud” as activation code
  5. Provide linking key
  6. Give scanner a name
  7. Select Network Interface
  8. Provide managed range
  9. Set exclusion range(s) – optional

Certificates for NNM

Place the SSL certificates in the appropriate location. Refer to:

https://docs.tenable.com/nessus-network-monitor/Content/ConfigureNNMForCertificates.htm

Troubleshooting NNM Installation

● Sufficient hardware (RAM, CPU cores, disk)

● Connectivity

● Local firewall rules

● Local malware/antivirus application

● Can NNM connect to cloud.tenable.com on port 443?

● Is the SPAN port configured properly?
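A stage-by-stage check for the "can NNM reach cloud.tenable.com on port 443?" question, as an added example (not a Tenable tool). Run it on the sensor host; it tells you whether DNS, the TCP path or the TLS handshake is what fails. A TLS failure on an otherwise open path usually means a TLS-intercepting proxy or a missing CA bundle, because the sensor validates the public certificate chain. cloud.tenable.com is the host named on this page; listing sensor.cloud.tenable.com alongside it is an assumption based on what the sensors also connect to, so confirm the current endpoint list in the Tenable documentation. If the sensor is configured to use a proxy, this direct check does not exercise that path.

```python
"""Stage-by-stage reachability check for a sensor's outbound path to Tenable.

Added example, not Tenable's code. Reports which stage failed: dns, tcp or
tls. Endpoint list is an assumption; cloud.tenable.com is from the page,
sensor.cloud.tenable.com is added from general sensor requirements.
"""
import socket
import ssl

ENDPOINTS = [("cloud.tenable.com", 443), ("sensor.cloud.tenable.com", 443)]


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve, connect and complete a validated TLS handshake.

    Returns {'ok', 'stage', 'detail', ...}; 'stage' is the last stage reached:
    'dns', 'tcp', 'tls', or 'done' on success.
    """
    result = {"host": host, "port": port, "stage": "dns", "ok": False, "detail": ""}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["detail"] = f"name resolution failed: {exc}"
        return result

    # First resolved address only; a dual-stack host may need IPv4 and IPv6 checked.
    family, _, _, _, sockaddr = infos[0]
    result["stage"] = "tcp"
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError as exc:
        sock.close()
        result["detail"] = f"tcp connect to {sockaddr[0]} failed: {exc}"
        return result

    result["stage"] = "tls"
    ctx = ssl.create_default_context()  # verifies chain and hostname, like the sensor does
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        sock.close()
        result["detail"] = f"tls handshake/validation failed: {exc}"
        return result
    try:
        cert = tls.getpeercert()
        issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
        result.update(stage="done", ok=True,
                      detail=f"{tls.version()} issuer={issuer.get('organizationName', '?')}")
    finally:
        tls.close()
    return result


def all_reachable(results) -> bool:
    return all(r["ok"] for r in results)


def summarize(results) -> list:
    """One line per endpoint, suitable for pasting into a support ticket."""
    return [f"{r['host']}:{r['port']} {'OK' if r['ok'] else 'FAIL'} at {r['stage']}: {r['detail']}"
            for r in results]


if __name__ == "__main__":
    results = [check_endpoint(h, p) for h, p in ENDPOINTS]
    print("\n".join(summarize(results)))
    raise SystemExit(0 if all_reachable(results) else 1)
```

If the issuer printed is your own proxy or firewall CA rather than a public CA, the sensor will reject the connection even though this script, trusting the OS store, may report OK; compare the issuer to what the sensor expects.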

Summary

● NNM sensors can run on a variety of platforms.

● Use the package manager for the operating system to install NNM, or use Tenable Core.

● Connect with a web browser and complete the configuration.

● Custom SSL certificates can be uploaded, if required.

● Additional CAs can also be created.

Tenable Core

 You can use the Tenable Core operating system to run an instance of Tenable Nessus in your environment. After you deploy Tenable Core + Tenable Nessus, you can monitor and manage your Tenable Nessus processes through the secure Tenable Core platform.

Core Considerations

  • Works well in virtualized environments
  • Pre-hardened operating system
  • Can be configured to automatically update
  • Deployment Process

    1. Download image
    2. Install (ISO or virtual image)
    3. Connect to core using web browser on port 8000
    4. Initial username and password: wizard/admin
    5. Create admin account
    6. Continue with sensor configuration

    To deploy Tenable Core + Tenable Nessus as a VMware virtual machine:

    1. Download the Tenable Core Nessus VMware Image file from the Tenable Downloads page.

    2. Open your VMware virtual machine in the hypervisor.
    3. Import the Tenable Core + Tenable Nessus VMware .ova file from your computer to your virtual machine. For information about how to import a .ova file to your virtual machine, see the VMware documentation.
    4. In the setup prompt, configure the virtual machine to meet your organization’s storage needs and requirements, and those described in System and License Requirements.
    5. Launch your Tenable Core + Tenable Nessus instance.

      The virtual machine boot process appears in a terminal window.

    Core Interface

    • Operating System (OS) level configuration: networking, storage and updates
    • Start and stop sensor
    • Command line access
    • Resource utilization

    Certificates can be installed using the Management interface.

    Remote Storage

    Remote storage can be enabled:

    ● Uses Secure File Transfer Protocol (SFTP)

    ● Username + private key

    ● Allows for automated backups

    Updates can be scheduled to run at boot time, on a schedule, or both.

    SNMP v2 and v3 can be enabled.

    Tenable Nessus

    Traditional Tenable Nessus application installed on an OS that you manage: for scanning private IPs

    Tenable Cloud Scanner: managed by Tenable, for scanning public-facing IPs

    Tenable Core + Tenable Nessus is a pre-built virtual image for:

    ● VMware

    ● Hyper-V

    ● Dedicated hardware

    Tenable Nessus is also available for a variety of platforms including:

    ● Windows

    ● RHEL/CentOS

    ● OS X and others

    Nessus Installation

    • Connect to Nessus scanner using a web browser on port 8834 (https).
    • On the Welcome screen, select “Managed by.”
    • Select “Tenable.io” and provide the linking key.
    • Create a username and password.
    • Sign into Tenable Nessus to confirm username and password work.

    Certificates for Nessus

    Place SSL certificates in the appropriate location. Refer to:

    https://docs.tenable.com/nessus/Content/CustomSSLCertificates.htm

    Agent Considerations

    ● Scan using lightweight, low-footprint programs installed locally on hosts

    ● Collect vulnerability, compliance and system data, and report back to Tenable Vulnerability Management

    ● Minimal impact on system and network 

    ○ Direct access to all hosts

    ○ Minimal disruption to end users

    Agent Considerations — Benefits

    ● Extended scan coverage and continuous security

    ● Deploy where it is impractical or impossible to run network-based scans

    ● Assess off-network assets and endpoints with intermittent internet access (ex. laptops)

    Agent Considerations — Efficiency

    ● Reduces overall network scanning overhead

    ● Relies on local host resources with minimal performance overhead

    ● Reduces network bandwidth need; important for slow networks

    ● Removes challenge of scanning systems over segmented or complex networks

    ● Updates automatically without reboot or end-user interaction

    Agent Considerations — Limitations

    Network checks

    ● Agents are not designed to perform network checks, so certain plugin items cannot be checked or obtained.

    ○ Combining traditional network scans with agent-based scanning closes this gap.

    Remote connectivity

    ● Agents may miss items performed through remote connectivity

    ○ Logging into a database (DB) server

    ○ Trying default credentials (brute force)

    ○ Traffic-related enumeration

    How an Agent Works

    Agent periodically connects to cloud.tenable.com (Tenable Vulnerability Management) via port 443, and queries for work to be completed.

    If there is work, the Agent completes the work and returns the results.

    Types of Work

    ● Software updates

    ● Plugin updates

    ● Scans (Vulnerability, Compliance)

    Leading Practices — Golden Image

    ● Include the Tenable Nessus Agent in your gold images

    ● Configure connections to Tenable Vulnerability Management/Tenable Nessus Manager instance

    Consider a smaller agent group size to reduce the volume of data imported into Tenable Vulnerability Management at once:

    ● Limit agent groups to 1,000

    Scanning

    1. Create agent scan.

    2. Select group(s).

    3. Select scan window/trigger.

    4. Set scan schedule.

    Deployment Process

    1. Download agent.

    2. Retrieve linking key.

    3. Install agent (manual, or with software management).

    4. Configure with linking key.

    5. Create groups and assign agents.

    Summary

    ● A linking key is needed to install the agent and connect it to Tenable Vulnerability Management.

    ● After installation, agents need to be placed into an Agent Group prior to assessment.

    Possible Scanning Challenges

    • Lack of reliability in network infrastructure
    • Large number of assets in a network partition
    • Active assessment is mission critical 
    • Scanners difficult to identify when configuring scans

    Solution — Scanner Groups

    ● Easy to understand name for scanner(s)

    ○ Less difficult to locate the appropriate scanner

    ● Multiple scanners allowed in group

    ○ Creates high availability/speeds up scans

    ● Load balancing between scanners

    ○ Good for large network partitions

    ○ Good for demand for fast assessment

    When to Use Scanner Groups

    ● Large network partitions

    ● Hard-to-identify scanners

    ● High availability scanning requirements

    ● Network reliability issues

    Summary

    ● Scanner groups can be used for large network partitions to:

    ○ Provide for high availability of scanners and make it easier to identify the appropriate scanner

    ○ Speed up scans

    The Challenge of Crossover IP

    Question: What should the response be when there are two assets that are in different NAT’d subnets, but have the same IP address?

    Answer: Define Networks + Scanners and Groups in Tenable Vulnerability Management

    Age Out Option

    Activating the “age out” option will prompt for a number of days.

    Any assets in this network that have not been seen within X days will automatically be deleted.

    When To Use Networks

    Networks can make it complicated to scan properly.

    Do not use networks unless you are in an environment that contains assets with the same IP address.

    Summary

    ● Networks should be used in environments where there are two assets with the same IP address, due to Network Address Translation (NAT).

    ● Networks can complicate the scanning process, so they should be avoided unless necessary.
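A simplified model of why Networks exist, as an added example (not Tenable's asset-matching logic, which also uses agent UUID, MAC address, hostname and FQDN). Here an asset is keyed by (network, IPv4), and each scanner belongs to exactly one network, so the network a result lands in is decided by which scanner produced it. The sites, scanner names, hostnames and dates are constructed. It shows the two behaviours the section describes: without networks, two NAT'd hosts that both answer at 10.0.0.5 collapse into one record, and with networks they stay separate; and the age-out rule deletes only the assets in that network not seen within X days.

```python
"""Why Networks exist: a simplified model of asset identity across NAT.

Added example, not Tenable's code. Assets are keyed by (network, IPv4) and a
scanner belongs to exactly one network. Sites, scanners and dates are
constructed.
"""
from datetime import date, timedelta

DEFAULT_NETWORK = "Default"


class Inventory:
    def __init__(self, use_networks: bool):
        self.use_networks = use_networks
        self.scanner_network = {}   # scanner name -> network name
        self.assets = {}            # (network, ipv4) -> asset record

    def add_scanner(self, scanner: str, network: str) -> None:
        """A scanner (or scanner group) belongs to exactly one network."""
        self.scanner_network[scanner] = network if self.use_networks else DEFAULT_NETWORK

    def record_scan(self, scanner: str, ipv4: str, hostname: str, seen: date):
        network = self.scanner_network[scanner]
        key = (network, ipv4)
        rec = self.assets.get(key)
        if rec is None:
            self.assets[key] = {"network": network, "ipv4": ipv4, "hostnames": [hostname],
                                "first_seen": seen, "last_seen": seen}
        else:
            # Same key reached from a different physical host: attributes are
            # merged onto one record, and that record's findings flip-flop
            # between the two hosts on every scan.
            if hostname not in rec["hostnames"]:
                rec["hostnames"].append(hostname)
            rec["last_seen"] = max(rec["last_seen"], seen)
        return key

    def age_out(self, network: str, days: int, today: date) -> list:
        """Delete assets in `network` not seen within `days` days; return deleted keys."""
        cutoff = today - timedelta(days=days)
        stale = [k for k, r in self.assets.items()
                 if r["network"] == network and r["last_seen"] < cutoff]
        for k in stale:
            del self.assets[k]
        return stale


def crossover_demo(use_networks: bool, today: date = date(2024, 6, 30)) -> dict:
    """Two NAT'd sites, each with a different host at 10.0.0.5."""
    inv = Inventory(use_networks)
    inv.add_scanner("scanner-siteA", "Site A")
    inv.add_scanner("scanner-siteB", "Site B")
    inv.record_scan("scanner-siteA", "10.0.0.5", "a-fileserver", today - timedelta(days=40))
    inv.record_scan("scanner-siteB", "10.0.0.5", "b-plc", today - timedelta(days=2))
    # Age out 30 days in whichever network scanner-siteA reports into.
    aged = inv.age_out(inv.scanner_network["scanner-siteA"], days=30, today=today)
    return {"assets": {k: v["hostnames"] for k, v in inv.assets.items()}, "aged_out": aged}


if __name__ == "__main__":
    for flag in (False, True):
        print("networks enabled" if flag else "no networks", crossover_demo(flag))
```

Without networks the merged record was last seen two days ago (by Site B's scanner), so the age-out rule never fires and the stale Site A host is hidden inside a record that looks current; with networks, Site A's host ages out on its own.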

    Access Control Components

    The Importance of Access Control
    ● Improve overall security posture
    ● Simplify use of Tenable Vulnerability Management
    ● Improve reporting
    ● Reduce overall risk of internal threat

    Permissions

    ● Rule-based criteria, based on tags

    ● What assets can be viewed?

    ● Scanning of existing, or new, assets

    ● User groups and/or individual users are assigned permissions

    Plan Your Tags

    Every tag you create automatically creates a new corresponding Permission!

    User Groups

    ● Individually assigned

    ● Common permission

    ● Users can be in multiple groups

    Roles vs. Permissions

    ● Roles control what a user can DO.

    ● Permissions control what a user can SEE.

    Summary

    ● Access control components are Users, User Groups, Permissions, and Roles.

    ● Permissions define which assets can be viewed, and scanned.

    ● User groups and roles can give users common capabilities within Tenable Vulnerability Management.

    Setting Up Permissions with Tags

    Tags

    ● Create groups of assets that have common criteria for permissions, reporting, etc.

    ● Manual or rules-based criteria are available.

    Default Permissions

    ● Administrators: All admin users can see all assets and perform all functions. This cannot be changed.

    ● Access All Assets: By default, all users can see all assets! This should be changed.

    Summary

    ● Permissions define which assets can be viewed, and whether those assets can be scanned. They also allow users to use the associated tags for analysis and reporting.

    ● For every tag, a new corresponding permission is added.

    ● Be very aware of the default “Access All Assets” permission. Best practice is to either delete or edit it, to limit your cyber risk.

    User Group

    ● Best practice for assigning permissions

    ● Common permissions

    Single User

    ● Need to re-assign every permission if user leaves, or another user needs to be added

    Summary

    ● When assigning permissions, it is best practice to assign to a user group instead of an individual user.

    ● Roles can be used to give users common capabilities within Tenable Vulnerability Management. Check online documentation for the latest role descriptions.

    ● To reduce cyber risk, plan out requirements first, ensuring that each user is assigned a role and permissions with the least privilege needed.

    Object User Permissions

    • Access to functions 
    • Access to assets 
    • Access to objects

    What is an Object?

    • Scanner Group
    • Agent Group
    • Managed Credential
    • Scan

    Permissions Vary by Object (* marks the default for users with no explicit assignment)

    Scan:

    ● No access*

    ● Can view

    ● Can execute

    ● Can edit

    Linked Scanner and Scanner Group:

    ● Can use*

    ● No access

    ● Can manage

    Role Access always overrides user permissions:

    ● Regardless of assigned user permissions, all users with an Administrator role have the highest permissions for an object by default.

    ● Other roles limit access (e.g., if you assign ‘Can View’ permissions for a scan to a user with a Basic role, the user will still not be able to view that scan.)
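The resolution rules from "Setting Up Permissions with Tags" and "Permissions Vary by Object" written out as code, as an added example that is not Tenable's implementation. It covers both halves of the model: tag-based permissions decide which assets a user can see (including the effect of leaving the default "Access All Assets" permission in place), and role caps object permissions (Administrator always gets the top level, Basic gets none whatever was assigned). The role names are those documented at the time of writing (Basic, Scan Operator, Standard, Scan Manager, Administrator); the users, groups, tags and assets are constructed, and two details are assumptions: that the default permission grants Can View and Can Scan, and that roles other than Administrator and Basic leave an assigned object permission unchanged.

```python
"""Model of Tenable VM access-control resolution.

Added example, not Tenable's code. Roles control what a user can DO;
tag-based permissions control what a user can SEE (and scan); object
permissions are capped by role. Users, groups, tags and assets are
constructed. Assumptions are marked in comments.
"""
from dataclasses import dataclass

ALL_USERS = "All Users"
ACCESS_ALL_ASSETS = "All Assets"   # the tag-less default permission


@dataclass(frozen=True)
class User:
    name: str
    role: str
    groups: frozenset = frozenset()

    def subjects(self) -> set:
        """Identities a permission can be granted to that cover this user."""
        return {self.name, ALL_USERS} | set(self.groups)


@dataclass(frozen=True)
class Permission:
    tag: str              # "Category:Value", or ACCESS_ALL_ASSETS
    actions: frozenset    # subset of {"Can View", "Can Scan"}
    subjects: frozenset   # user names, group names, or ALL_USERS


def visible_assets(user: User, assets: dict, permissions: list) -> list:
    """Assets the user can see. Administrators see everything; this cannot be changed."""
    if user.role == "Administrator":
        return list(assets)
    out = []
    for asset_name, tags in assets.items():
        for p in permissions:
            if "Can View" not in p.actions or not (p.subjects & user.subjects()):
                continue
            if p.tag == ACCESS_ALL_ASSETS or p.tag in tags:
                out.append(asset_name)
                break
    return out


SCAN_LEVELS = ["No access", "Can view", "Can execute", "Can edit"]


def effective_scan_access(user: User, assigned: str = "No access") -> str:
    """Role overrides the object permission: Administrator gets the top level,
    Basic gets nothing. Other roles keep the assigned level (assumption)."""
    if user.role == "Administrator":
        return SCAN_LEVELS[-1]
    if user.role == "Basic":
        return SCAN_LEVELS[0]
    return assigned if assigned in SCAN_LEVELS else SCAN_LEVELS[0]


# Constructed tenant: three assets, two tags, a group, and four users.
ASSETS = {"web01": {"Env:Prod"}, "db01": {"Env:Prod", "Data:PCI"}, "jenkins": {"Env:Dev"}}
ALICE = User("alice", "Standard", frozenset({"AppSec"}))
BOB = User("bob", "Scan Operator")
CAROL = User("carol", "Administrator")
DAVE = User("dave", "Basic")

# Assumption: the default permission grants Can View and Can Scan to all users.
DEFAULT_PERMISSION = Permission(ACCESS_ALL_ASSETS, frozenset({"Can View", "Can Scan"}),
                                frozenset({ALL_USERS}))
# The permission auto-created for the Env:Prod tag, granted to the AppSec group.
PROD_PERMISSION = Permission("Env:Prod", frozenset({"Can View", "Can Scan"}),
                             frozenset({"AppSec"}))


def scenario(keep_default: bool) -> dict:
    """What alice and bob can see with and without the default permission."""
    perms = [PROD_PERMISSION] + ([DEFAULT_PERMISSION] if keep_default else [])
    return {u.name: visible_assets(u, ASSETS, perms) for u in (ALICE, BOB)}


if __name__ == "__main__":
    print("default kept   :", scenario(True))
    print("default removed:", scenario(False))
    for u, assigned in ((CAROL, "No access"), (DAVE, "Can view"), (ALICE, "Can view")):
        print(f"{u.name} ({u.role}) assigned {assigned!r} -> {effective_scan_access(u, assigned)!r}")
```

With the default permission kept, bob sees the PCI database even though no one granted him anything, which is the reason the summary above says to delete or edit "Access All Assets" before relying on tag scoping.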

    Summary

    ● Many objects such as scans, credentials, agent groups and scanner groups allow you to assign specific permissions to users and user groups.

    ● The capabilities of an assigned role always override user permissions on an object.

    ● Administrators can use the User Assist function to ensure permissions are set correctly.

    • www.tenable.com/webinars
    • youtube.com/TenableProductEducation
    • community.tenable.com
    • university.tenable.com
    • docs.tenable.com
