Logging, Monitoring & Intrusion Detection

VNC Detection

by Michael Willison
July 29, 2014

By analyzing risks on the network, Tenable SecurityCenter Continuous View (SC CV) with Nessus and PVS provides detailed dashboard information about VNC vulnerabilities, exploits, events, and related traffic flows. Many remote desktop programs are based on Virtual Network Connection (VNC) technology and are supported by a variety of operating systems. VNC uses the Remote Frame Buffer protocol (RFB) to remotely control another computer over the network. The ability to remotely control systems increases productivity and supportability when systems and networks are geographically diverse. A common use for VNC is for a support team to access a user's desktop while the user is there to observe the tasks, or for applying patches.

RFB does not use encryption natively, and therefore VNC is not an inherently secure technology. VNC's lack of encryption can allow attackers to sniff the network and capture passwords, keystrokes, Social Security numbers, and credit card numbers. Additionally, attackers often use VNC as a post-exploitation method for maintaining access to victims' computers. For this reason, Microsoft developed its own technology called Remote Desktop Protocol (RDP).

Tenable's VNC Detection dashboard has six components that report on VNC vulnerabilities, exploits, and VNC network traffic flow. By understanding the vulnerabilities and their severities, SC CV users can better assess risk and prioritize mitigations for discovered vulnerabilities. Furthermore, knowing which vulnerabilities are exploitable helps security professionals resolve threats before attacks occur. Understanding the normal network traffic flow and the direction of VNC communications allows for anomaly analysis and increases the likelihood of breach detection. This dashboard provides all of these tools and trending to help identify which VNC vulnerabilities exist, as well as their associated risks.

FireEye Events Dashboard

by Josef Weiss
July 23, 2014

This dashboard displays a summary status of FireEye events, providing an overview of collected events using several techniques. This event data provides the analyst with many different methods to quickly respond to triggered alerts.

SSH Detection Dashboard

by Michael Willison
July 18, 2014

This dashboard provides information on SSH remote access vulnerabilities, exploits, and network traffic flow. SSH (Secure Shell) is used by *nix, Mac OS, and Windows to remotely manage other devices on the network.

Tenable Admin

by Josef Weiss
July 10, 2014

This dashboard provides an administrative overview of Tenable applications and highlights potential problems. Its eight components provide indications of common problems, allowing the administrator to quickly take action to resolve concerns and to minimize the potential loss of vulnerability or event data.

Event Analysis

by Josef Weiss
June 24, 2014

This dashboard contains a series of components that provide an analysis of collected events over time.

Passive Network Forensics

by David Schwalenberg
April 30, 2014

This dashboard presents information passively detected over the last 72 hours, such as summaries of domains accessed and indicators of suspicious network activity. This information can be helpful for network monitoring and forensics.

PVS Trust Relationships

by Josef Weiss
March 11, 2014

This dashboard presents trust relationships between clients and servers that have been passively gathered via PVS plugins 3 and 15. These plugins collect data on internal trusted client connections and internal trusted server connections. Results are sorted by TCP port and displayed in a series of matrix indicators within the individual components. Viewing the plugin output provides insight into which devices are establishing trusted connections to each other.

Event Vulnerabilities

by Cody Dumont
February 13, 2014

This dashboard highlights the vulnerabilities discovered from the events collected from the Log Correlation Engine (LCE). Using exploitable vulnerability and vulnerability trending graphs, this dashboard helps security managers identify vulnerabilities without scanning the remote systems.

Event Vulnerability Indicators

by Cody Dumont
January 30, 2014

The dashboard contains a series of components that provide an easy way to view vulnerabilities identified by the Log Correlation Engine (LCE). By using different color schemes, the user is able to identify quickly which vulnerabilities pose more risk than others.

NERC – (CIP-002) Identification of Critical Cyber Assets

by Cody Dumont
January 2, 2014

For organizations that are required to be NERC compliant, SecurityCenter can lead the way to compliance. The first focus area is the "Identification of Critical Cyber Assets". SecurityCenter uses the Log Correlation Engine (LCE), Passive Vulnerability Scanner (PVS), and Nessus to identify assets. When using the complete Tenable family of products, an organization can easily identify all critical assets and all associated assets.