by Cody Dumont
June 22, 2015
As defined in the Tenable Critical Cyber Controls, the first of 5 controls is “maintain an inventory of software and hardware”. Discovery of all assets is a critical first step in setting up continuous network monitoring. This Assurance Report Card (ARC) will help to identify authorized or unauthorized systems and track scan coverage.
As the IT landscape changes, so does the organization's ability to locate the assets that need protection. The CISO of an organization needs to be able to identify hardware and software assets at a glance in order to communicate effectively with the board of directors and the operations teams. The CISO must be able to understand the risks associated with mobile devices and to see whether an unacceptable number of devices are not properly classified. When discussing the risk associated with computer assets, the CISO should be able to see the detection coverage at a glance and validate whether devices are authorized on the network.
This Assurance Report Card (ARC) provides the CISO and the operations team with a high-level view of assets within the organization. The ARC uses Tenable.sc’s dynamic assets to identify hosts on the network that have been detected and properly classified. A separate policy statement identifies those hosts that have not been properly classified, while another policy statement identifies hosts properly configured in DNS, indicating the systems are authorized to be present. There are also policy statements detecting application inventory and usage of authorized cloud services.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The ARC can be located in the feed by selecting the category Executive and then selecting the tags asset and inventory. The ARC requirements are:
- Tenable.sc 5.0
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
This ARC uses all aspects of continuous network monitoring, including scanning, sniffing, and log correlation. Using each of these technologies allows Tenable to provide a unique combination of detection, reporting, and pattern recognition utilizing industry-recognized algorithms and models. Tenable.sc Continuous View (CV) integrates with many technologies such as patch management, mobile device management, malware defenses, network infrastructure, cloud services, and other log analysis platforms to provide a holistic approach to risk analysis, starting with asset discovery.
ARC Policy Statements:
Less than 20% of systems are unclassified assets: This policy discovers any systems without a normalized classification. (This system classification is for asset inventory only and does not reflect any potential security classification.) The system classifications are Windows Hosts, Linux Hosts, Firewalls, Routers, Switches, VPN devices, and Mobile devices. If fewer than 20% of systems are unclassified, this policy shows Compliant in green.
Greater than 75% of systems identified by passive asset classification have also been evaluated by active device scanning: To ensure the network is covered and all devices are identified, this policy shows Compliant in green when more than 75% of systems passively identified by NNM have also been actively scanned by Nessus for further device evaluation.
Greater than 70% of systems are registered in DNS: This policy tracks systems that have been scanned or sniffed but do not have an FQDN. Devices not found in DNS could often be rogue devices and should be tracked down immediately to identify their true purpose. This policy statement displays Compliant in green if more than 70% of systems are registered in DNS.
Greater than 70% of systems have had software inventoried within the last 90 days: This policy monitors the software enumeration informational vulnerabilities and determines whether the software on each system has been inventoried. This policy statement displays Compliant in green when more than 70% of systems have been scanned with an appropriate software enumeration plugin. Software enumeration is supported on Windows, Linux, and Solaris.
All mobile device assets are found to have no serious vulnerabilities: This policy provides a summary of mobile devices detected using active and passive means. The asset used first identifies systems that have been detected actively or passively, then matches them against many of the common mobile operating systems. This policy shows Compliant if mobile devices are present and none of them has vulnerabilities of medium, high, or critical severity.
Systems are using only authorized cloud services (Salesforce, Netsuite, Webex): The policy identifies all users of authorized cloud services by first detecting systems using the cloud service identified by active and passive methods. Next, several plugins are searched to match for authorized cloud services. The authorized services are identified as Salesforce, Netsuite, and Webex. While there are certainly more cloud services that may be authorized, each organization should determine that based on their own needs. To add more authorized cloud services, add the appropriate plugins to the "Hosts using cloud services" asset list. This policy will show Compliant in green when any host is communicating only with authorized cloud services.
Greater than 25% of systems are sending logs for analysis: The policy tracks which systems are sending logs to LCE for analysis and normalization. The policy identifies all systems detected using active and passive methods, then looks for the Process Statistics plugin (800024). When systems are correctly configured to send syslogs to LCE, the process statistics are collected and analyzed by LCE. The policy shows Compliant in green when more than 25% of systems are sending logs to LCE.
Systems detected using event correlation: This policy uses three event plugins to track systems discovered through event correlation. The policy uses an asset in its compliant filter; the asset is built from three event-type plugins: Host Discovered (800000), Login Statistics (800019), and Login Failure Statistics (800020). The CISO can gain an understanding of the number of systems detected by collecting logs from other systems. The policy shows Compliant when any host is discovered by event correlation.
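The policy statements above all follow one of two shapes: a percentage of a base asset that meets a condition compared against a threshold, or an "any host" test that passes when at least one matching host exists and none of them is disqualified. The following Python script is an added example, not code from the post or from Tenable.sc; it models a small constructed inventory of hosts and evaluates each of the eight statements the way the ARC describes them. The Host fields, the sample hosts, and the reading of the cloud-services statement as "cloud-using hosts exist and none uses an unauthorized service" are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed host records standing in for Tenable.sc dynamic asset membership.
# Field names and values are assumptions made for this example, not Tenable.sc data structures.
@dataclass
class Host:
    ip: str
    classification: Optional[str]          # e.g. "Windows Hosts"; None means unclassified
    passive: bool                          # detected passively by NNM
    active: bool                           # scanned actively by Nessus
    fqdn: Optional[str]                    # name registered in DNS, None if absent
    sw_inventory_age_days: Optional[int]   # days since a software enumeration plugin last ran
    mobile: bool
    worst_severity: str                    # "none", "low", "medium", "high" or "critical"
    cloud_services: List[str] = field(default_factory=list)
    sends_logs: bool = False               # Process Statistics (800024) events seen by LCE
    event_discovered: bool = False         # Host Discovered (800000), Login Statistics (800019)
                                           # or Login Failure Statistics (800020) events seen

Pred = Callable[[Host], bool]
AUTHORIZED_CLOUD = {"Salesforce", "Netsuite", "Webex"}
SERIOUS = {"medium", "high", "critical"}

def ratio_policy(numerator: Pred, base: Pred, threshold: float, greater_than: bool = True):
    """Percentage statement: share of hosts in `base` that also satisfy `numerator`,
    compared against `threshold`.  Compliant when the share is above (or, for
    `greater_than=False`, below) the threshold.  An empty base is non-compliant."""
    def evaluate(hosts: List[Host]) -> Tuple[bool, float]:
        members = [h for h in hosts if base(h)]
        if not members:
            return False, 0.0
        pct = 100.0 * sum(1 for h in members if numerator(h)) / len(members)
        return (pct > threshold if greater_than else pct < threshold), pct
    return evaluate

def any_host_policy(matches: Pred, disqualifies: Pred = lambda h: False):
    """'Any host' statement: compliant when at least one host matches and none of the
    matching hosts is disqualified (e.g. a mobile device with a serious vulnerability)."""
    def evaluate(hosts: List[Host]) -> Tuple[bool, float]:
        matched = [h for h in hosts if matches(h)]
        ok = bool(matched) and not any(disqualifies(h) for h in matched)
        return ok, float(len(matched))
    return evaluate

everyone: Pred = lambda h: True

# One entry per ARC policy statement, in the order the post lists them.
POLICIES = {
    "unclassified": ratio_policy(lambda h: h.classification is None, everyone, 20, greater_than=False),
    "passive_vs_active": ratio_policy(lambda h: h.active, lambda h: h.passive, 75),
    "dns": ratio_policy(lambda h: h.fqdn is not None, everyone, 70),
    "sw_inventory": ratio_policy(
        lambda h: h.sw_inventory_age_days is not None and h.sw_inventory_age_days <= 90, everyone, 70),
    "mobile": any_host_policy(lambda h: h.mobile, lambda h: h.worst_severity in SERIOUS),
    # Interpretation used here: cloud-using hosts exist and none uses an unauthorized service.
    "cloud": any_host_policy(lambda h: bool(h.cloud_services),
                             lambda h: not set(h.cloud_services) <= AUTHORIZED_CLOUD),
    "logs": ratio_policy(lambda h: h.sends_logs, everyone, 25),
    "event_correlation": any_host_policy(lambda h: h.event_discovered),
}

def evaluate_arc(hosts: List[Host]) -> Dict[str, Tuple[bool, float]]:
    """Return {policy: (compliant, measured value)} for every policy statement."""
    return {name: policy(hosts) for name, policy in POLICIES.items()}

# Constructed sample inventory (six hosts) used to exercise the statements.
SAMPLE_HOSTS = [
    Host("10.0.0.1", "Windows Hosts", True, True, "ws1.corp.example", 10, False, "high",
         ["Salesforce"], sends_logs=True, event_discovered=True),
    Host("10.0.0.2", "Linux Hosts", True, True, "db1.corp.example", 30, False, "medium",
         sends_logs=True, event_discovered=True),
    Host("10.0.0.3", "Routers", True, False, "rtr1.corp.example", None, False, "low", sends_logs=True),
    Host("10.0.0.4", None, True, True, None, None, False, "none"),
    Host("10.0.0.5", "Mobile devices", True, False, "phone5.corp.example", None, True, "low", ["Webex"]),
    Host("10.0.0.6", "Linux Hosts", False, True, "build6.corp.example", 120, False, "critical",
         event_discovered=True),
]

if __name__ == "__main__":
    for name, (ok, value) in evaluate_arc(SAMPLE_HOSTS).items():
        print(f"{name:20s} {'Compliant' if ok else 'Non-compliant':14s} {value:6.1f}")
```

Running the script shows the two statement shapes side by side: the percentage statements report the measured share (for example, only three of the five passively detected sample hosts have also been actively scanned, so the 75% statement is non-compliant), while the "any host" statements report how many hosts matched. Adding a host that uses a service outside AUTHORIZED_CLOUD flips the cloud statement to non-compliant, which mirrors extending the "Hosts using cloud services" asset list in the real ARC.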