
Tenable Blog


Order from Chaos on Large Enterprise Networks

I often get the chance to speak with our Security Center customers who perform active Nessus scans or monitor networks in real time with the Passive Vulnerability Scanner (PVS). These customers generally have more than five Nessus scanners and two or three PVS sensors, and need to watch and report on more than 5,000 active hosts.

For many of them, deploying Security Center is the first time they have really been able to unify patch and configuration auditing, active scanning and network monitoring, and to share that information securely across multiple departments.

A common question I get asked is how to make sense of all the data collected. This blog entry considers several strategies and ideas that use "asset lists" to make sense of the various technologies, applications and configurations found on an enterprise network.

Dividing the Network into Asset Groups

I've blogged before about how the Security Center can use asset lists to split a network into "things you know" and "things" that can be discovered independently of any corporate knowledge. Each asset list is simply a list of IP addresses that share some property.

For example, if one were to ask an enterprise networking group for a list of all "Cisco router" IP addresses, that list could be loaded into the Security Center and used to report on, filter and analyze all vulnerabilities, and, if the Log Correlation Engine were in use, all logs and IDS events, just for the "Cisco Routers". At the same time, the Security Center can also use what we call a dynamic asset list, which relies on the operating system fingerprinting (or any other plugin) of Nessus and the PVS to come up with its own list.

What gets interesting is when the "official" list of what constitutes a corporate asset differs from what the Security Center has actively or passively derived. These discrepancies usually indicate a failing, or an absence, of a process for disseminating accurate information to security, audit or other groups. Many of our customers have also said they have been able to fix issues or gaps in the accuracy of their corporate asset management systems by comparing those lists to the lists and data within the Security Center.

Standard Dynamic Asset Lists

Dividing your network into different asset classes can map onto technologies you and your organization are already familiar with. The following is a short list of default items and methods that help classify a network:

  • DNS and NetBIOS names can be used to classify hosts. If an organization has a naming convention (my Tenable laptop is named LAP5506 -- guess what the 'LAP' means?), then dynamic asset lists can generate on-the-fly lists based on the naming conventions the organization already uses.
  • Operating system classification can automatically label systems in different networks. For example, combining the output of the Nessus OS identification plugin with a domain name filter could produce a list of all Windows XP hosts in a specific domain.
  • If the Passive Vulnerability Scanner is involved, a tremendous amount of client-side application and network browsing behavior can be used to classify hosts. For example, the PVS can list all systems that make outbound connections on port 143. This is a quick way to identify systems that receive email over IMAP (clients using IMAP over TLS on port 993 need a second rule).
  • Nessus scanners can differentiate between physical hosts and systems running in a VMware environment. This gives a quick and easy way to identify which of your systems are "real" and which are "virtual".
  • Nessus 3 can also make a variety of Windows WMI queries. The data available from a Windows server through WMI is richer than what can be queried from the registry alone, and includes CPU type, manufacturer and hardware type. All of this information is available to help classify your environment. WMI can be used to differentiate not only between manufacturers such as Dell and Sony, but also between different platforms from the same manufacturer.

This list is just a portion of the classifications that can be performed with the Security Center and the data Nessus and the PVS obtain about your network.

Advanced and Innovative Ideas for Classification

Over the past few years I've picked up a few tricks from customers for classifying systems and for identifying installed devices that should cause alarm.

One of the easiest things to do is search for systems that aren't in DNS. Nessus plugin #12053 attempts a reverse DNS lookup of each active IP address that is scanned. On a large network, finding systems that are alive but not in DNS is a great way to find test networks, non-production systems, and networks and hosts that have been "forgotten".

Another interesting form of classification is to look for systems that don't have a valid OS fingerprint. Nessus uses a wide variety of techniques to identify the operating system of a host. If this process does not produce a guess of the target OS, it could indicate that the host has some sort of firewall or IPS blocking the scan. If so, that asset may be more important to the organization and should be analyzed further. Some of our customers who also deploy the PVS have taken this concept a step further and deployed rules to list systems that lack an active OS fingerprint, lack a passive OS fingerprint, or are missing both.

Creating assets based on combinations of open ports and browsed ports can also indicate how a system is used. A rule that combines the Nessus and PVS plugin '0' (an open port) with the PVS client-side port browsing rule can identify a wide variety of systems. For example, if all we know about a host is that it browses on ports 53, 80 and 443, it is likely just performing web browsing. If a system has port 80 open (such as a web server) and also browses on port 80, this could indicate that a production web server is reaching out to the Internet for updates and is not being centrally managed.
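As an added example (not Security Center, Nessus or PVS code, and not from the original post), the following Python script evaluates the kinds of dynamic asset list rules described on this page over a handful of constructed host records: the naming-convention, OS, browsed-port, VMware and WMI classifications from the previous section, and the not-in-DNS, missing-fingerprint and open-versus-browsed port rules from this one. It then reconciles a constructed "official" Cisco list against the fingerprint-derived one, as discussed under "Dividing the Network into Asset Groups". The Host record, its field names, every sample host and the corporate list are assumptions made for the example; Security Center stores and evaluates this data in its own way.

```python
"""Dynamic asset lists over constructed scan data.

Added example: this is not Security Center, Nessus or PVS code. The Host
record, its field names and every sample host below are constructed to stand
in for what the scanners would report; the rules mirror the classifications
discussed in the post.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Host:
    ip: str
    fqdn: Optional[str] = None          # None: no reverse DNS record (cf. plugin #12053)
    active_os: Optional[str] = None     # Nessus OS fingerprint; None = no guess
    passive_os: Optional[str] = None    # PVS OS fingerprint; None = never seen
    open_ports: Set[int] = field(default_factory=set)     # "plugin 0": listening ports
    browsed_ports: Set[int] = field(default_factory=set)  # PVS: outbound ports the host uses
    manufacturer: Optional[str] = None  # WMI hardware vendor (Windows only)
    virtual: bool = False               # Nessus VMware detection


# Constructed sample records, not real scan output.
HOSTS = [
    Host("10.1.1.1", "rtr-core1.corp.example", "Cisco IOS", "Cisco IOS", {22, 23}),
    Host("10.1.1.2", "rtr-core2.corp.example", "Cisco IOS", "Cisco IOS", {22}),
    Host("10.1.1.3", "sw-edge9.corp.example", "Cisco IOS", None, {22}),
    Host("10.2.0.10", "LAP5506.corp.example", "Windows XP", "Windows XP",
         {139, 445}, {53, 80, 443, 143}, "Dell"),
    Host("10.2.0.11", "SRV0041.corp.example", "Windows 2003", "Windows 2003",
         {80, 443}, {53, 80, 443}, "Dell", True),
    Host("10.2.0.12", "SRV0042.corp.example", "Windows 2003", "Windows 2003",
         {80, 443}, {53}, "Dell"),
    Host("10.2.0.20", "WKS0007.corp.example", "Windows XP", "Windows XP",
         set(), {53, 80, 443}, "Sony"),
    Host("10.9.9.9", None, None, None, {443}, {53, 80}),       # alive, no DNS, no OS guess
    Host("10.9.9.10", None, "Linux Kernel 2.6", None, {22}),   # alive, no DNS
]

WEB_CLIENT_PORTS = {53, 80, 443}

# Each dynamic asset list is a predicate over one Host record.
RULES = {
    # naming convention: the laptop is LAP5506, so LAP<digits> = laptop
    "laptops": lambda h: bool(h.fqdn) and re.match(r"LAP\d+\.", h.fqdn, re.I) is not None,
    # OS fingerprint combined with a domain filter
    "xp_in_corp_domain": lambda h: h.active_os == "Windows XP"
                                   and bool(h.fqdn) and h.fqdn.lower().endswith(".corp.example"),
    # PVS client-side behaviour: outbound IMAP
    "imap_clients": lambda h: 143 in h.browsed_ports,
    "virtual_machines": lambda h: h.virtual,
    "dell_hardware": lambda h: h.manufacturer == "Dell",
    "cisco_devices": lambda h: (h.active_os or h.passive_os or "").startswith("Cisco"),
    # the "advanced" rules: forgotten hosts and hosts that hide from the scanner
    "not_in_dns": lambda h: h.fqdn is None,
    "no_active_os_fingerprint": lambda h: h.active_os is None,
    "no_passive_os_fingerprint": lambda h: h.passive_os is None,
    "no_os_fingerprint_at_all": lambda h: h.active_os is None and h.passive_os is None,
    # open/browsed port combinations
    "web_browsing_only": lambda h: bool(h.browsed_ports)
                                   and h.browsed_ports <= WEB_CLIENT_PORTS and not h.open_ports,
    "web_server_that_browses_web": lambda h: 80 in h.open_ports and 80 in h.browsed_ports,
}


def build_asset_lists(hosts, rules=RULES):
    """Evaluate every rule against every host: {list_name: set of IPs}."""
    return {name: {h.ip for h in hosts if pred(h)} for name, pred in rules.items()}


def expand(entries):
    """Expand a hand-maintained list mixing single IPs and CIDR blocks into IP strings."""
    out = set()
    for entry in entries:
        out.update(str(ip) for ip in ipaddress.ip_network(entry, strict=False))
    return out


def reconcile(official, discovered):
    """Compare the "official" corporate list with the dynamically derived one."""
    return {
        "claimed_not_discovered": official - discovered,   # CMDB says router, scanners disagree
        "discovered_not_claimed": discovered - official,   # scanners say router, CMDB silent
        "agreed": official & discovered,
    }


# Constructed stand-in for the networking group's "all Cisco routers" list.
OFFICIAL_CISCO = ["10.1.1.1", "10.1.1.2", "10.1.1.4"]

if __name__ == "__main__":
    lists = build_asset_lists(HOSTS)
    for name, ips in lists.items():
        print(f"{name:28s} {sorted(ips, key=ipaddress.ip_address)}")
    for k, v in reconcile(expand(OFFICIAL_CISCO), lists["cisco_devices"]).items():
        print(f"{k:28s} {sorted(v, key=ipaddress.ip_address)}")
```

The rules are evaluated independently, so one host can land on several lists (10.2.0.11 is both a Dell VM and a web server that browses the web), which is what you want when you filter vulnerability reports by more than one property. Reconciliation reports both directions: 10.1.1.4 is on the networking group's list but nothing the scanners saw looks like a Cisco device there, while 10.1.1.3 fingerprints as Cisco IOS and is not on the official list, and each is a separate follow-up with the asset owners.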

Mapping Assets to Corporate Policy

An important item I tell our customers to keep in mind is to map their asset classification efforts to corporate policy. With more than 20,000 active and passive plugins to draw data from when classifying a host, there is ample opportunity to over-classify assets based on today's security headlines or the technical whims of the audit or security staff.

For example, because of PCI, it might be corporate practice to alert on any system with a vulnerability older than 30 days. With the Security Center, it is fairly trivial to classify and report on any host that has a vulnerability older than 30 days. It is much more useful, though, to consider the overall state of a host and how it affects compliance with a standard such as PCI.

For More Information

If this blog entry was useful to you, the following previous entries will also likely be of interest:

To learn more about Tenable's Unified Security Monitoring strategy, please visit our web site, contact us or check out one of the online videos of our product offerings.
