The first step in many security practice guidelines is to identify all the systems on the network. Several methods can be used for this purpose, such as actively sending PING messages to each host, identifying hosts from log entries, and passive listening. The Host Discovery report provides an easy method of tracking host counts and detection methods.
SecurityCenter uses active scanning and agent scanning to interactively communicate with targets on the network. Both active scanning and agent scanning use the Nessus vulnerability scanner to craft packets and send them to remote hosts. One of the types of messages that is sent is a Packet Internet Groper (PING), which uses the Internet Control Message Protocol (ICMP) to send an “Echo Request” to a host. The remote host sends an “Echo Reply” for each request received. The content of the echo reply varies based on OS implementation, but the exact same payload must be returned to the host that sent the echo request. Nessus uses Plugin ID 10180 (Ping the remote host) to discover hosts on the network. A second method of host detection uses Plugin ID 19506 (Nessus Scan Information), which contains a summary of the scan parameters, the time taken to complete the scan, and other useful information. In many cases both plugins 10180 and 19506 will be present, but in some cases 10180 may be absent due to environmental factors. To accurately detect systems discovered using active plugins, ensure both 10180 and 19506 are selected in the element filter.
SecurityCenter Continuous View (CV) supports active scan data collected using Nessus, but information can also be collected using host data or passive listening. Host data is gathered by the Log Correlation Engine (LCE), which monitors data sources such as NetFlow, firewall logs, host logs, and other logs of TCP communications. For each discovered TCP communication event that is not related to TASL events, a new plugin 800000 (Host Discovered) entry is created. The discovered IP addresses must be part of the Internal Host setting, and the logs must indicate that a connection was established. Passive listening uses the Passive Vulnerability Scanner (PVS) to detect new devices using plugin 12 (Host TTL Discovered). PVS identifies hosts if they are part of the monitored range configured in PVS and the IP address is found in either the source or destination field of the IP packet.
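As an added illustration (not part of the report or Tenable's own code), the following Python sketch applies the detection rules described above to a constructed set of plugin findings: either active plugin counts as an active detection, plugin 800000 counts only when the address falls inside the Internal Host ranges and the log showed an established connection, and plugin 12 counts only inside the PVS monitored range. The sensor names, the address ranges and the sample findings are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

ACTIVE_PLUGINS = {10180, 19506}  # Nessus: Ping the remote host / Nessus Scan Information
HOST_DATA_PLUGIN = 800000        # LCE: Host Discovered
PASSIVE_PLUGIN = 12              # PVS: Host TTL Discovered

class Finding(NamedTuple):
    ip: str
    plugin_id: int
    established: bool = True  # LCE events only: did the log show an established connection?

def discovery_methods(findings, internal_ranges, pvs_ranges):
    """Map each IP to the set of sensors ('active', 'host_data', 'passive') that saw it."""
    internal = [ip_network(n) for n in internal_ranges]  # Internal Host setting (assumed values)
    monitored = [ip_network(n) for n in pvs_ranges]      # PVS monitored range (assumed values)
    seen = defaultdict(set)
    for f in findings:
        addr = ip_address(f.ip)
        if f.plugin_id in ACTIVE_PLUGINS:
            # 10180 can be absent on some hosts, so 19506 alone still counts as an active
            # detection; this mirrors selecting both plugins in the element filter.
            seen[f.ip].add("active")
        elif f.plugin_id == HOST_DATA_PLUGIN:
            if f.established and any(addr in n for n in internal):
                seen[f.ip].add("host_data")
        elif f.plugin_id == PASSIVE_PLUGIN and any(addr in n for n in monitored):
            seen[f.ip].add("passive")
    return dict(seen)

def sensor_coverage(methods):
    """Hosts counted per sensor, the figure the Executive Summary chapter tracks over time."""
    counts = defaultdict(int)
    for sensors in methods.values():
        for sensor in sensors:
            counts[sensor] += 1
    return dict(counts)

SAMPLE = [  # constructed sample findings, not real scan output
    Finding("10.0.0.5", 10180), Finding("10.0.0.5", 19506),
    Finding("10.0.0.6", 19506),                      # 10180 absent, still an active detection
    Finding("10.0.0.7", 800000),
    Finding("10.0.0.9", 800000, established=False),  # no established connection: ignored
    Finding("192.168.1.9", 800000),                  # outside Internal Host setting: ignored
    Finding("10.0.0.8", 12),
    Finding("172.16.0.3", 12),                       # outside PVS monitored range: ignored
]
INTERNAL_RANGES, PVS_RANGES = ["10.0.0.0/8"], ["10.0.0.0/24"]
```

Running `sensor_coverage(discovery_methods(SAMPLE, INTERNAL_RANGES, PVS_RANGES))` on the sample yields two active, one host-data and one passive detection; the three ignored findings show why the Internal Host and monitored-range settings matter for the counts.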
Using the active scanning, agent scanning, passive listening, and host data sensors, SecurityCenter CV can provide a more comprehensive view of devices accessing the network. By practicing continuous monitoring, organizations can more effectively assess risk and identify authorized and unauthorized systems on their network.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The report requirements are:
- SecurityCenter 4.8.2
- Nessus 6.5.6
- LCE 4.8.0
- PVS 5.0.0
As hosts connect to the network, the race begins to identify all the vulnerabilities and assess how each system will affect the network. Only Tenable can automatically analyze information from active scanning, intelligent connectors, agent scanning, passive listening, and host data. Active scanning periodically examines hosts to determine the level of risk posed to the organization. Intelligent connectors leverage other security investments in the environment to integrate security data in order to improve context and analysis. Agent scanning provides the ability to rapidly assess hosts without the need for credentials and to detect hosts that were offline during active scans. Passive listening provides real-time monitoring to collect information about hosts connected to the network and how the hosts are communicating. Host data uses logs, file system activity, and configuration changes to actively monitor host activities and events to identify malicious activity and anomalous behavior.
Executive Summary - This chapter provides analysts with a current list of host detection methods, allowing the organization to monitor the coverage of each sensor. There is also a chart element that displays hosts detected over time using active scanning, passive listening, and host data.
Host Detection Details - The chapter provides the details for each of the discovery methods. For each discovery method, a detailed table is presented with information about each discovered host such as operating system, DNS name, discovery time, MAC Address, IP address, and more.