Most readers should be familiar with the concept of "Microsoft Tuesday" as the day when Microsoft, and many other OS vendors, release security patch information. These releases occur on a regular basis. Because of this, we've had many Tenable customers configure their Security Center to automatically update Nessus and Passive Vulnerability Scanner plugins, perform a scan and then email a report on the following Wednesday. This blog post discusses how this is accomplished.
Research of Vulnerabilities
Tenable's research team publishes all new plugins to this RSS feed. This information is publicly available to anyone. Any time we release a remote check or patch audit, it shows up there. Patch audits are usually the first (and easiest) plugins to produce, and more complex remote "service" audits come next. Checks that can be accomplished purely through sniffing are also produced for the Passive Vulnerability Scanner (PVS), which has its own RSS feed of new plugins. Typically, within the first 12 hours of major bug releases, the checks will be available for Nessus Direct Feed subscribers, and Security Center and PVS users.
Automatic Monitoring with the Security Center
If your Security Center is updating the Nessus and PVS plugins on a nightly basis, then scheduling a scan for early "Wednesday Morning" can give you very good insight into how exposed your network is to the newly released vulnerabilities. If the PVS is also deployed on the network, then it will alert on new vulnerabilities without the need for a scan.
Scans can automatically be scheduled to perform patch audits of certain types of network assets such as all of the domain controllers, all of the mail servers, all of the server farm and so on. The Security Center manages the updating of each Nessus scanner as well as the credentials required for a full audit of each asset. Security Center users accomplish this with a "vulnerability policy" and a "scan policy".
The vulnerability policy specifies what you want to scan for. This includes scan configuration settings, such as credentials and target ports, as well as which Nessus plugins to run (selected by family or individually). Since the Security Center uses the Nessus Direct Feed as its source of plugins, you can also create a vulnerability policy that makes use of the most recent plugins in each family. For example, you could create a policy to scan for just "Windows Patches", and only those, including the latest patch audits, would be executed.
Scanning policies can be very simple or quite sophisticated. For example, a scanning policy could launch a credentialed scan against the "Windows Servers" every day at 5:00 AM. Scans can also occur on specific days of the week, weekends, certain days of the month and so on. Scans can also be chained together such that the results of the first scan are used to update a dynamic asset list, which is then scanned by the second scan. Scan policies can also select which Nessus scanners (or groups of scanners we call "zones") perform the audit.
If the PVS is deployed on the network, the Security Center will update those sensors with the latest vulnerability plugins. No policies, scan schedules or credentials are required to configure the PVS. It just monitors the network and accurately reports client- and server-side vulnerabilities to the Security Center.
For active Nessus scans, each scan policy also has the option to generate an email of any vulnerabilities found, or just "new" pieces of information. When these scans occur immediately after a "Microsoft Tuesday", they will identify all of the systems which have the "brand new" missing security patches.
The Security Center can also automatically create a scheduled PDF report of vulnerabilities which can be emailed to you. This report is generated from the Security Center's "cumulative" vulnerability database. This database includes any passively discovered vulnerabilities from the PVS.
A very useful part of the cumulative database is the filtering of vulnerabilities based on when they were "first seen". A "Tenable Wednesday" report could easily be limited to all vulnerabilities that have been discovered within the past day. This is a very convenient way to automatically report on all "new vulnerabilities" identified by multiple Nessus scans and PVS monitoring.
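As an added illustration (this is not Security Center code and makes no claim about how Tenable stores its cumulative database), the Python sketch below shows the "first seen" idea in working form: findings from Nessus scans and PVS observations are merged into one store keyed on host and plugin, the first observation date is preserved across repeat sightings, and the report is limited to entries first seen within the past day. Hosts, plugin ids, plugin names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta
class CumulativeVulnDB:
    """Merges findings from active (Nessus) and passive (PVS) sources, keyed on
    (host, plugin_id), and records when each finding was first observed."""

    def __init__(self):
        self.findings = {}

    def ingest(self, source, host, plugin_id, name, observed_at):
        key = (host, plugin_id)
        entry = self.findings.get(key)
        if entry is None:
            self.findings[key] = {"host": host, "plugin_id": plugin_id, "name": name,
                                  "first_seen": observed_at, "last_seen": observed_at,
                                  "sources": {source}}
            return
        # A repeat observation moves last_seen; first_seen only moves earlier,
        # so a late-arriving passive detection can still predate an active scan.
        entry["first_seen"] = min(entry["first_seen"], observed_at)
        entry["last_seen"] = max(entry["last_seen"], observed_at)
        entry["sources"].add(source)

    def new_since(self, now, days=1):
        """Findings first seen within the last `days` days, oldest first."""
        cutoff = now - timedelta(days=days)
        hits = [e for e in self.findings.values() if e["first_seen"] >= cutoff]
        return sorted(hits, key=lambda e: (e["first_seen"], e["host"]))

def build_report(db, now, days=1):
    """One line per new finding, in the form an e-mailed report would list."""
    return [f"{e['first_seen']:%Y-%m-%d %H:%M} {e['host']} plugin {e['plugin_id']} "
            f"{e['name']} via {','.join(sorted(e['sources']))}"
            for e in db.new_since(now, days)]

def demo():
    """Constructed sample data (hypothetical hosts and plugin ids): a scan that
    ran a month ago, PVS detections on Tuesday night, and a 05:00 Wednesday scan."""
    db = CumulativeVulnDB()
    old_scan = datetime(2008, 3, 5, 5, 0)
    db.ingest("nessus", "mail01", 2002, "sample patch audit B", old_scan)
    db.ingest("pvs", "dc01", 1001, "sample patch audit A", datetime(2008, 4, 8, 23, 0))
    db.ingest("pvs", "web01", 3003, "sample service check C", datetime(2008, 4, 9, 2, 0))
    wed_scan = datetime(2008, 4, 9, 5, 0)
    db.ingest("nessus", "dc01", 1001, "sample patch audit A", wed_scan)
    db.ingest("nessus", "mail01", 2002, "sample patch audit B", wed_scan)  # not new
    return db, datetime(2008, 4, 9, 6, 0)   # "now": report time on Wednesday morning
if __name__ == "__main__":
    db, now = demo()
    print("\n".join(build_report(db, now)))
```

Note that the mail01 finding re-observed by the Wednesday scan is excluded from the one-day report because its first observation was a month earlier, which is exactly what keeps a "new vulnerabilities" report from repeating old news.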
For some customers who do not scan that often, but use the PVS, the passively discovered vulnerabilities are their first indication that there may be new security issues.
Reporting on the most recent vulnerability information available is a method of finding out the "bad news" as quickly as possible. This is a completely different process from the one in our previous blog post, which suggested reporting on vulnerabilities based on classes of systems that were managed or un-managed. The intent of scanning for the latest and greatest vulnerabilities should be to discover any critical security issues that will impact your business in the short term.