The first step in many security best-practice guidelines is to identify all the systems on the network. Several methods can be used for this purpose, such as actively sending PING messages to each host, identifying hosts from log entries, and passive listening. The Host Discovery dashboard provides an easy method of tracking host counts and detection methods.
SecurityCenter uses active scanning and agent scanning to interactively communicate with targets on the network. Both methods use the Nessus vulnerability scanner to craft packets and send them to remote hosts. One of the message types sent is a Packet Internet Gopher (PING), which uses the Internet Control Message Protocol (ICMP) to send an “Echo Request” to a host. The remote host sends an “Echo Reply” for each request received. The content of the echo reply varies by OS implementation, but the exact same payload must be returned to the host that sent the echo request. This process uses Plugin ID 10180 (Ping the remote host) to discover hosts on the network. A second method uses Plugin ID 19506 (Nessus Scan Information), which contains a summary of the scan parameters, the time taken to complete the scan, and other useful information. In many cases both plugins 10180 and 19506 will be present, but in some cases 10180 may be absent due to environmental factors. To accurately detect systems discovered using active plugins, ensure both 10180 and 19506 are selected.
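The echo exchange described above, as an added example that is not part of the dashboard page or of Nessus itself: the code builds an ICMP Echo Request with a valid RFC 1071 checksum, then checks a candidate reply the way a discovery tool would, requiring the reply to be type 0 with the same identifier, sequence number and byte-for-byte payload as the request. The packet bytes are constructed in memory, so it runs offline without raw sockets; the identifier and payload values are arbitrary sample data.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message with a zero byte
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo message (type 8 request or type 0 reply) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, checksum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP message into header fields and payload, verifying the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "ident": ident,
        "seq": seq,
        "payload": packet[8:],
        # a message whose checksum field is correct sums to 0xFFFF, so re-checksumming yields 0
        "checksum_ok": icmp_checksum(packet) == 0,
    }


def is_matching_reply(request: bytes, reply: bytes) -> bool:
    """True when reply is a well-formed Echo Reply to request: same id, sequence and payload."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (
        rep["type"] == ICMP_ECHO_REPLY
        and rep["code"] == 0
        and rep["checksum_ok"]
        and rep["ident"] == req["ident"]
        and rep["seq"] == req["seq"]
        and rep["payload"] == req["payload"]
    )


if __name__ == "__main__":
    # Constructed exchange: the request a scanner might send and the reply a host would return.
    request = build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, b"host-discovery-probe")
    good_reply = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"host-discovery-probe")
    altered_reply = build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, b"different-payload!!!")
    print("request hex:", request.hex())
    print("good reply matches:", is_matching_reply(request, good_reply))
    print("altered reply matches:", is_matching_reply(request, altered_reply))
```

A reply that fails any of these checks is the kind of result behind an absent plugin 10180: the host may be up, but ICMP was filtered or mangled on the way, which is why the page recommends also selecting 19506.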
SecurityCenter Continuous View (CV) supports active scan data collected using Nessus, but data can also be collected from host data or passive listening. Host data is gathered by the Log Correlation Engine (LCE), which monitors data sources such as NetFlow, firewall logs, host logs, and other logs of TCP communications. For each discovered TCP communication event that is not related to TASL events, a new plugin 800000 (Host Discovered) entry is created. The discovered IP addresses must be part of the Internal Host setting, and the logs must indicate that a connection was established. Passive listening uses the Passive Vulnerability Scanner (PVS) to detect new devices using plugin 12 (Host TTL Discovered). PVS identifies a host if it is part of the monitored range configured in PVS and its IP address is found in either the source or destination field of the IP packet.
Using the active scanning, agent scanning, passive listening, and host data sensors, SecurityCenter CV can provide a more comprehensive view of devices accessing the network. By practicing continuous monitoring, organizations can more effectively assess risk and identify authorized and unauthorized systems on their network.
The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The dashboard requirements are:
- SecurityCenter 4.8.2
- Nessus 6.5.6
- LCE 4.8.0
- PVS 5.0.0
As hosts connect to the network, the race begins to identify all the vulnerabilities and assess how each system will affect the network. Only Tenable can automatically analyze information from active scanning, intelligent connectors, agent scanning, passive listening, and host data. Active scanning periodically examines hosts to determine the level of risk posed to the organization. Intelligent connectors leverage other security investments in the environment to integrate security data in order to improve context and analysis. Agent scanning provides the ability to rapidly assess hosts without the need for credentials and to detect hosts that were offline during active scans. Passive listening provides real-time monitoring to collect information about hosts connected to the network and how the hosts are communicating. Host data uses logs, file system activity, and configuration changes to actively monitor host activities and events to identify malicious activity and anomalous behavior.
Host Discovery - Discovery Methods: This matrix provides a list of host detection methods, allowing the organization to monitor the coverage of each sensor. The “Nessus Discovered” and “OS Discovered” cells identify active scanning and agent scanning. The “New MAC Discovered” and “LCE Discovered” cells are populated by host data. Passive listening is represented by the “PVS Discovered” cell and is also combined with host data in the “PVS New Host” and “PVS New Web Agent” cells. All the cells together provide a detailed summary of host counts and detection methods.
Host Discovery - Hosts Per Class C: This table displays hosts detected across /24 network blocks using active scanning, passive listening, and host data. The table is sorted by host count in descending order. Security teams can modify the component to report across /16 or /8 network blocks.
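The plugin-selection advice given earlier (count a host as actively discovered if either 10180 or 19506 is present) and the per-block table described in this component, worked through as an added example that is not code from the dashboard or from SecurityCenter. It uses the plugin IDs named on the page (10180, 19506, 12 and 800000); the host-to-plugin mapping is constructed sample data standing in for exported scan results, and the sensor-type labels are this example's own.

```python
import ipaddress
from collections import Counter

# Plugin IDs named on the dashboard page
PING_THE_REMOTE_HOST = 10180      # Nessus: ICMP echo succeeded
NESSUS_SCAN_INFORMATION = 19506   # Nessus: scan summary, present even when ping is blocked
HOST_TTL_DISCOVERED = 12          # PVS: host seen passively
HOST_DISCOVERED = 800000          # LCE: host seen in TCP connection logs

ACTIVE_PLUGINS = {PING_THE_REMOTE_HOST, NESSUS_SCAN_INFORMATION}

# Constructed sample: IP address -> set of plugin IDs reported for that host.
SAMPLE_RESULTS = {
    "10.0.1.10": {PING_THE_REMOTE_HOST, NESSUS_SCAN_INFORMATION},
    "10.0.1.11": {NESSUS_SCAN_INFORMATION},          # ICMP filtered: scanned, but no 10180
    "10.0.1.12": {HOST_TTL_DISCOVERED},               # passive listening only
    "10.0.2.20": {HOST_DISCOVERED},                   # host data only
    "10.0.2.21": {PING_THE_REMOTE_HOST, NESSUS_SCAN_INFORMATION, HOST_TTL_DISCOVERED},
    "192.168.5.5": {HOST_TTL_DISCOVERED, HOST_DISCOVERED},
}


def active_hosts(results, filter_plugins):
    """Hosts a dashboard filter on *any* of filter_plugins would count as actively discovered."""
    wanted = set(filter_plugins)
    return sorted(ip for ip, plugins in results.items() if plugins & wanted)


def classify_sensors(results):
    """Map each host to the set of sensor types that observed it."""
    sensors = {}
    for ip, plugins in results.items():
        seen = set()
        if plugins & ACTIVE_PLUGINS:
            seen.add("active")
        if HOST_TTL_DISCOVERED in plugins:
            seen.add("passive")
        if HOST_DISCOVERED in plugins:
            seen.add("host_data")
        sensors[ip] = seen
    return sensors


def single_sensor_hosts(results):
    """Hosts seen by exactly one sensor type: the coverage gaps worth investigating."""
    return sorted(ip for ip, seen in classify_sensors(results).items() if len(seen) == 1)


def hosts_per_block(ips, prefixlen=24):
    """Count hosts per network block (24 gives Class C-sized /24s; use 16 or 8 for larger
    blocks), sorted by descending count and then by block for a stable order."""
    counts = Counter()
    for ip in ips:
        block = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(block)] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("10180 only:     ", active_hosts(SAMPLE_RESULTS, [PING_THE_REMOTE_HOST]))
    print("10180 or 19506: ", active_hosts(SAMPLE_RESULTS, ACTIVE_PLUGINS))
    print("single sensor:  ", single_sensor_hosts(SAMPLE_RESULTS))
    for prefix in (24, 16, 8):
        print(f"/{prefix}:", hosts_per_block(SAMPLE_RESULTS, prefix))
```

Filtering on 10180 alone drops the host whose ICMP was filtered; including 19506 recovers it, which is the page's point. The `prefixlen` argument mirrors the component's /24, /16 and /8 options.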
Host Discovery - Discovery Over the Last 25 Days: This chart displays hosts detected over time using active scanning, passive listening, and host data.
Network Mapping - New MAC Addresses in Last 30 Days: This table lists all the new MAC addresses that have never been observed before on the network, and that were first observed in the last 30 days. Tenable's LCE sets the New_MAC event when a new, never-before-seen MAC address is observed on the network. This table reports those New_MAC events, displaying the time observed and the raw syslog text, which contains the new MAC address and its associated IP address. Discovering new hosts on the network can assist an organization in maintaining an accurate inventory and detecting rogue devices.
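The never-before-seen MAC logic this table relies on, as an added example that is not LCE's code and does not reproduce its New_MAC event format: it scans raw syslog text for a MAC address and an associated IPv4 address, normalizes the MAC so colon and hyphen spellings collapse to one identity, and emits one event per address absent from the baseline of known MACs. The log lines are constructed sample data (dhcpd-style DHCPACK lines plus an invented switch ARP line), and the event fields are this example's own choice.

```python
import re

# Accepts aa:bb:cc:dd:ee:ff and AA-BB-CC-DD-EE-FF; a timestamp like 10:00:01 has only three groups
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
IPV4_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})\b")


def normalize_mac(mac: str) -> str:
    """Canonical form so the same adapter is not reported twice under two spellings."""
    return mac.replace("-", ":").lower()


def detect_new_macs(lines, known_macs):
    """Return one New_MAC-style event per never-before-seen MAC address.

    known_macs is the baseline of MACs already observed; it is updated in place so a
    MAC that appears in several lines produces a single event.
    """
    events = []
    for raw in lines:
        match = MAC_RE.search(raw)
        if not match:
            continue  # no MAC address in this line
        mac = normalize_mac(match.group(1))
        if mac in known_macs:
            continue
        known_macs.add(mac)
        ip_match = IPV4_RE.search(raw)
        events.append({
            "time": raw[:15],  # classic syslog "Mon DD HH:MM:SS" prefix
            "mac": mac,
            "ip": ip_match.group(1) if ip_match else None,
            "raw": raw,
        })
    return events


# Constructed sample syslog lines; the "%ARP" switch line is an invented format.
SAMPLE_LINES = [
    "Jan 10 10:00:01 dhcp-srv dhcpd: DHCPACK on 10.0.1.50 to 00:1a:2b:3c:4d:5e via eth0",
    "Jan 10 10:02:17 dhcp-srv dhcpd: DHCPACK on 10.0.1.51 to 00:1a:2b:3c:4d:5f via eth0",
    "Jan 10 10:02:18 core-sw1 %ARP: 10.0.1.51 00-1A-2B-3C-4D-5F learned on Gi1/0/7",
    "Jan 10 10:05:44 dhcp-srv dhcpd: DHCPACK on 10.0.3.9 to 08:00:27:aa:bb:cc via eth1",
    "Jan 10 10:06:00 dhcp-srv dhcpd: DHCPDISCOVER from 08:00:27:aa:bb:cc via eth1",
    "Jan 10 10:07:12 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.1.51 DST=8.8.8.8",
]


if __name__ == "__main__":
    # Baseline of MACs already inventoried; only the first sample line's MAC is known.
    baseline = {"00:1a:2b:3c:4d:5e"}
    for event in detect_new_macs(SAMPLE_LINES, baseline):
        print(f"{event['time']}  New_MAC  {event['mac']}  ip={event['ip']}")
```

The second and third sample lines carry the same adapter in two spellings and yield a single event, and the firewall line without a MAC is skipped. Running the function again with the updated baseline returns nothing, which is the behaviour a 30-day "first observed" table depends on.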