Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Web Activity

by David Schwalenberg
September 23, 2015

Monitoring web activity for known threats or other related vulnerabilities is often difficult for security operations.  Many organizations have content filters, anti-virus gateways, and intrusion detection/prevention systems; but security analysts often times do not have direct access to the logs for these systems.  SecurityCenter Continuous View (CV) allows the operations team to monitor web activity via sniffing DNS requests and monitoring related traffic.

Monitoring DNS activity can be accomplished by setting the Passive Vulnerability Scanner (PVS) to monitor communication paths between clients and DNS servers. Additionally the DNS server can be configured send logs to the Log Correlation Engine (LCE).  LCE then creates summary events of DNS queries and the information can be logged and analyzed.  The dashboard uses the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed.  Searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP address since the last such event for that system (which may be as often as hourly). The dashboard components can be altered as needed to add or remove domains of interest. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filters in the components.

There are two key items to remember when performing DNS analysis. First, the detection of a DNS query for a site does not necessarily mean that the site was visited.  The event can be the result of site-related icons or thumbnails being displayed on other web pages. Second, this dashboard relies on PVS detections being forwarded to the LCE. Make sure that the PVS is configured to send syslog messages to the LCE: in Configuration > PVS Settings > Syslog, include the LCE host (with port 514) in the Realtime Syslog Server List. The LCE listens for syslog messages by default.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.

The dashboard requirements are:

  • SecurityCenter 4.8.2
  • PVS 4.4.0
  • LCE 4.6.0

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. PVS provides deep packet inspection to continuously discover vulnerabilities and Indicators of Compromise (IOC) traveling the wire. LCE correlates real-time events, such as DNS queries, and then performs analysis to discover vulnerabilities and IOC.  LCE also has the capability to discover users, operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and other critical infrastructure. SecurityCenter CV allows for the most comprehensive and integrated view of network health.

For a procedure to get sorted lists of websites accessed, see Use SecurityCenter to Obtain a List of Websites Accessed.

Listed below are the included components:

  • Web Activity - Suspicious Activity Detected in Last 72 Hours - This matrix presents detections of potentially suspicious web activity that have occurred in the last 72 hours. Red indicators signify activity of high severity; orange indicators signify activity that is less severe, but warrants further investigation.
  • Web Activity - SSL Activity Detected in Last 72 Hours - This matrix presents informational indicators of SSL events that have occurred in the last 72 hours, including access to cloud file storage, access to social media (such as Facebook or Twitter), access to media/communication services (such as Netflix or Skype), access to anonymous proxy services (which allow anonymous access to the Internet), access to services commonly used for sensitive data, and access to services used for processing credit card transactions.
  • Web Activity - Top-Level Domain Accesses in Last 72 Hours - This matrix presents informational indicators of top-level domains of interest accessed in the last 72 hours. This component can be altered to add or remove top-level domains of interest as needed. These indicators use the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). This component can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filter for these indicators. Note that the PVS-DNS_Top_Level_Domain_Queries event is not used here, as its output will not necessarily be limited to the last 72 hours.
  • Web Activity - Potentially Unauthorized Accesses in Last 72 Hours - This matrix presents warning indicators of popular but potentially unauthorized domains of interest accessed in the last 72 hours. This component can be altered to add or remove domains of interest as needed. These indicators use the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). This component can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filter for these indicators.
  • Web Activity - 7-Day Trend of SSL Activity - This chart presents a 7-day trend graph of various SSL events, including access to cloud file storage, access to social media (such as Facebook or Twitter), and access to media/communication services (such as Netflix or Skype).
  • Web Activity - 7-Day Trend of Potentially Unauthorized Accesses - This chart presents a 7-day trend graph of accesses to popular but potentially unauthorized domains, including several games, video, dating, torrent, and porn sites. This component can be altered to add or remove domains of interest as needed. This chart uses the Domain_Summary, Domain_Failure_Summary, and SSL_Cert_Summary events, which all provide lists of domains accessed; searches are performed within these events to find specific domains of interest. Each summary event for a given IP address provides the domains accessed by that IP since the last such event for that IP (which may be as often as hourly). This component can be altered to add or remove domains of interest as needed. If failed attempts to access domains do not need to be tracked, remove the Domain_Failure_Summary event from the filter in each series.
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.