I often get the chance to speak with our Security Center customers who perform active Nessus scans or monitor networks in real time with the Passive Vulnerability Scanner (PVS). These customers generally have more than 5 Nessus scanners, 2-3 PVS sensors and need to watch and report on more than 5000 active hosts.
For many of them, deploying Security Center is the first time they've really been able to unify patch/config auditing, active scanning and network monitoring and have this information shared securely across multiple departments.
A common question I get asked is how to make sense of all the data collected. This blog entry considers several different strategies and ideas that use "asset lists" to make sense out of the various technologies, applications and configurations that can occur on an enterprise network.
Dividing the Network into Asset Groups
I've blogged before about how the Security Center can use asset lists to split a network up into "things you know" and "things" that can be discovered independently of any corporate knowledge. Each asset list is simply a list of IP addresses that all have the same sort of property.
For example, if one were to ask an enterprise networking group for a list of all "Cisco router" IP addresses, this list could be loaded into the Security Center and used to report on, filter and analyze all vulnerabilities (as well as logs and IDS events, if the Log Correlation Engine were in use) for just the "Cisco Routers". At the same time, the Security Center could also use something we call a dynamic asset list, which relies on the operating system fingerprinting (or any other plugin) of Nessus and the PVS to come up with its own list.
What gets interesting is when the "official" list of what constitutes a corporate asset differs from what has been actively or passively derived by the Security Center. These discrepancies usually indicate a failing or lack of a process to disseminate information accurately to security, audit or other types of groups. Many of our customers have also said they've been able to rectify issues or gaps in the accuracy of their corporate asset management systems by comparing their lists to the lists and data within the Security Center.
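The comparison described above can be sketched outside the product. This is an added example, not Security Center code: the official list, the discovered hosts and their OS strings are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: the "official" Cisco router list (single IPs and a CIDR block)
OFFICIAL_CISCO = ["10.1.0.1", "10.1.0.2", "10.2.0.0/30"]
# Constructed sample data: hosts seen by scanning or sniffing, with an OS guess
DISCOVERED = {
    "10.1.0.1": "Cisco IOS 12.4",
    "10.1.0.2": "Linux Kernel 2.6",
    "10.2.0.1": "Cisco IOS 12.2",
    "10.3.0.9": "Cisco IOS 12.4",
    "10.3.0.20": "Microsoft Windows XP",
}

def expand(entries):
    """Expand single IPs and CIDR blocks into a set of host addresses."""
    hosts = set()
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            hosts.update(net.hosts())  # skips network and broadcast addresses
    return hosts

def reconcile(official, discovered, label):
    """Compare a static asset list with the list derived from OS fingerprints."""
    listed = expand(official)
    seen = {ipaddress.ip_address(ip) for ip in discovered}
    derived = {ipaddress.ip_address(ip) for ip, os_guess in discovered.items()
               if label.lower() in os_guess.lower()}
    as_text = lambda addrs: [str(a) for a in sorted(addrs)]
    return {
        # fingerprinted as the asset type, but missing from the official list
        "unlisted": as_text(derived - listed),
        # on the official list and observed, but fingerprinted as something else
        "mismatch": as_text((listed & seen) - derived),
        # on the official list, but never observed on the network
        "not_seen": as_text(listed - seen),
    }

if __name__ == "__main__":
    for bucket, ips in reconcile(OFFICIAL_CISCO, DISCOVERED, "cisco").items():
        print(f"{bucket}: {', '.join(ips) or '-'}")
```

Each of the three buckets points at a different process gap: an undocumented device, a stale or wrong record, or a decommissioned or unreachable host.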
Standard Dynamic Asset Lists
Dividing your network up into different types of asset classes can map into normal technologies you and your organization are already familiar with. The following is a very easy list of default items and methods to help classify your network:
- DNS and Netbios names can be used to classify hosts. If an organization has a naming convention (my Tenable laptop is named LAP5506 -- guess what the 'LAP' means?) then dynamic asset lists can be used to generate on-the-fly lists based on naming conventions already used in the organization.
- Operating System classification can automatically label various systems in different networks. For example, combining the output of the Nessus OS ID plugin and a domain name filter could result in a list of all Windows XP servers in a specific domain.
- If the Passive Vulnerability Scanner is involved, a tremendous amount of client side application and network browsing behaviors can be used to classify hosts. For example, the PVS can list all systems which make outbound connections on port 143. This is a quick way to identify all systems that receive email through IMAP.
- Nessus scanners can differentiate between live hosts and systems running in a VMware environment. This can allow for a quick and easy way to identify which of your systems are "real" or "virtual".
- Nessus 3 can also make a variety of Windows WMI queries. The data contained on a Windows server available through WMI is richer than what can be queried for in just the registry. This includes CPU type, manufacturer and hardware type. All of this information is available to help classify your environment. WMI can be used to differentiate not only between manufacturers such as Dell and Sony, but also between different types of platforms within a manufacturer.
This list is just a portion of the types of classifications that can be performed with the Security Center and the data obtained about your network with Nessus and the PVS.
Advanced and Innovative Ideas for Classification
Over the past few years I've picked up a few tricks from customers for helping to classify systems and identify devices that have been installed that should cause alarm.
One of the easiest things to do is search for systems that aren't in the DNS system. Nessus plugin #12053 attempts to perform a DNS lookup of each active IP address that is scanned. If you are on a large network, finding systems that are alive, but are not in DNS is a great way to find test networks, non-production systems, networks and hosts that have been "forgotten" and so on.
Another interesting form of classification is to look for systems that don't have a valid OS fingerprint. Nessus uses a wide variety of techniques to accurately identify the operating system of a host. If this process does not result in a guess of the target OS, this could indicate that a host has some sort of firewall or IPS blocking the scan. If this is the case, then this asset might be more important to the organization and should be further analyzed. Some of our customers who also deploy the PVS have taken this concept a step further and have deployed rules to list systems that don't have an active fingerprint, a passive OS fingerprint or are missing both.
Creating assets based on combinations of open ports and browsed ports can also indicate how a system is used. Creating a rule which combines Nessus and PVS plugin '0' (an open port) with PVS's client side port browsing rule can identify a wide variety of systems. For example, if all we know about a host is that it browses on ports 53, 80 and 443, it is likely just performing web browsing. If a system had port 80 open (such as a web server) and also browsed on port 80, this could indicate that a production web server is reaching out to the Internet for updates and is not being centrally managed.
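The three tricks in this section (live hosts missing from DNS, missing active or passive OS fingerprints, and open/browsed port combinations) can be expressed as simple rules over per-host records. This is an added example, not Security Center rule syntax: the host records, field names and tag names are constructed for illustration.

```python
# Constructed sample records: one dict per live host, merging active (Nessus-style)
# and passive (PVS-style) observations. Field names are hypothetical.
HOSTS = [
    {"ip": "192.0.2.10", "dns": "lap5506.example.com", "active_os": "Windows XP",
     "passive_os": "Windows XP", "open_ports": set(), "browsed_ports": {53, 80, 443}},
    {"ip": "192.0.2.20", "dns": "www1.example.com", "active_os": "Linux",
     "passive_os": "Linux", "open_ports": {22, 80, 443}, "browsed_ports": {53, 80}},
    {"ip": "192.0.2.30", "dns": None, "active_os": None,
     "passive_os": "Linux", "open_ports": set(), "browsed_ports": {53, 143}},
    {"ip": "192.0.2.40", "dns": None, "active_os": None,
     "passive_os": None, "open_ports": {8080}, "browsed_ports": set()},
]

WEB_BROWSING_PORTS = {53, 80, 443}

def classify(host):
    """Return the asset-list tags that apply to one host record."""
    tags = []
    if not host["dns"]:
        tags.append("not-in-dns")  # alive, but no DNS entry
    active, passive = host["active_os"], host["passive_os"]
    if not active and not passive:
        tags.append("no-os-fingerprint")
    elif not active:
        tags.append("no-active-fingerprint")  # possibly filtered by a firewall or IPS
    elif not passive:
        tags.append("no-passive-fingerprint")
    opened, browsed = host["open_ports"], host["browsed_ports"]
    # Nothing open, and only DNS/HTTP/HTTPS browsed: likely a web-browsing client
    if not opened and browsed and browsed <= WEB_BROWSING_PORTS:
        tags.append("web-browsing-client")
    # Serves port 80 and also browses on port 80: server reaching out on its own
    if 80 in opened and 80 in browsed:
        tags.append("web-server-browsing-out")
    return tags

def build_asset_lists(hosts):
    """Group host IPs into dynamic asset lists keyed by tag."""
    lists = {}
    for host in hosts:
        for tag in classify(host):
            lists.setdefault(tag, []).append(host["ip"])
    return {tag: sorted(ips) for tag, ips in lists.items()}

if __name__ == "__main__":
    for tag, ips in sorted(build_asset_lists(HOSTS).items()):
        print(f"{tag}: {', '.join(ips)}")
```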
Mapping Assets to Corporate Policy
An important item I tell our customers to keep in mind is to map their asset classification efforts into corporate policy. With more than 20,000 active and passive plugins to draw data from for classifying a host, there is ample opportunity to over-classify assets based on today's security headlines or the technical whims of the audit or security staff.
For example, due to PCI, it might be a corporate practice to alert on any system with a vulnerability older than 30 days. With the Security Center, it is fairly trivial to classify and report on any host that has vulnerabilities older than 30 days. It is much more useful to consider the overall state of a host and how it impacts a standard such as PCI.
For More Information
If this blog entry was useful to you, the following previous entries will also likely be of interest:
- Using Manufacturer Information for Automatic Dynamic Asset List Creation
- Testing The Effectiveness of your Patch Management System
- Knowing When To Patch
- Advanced Dynamic Asset Rules
- Enumerating Corporate Data