SpreadSheets of Excitement and Convenience

I've been at several conferences and forums where a panel of CIOs or CSOs gives their guidance about enterprise risk and compliance reporting.  When asked which products are up to the task, as each vendor in the audience is leaning forward on the tip of their chair hoping for a free product placement, the answer most commonly is -- Excel.

One of the very cool features of the Security Center that our customers continually remind me of is the ability for anyone with an account to download anything they are authorized to see as a spreadsheet. This includes vulnerabilities, configuration settings, intrusion events, failed logins and much more. This blog entry focuses on the different kinds of things we've seen our customers do with spread sheet exporting of security, log and compliance data.

Exporting Data via CSV

CSV stands for "Comma Separated Variables". For any type of query performed by the Security Center, the data rendered will also have a corresponding [CSV] link, such as this shown below:

This link also includes the appropriate access control such that someone who is only supposed to have access to the IT systems in Milwaukee only sees vulnerabilities, logs and compliance data from the IT systems in Milwaukee.

The data is also automatically sorted and presented based on the tool the user has invoked. For example, you may have 10,000 unique vulnerabilities you are dealing with, but have chosen to view a "Vulnerability Summary". Your spreadsheet will also be rendered as a summary of vulnerabilities and not list all 10,000 unique entries. This makes working with and manipulating the data very easy.

Obtaining CSV Export by Asset List

A very common request of the Security Center is to find all of the systems with some sort of property, such as an open port, installed software, the existence of given vulnerability or so on. With more than 15,000 active checks and 4000 passive checks, a Security Center that is managing Nessus and Passive Vulnerability Scanners will have a large volume of data to work with and create dynamic asset lists. These asset lists can be used as a filter to create spread sheets just like any others.

Customers have shared with us several different types of useful dynamic asset lists including:

• Highlighting all devices which host some sort of office document through web, FTP or network shares.
• Finding unmanaged devices by looking for certain vulnerabilities that are older than a time period such as 30 days.
• Finding which systems in DMZs and other protected networks connect to the Internet and/or accept connections from the Internet.
  
• Finding devices that do not have credentials to log in as an administrator. The Security Center tracks when Nessus can or can't successfully log into a Windows or UNIX host.
• Finding all systems that have certain software installed on them. Customers have used text filtering for the software name, and plugins #22869 and #20811 for UNIX or Windows software enumeration.
• Finding specific non-compliant servers. Customers pick some or all of the available configuration auditing results and then create a dynamic asset list against this list.
• Finding specific types of certain operating systems and network devices. A query for certain types of detected operating system is performed and lists are created for various operating systems.

In each of these cases, a customer performs a query for vulnerability names, system names, networks, IP addresses or open ports and then downloads the spread sheet.

Obtaining Log and System Events for Compliance and Security

For evidence collection, a wide variety of logs and events can also be collected in spread sheet form. Storing certain types of data in a spread sheet is sometimes more efficient than keeping the raw logs. Of course, raw logs should be maintained for legal purposes, but for summaries, investigations and reporting, spread sheets can be extremely useful. 

When managed by the Security Center, the Log Correlation Engine can be used to sort and list many different types of events. Common events which are relevant for compliance and security monitoring include:

• User creation events
• User deletion events
• Access of certain audited objects
• Password changes
• Detecting system and network change events
• Network and login events to show who is accessing key systems
• Times that certain types of activity is occurring
• Statistical deviation events
• Events related to compromise and botnet activity
• Never before seen events

Saving this data as an Excel spreadsheet can make it available to other users in your organization who don't easily read logs or make use of web consoles.

Visualizing Security, Compliance and Event Data

Tenable's 3D Tool makes use of data obtained through the Security Center's CSV exporting functions. An example topology image of a large network is shown below:

A video demonstration of the 3D Tool is available here.

Currently, Tenable's 3D Tool does not support visualization of IDS or Log data. However, several customers have used a variety of commercial and free tools (such as Many Eyes, AfterGlow, Miner3D and Advisor) that work with different types of data.

Typically, a customer will perform some sort of query, such as obtaining a list of all port 22 connections, and then save a raw list of each event as a spread sheet. When feed into a tool such as Miner3D (this was an evaluation copy, but I was really impressed with the flexibility of the tool) you can get very cool visualizations such as shown below:

These images above were obtained from a Log Correlation Engine running at a large university that was running the blacklist.tasl script. The site was scanned by a system tracked by the Dsheild list of known scanners. These images had the X and Y axises mapped to the detected source and destination IP addresses. The Z axis was time. The images show a few hosts making a sweep of the IP space at this location. Also, the target port is indicted in color.

Typically, these tools require an analyst to pick which columns in the spread sheet correspond with which axis of the plot. Source IP might be on one axis, time on another. Color could even be used in some tools to indicate port, protocol or type of event.

For More Information

To learn more about visualization of security data, I recommend visiting the AfterGlow web site  and to also take a look at the Security Visualization web site.

To learn more about what sorts of types of data you can obtain via spread sheet from the Security Center, I suggest requesting a copy of the Real Time Compliance paper. This paper summarizes the specific types of data which should be monitored and reported for as required or recommended by NIST, the PCI standard and many others.