SecurityCenter 4 Introduction – Pushing the envelope for scanning and event management products

Tenable Network Security will shortly release SecurityCenter 4. It embodies our entire Unified Security Monitoring^TM strategy. SecurityCenter 4 places everything you need to know about vulnerabilities, missing patches, intrusion events, anomalies, log searches, configuration audits, file integrity auditing and much more right at your fingertips. It centralizes all system and event alerting for any type of security, IT or compliance regulations. But most of all, it makes your job as an auditor, a “risk mitigator”, a compliance monitor, a security analyst or even an IT executive, much easier. This blog post discusses the major functions of SecurityCenter 4 and provides several screen captures to illustrate them.

Tenable Unified Security Monitoring Architecture

If you are new to Tenable’s product offering, you should be aware that SecurityCenter 4 is the management console for several other Tenable products, which include:

Nessus Vulnerability Scanner – One or more of these scanners can be placed throughout your network to perform vulnerability scans, credentialed patch audits, web applications tests, operating system configuration audits, SQL database configuration audits and file searches for sensitive content.

Passive Vulnerability Scanner (PVS) – One or more of these sniffers can be placed throughout your network to monitor network traffic to identify new hosts, open ports, client/server applications and their vulnerabilities. The PVS also logs all Web, DNS, SMB, FTP and NFS traffic to provide a real-time log of all file access events and passively enumerates all shared files.

Log Correlation Engine (LCE) – One or more of these log aggregators can be placed within your network to consume syslogs, operating system events, file modifications, USB inserts and network traffic. The LCE has advanced normalization of thousands of different log types, automatic statistical anomaly alerting, IDS event to vulnerability correlation and supports full “raw log” searches of unstructured data.

SecurityCenter 4 Dashboard

Any type of data managed by SecurityCenter 4 can be used for a live dashboard. This includes vulnerability trending, open port counts, events such as USB device inserts, system status with compliance regulations such as PCI or FDCC and much more.

For example, graphing Snort events over time filtered for port 80 alongside “web error” logs from your Apache web server is very easy. You would create a “line graph”, select the length of time for the graph and then select two different queries that corresponded to the Snort and Apache activity. This would allow you to see web probe and attack trends for your web server in one spot. If you wanted to add a third series, perhaps events from a web application firewall or even graphing the number of web vulnerabilities over time on the same graph, the dashboard element can be edited and a new series can be added.

Below are several example dashboard screen captures for SecurityCenter 4:

Listing current Vulnerabilities for all IP and Assets	Trending Vulnerabilities found with active, passive and patch audits
Display of Correlated event types alongside generic intrusion event types	Graphing network activity, DNS queries and most common ports in use

SecurityCenter 4 Alerting

Each SecurityCenter 4 user can schedule a query for any type of event or vulnerability condition and specify if an alert should be generated if the value returned is more than, less than or equal to a certain value. Actions to be taken include sending email alerts, sending a syslog message, opening a ticket, open an in-system SecurityCenter notification message and even launching a Nessus scan. All active alerts are also available to the user as an RSS feed as well. Below are some screen captures of alert screens and configurations:

Active list of alerts for a variety of vulnerability, security and IT events

Detailed event creation to alert any time a new MAC addresses is found in a log

SecurityCenter 4 Reporting

Reports in SecurityCenter 4 are also very convenient, quick to generate and very easy to create. All vulnerability, compliance and log data is available. Every element and filter on the dashboard is also available as a report. SecurityCenter 4 ships with a variety of IT auditing and security reports, and also several specific reports for SANS CAG, FISMA and PCI. These reports combine a variety of unique templates that feature core functions of Tenable products. For example, there is a PCI report template that leverages Nessus’ ability to report on USB device history and there is also a similar report that leverages the LCE’s real-time ability to identify USB device inserts and removals. Below is a set of screen captures from the SecurityCenter 4 interface:

