
VMware Threat Management

by Cody Dumont
January 6, 2015

Managing workstation vulnerabilities is often so time intensive that infrastructure vulnerabilities are overlooked.  Tenable’s SecurityCenter Continuous View (CV) provides the ability to track vulnerabilities and logs from VMware products.  This dashboard provides a single view of the current threats to the virtual infrastructure.  When analyzing threats to the virtual infrastructure, the security professional should combine active, passive, and event-based detection methods.  Additionally, Nessus can perform configuration audits through the vCenter API or by querying the ESXi hypervisors directly.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments.

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 6.1.1
  • LCE 4.4.1
  • PVS 4.0.3

The analysis of the virtual infrastructure begins with configuring the hypervisors and vCenter to send log data to the Log Correlation Engine (LCE) for event normalization and correlation.  LCE currently supports over 20 normalized VMware events.  The normalized events are grouped by event type; the VMware normalized events fall into the application, login, detected-change, and login-failure event types.  These events capture such things as admin logins, VM movements (such as vMotion), defragmentation, and power changes.

After log data is collected, the detection of hypervisors and virtual machines is possible by combining event-based detections with passive and active detection methods.  The event-based detections use signatures in the logs to identify the servers running hypervisor software.  Using active and passive detection, both hypervisors and virtual machines can be identified.

Once the hypervisors are properly identified, they can be scanned and their configurations audited using Nessus.  When performing active scans of the hypervisors, SecurityCenter CV uses the vCenter API or the ESXi API to analyze the configuration and detect vulnerabilities.  Each vulnerability found is identified by its VMSA number.  VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.

SecurityCenter Continuous View supports tight integration and API extensibility with virtualization systems, SIEMs, malware defenses, patch management tools, BYOD, and firewalls.  LCE has the ability to scale to meet the future demand of monitoring virtualized systems, cloud services, and the proliferation of devices. PVS provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities.  When combined, all of these features provide a more complete view into threat detection and vulnerability management.

VMware Threat Management - Detected vSphere Systems: This component displays a list of VMware vSphere systems detected on the network.  Nessus plugin 57396 identifies systems running VMware vSphere.  The table provides the IP address and the DNS name for each system.  The table is sorted by IP address, and shows up to 999 entries.   

VMware vCenter/vSphere Audit Results - Compliance Summary: When performing configuration audit of systems in accordance with a GRC program, security analysts can benefit from a summary view of the data set.  The VMware vCenter/vSphere Compliance Summary table provides a high-level view of the VMware vCenter/vSphere compliance status.  

VMware Threat Management - VMSA Vulns by Year 2008 – 2012: This component lists VMware Security Advisories (VMSA) according to year and severity level.   The years covered in this component are 2008 – 2012.  VMware publishes VMSAs to document remediations for security vulnerabilities identified in VMware products.

VMware Threat Management - VMSA Vulns by Year 2013 – 2017: This component lists VMware Security Advisories (VMSA) according to year and severity level.   The years covered in this component are 2013 – 2017.  VMware publishes VMSAs to document remediations for security vulnerabilities identified in VMware products.

VMware Threat Management - VMware Event Indicators: This matrix provides indicators for the VMware normalized events.  The indicators provide saved event queries for all the normalized events for VMware products. The indicator will turn purple when a match is discovered.  Clicking on a purple indicator will redirect the user to the event analysis page, which presents an IP summary of all hosts where the normalized event was detected.

VMware Threat Management - Active Virtual Machines: This table provides a list of active VMware virtual machines.  Using plugin 57397 (VMware Active Virtual Machines) and credentials, Nessus identifies the virtual machines running on the scanned vSphere systems.  When scanning vCenter, plugin 57397 will attempt to discover active virtual machines.  If virtual machines are detected, then a list of the machines will be displayed along with their operational status.

VMware Threat Management - vSphere / ESXi Vulnerability Summary: This component provides a list of vulnerable vSphere or ESXi servers detected on the network.  The table uses the IP Summary tool and displays columns for the IP address, DNS Name, Total vulnerability count, and the vulnerability bar.  The colors in the bar indicate severity and are as follows: info is blue, low is green, medium is yellow, high is orange, and critical is red.  The number located within each color represents the number of vulnerabilities of that severity detected.  The filter detects vulnerabilities with VMSA as part of the plugin name.  VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.
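The aggregation behind the vSphere / ESXi Vulnerability Summary and the two "VMSA Vulns by Year" components, as an added example that is not Tenable's code: it applies the "VMSA in the plugin name" filter described above, builds a per-host severity count like the IP Summary tool, and buckets advisories by year using the VMSA-YYYY-NNNN identifier. The findings, plugin names and hosts are constructed sample data, not real Nessus plugin entries.

```python
"""Added example, not Tenable code: aggregate VMware advisory findings the
way the dashboard's vSphere/ESXi summary and "VMSA Vulns by Year" components
are described.  FINDINGS is constructed sample data."""
import re
from collections import Counter
from ipaddress import ip_address

SEVERITIES = ("info", "low", "medium", "high", "critical")
# VMware advisory IDs have the form VMSA-YYYY-NNNN; the first group is the year.
VMSA_ID = re.compile(r"VMSA-(\d{4})-\d{4}")

# Constructed findings: (ip, dns_name, plugin_name, severity).  Plugin names
# are illustrative only.
FINDINGS = [
    ("10.0.0.12", "esxi02.example.test", "ESXi 5.1 patch (VMSA-2013-0001)", "critical"),
    ("10.0.0.12", "esxi02.example.test", "ESXi 5.1 patch (VMSA-2014-0003)", "high"),
    ("10.0.0.11", "esxi01.example.test", "ESXi 5.5 patch (VMSA-2014-0003)", "high"),
    ("10.0.0.11", "esxi01.example.test", "ESXi OpenSSL update (VMSA-2014-0006)", "medium"),
    ("10.0.0.20", "vcenter.example.test", "vCenter Server update (VMSA-2012-0013)", "medium"),
    ("10.0.0.20", "vcenter.example.test", "VMware vCenter Server Detection", "info"),
    ("10.0.0.30", "web01.example.test", "Apache HTTP Server outdated", "high"),
]


def vmsa_findings(findings):
    """The dashboard's filter: keep only plugins whose name contains 'VMSA'."""
    return [f for f in findings if "VMSA" in f[2]]


def ip_summary(findings):
    """Per-host severity counts, like the IP Summary tool.

    Returns rows of (ip, dns, total, {severity: count}) sorted numerically by
    IP address rather than as strings (string order puts 10.0.0.9 after 10.0.0.10)."""
    per_host = {}
    for ip, dns, _, sev in vmsa_findings(findings):
        row = per_host.setdefault((ip, dns), dict.fromkeys(SEVERITIES, 0))
        row[sev] += 1
    rows = [(ip, dns, sum(c.values()), c) for (ip, dns), c in per_host.items()]
    return sorted(rows, key=lambda r: ip_address(r[0]))


def vmsa_by_year(findings, first, last):
    """Counts keyed by (year, severity) for advisories dated first..last inclusive.

    The year comes from the VMSA-YYYY-NNNN identifier in the plugin name; a
    plugin that mentions 'VMSA' without a full identifier is skipped."""
    counts = Counter()
    for _, _, name, sev in vmsa_findings(findings):
        m = VMSA_ID.search(name)
        if m and first <= int(m.group(1)) <= last:
            counts[(int(m.group(1)), sev)] += 1
    return counts


def severity_bar(counts):
    """Text stand-in for the colored bar: 'severity:n' for each non-zero severity, critical first."""
    return " ".join(f"{s}:{counts[s]}" for s in reversed(SEVERITIES) if counts[s])


if __name__ == "__main__":
    for ip, dns, total, c in ip_summary(FINDINGS):
        print(f"{ip:<12} {dns:<22} {total:>3}  {severity_bar(c)}")
    for (year, sev), n in sorted(vmsa_by_year(FINDINGS, 2013, 2017).items()):
        print(year, sev, n)
```

Two practical caveats the component descriptions imply but do not spell out: the name-based filter only catches plugins that carry the advisory ID in their name, so a host that is missing a patch reported by a plugin without "VMSA" in its title will not appear in these tables, and the per-year buckets depend on the scan having been run with vCenter or ESXi credentials, since uncredentialed scans surface far fewer advisory-level findings.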

VMware Threat Management - VMware Detection Indicators: This matrix provides VMware infrastructure detections using several different methods.  Using active, passive, and event-based plugins, this matrix identifies several different elements of a VMware deployment.  The matrix provides indicators for workstation-based hypervisors, such as VMware Workstation or Fusion, and for infrastructure components such as ESXi and vCenter.  When a match is found, the indicator turns purple.

VMware Threat Management - VMware vSphere / ESXi Vulnerability 90 Day Trend: The chart provides a summary of vulnerability count during the past 90 days for VMware Security Advisories (VMSA). VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.  The chart displays a line for each severity level, where low is green, medium is yellow, high is orange, and critical is red.  The data points are calculated every 24 hours to allow analysts to more accurately detect changes in the vulnerability count over time.

VMware Threat Management - VMware 7 Day Event Summary: This table provides a list of VMware normalized events detected over the past 7 days.  The number of results displayed is set to 25, as there are currently fewer than 25 possible normalized events.  The data is sorted by event count in descending order.
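To make the event-side pipeline concrete, here is an added example (not LCE or Tenable code) that classifies ESXi-style syslog lines into three of the four event types named earlier (login, login-failure, detected-change), then produces the 7-day count table sorted by count descending as the VMware 7 Day Event Summary is described, and the per-event host list the Event Indicators matrix drills into. The log lines are constructed, the message patterns only approximate ESXi hostd/vpxa wording, and the normalized event names are hypothetical; none of this is LCE's actual signature set.

```python
"""Added example, not LCE code: normalize constructed ESXi-style syslog lines
and build a 7-day event summary.  Rules and event names are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized event names -> (event type, message pattern).
# Patterns approximate hostd/vpxa wording and are assumptions, not LCE rules.
RULES = [
    ("VMware-Login",           "login",           re.compile(r"User (\S+)@([\d.]+) logged in")),
    ("VMware-Login_Failure",   "login-failure",   re.compile(r"Rejected password for user (\S+) from ([\d.]+)")),
    ("VMware-VM_Migration",    "detected-change", re.compile(r"Migrating VM (\S+) to host (\S+)")),
    ("VMware-VM_Power_Change", "detected-change", re.compile(r"VM (\S+) powered (on|off)")),
]

# Constructed sample log: "TIMESTAMP HOST PROCESS: MESSAGE".  The last real
# line is older than 7 days relative to NOW and must drop out of the summary.
NOW = datetime(2015, 1, 6, 12, 0, 0)
SAMPLE_LINES = [
    "2015-01-05T08:12:01Z esxi01 Hostd: User root@10.0.0.5 logged in as VMware-client/5.5.0",
    "2015-01-05T08:12:30Z esxi01 Hostd: Rejected password for user root from 10.0.0.99",
    "2015-01-05T08:12:45Z esxi01 Hostd: Rejected password for user root from 10.0.0.99",
    "2015-01-05T09:00:00Z esxi01 vpxa: Migrating VM web01 to host esxi02",
    "2015-01-05T09:05:00Z esxi02 Hostd: VM web01 powered on",
    "2015-01-04T10:00:00Z esxi02 Hostd: User admin@10.0.0.7 logged in as VMware-client/5.5.0",
    "2015-01-05T09:10:00Z esxi02 Hostd: heartbeat ok",
    "2014-12-20T08:00:00Z esxi01 Hostd: Rejected password for user root from 10.0.0.99",
]


def parse(line):
    """Split the assumed 'TIMESTAMP HOST PROCESS: MESSAGE' layout into (when, host, message)."""
    ts, host, rest = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, rest


def normalize(line):
    """Return (event_name, event_type, host, when) for the first matching rule, else None."""
    when, host, msg = parse(line)
    for name, etype, pattern in RULES:
        if pattern.search(msg):
            return name, etype, host, when
    return None


def event_summary(lines, now, days=7, limit=25):
    """Count normalized events inside the window; sort by count descending
    (ties broken by name so output is stable) and cap at `limit` rows."""
    start = now - timedelta(days=days)
    counts = Counter()
    for line in lines:
        hit = normalize(line)
        if hit is not None and start <= hit[3] <= now:
            counts[hit[0]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def hosts_by_event(lines, now, days=7):
    """Hosts on which each normalized event fired in the window, i.e. the IP
    summary behind a lit indicator."""
    start = now - timedelta(days=days)
    hosts = defaultdict(set)
    for line in lines:
        hit = normalize(line)
        if hit is not None and start <= hit[3] <= now:
            hosts[hit[0]].add(hit[2])
    return hosts


if __name__ == "__main__":
    for name, n in event_summary(SAMPLE_LINES, NOW):
        print(f"{n:>4}  {name}  hosts={sorted(hosts_by_event(SAMPLE_LINES, NOW)[name])}")
```

Note the time window is evaluated against an explicit `now` rather than the wall clock so the example runs deterministically offline; in practice the boundary matters, because a host whose clock is skewed will have its events land in the wrong day bucket and can vanish from or linger in the 7-day table.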
