
Tenable Blog


Customizing a Security Policy with New SecurityCenter Assurance Report Cards

Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page.

Tenable recently defined 5 Critical Cyber Controls, common themes found in most major security standards and frameworks—such as NIST, PCI, and the SANS/Council on CyberSecurity Critical Security Controls—to help infosec professionals formulate a resilient security policy. Shortly after that, our developers created Assurance Report Cards™ (ARCs) for SecurityCenter Continuous View™ (SecurityCenter CV™). ARCs bridge the communication gap between security professionals and business executives by visually communicating the status of the most critical security issues in a familiar report card format. ARCs that represent Tenable’s 5 critical cyber controls are available with SecurityCenter CV to provide continuous assurance that your security program is effective:

Measuring and communicating security program effectiveness

Each ARC is a customer defined business objective expressed in terms of multiple policy statements. These policy statements are continuously evaluated by SecurityCenter, using Nessus® vulnerability scanners, Passive Vulnerability Scanner™ (PVS™) network sensors, and Log Correlation Engine™ (LCE™) logs. For example, when you drill down into CCC3 in SecurityCenter, you view the policies that are measured and monitored to determine the effectiveness of your network security:

ARCs expanded view

ARCs and their underlying policy statements are all customizable so you can create a security program and reporting mechanism that is relevant to your organization’s unique needs.

New ARCs

ARCs have become so popular with our customers that our developers are regularly adding new ARCs to the SecurityCenter Feed. Recent additions include these reports:

Web Services ARC

Web Services

The Web Services ARC references the Open Web Application Security Project (OWASP) Top Ten list of critical web application security flaws that can leave your organization vulnerable to network intrusions and data breaches. For example, the ARC looks for exploitable vulnerabilities, unsupported software, and security misconfigurations on systems running web services. This ARC uses Nessus and PVS information to monitor compliance with OWASP recommendations for secure web services.

Database Settings ARC

Database Settings

In an era of daily data breaches, database protection is crucial. The Database Settings ARC identifies exploitable weaknesses and compliance issues including the percentage of systems complying with patching requirements, the existence of default users and passwords, and default privilege levels left in database environments.

Networking Infrastructure Devices

This ARC monitors the health of network infrastructure devices and compliance with such policies as anti-malware and data protection. The heart of the ARC is built around standards from NIST 800-53, the PCI DSS, the SANS/Council on CyberSecurity Critical Security Controls, and DoD Instruction 8500.2, measuring for 95% compliance with key policies and requirements. The Networking Infrastructure Devices ARC uses data collected by Nessus and PVS.

Windows Server

A Windows Server that is exposed to exploitable vulnerabilities and misconfigurations is one of the biggest threats to your security program, opening a path for malicious attacks against the entire organization. This ARC uses NIST 800-53, DoD Instruction 8500.2, and the PCI DSS to evaluate compliance with data protection and anti-malware settings, patch management timeliness, and logging parameters. The Windows Server ARC uses data collected by Nessus and PVS to report results.

Windows End Clients

This ARC complements the Windows Server ARC by examining just the Windows end points for vulnerabilities and misconfigurations. Again referencing NIST, DoD, and PCI standards and using Nessus and PVS data for reporting, the Windows End Clients ARC measures for 95% of systems being free from unsupported software and unpatched vulnerabilities, and being compliant with site-defined anti-malware settings, data protection checks, and log settings.

Accounts and Passwords

This ARC measures compliance against password, account lockout and least privilege policies, using standards such as NIST 800-53, PCI DSS, and DoD Instruction 8500.2 as the authoritative sources. For example, policies state that 95% of account lockout, session termination and default password settings must be compliant to receive a passing grade in this ARC. The Accounts and Passwords ARC uses data collected by Nessus to report results.

Customizing ARCs for your security program

The new ARCs can be used to amplify the original 5 critical cyber control ARCs. For example, the Accounts and Passwords ARC measures more detail in support of CCC4: Authorize Users. The Windows Server ARC expands on CCC3: Deploy a secure network. As you harden a security program, you can add to the ARCs that you use for executive reporting, and you can edit the policy statements to match site-specific compliance requirements. ARCs are flexible and not meant to be rigid standards.
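To make the ARC model concrete, here is an added example (not SecurityCenter code or a Tenable export) that models an ARC as a set of per-host policy statements, each with a "percent of systems compliant" threshold, graded over constructed asset records; the Windows End Clients checks, the 95% threshold and the site-specific override are illustrative assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

# Constructed sample asset records standing in for the per-host findings that
# Nessus and PVS would feed SecurityCenter (hypothetical data, not real output).
ASSETS: List[Dict] = [
    {
        "host": f"win{i:02d}",
        "unsupported_software": False,
        "unpatched_vulns": 1 if i == 7 else 0,     # one host missing a patch -> 95% compliant
        "anti_malware_enabled": i not in (3, 12),  # two hosts without AV     -> 90% compliant
    }
    for i in range(20)
]


@dataclass(frozen=True)
class PolicyStatement:
    """One line of an ARC: a per-host check plus the share of hosts that must pass it."""
    name: str
    compliant: Callable[[Dict], bool]
    threshold_pct: float = 95.0


@dataclass(frozen=True)
class AssuranceReportCard:
    name: str
    statements: List[PolicyStatement]


def evaluate_statement(stmt: PolicyStatement, assets: List[Dict]) -> Dict:
    """Percent of assets satisfying the check, and whether that meets the threshold."""
    passing = sum(1 for a in assets if stmt.compliant(a))
    pct = 100.0 * passing / len(assets) if assets else 0.0   # no data never passes
    return {"statement": stmt.name, "percent": round(pct, 1), "pass": pct >= stmt.threshold_pct}


def grade_arc(arc: AssuranceReportCard, assets: List[Dict]) -> Dict:
    """An ARC receives a passing grade only when every policy statement passes."""
    results = [evaluate_statement(s, assets) for s in arc.statements]
    return {"arc": arc.name, "pass": all(r["pass"] for r in results), "results": results}


def with_threshold(arc: AssuranceReportCard, statement: str, pct: float) -> AssuranceReportCard:
    """Site-specific customization: copy the ARC with one statement's threshold changed."""
    stmts = [replace(s, threshold_pct=pct) if s.name == statement else s for s in arc.statements]
    return replace(arc, statements=stmts)


# Hypothetical approximation of the Windows End Clients ARC described above.
WINDOWS_END_CLIENTS = AssuranceReportCard("Windows End Clients", [
    PolicyStatement("No unsupported software", lambda a: not a["unsupported_software"]),
    PolicyStatement("No unpatched vulnerabilities", lambda a: a["unpatched_vulns"] == 0),
    PolicyStatement("Anti-malware configured", lambda a: a["anti_malware_enabled"]),
])
```

With the sample data the anti-malware statement sits at 90% and fails the card, which is exactly the case where a site would either remediate the two hosts or deliberately edit that statement's threshold.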

Check out the new ARCs and make them your own to visualize the effectiveness of your security program for executives and board members.

More resources

You can find all the new Assurance Report Cards in the Compliance category of the SecurityCenter Feed.

To learn more about ARCs, consult these resources:
