
VMware Threat Management

by Cody Dumont
January 6, 2015

Managing workstation vulnerabilities is often so time intensive that infrastructure vulnerabilities may be overlooked. Tenable's SecurityCenter Continuous View (CV) provides the ability to track vulnerabilities and logs from VMware solutions. This dashboard provides a single view of the current threats to the virtual infrastructure. When analyzing threats to the virtual infrastructure, the security professional should combine active, passive, and event-based detection methods. Additionally, Nessus can perform configuration audits by using the vCenter API or by directly querying the hypervisors.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments.

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 6.1.1
  • LCE 4.4.1
  • PVS 4.0.3

The analysis of the virtual infrastructure begins with configuring the hypervisors and vCenter to send log data to the Log Correlation Engine (LCE) for event normalization and vulnerability analysis. LCE currently supports over 20 normalized events for VMware products, grouped by event type: the VMware normalized events fall under the application, login, detected-change, and login-failure event types. These events detect such things as admin logins, VM movements (such as vMotion), defragmentation, and power changes.

After log data is collected, the detection of hypervisors and virtual machines is possible by combining event-based detections with passive and active detection methods.  The event-based detections use signatures in the logs to identify the servers running hypervisor software.  Using active and passive detection, both hypervisors and virtual machines can be identified.
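The two preceding paragraphs describe what LCE does with the forwarded logs: match message signatures to turn raw lines into one of the four event types, and treat the presence of hypervisor daemons in the log stream as an event-based detection of ESXi and vCenter hosts. The script below is an added illustration of that pipeline and is not Tenable's LCE code or its real normalization signatures. The regular expressions are assumptions modelled on the style of hostd and vpxd messages, the process-to-role table is an assumption, and SAMPLE_LOG is constructed for the example.

```python
"""Normalize ESXi/vCenter syslog lines into LCE-style event types.

Added example, not Tenable's LCE code and not its real normalization
signatures. The patterns below are assumptions modelled on the style of hostd
and vpxd messages, and SAMPLE_LOG is constructed for this illustration.
"""
import re
from collections import Counter

# Generic syslog shape: timestamp, host, process[pid]: message.
SYSLOG = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[A-Za-z]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message signatures mapped to the four event types the page lists for VMware
# events. Assumed patterns for this example, not LCE's rule set.
SIGNATURES = [
    ("login", re.compile(r"User (?P<user>[^@\s]+)@(?P<src>[\d.]+) logged in")),
    ("login-failure", re.compile(r"Rejected password for user (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("detected-change", re.compile(
        r"Migration of virtual machine (?P<vm>\S+) from (?P<src_host>\S+) to (?P<dst_host>\S+)")),
    ("application", re.compile(
        r"(?P<vm>\S+) on (?P<vm_host>\S+) in \S+ is powered (?P<state>on|off)")),
]

# Daemons that only run on ESXi or vCenter: seeing one as the logging process is
# the event-based detection of a hypervisor or management server (assumed table).
PROCESS_ROLE = {"Hostd": "ESXi", "vmkernel": "ESXi", "vobd": "ESXi",
                "vpxa": "ESXi", "vpxd": "vCenter"}

# Constructed sample lines in the style of hostd/vpxd output; the last line is
# an unrelated sshd message that should be ignored.
SAMPLE_LOG = """\
2015-01-06T10:00:01Z esx01 Hostd: [7FA5B3C0 info 'Vimsvc.ha-eventmgr'] Event 12 : User root@10.0.1.20 logged in as VMware-client/5.5.0
2015-01-06T10:00:05Z esx01 Hostd: [7FA5B3C0 info 'Vimsvc.ha-eventmgr'] Event 13 : Rejected password for user root from 10.0.9.9
2015-01-06T10:01:10Z vcenter01 vpxd: [7F1A2B info 'vpxdvpxdVmomi'] Event 501 : Migration of virtual machine web01 from esx01 to esx02 completed
2015-01-06T10:02:00Z esx02 Hostd: [7FA5B3C0 info 'Vimsvc.ha-eventmgr'] Event 14 : db01 on esx02 in ha-datacenter is powered off
2015-01-06T10:03:00Z esx01 Hostd: [7FA5B3C0 info 'Vimsvc.ha-eventmgr'] Event 15 : User admin@10.0.1.22 logged in as VMware-client/5.5.0
2015-01-06T10:03:30Z fileserver01 sshd[2211]: Accepted publickey for alice from 10.0.1.21 port 51022 ssh2
"""


def parse_line(line):
    """Split one syslog line into its fields; None if the line is not syslog-shaped."""
    m = SYSLOG.match(line)
    return m.groupdict() if m else None


def normalize(line):
    """Return a normalized event dict for the first matching signature, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    for event_type, pattern in SIGNATURES:
        m = pattern.search(rec["msg"])
        if m:
            return {"type": event_type, "host": rec["host"],
                    "proc": rec["proc"], **m.groupdict()}
    return None


def normalize_log(log_text):
    """Normalize every line, dropping lines no signature matches."""
    return [e for e in (normalize(l) for l in log_text.splitlines()) if e]


def detect_vmware_hosts(log_text):
    """Event-based detection: map logging host -> role from the daemon name."""
    roles = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proc"] in PROCESS_ROLE:
            roles[rec["host"]] = PROCESS_ROLE[rec["proc"]]
    return roles


def event_summary(events):
    """Counts per event type, highest first (the ordering of the 7 Day Event Summary)."""
    counts = Counter(e["type"] for e in events)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def hosts_for_event(events, event_type):
    """The host summary an analyst sees after clicking a lit event indicator."""
    return sorted({e["host"] for e in events if e["type"] == event_type})


if __name__ == "__main__":
    evts = normalize_log(SAMPLE_LOG)
    print("detected:", detect_vmware_hosts(SAMPLE_LOG))
    print("summary:", event_summary(evts))
    print("login hosts:", hosts_for_event(evts, "login"))
```

Note that detection and normalization are deliberately separate passes: a line can identify a host as ESXi (because Hostd wrote it) even when its message matches no event signature, which is why a host can appear in the detection indicators while contributing nothing to the event summary.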

Once the hypervisors are properly identified, they can be scanned and their configurations audited using Nessus. When performing active scans of the hypervisors, SecurityCenter CV uses the vCenter API or the ESXi API to analyze the configuration and detect vulnerabilities. Detected vulnerabilities are identified by their VMSA number. VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.

SecurityCenter Continuous View supports tight integration and API extensibility with virtualization systems, SIEMs, malware defenses, patch management tools, BYOD, and firewalls.  LCE has the ability to scale to meet the future demand of monitoring virtualized systems, cloud services, and the proliferation of devices. PVS provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.  When combined, all of these features provide a more complete view into threat detection and vulnerability management.

VMware Threat Management - Detected vSphere Systems: This component displays a list of VMware vSphere systems detected on the network.  Nessus plugin 57396 identifies systems running VMware vSphere.  The table provides the IP address and the DNS name for each system.  The table is sorted by IP address, and shows up to 999 entries.   

VMware vCenter/vSphere Audit Results - Compliance Summary: When performing a configuration audit of systems in accordance with a GRC program, security analysts can benefit from a summary view of the data set. The VMware vCenter/vSphere Compliance Summary table provides a high-level view of the VMware vCenter/vSphere compliance status.

VMware Threat Management - VMSA Vulns by Year 2008 – 2012: This component lists VMware Security Advisories (VMSA) according to year and severity level.   The years covered in this component are 2008 – 2012.  VMware publishes VMSAs to document remediations for security vulnerabilities identified in VMware products.

VMware Threat Management - VMSA Vulns by Year 2013 – 2017: This component lists VMware Security Advisories (VMSA) according to year and severity level.   The years covered in this component are 2013 – 2017.  VMware publishes VMSAs to document remediations for security vulnerabilities identified in VMware products.

VMware Threat Management - VMware Event Indicators: This matrix provides indicators for the VMware normalized events.  The indicators provide saved event queries for all the normalized events for VMware products. The indicator will turn purple when a match is discovered.  Clicking on a purple indicator will redirect the user to the event analysis page, which presents an IP summary of all hosts where the normalized event was detected.

VMware Threat Management - Active Virtual Machines: This table lists the active virtual machines discovered by Nessus. Using plugin 57397 (VMware Active Virtual Machines) with credentials, Nessus enumerates the virtual machines hosted in the vSphere environment. When scanning vCenter, plugin 57397 attempts to discover active virtual machines; if any are detected, the table lists them along with their operational status.

VMware Threat Management - vSphere / ESXi Vulnerability Summary: This component provides a list of vulnerable vSphere or ESXi servers detected on the network.  The table uses the IP Summary tool and displays columns for the IP address, DNS Name, Total vulnerability count, and the vulnerability bar.  The colors in the bar indicate severity and are as follows: info is blue, low is green, medium is yellow, high is orange, and critical is red.  The number located within each color represents the number of vulnerabilities of that severity detected.  The filter detects vulnerabilities with VMSA as part of the plugin name.  VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.
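The two "VMSA Vulns by Year" components and the vulnerability summary above all start from the same filter (VMSA in the plugin name) and then aggregate differently: by advisory year and severity, or by host with a per-severity bar. The script below is an added example of that aggregation and is not SecurityCenter's own component definition. SAMPLE_FINDINGS is constructed plugin output in the shape (ip, dns_name, plugin_name, severity); its VMSA identifiers and descriptions are placeholders rather than real advisories, and it includes one row whose name contains "VMSA" but no parseable identifier to show where the two views diverge.

```python
"""Bucket Nessus VMSA findings the way the dashboard's vulnerability components do.

Added example, not SecurityCenter's own component definitions. SAMPLE_FINDINGS
is constructed plugin output in the shape (ip, dns_name, plugin_name, severity);
its VMSA identifiers and descriptions are placeholders, not real advisories.
"""
import ipaddress
import re

# Severity order of the vulnerability bar: info (blue) through critical (red).
SEVERITIES = ("info", "low", "medium", "high", "critical")

# VMSA identifiers have the form VMSA-YYYY-NNNN; the year component is what the
# "VMSA Vulns by Year" matrices key on.
VMSA_ID = re.compile(r"\bVMSA-(?P<year>\d{4})-\d{4}\b")

# Constructed sample rows. Rows without "VMSA" in the name are outside the
# dashboard's filter; the "patch status" row has "VMSA" but no identifier.
SAMPLE_FINDINGS = [
    ("10.0.1.11", "esx01.example.test", "VMSA-2014-0001 : sample ESXi advisory (constructed)", "critical"),
    ("10.0.1.11", "esx01.example.test", "VMSA-2013-0003 : sample ESXi advisory (constructed)", "high"),
    ("10.0.1.11", "esx01.example.test", "VMware ESXi VMSA patch status (constructed)", "low"),
    ("10.0.1.12", "esx02.example.test", "VMSA-2014-0001 : sample ESXi advisory (constructed)", "critical"),
    ("10.0.1.12", "esx02.example.test", "VMSA-2011-0002 : sample ESXi advisory (constructed)", "medium"),
    ("10.0.1.12", "esx02.example.test", "VMware vSphere Detect (constructed)", "info"),
    ("10.0.1.20", "vcenter01.example.test", "VMSA-2012-0005 : sample vCenter advisory (constructed)", "high"),
    ("10.0.1.50", "www01.example.test", "OpenSSL sample finding (constructed)", "critical"),
]


def vmsa_findings(rows):
    """The dashboard filter: keep rows whose plugin name contains 'VMSA'."""
    return [r for r in rows if "VMSA" in r[2]]


def vmsa_year(plugin_name):
    """Advisory year parsed from the VMSA identifier, or None if there is none."""
    m = VMSA_ID.search(plugin_name)
    return int(m.group("year")) if m else None


def by_year_and_severity(rows, start, end):
    """Year x severity matrix for one 'VMSA Vulns by Year' component."""
    matrix = {y: dict.fromkeys(SEVERITIES, 0) for y in range(start, end + 1)}
    for _, _, name, sev in vmsa_findings(rows):
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity {sev!r}")
        year = vmsa_year(name)
        # Rows with "VMSA" in the name but no identifier cannot be placed in a
        # year and are silently absent here, though they still count per host.
        if year is not None and start <= year <= end:
            matrix[year][sev] += 1
    return matrix


def host_summary(rows):
    """IP summary: per-host total plus the per-severity counts of the bar, sorted by IP."""
    summary = {}
    for ip, dns, _, sev in vmsa_findings(rows):
        if sev not in SEVERITIES:
            raise ValueError(f"unknown severity {sev!r}")
        entry = summary.setdefault(
            ip, {"ip": ip, "dns": dns, "total": 0, **dict.fromkeys(SEVERITIES, 0)})
        entry[sev] += 1
        entry["total"] += 1
    return sorted(summary.values(), key=lambda e: ipaddress.ip_address(e["ip"]))


if __name__ == "__main__":
    for label, span in (("2008-2012", (2008, 2012)), ("2013-2017", (2013, 2017))):
        print(label, {y: c for y, c in by_year_and_severity(SAMPLE_FINDINGS, *span).items()
                      if any(c.values())})
    for h in host_summary(SAMPLE_FINDINGS):
        print(h["ip"], h["dns"], h["total"], [h[s] for s in SEVERITIES])
```

The check worth keeping in mind when reading the real components together: the per-host totals and the year matrices are computed from the same filtered rows, so any difference between the sum of the two matrices and the sum of the host totals is exactly the set of findings whose plugin name mentions VMSA without a parseable identifier.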

VMware Threat Management - VMware Detection Indicators: This matrix provides VMware infrastructure detections using several different methods. Using active, passive, and event-based plugins, the matrix identifies several different elements of a VMware deployment. It provides indicators for workstation-based hypervisors, such as VMware Workstation or Fusion, and for infrastructure components such as ESXi and vCenter. When a match is found, the indicator turns purple.

VMware Threat Management - VMware vSphere / ESXi Vulnerability 90 Day Trend: The chart provides a summary of vulnerability count during the past 90 days for VMware Security Advisories (VMSA). VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.  The chart displays a line for each severity level, where low is green, medium is yellow, high is orange, and critical is red.  The data points are calculated every 24 hours to allow analysts to more accurately detect changes in the vulnerability count over time.

VMware Threat Management - VMware 7 Day Event Summary: This table provides a list of VMware normalized events detected over the past 7 days.  The results displayed are set to 25, as currently there are less than 25 possible normalized events.  The data is sorted on event count in descending order.