
"Reducing Your Patch Cycle to Less Than 5 Days" Webcast: Recording and Q&A

Jack Daniel and I recently presented the "Reducing Your Patch Cycle to Less Than 5 Days" webcast. This was part 1 in the “Vulnerabilities Exposed” webcast series, which will consist of four sessions delivered before the end of the year.

If you missed the webcast or would like to re-watch it, view the recording.


Here is a summary of the outstanding questions asked during the webcast.


Will the slides be available for download?

When will SecurityCenter 4.7 be released?

  • SecurityCenter 4.7 was released on August 29, 2013. Read more about this release.

In my environment, I'm looking at Windows 7, OSX, and Linux (multiple flavors). How can I be sure I'm finding everything on everything?

  • In the presentation, we covered using active scanning, credentialed scanning, configuration auditing, passive scanning, and analyzing logs for vulnerabilities. The combination of these techniques provides outstanding coverage for vulnerability discovery, covering all of the platforms you've listed (and more).

Can you change the vulnerability severity level based on security policies?

  • Yes, in both Nessus and SecurityCenter you can set the severity for each vulnerability.

Any suggestions on how testing patches in networking devices could be performed? Switches and routers are unique for a certain infrastructure, and creating a testing environment that mimics the production one is expensive.

  • Some networking products (such as Juniper's Junos) allow you to run virtual machine instances of the router software, and Cisco IOS can likewise be emulated (Dynamips/GNS3 are the usual tools). A virtual instance exercises the control plane and your configuration, not the hardware forwarding path, so it tells you whether a patched image accepts your configuration and routing protocols, not whether the ASICs behave identically; that is still far cheaper than a duplicate lab and catches most of the regressions that matter.

What schedules do you typically see for scanning? Monthly? Weekly? What about during patch release week? In other words, I'm asking you to define "frequently." What factors go into the decision about how often to scan?

  • Scanning frequency is something you must work out between the security staff, systems administrators, network engineers, and management. Organizations will typically scan, on average, once per quarter. The exact frequency is up to you, but Jack and I always recommend "more frequent." Frequency should take into account your patch cycle, resources, and communications plan. If you have a mechanism for distributing actionable results and a team in place that works together, you can set a much higher frequency. For example, scan your desktops each week and report on the anti-virus software (Is it the latest version, and are definitions up-to-date?). Then send that information to the folks responsible for managing the AV software and integrate it into their processes for keeping AV software up-to-date.

Competitive Comparisons

We're using a competing vulnerability scanner and are having big issues with the amount of workload to actually manage vulnerabilities once found. There is a massive amount of manual effort each scan to compare the new scan with old vulnerabilities/tickets and figure out what is new, what is old, what is verified, etc. Is there a good vulnerability management program to work with other teams and track vulnerabilities across thousands of hosts?

  • SecurityCenter is Tenable's enterprise vulnerability management platform, and it simplifies the tasks you outlined above including ticket tracking, comparison of scan data, and remediation tracking. Read about SecurityCenter.
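The reconciliation the questioner is doing by hand is a set difference over a stable finding key, and the policy-driven severity change from the earlier question is a floor applied before tickets are cut. As an added example that is not code from the original post and not Tenable's own tooling, the script below reads the .nessus (NessusClientData_v2) XML export that Nessus produces, keys each finding on (host, pluginID, port, protocol), diffs two exports into new/fixed/persisting, and applies a severity floor before picking the findings that need a ticket. The two exports, hosts, plugin IDs, plugin names and the `SEVERITY_FLOORS` policy are constructed sample data, not output from a real scan.

```python
"""Reconcile two Nessus scan exports: what is new, what is fixed, what persists.

Added example for this Q&A summary; not code from the original post and not
Tenable's own tooling (SecurityCenter performs this tracking for you).
All sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# (host, pluginID, port, protocol) identifies one finding on one host.
# Credentialed local checks report port="0", so port must stay in the key.
Key = Tuple[str, str, str, str]
Finding = Dict[str, object]

# Assumed local policy: a finding whose plugin name contains the substring is
# raised to at least that Nessus severity (0 Info .. 4 Critical).
SEVERITY_FLOORS: Dict[str, int] = {"Chrome": 4, "Java": 3}

# Constructed export from the previous scan cycle (placeholder plugin IDs).
PREVIOUS_SCAN = """<NessusClientData_v2>
 <Report name="desktops-week-35">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="Example SMB service issue"/>
   <ReportItem port="0" protocol="tcp" severity="2" pluginID="900002" pluginName="Example Chrome missing patch"/>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem port="22" protocol="tcp" severity="2" pluginID="900003" pluginName="Example SSH weak cipher"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Constructed export from the current cycle: Chrome was patched on 10.0.0.5,
# a Java finding appeared there, and a new host 10.0.0.7 showed up.
CURRENT_SCAN = """<NessusClientData_v2>
 <Report name="desktops-week-36">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" protocol="tcp" severity="3" pluginID="900001" pluginName="Example SMB service issue"/>
   <ReportItem port="0" protocol="tcp" severity="2" pluginID="900004" pluginName="Example Java missing patch"/>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem port="22" protocol="tcp" severity="2" pluginID="900003" pluginName="Example SSH weak cipher"/>
  </ReportHost>
  <ReportHost name="10.0.0.7">
   <ReportItem port="80" protocol="tcp" severity="1" pluginID="900005" pluginName="Example HTTP banner"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text: str) -> Dict[Key, Finding]:
    """Parse a .nessus export into {key: finding}."""
    findings: Dict[Key, Finding] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        hostname = host.get("name", "")
        for item in host.iter("ReportItem"):
            key = (hostname, item.get("pluginID", ""),
                   item.get("port", ""), item.get("protocol", ""))
            findings[key] = {
                "name": item.get("pluginName", ""),
                "severity": int(item.get("severity", "0")),
            }
    return findings


def apply_policy(findings: Dict[Key, Finding],
                 floors: Dict[str, int] = SEVERITY_FLOORS) -> Dict[Key, Finding]:
    """Raise severities to the policy floor; never lower what the scanner said."""
    for finding in findings.values():
        name = str(finding["name"]).lower()
        for needle, floor in floors.items():
            if needle.lower() in name:
                finding["severity"] = max(int(finding["severity"]), floor)
    return findings


def diff_scans(previous: Dict[Key, Finding],
               current: Dict[Key, Finding]) -> Dict[str, List[Key]]:
    """Classify findings as new, fixed or persisting between two scans."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "new": sorted(cur_keys - prev_keys),
        "fixed": sorted(prev_keys - cur_keys),
        "persisting": sorted(cur_keys & prev_keys),
    }


def ticket_candidates(current: Dict[Key, Finding], delta: Dict[str, List[Key]],
                      min_severity: int = 3) -> List[Key]:
    """New findings at or above min_severity: the ones that need a ticket."""
    return [k for k in delta["new"] if int(current[k]["severity"]) >= min_severity]


def reconcile(previous_xml: str = PREVIOUS_SCAN, current_xml: str = CURRENT_SCAN):
    """Parse, apply policy, diff, and return (current, delta, tickets)."""
    previous = apply_policy(parse_nessus(previous_xml))
    current = apply_policy(parse_nessus(current_xml))
    delta = diff_scans(previous, current)
    return current, delta, ticket_candidates(current, delta)


if __name__ == "__main__":
    current, delta, tickets = reconcile()
    for state in ("new", "fixed", "persisting"):
        for host, plugin, port, proto in delta[state]:
            print(f"{state:10} {host:12} plugin {plugin} {port}/{proto}")
    print("tickets to open:", tickets)
```

Keying on port and protocol matters: the same plugin can fire on two ports of one host, and collapsing those into one record would mark a half-fixed finding as fixed. "Persisting" is where most of the triage time goes on large estates, so carrying a first-seen date on those records (not shown here) is the next thing you would add.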

Do you think using a vulnerability scanner is better than using exploitation frameworks, or is using a vulnerability scanner a pre-cursor to using exploitation frameworks?

  • The goals and results of vulnerability scanners and exploitation frameworks are different. In short, your vulnerability management program must reduce your attack surface on a continual basis, and that breadth comes from the scanner. Exploiting vulnerabilities confirms that a subset of them are actually exploitable in your environment, which sharpens the risk rating for that subset but does not replace the scanner's coverage; in practice the scanner's findings tell the exploitation framework where to look.


When is Nessus implementing the DoD IAVA database and reporting on it? We're currently transitioning to Nessus, but our customers only understand their results broken out as IAVA-As/Bs.

  • You can search report results using the IAVA index; however, no other IAVA features are currently included or planned.

When will xTool be updated to support Windows 8/Server 2012 XCCDF conversion?

  • The xTool works with Windows 8/Server 2012 XCCDF content. SecurityCenter 4.7 supports SCAP as well.

Does SecurityCenter allow you to conduct a STIG compliance scan of a group of network devices, servers, and workstations, and then summarize results in an executive dashboard?

Patch Management Integration

Do Nessus reports have similar information or formats compared to something like WSUS or SCCM reports? I am hoping to start looking at scanning desktops and wondering how Nessus reports would be comparable to anything Microsoft has.

Do you integrate with the BigFix patching solution? Can you provide a list of patch management solutions that Nessus integrates with?

My question refers to PVS - can I change the alert level of different findings? For example, if Chrome shows up missing a patch, I may like that to be higher than the default.

  • SecurityCenter has the ability to adjust severity level for vulnerabilities coming from either Nessus or PVS.

Is it possible for Nessus to report incorrect patch levels when integrated with a patch management system like SCCM?

  • It is possible, however, we have worked extremely hard to ensure that this situation does not occur. If you do find that Nessus has reported something incorrectly, please contact Tenable Support and we will get it fixed right away.

Tenable reports vs. Microsoft reports – sometimes they don't match. Tenable finds more missing patches most of the time. Who should I believe?

  • This situation requires troubleshooting and a collaborative effort between the security team and the Windows systems administrators. Common causes of a mismatch are updates that have not been approved in WSUS (its compliance reports cover only the updates it manages), patches that are installed but still waiting for a reboot, and third-party software that Microsoft's tooling does not track at all. Nessus checks both the actual patch level of the system and what the patch management system reports, which makes it the more authoritative source.

Credentialed Scanning

Do any of the Tenable solutions actually DO the patching of third-party products such as Java/Flash/Reader?

  • No, Tenable products report the conditions in your environment with respect to vulnerabilities and other information (such as application usage).

Any recommendations on what access rights should be granted for the purpose of credentialed scans?

  • Credentialed scans need enough privilege for the local checks to read installed-software and patch state. On UNIX/Linux that means root: either log in as root or, preferably, log in as a dedicated unprivileged scan account and let Nessus escalate with sudo or su. On Windows it means an account in the local Administrators group on each target; a domain account placed in that group via Group Policy is the usual approach, and membership in Domain Admins is not required. Use a dedicated scanning account rather than a shared administrative one, so its activity can be audited and its password rotated independently. The Nessus documentation details the implementation and covers how the credentials are secured.

Do you have any documentation about a strategy that can help us do an internal scan with Nessus and how to manage it?

An uncredentialed vulnerability scan can extract all vulnerabilities that can be seen by attackers. Why should we do credentialed scans for all systems?

  • Attackers are not limited to network-based vulnerabilities. In fact, the most common type of attack goes after client software (such as the web browser, Java, Flash, etc.), which an uncredentialed scan cannot see because that software does not listen on the network. That makes credentialed scanning an extremely important part of your vulnerability management program.

Does Nessus store its administrative credential in plain text on disk?

  • Nessus stores credentials securely, and the Nessus server data can be encrypted (refer to the Nessus User Guide for more information). The next version of PVS will offer full encryption of all credentials.

"Vulnerabilities Exposed" Webcast Part 2 – Virtualization

The next webcast will be held on September 24th at 2 pm EDT, and we'll discuss how to address the security challenges of virtualization. Register today!