Drag and Drop Reporting Interface makes creating custom reports easy

Example Selection of the many report templates for CAG, PCI, FISMA, CIS and OWASP

SecurityCenter 4 Asset Discovery

Any user of SecurityCenter 4 can quickly upload lists of IP addresses known as assets. These could be a list of routers, the hosts in the DMZ, a list of Class C networks that make up the network and lots of other scenarios. If a list of devices or networks is not known, the SecurityCenter can be programmed to build its own list based on any of the returned data from a Nessus scan or a real-time vulnerability report from the PVS. Dynamic asset lists can be used to create lists of IP addresses based on an operating system, open port, MAC address, service, missing patch level and much more. And lastly, when analyzing any type of log or event data, the matching IP addresses can also be quickly saved as a static asset list. Asset lists can be used for access control, to target scans, for reporting, for alerting and to drive dashboards. Below are some screen captures that show examples of creating asset lists:

Example wizard for creation of a Dynamic Asset list based on passive data

Example log listing of any assets that have had a login failure in the past 24 hours

Reporting Security Metrics with SecurityCenter 4

Tenable has received feedback from many of our customers who want to track a variety of advanced security metrics. With the wide breadth of data that can be managed by SecurityCenter, there are many different types of items that can be tracked. SecurityCenter 4 can be used to track a wide variety of metrics over time such as:

·         Users with the most antivirus activity

·         Servers that transfer large files

·         Servers with the most statistical anomalies

·         Systems most targeted by attackers

·         Attacks that specifically target known vulnerabilities

·         Changes proceeded by valid logins and changes proceeded by attacks

·         Asset groups or servers that produce logs that have never been seen before

Below are a few examples with some screen captures.

Metric - Vulnerability Trending by Age

When scanning, patch or passive vulnerability data is imported into the SecurityCenter and the actual vulnerability is tracked, the time it was “first seen” is labeled. This allows filtering and trending based on the age of a vulnerability. This filter enables discovery of vulnerabilities that exist outside of your patch windows. It also allows discovery of what IP address or assets have older vulnerabilities.

This is an example vulnerability detail filter for missing MS patches older than 30 days

Two system plots of total vulnerabilities versus 7-day old vulnerabilities

Metric - Vulnerability Trending Alongside Administration Events

A powerful feature of SecurityCenter 4 is the ability to display and graph event trends alongside vulnerability trends. This gives opportunities to display patch levels against patching events, compliant configuration counts against administrator logins and much more. Seeing both of these trends on the same graph provides context into any changes that may have occurred.

Below is a screen capture of a trend of measured patch vulnerabilities on a Linux host versus any type of software installations. After running a "yum" update (which was normalized to a Software Installed event), the amount of vulnerabilities dropped off at the next scan sample.

This type of trending is even more powerful when used to track multiple systems. System patch events should cause a drop in measured vulnerabilities.

Metric - Recurring Vulnerabilities

SecurityCenter 4 also adds a new type of filter that tracks when a vulnerability has been detected, been fixed and is detected again. This type of filter is known in SecurityCenter as the “Was Mitigated” filter. There are many reasons a vulnerability can resurface such as system restores, new applications installing old libraries and old virtual systems being reverted.

Recurring vulnerabilities represent a broken process in your organization that is distinctly different than having a system that is not being managed. For example, if your patching policy is to patch all systems within 30 days and you have a vulnerability older than 30 days, you have a problem with your procedures. Perhaps a system is not being managed. However, if you get a vulnerability that was fixed once, but is now present again, you may have a bad piece of software, a bad patch, an unauthorized service or some other issue that needs to be fixed. 

For More Information

There is much more to what can be accomplished with SecurityCenter 4. Tenable expects to ship SecurityCenter 4 before the end of Q1 2010. We have been providing webinars and product demonstrations to existing customers, media and industry analysts. If you would like more information, please contact us by emailing [email protected] or [email protected] to arrange a demonstration. If you are at RSA, please come by booth #956 to get an in-person demo as well.