
Uncovering SSL Anomalies In Your Network Using SecurityCenter

Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page.

Looking in More than One Place

Nessus, PVS, and LCE offer several methods for auditing SSL protocol usage on your network(s). SSL is commonly used to secure websites, but also protects email, file sharing, and many other services. This post lists some generic SSL capabilities found in all Tenable products, and shows how you can combine them to generate useful reports and dashboards.

On the vulnerability identification side, Nessus uncovers many issues with SSL certificates, such as outdated certificates, unsigned certificates, and much more (see the screenshot below for more examples). SSL implementations shipped with appliances often use unsigned certificates, and rely on the administrator to install their own valid certificate. Without a properly signed certificate, man-in-the-middle attacks become considerably easier. If you’re an e-commerce shop, improper SSL implementations will also cause you to become non-compliant with PCI DSS standards.

A sample of Nessus plugins associated with identifying problems with SSL certificates.

Passive SSL Protocol Detection

PVS can sniff SSL traffic across your network, providing broader coverage of SSL problems since it sees traffic in real time. While network-based scanners will typically discover SSL on port 443, PVS can more easily identify SSL regardless of the port. For example, most active network scans have a tough time enumerating multiple SSL-protected websites being hosted on a single IP address. However, since PVS looks at active network traffic, enumerating all the websites hosted on a given IP address is much easier.

PVS can also identify the following situations and associated vulnerabilities in SSL:

  • PVS can aggregate SSL certificates and CNs (common names) inside web browsing traffic, allowing you to see the sites users are visiting. Often, the SSL traffic is very self-explanatory. For example, the following entry clearly identifies an Apple iPhone using SSL on the network:

      SSL_certificate_Summary since 10/2/2012 21:14:32 host 192.168.1.55 had SSL sessions involving these server certificates: Akamai Technologies Inc configuration.apple.com courier.push.apple.com iphone-ld.apple.com

  • Tracking communications using SSL is a common feature for most firewalls, a requirement listed in the SANS CAG, and an integral part of your situational awareness strategy. PVS identifies hosts connecting to and listening for SSL services, and the ports being used to do so, making it easy to audit SSL usage.

  • LCE brings traditional SIEM correlation for the events uncovered by both Nessus and PVS, in addition to syslog events generated by your hosts. SSL traffic can be analyzed to detect several types of anomalies (see "Tracking SSL Activity Anomalies"). This level of analysis can be used to detect botnet activity, aid in forensic investigations, detect policy violations, and more.
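As an added illustration of the per-host anomaly checking described above (this is example code written for this post's log format, not a Tenable product or PVS code), the following script parses constructed SSL_certificate_Summary lines of the shape quoted above and reports, per client host, the server certificate names that do not appear in a baseline of previously seen names. The line format is assumed to be stable; the sample lines and baseline are constructed, not real capture data.

```python
import re
from collections import defaultdict

# Assumed stable shape of a PVS SSL_certificate_Summary line: timestamp, client host,
# then a space-separated run of certificate names (hostnames and organisation names).
SUMMARY_RE = re.compile(
    r"SSL_certificate_Summary since (?P<when>\S+ \S+) host (?P<host>\S+) "
    r"had SSL sessions involving these server certificates: (?P<certs>.+)$"
)

def parse_summary(line):
    """Return (when, host, [cert names]) or None if the line is not a summary line.
    Tokens containing a dot are treated as hostnames; runs of other tokens such as
    'Akamai Technologies Inc' are joined into one organisation name. Names are lowercased."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    names, org = [], []
    for tok in m.group("certs").split():
        if "." in tok:
            if org:
                names.append(" ".join(org).lower())
                org = []
            names.append(tok.lower())
        else:
            org.append(tok)
    if org:
        names.append(" ".join(org).lower())
    return m.group("when"), m.group("host"), names

def new_certificates(lines, baseline):
    """Map each host to the certificate names it contacted that are absent from
    baseline (dict host -> set of previously seen names). Hosts with nothing new
    are omitted so a reviewer sees only the candidates worth drilling into."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_summary(line)
        if parsed:
            _, host, names = parsed
            seen[host].update(names)
    return {h: sorted(s - baseline.get(h, set()))
            for h, s in seen.items() if s - baseline.get(h, set())}

# Constructed sample lines in the format quoted from PVS above (not real capture data).
SAMPLE_LINES = [
    "SSL_certificate_Summary since 10/2/2012 21:14:32 host 192.168.1.55 had SSL sessions "
    "involving these server certificates: Akamai Technologies Inc configuration.apple.com "
    "courier.push.apple.com iphone-ld.apple.com",
    "SSL_certificate_Summary since 10/2/2012 21:20:10 host 192.168.1.55 had SSL sessions "
    "involving these server certificates: api.twitter.com unknown-host.example",
    "not an SSL line at all",
]
BASELINE = {"192.168.1.55": {"akamai technologies inc", "configuration.apple.com",
                             "courier.push.apple.com", "iphone-ld.apple.com", "api.twitter.com"}}

if __name__ == "__main__":
    print(new_certificates(SAMPLE_LINES, BASELINE))  # {'192.168.1.55': ['unknown-host.example']}
```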

For example, you can track SSL browsing activity on a per user basis:


I highlighted an individual user's activity ("rgula"). No traffic exists for the previous day because Ron was out of the office. Drilling into the actual logs provides us with some detail on Ron's SSL traffic:


Fortunately there is nothing abnormal to report — Ron has been using Twitter, a remote instance of SecurityCenter (obfuscated for security reasons), and some Tenable resources (also obfuscated).

Tying It All Together Using SecurityCenter Dashboards

Tenable provides SecurityCenter customers with numerous dashboards free of charge. Here’s an example dashboard for customers that leverage SSL monitoring:

This dashboard graphs passively-monitored SSL traffic occurring on a variety of ports for the past 72 hours.

In the above dashboard, PVS data is being used to detect SSL on non-standard ports, providing both a graph of the traffic patterns and a detailed list of ports. You can download this dashboard from our SecurityCenter Dashboard sites from the entry titled "SSL Activity Monitoring."

Conclusion

Monitoring protocol usage and traffic patterns supports the advice given by many — know your network. The ability across Tenable's products to detect vulnerabilities and anomalies in SSL traffic helps you do just that. A single vulnerability on a given host or one particular event may not be interesting on its own. However, correlating network-based vulnerabilities, passively discovered vulnerabilities, and log events allows you to see the big picture and detect anomalies that require immediate attention.
