Cybersecurity Asset Management

by Cody Dumont
March 13, 2014

Security professionals are often blindsided by some new corporate regulation or industry regulation, which a company has to be compliant with.  For the users of SecurityCenter CV, this is not as big of an issue, as the data may already exist and the components to collect the data may also be developed.  With the recent release of the Cybersecurity Framework, there are 22 categories, and numerous subcategories.  This dashboard is the first of many to come that illustrate how to use previously developed components to meet new reporting requirements. 

A whitepaper that discusses how Tenable products can help your organization meet the guidelines of the Cybersecurity Framework can be found at Vulnerability Management and Risk Assessment for the Cybersecurity Framework.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Discovery & Detection.

The dashboard requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.5
  • LCE 4.2.2
  • PVS 4.0.1

The first function in the Cybersecurity Framework (CSF) is Identify.  Per NIST, CSF Identify is defined as “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”  Each function has different categories, the first of which is Asset Management (ID.AM).  Assets are defined as the data, personnel, devices and systems used to accomplish the business’ purposes.

Tenable customers using SecurityCenter for past 6 months have been able to take advantage of the app feed with over 700 components.  Using the existing components, how can we create a dashboard without reinventing the wheel?

app feed landing screen

To accomplish this, we create a new blank dashboard.  Next, add the components using the app feed shown above.  The first component category we look at is the “Discovery & Detection” category.  Here we find over 50 components with a focus on discovery of devices and users on the network. To identify the devices, we need to understand what type of device the hosts are, and the “Device Profile” component is clearly the best for this example.  We can easily find this component by using tags such as “identify, asset, device, profile”.  This allows users to easily find components they are looking for.  

The next component we might look for is one that identifies new hosts.  Just as NIST did during the development of the CSF, we can look to other standards for this.  The SANS Critical Security Control 1 directs organizations to identify devices on the network.  There is a SANS Top 20 dashboard, and sure enough the first component is “SANS Control 1 - New Devices Detected”.  Some keywords that can be used to find this component are: asset, compliance, discovery, hosts, identify, new, and SANS. 

Next, we should look to other methods of asset identification.  Using LCE and PVS, new devices can be identified using the New_MAC and PVS-New_Host_Alert events.  Both allow LCE and PVS to report new hosts.  The significance of the PVS-New_Host_Alert over the PVS plugins is that LCE can maintain the history of the event, while PVS data is only stored for 7 days by default.  If we look into the app feed and choose Discovery & Detection, we find the component “New Hosts (Last 5 Days)”.  Keywords used to search for and find this component are: 5 days, discovery, hosts, identify, mac address, and new.

When using SecurityCenter CV, there are many methods of collecting data and inventorying systems.  The next component shows the user the percentage of systems discovered using Nessus, PVS and LCE.  Look in the app feed and choose the monitoring category.  Next, select each method to discover, scan, log, and sniff a component, called “Scan, Sniff and Log Coverage”.  This is a great component as it shows how systems are detected, and the security analyst can get a detailed view of how systems are detected.  Keywords to search for to find this component are: analysis, events, hosts, identify, log, scan, sniffed, and systems.

Another useful view shows which networks have the most hosts.  Using SecurityCenter CV, you can not only see the hosts, but with the Class C Summary tool, you can also see the host count for each subnet.  To locate a component for this purpose, we can go back to app feed and select the Discovery & Detection category, and then choose the keywords “subnet” and “asset”, a component called “Hosts Per Class C”.  This component is a table showing all networks on a Class C (24 bit subnet mask). Keywords to search for to find this component are: asset, discovery, hosts, identify, network, and subnet. 

The final component in this dashboard collection is a summary of vulnerabilities discovered on new systems.  For this table, we look in the category “Executive” and choose the keywords “identify” and “totals”.  The component “Executive Summary - Vulnerability Age” will become available.  This component provides a summary of each vulnerability severity and when the vulnerability was discovered.  Keywords to search for to find this component are: 30 days, 7 days, 90 days, hosts, identify, summary, totals, and vulnerabilities.

The app feed is a great tool for all Tenable customers using SecurityCenter, and it can provide them with a wealth of preconfigured components.  These components are easily arranged in a manner which streamlines the security reporting process.