CSF: Data Leakage Monitoring

Data leakage happens when organizations lose track of where sensitive data is stored, the flow of sensitive data traversing the network, and who had access to that data. Any type of information on finances, credit cards, and personally identifiable information (PII) can be leaked both intentionally and unintentionally. Incidents can increase the risk of identity theft, stolen account information, and leakage of sensitive internal data, which can be costly and damaging to an organization’s reputation and business. This dashboard aligns with the NIST Cybersecurity Framework (CSF) PR.DS-1, PR.DS-2 and PR.DS-5 subcategories that allow an organization to monitor its network for data leakage, as well as detect vulnerabilities and activity on the network that could lead to data leakage.

The CSF provides guidance based on existing standards, guidelines, and practices that can be tailored to specific organizational needs. The Protect category is divided into multiple subcategories that address specific security requirements with Access Control, Awareness, Data Security, Policies and Procedures, Maintenance, and Technology Protection. The Data Security category (PR.DS) allows for information and records to be managed consistently and protects the confidentiality, integrity, and availability of organizational data.

This dashboard can assist the organization with monitoring data at rest, data in transit, and ensure the protection of sensitive data within a network. The Nessus Network Monitor(NNM) analyzes data in motion and can detect sensitive data, such as credit card numbers and Social Security numbers, as well as files traversing the network. Logged events from Data Loss Prevention (DLP) systems can be forwarded to the Log Correlation Engine (LCE). Nessus scans can identify vulnerabilities by keywords, services, and other events that could lead to data leakage. NNM also reports passive detections of data leakage across systems, ports, and subnets with the highest number of data leakage vulnerabilities. Lastly, a trend chart displaying both logged and passive detections of data leakage events is also included. The information presented in this dashboard can assist the organization by reducing data leakage, securing sensitive data, and monitoring for suspicious activity.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

• Tenable.sc 5.2.0
• Nessus 8.5.0
• LCE 6.0.0
• NNM 5.9.0

Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable’s Nessus Network Monitor (NNM), as well as log correlation with Tenable’s Log Correlation Engine (LCE). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network changes.

The following components are included in this dashboard:

• Data Leakage Monitoring - 25-Day Trend: This chart presents a 25-day data trend of both passive detections of data leakage and logged data leakage events. The passive detections are vulnerabilities reported by NNM in the 'Data Leakage' plugin family. The logged events are reported by LCE under the 'data-leak' event type. This component can be used to determine if any data leakage activity has occurred over the last 25 days.
• Data Leakage Monitoring - Vulnerabilities that Could Lead to Data Leakage: This component presents indicators by keyword for actively and passively detected vulnerabilities that could lead to data leakage. Vulnerabilities at all severity levels except Informational are included. The keywords cover disclosures, cryptographic issues, man-in-the-middle vulnerabilities, and weak authentication concerns. A purple indicator means that one or more vulnerabilities contain the keyword. Clicking on the indicator will bring up the analysis screen to display details on the vulnerabilities. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities are present. This component can be used to investigate vulnerabilities that could lead to data leakage.
• Data Leakage Monitoring - Activity with Potential for Data Leakage: This component presents indicators for activity detected on the network that has the potential for data leakage. The indicators are based on events logged in the last 72 hours and on actively and passively detected vulnerabilities. Indicators are included for such things as cloud interaction, outbound traffic to external IP addresses, peer-to-peer file sharing vulnerabilities, and USB usage. A purple indicator highlights a vulnerability/event detection. Clicking on a highlighted indicator will bring up the analysis screen to display details on the vulnerabilities/events. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities/events are present. This component can be used to investigate the potential for data leakage.
• Data Leakage Monitoring - Indicators: This component presents warning indicators to draw attention to types of data that may have been leaked and methods whereby data may be leaking. These indicators make use of both passive detections and events logged within the last 72 hours. A purple indicator highlights a vulnerability/event detection. In two cases (Credit Card Number and Social Security Number), there are two indicators: one to highlight data leakage detected passively and one to highlight data leakage detected through logged events. Clicking on a highlighted indicator will bring up the analysis screen to display details on the vulnerabilities/events. In the analysis screen, setting the tool to IP Summary will display the systems on which the vulnerabilities/events are present. This component can be used to further investigate any data leakage.
• Data Leakage Monitoring - Top 10 Subnets with the Most Passive Detections: This table presents the top 10 Class C subnets with the most passive detections of data leakage. These passive detections are vulnerabilities reported by NNM in the 'Data Leakage' plugin family. The list is ordered so that the subnet with the worst data leakage is at the top. A count of detections and a bar graph indicating the severity of the detections are given for each subnet.
• Data Leakage Monitoring - Top 10 Systems with the Most Passive Detections: This table presents the top 10 systems with the most passive detections of data leakage. These passive detections are vulnerabilities reported by NNM in the 'Data Leakage' plugin family. The list is ordered so that the system with the worst data leakage is at the top. A count of detections and a bar graph indicating the severity of the detections are given for each system.
• Data Leakage Monitoring - Top 10 Ports Most Associated with Passive Detections: This table presents the top 10 ports associated with the most passive detections of data leakage. These passive detections are vulnerabilities reported by NNM in the 'Data Leakage' plugin family. The list is ordered so that the port associated with the worst data leakage is at the top. A count of detections and a bar graph indicating the severity of the detections are given for each port.
• Data Leakage Monitoring - Top 10 Most Prevalent Passive Detections: This table presents the top 10 most prevalent passive detections of data leakage. These passive detections are vulnerabilities reported by NNM in the 'Data Leakage' plugin family. A count of detections is given for each vulnerability; the list is ordered so that the vulnerability with the greatest number of detections is at the top. The severity of the vulnerability and a count of hosts on which the vulnerability was observed are also given for each vulnerability.
• Data Leakage Monitoring - Top 10 Most Prevalent Passive Events (Last 72 Hours): This table presents the most prevalent logged data leakage events in the last 72 hours. The logged events are reported by LCE under the 'data-leak' event type, and include events forwarded via syslog from NNM. A count of occurrences is given for each logged event; the list is ordered so that the event that occurred most often is at the top. A trend graph is also given for each event.