In the spring of 2014, the Center for Internet Security (CIS), Council on CyberSecurity (CCS), and the National Governors Association Governors Homeland Security Advisors Council launched a security awareness initiative called the Cyber Hygiene Campaign. This campaign is a multi-year effort to provide a low-cost program to achieve immediate and effective defenses against cyber attacks. SecurityCenter Continuous View (CV) supports the campaign in several ways by detecting vulnerabilities actively, passively, and through event log analysis.
In support of the Cyber Hygiene Campaign, Tenable has created a series of dashboard collections described in the “Tenable Solutions for the Cyber Hygiene Campaign” technical paper. These dashboards focus on the five actions identified by the first phase of the Cyber Hygiene Campaign. SecurityCenter CV’s proactive continuous network monitoring identifies the biggest risks across the entire organization, and Tenable’s unique sensors and analytics enable the organization to assess how well the security program is performing the five actions:
- Inventory Authorized and Unauthorized Devices - SecurityCenter CV performs automated discovery of devices by utilizing its network monitoring capability in conjunction with scanning and log collection. SecurityCenter CV has the ability to discover physical, virtual, and mobile devices across the organization as soon as the devices connect to the network.
- Inventory Authorized and Unauthorized Software - Identifying software installed on a computer is possible using event correlation, passive detection, and active scanning. When performing active scans, Nessus can use WMI and SSH to identify installed software. Nessus can also identify software based on vulnerabilities detected. Each plugin contains the applicable CPE strings as well, which allows for more exact filter matching. Passive detection plugins, which use several fingerprinting techniques to identify the applications on a network, also exist. In addition, when workstations and servers have the LCE Client installed, software installation and update log events can be tracked.
- Develop and Manage Secure Configurations for all Devices - Monitoring for configuration changes can be difficult; however, with LCE Clients installed, workstations and servers can provide detailed log events with each configuration change. For network devices such as routers and switches, event logs can be captured to monitor for configuration change events. Using PVS, events like “Never Before Seen” or “New Port Usage” can also be tracked. PVS also monitors for trusted client and server connections. When a new web server comes online, PVS and LCE can detect this and alerts can be sent to the security team by SecurityCenter CV.
- Conduct Continuous Vulnerability Assessment and Remediation - Many organizations perform periodic scanning and control the scans manually. SecurityCenter CV has the ability to schedule distributed scans across scan zones. Scan zones allow the organization to assign a scanner to a group of targets based on IP subnet, so scanning over WAN links or other congestion points can be avoided. The best approach is to consider moving beyond periodic scans to continuous network monitoring with SecurityCenter CV. This allows organizations to monitor their network health in real time, and also to manage any risks, threats, or variances as they emerge.
- Actively Manage and Control the Use of Administrative Privileges - Monitoring the use of elevated privileges and who has them is critical to the security of any organization. However, in today’s environment of client-side attacks, this monitoring is even more crucial. The best practice is to have a system administrator with two accounts: a regular user account and an administrative account. Using Nessus and LCE, SecurityCenter CV can easily track group memberships and admin-related events.
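The group-membership tracking described under the last action, shown as an added example rather than Tenable's own code: it replays constructed Windows Security records (event IDs 4728/4732/4756 for members added to global/local/universal groups, 4729/4733/4757 for removals), alerts whenever a privileged group gains a member, and keeps the resulting membership. The `timestamp key=value` record layout is an assumption made for the example, not LCE's export format.

```python
"""Replay Windows Security group-membership events (the kind an LCE client
would forward from a domain controller or workstation) to flag additions to
privileged groups and keep a running view of who holds them.  Added example;
the records below are constructed and their key=value layout is an assumed
export format, not LCE's own."""
import re
from collections import defaultdict

ADD_EVENTS = {4728, 4732, 4756}     # member added to a global / local / universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from a global / local / universal group
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}

# key=value pairs; quoted values may contain spaces (Group="Domain Admins").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict with an integer EventID."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, value in FIELD_RE.findall(rest):
        event[key] = value.strip('"')
    event["EventID"] = int(event["EventID"])
    return event


def replay(lines):
    """Return (alerts, membership): one alert per addition to a privileged group,
    and each group's members once every add/remove event has been applied."""
    membership = defaultdict(set)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] in ADD_EVENTS:
            membership[ev["Group"]].add(ev["Member"])
            if ev["Group"].lower() in PRIVILEGED_GROUPS:
                alerts.append(f'{ev["ts"]} {ev["Subject"]} added {ev["Member"]} '
                              f'to {ev["Group"]} on {ev["host"]}')
        elif ev["EventID"] in REMOVE_EVENTS:
            membership[ev["Group"]].discard(ev["Member"])
    return alerts, dict(membership)


SAMPLE_LOG = [  # constructed records, not real log data
    r'2014-05-01T08:00:03Z host=DC01 EventID=4624 LogonType=2',
    r'2014-05-01T09:15:40Z host=DC01 EventID=4728 Subject=CORP\adm-jdoe Member=CORP\svc-backup Group="Domain Admins"',
    r'2014-05-01T09:16:02Z host=WS042 EventID=4732 Subject=WS042\localadm Member=CORP\jsmith Group=Administrators',
    r'2014-05-01T09:30:11Z host=DC01 EventID=4728 Subject=CORP\adm-jdoe Member=CORP\jsmith Group="Help Desk"',
    r'2014-05-01T17:45:22Z host=DC01 EventID=4729 Subject=CORP\adm-jdoe Member=CORP\svc-backup Group="Domain Admins"',
]

if __name__ == "__main__":
    alerts, members = replay(SAMPLE_LOG)
    print("\n".join(alerts))
    print({g: sorted(m) for g, m in members.items()})
```

Removal events are applied to the membership view but are not alerted on, so the two alerts this sample produces are the additions to Domain Admins and to the local Administrators group.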
SecurityCenter CV enables the organization to react to advanced threats, zero-day vulnerabilities, and new forms of regulatory compliance. Nessus allows analysts to run credentialed scans and discovery scans to interrogate systems on the network and identify vulnerabilities and compliance status. The Log Correlation Engine (LCE) provides log inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. The Passive Vulnerability Scanner (PVS) performs deep packet inspection enabling discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. SecurityCenter CV provides a unique combination of detection, reporting, and pattern recognition utilizing industry-recognized algorithms and models.
The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed by searching for the terms Cyber Hygiene.
The dashboard requirements are:
- SecurityCenter 4.8.1
- Nessus 5.2.7
- LCE 4.4
- PVS 4.0.3
Inventory Authorized and Unauthorized Devices - Maintaining an inventory of systems on the network can be a monumental task, as many organizations have different groups responsible for system inventories. This collection of components provides information to analysts and auditors about systems discovered on the network and device inventory.
Inventory Authorized and Unauthorized Software - A good vulnerability management program requires that an organization also know the software installed on its systems. This dashboard and its components provide information to analysts about the software that is discovered on the network.
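An added example of the authorized/unauthorized software check this dashboard supports, using the CPE strings that Nessus plugins report (this is illustration code, not SecurityCenter or Nessus code): it parses CPE 2.2 URIs, treats blank rule fields as wildcards, and lists every (host, software) pair not covered by the allowlist. The allowlist, hosts and CPE values are constructed for the example.

```python
"""Match software discovered on hosts (expressed as CPE 2.2 URIs, the form
Nessus plugins report) against an authorized-software list and flag what is
unauthorized.  Added example; the hosts and CPE values below are constructed."""

# Field order of a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri: str) -> dict:
    """Split a CPE 2.2 URI into named fields; trailing fields that are absent
    become "" which this example treats as "any"."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if not parts[0] or len(parts) > len(CPE_FIELDS):
        raise ValueError(f"malformed CPE 2.2 URI: {uri!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def cpe_matches(rule: str, observed: str) -> bool:
    """A rule covers an observed CPE when every field the rule specifies equals
    the observed field (case-insensitively); blank rule fields act as wildcards,
    so cpe:/a:openbsd:openssh covers every OpenSSH version."""
    r, o = parse_cpe(rule), parse_cpe(observed)
    return all(r[f] == "" or r[f].lower() == o[f].lower() for f in CPE_FIELDS)


def unauthorized_software(inventory, allowlist):
    """Return the (host, cpe) pairs from the inventory not covered by any rule."""
    return [(host, cpe) for host, cpe in inventory
            if not any(cpe_matches(rule, cpe) for rule in allowlist)]


# Constructed allowlist: OpenSSH (any version), Office 2013 only, Windows 7 (any SP).
ALLOWLIST = [
    "cpe:/a:openbsd:openssh",
    "cpe:/a:microsoft:office:2013",
    "cpe:/o:microsoft:windows_7",
]

# Constructed scan results as (host, cpe) pairs; the vendor/product names are placeholders.
INVENTORY = [
    ("10.0.0.5", "cpe:/a:openbsd:openssh:7.4"),
    ("10.0.0.5", "cpe:/a:examplevendor:remote_admin_tool:3.1"),
    ("10.0.0.9", "cpe:/a:microsoft:office:2010"),
    ("10.0.0.9", "cpe:/o:microsoft:windows_7::sp1"),
]

if __name__ == "__main__":
    for host, cpe in unauthorized_software(INVENTORY, ALLOWLIST):
        print(f"UNAUTHORIZED {host} {cpe}")
```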
Develop and Manage Secure Configurations for all Devices - Hardening systems and maintaining secure configurations can be difficult. There are several industry standards available to organizations such as NIST 800-53, CIS, and CSC. SecurityCenter CV has the ability to audit system configurations according to these standards.
Conduct Continuous Vulnerability Assessment and Remediation - Detecting vulnerabilities requires a diligent information security team and the ability to detect vulnerabilities in several ways. SecurityCenter CV has the ability to monitor for vulnerabilities using active, passive, and event-based detection.
Actively Manage and Control the Use of Administrative Privileges - A common problem found in networks is that too many accounts with administrative privileges exist. This dashboard provides information about which users have administrative control and how this control is used.