Enterprise Sensitive Data Monitoring

Note: This blog entry was originally posted in April, 2007 and was updated on May 28, 2009

The SecurityCenter can be used to manage multiple Nessus scanners and Passive Vulnerability Scanners for continuous monitoring of sensitive data at rest and data in motion. This blog entry discusses various deployment scenarios that can be used to effectively perform data leakage detection.

Active and Passive Detection Methods

In March 2007, Tenable released the ability for Nessus ProfessionalFeed and SecurityCenter users to scan Windows hosts for sensitive data such as credit cards, employee information and even things like source code. This technology works as part of the regular vulnerability or configuration auditing scans.

Previously, Tenable also released policy libraries for the Passive Vulnerability Scanner (PVS) to identify servers and users transmitting sensitive data in motion. The PVS can not only identify hosted Adobe, PowerPoint, Word and Excel files as Nessus can, it can look into the traffic in email, chat and web browsing to look for specific types of data such as social security numbers and credit cards.

When managed by the SecurityCenter, the combination of active and passive data leakage monitoring is an effective method to discover where sensitive data is and when it leaves the networks.

Why Find Sensitive Data?

When sensitive data is identified through the SecurityCenter, several courses of action can be taken:

• A list of all systems with sensitive data can be obtained by IP address, MAC address, DNS name or Windows name. This list is available as a spreadsheet or can be created as a PDF report.
• A list of all corporate assets with sensitive data can similarly be created, allowing users to see if any systems unauthorized to hold data actually have any.
• The SecurityCenter's ability to combine qualities of vulnerability detection with asset identification also allows it to find hosts with sensitive data that are unmanaged or have vulnerabilities.
• If necessary, different types of sensitive data records can be classified into different asset groups. For example, all systems holding credit card data could be placed into a PCI asset list while all records holding patient health data could be placed into a HIPAA list.
• If the SecurityCenter is able to detect a system compromise, the incident response process can immediately take into account if this was or was not a server or system with sensitive data.

All of these capabilities allow an organization to combine information about system vulnerabilities, system configurations and systems holding sensitive data to identify and manage potential compliance, security and data leakage issues.

Creating Dynamic Asset Lists based on Sensitive Content

Information about sensitive data found by Nessus or the PVS can be used to create a SecurityCenter dynamic asset list. This data can be combined with other attributes such as IP address, system usage, open ports, domain name, system asset information and so on to create unique asset lists.

If we wanted to write a dynamic asset rule for all systems that had this data on it, we'd target ID #60186 and also had the content of "[FAILED]". This second step is required because if a systems did not have any .doc files that had the word "Tenable" in it, it would also have an active ID #60186 but would have the content "[PASSED] in it.

For More Information

For information on purchasing SecurityCenter or the Passive Vulnerability Scanner, please contact [email protected]. To purchase Nessus ProfessionalFeed, visit the Tenable Store.

Readers who are interested in compliance can request a copy of Tenable's "Real Time Compliance Monitoring" paper, as well as any of our application notes on PCI, or HIPAA compliance monitoring.