Channel: Tenable Blog

The Tenable Cloud Philosophy

When Tenable built out our cloud infrastructure, we focused on three key areas: security, cost and scale. For most information security professionals, these are the principal drivers that factor into cloud service choices. Listen to Sean Molloy, Tenable’s Vice President of Cloud Services, as he discusses the Tenable cloud philosophy and the advantages of Nessus® Cloud.

Tenable’s vision is to make all of our products available in the cloud. Nessus is available both on-premises and cloud-based, with the same functionality in both versions. Nessus Cloud is fully distributed internationally.

Learn more about Nessus Cloud

Nessus Cloud delivers internal and external as well as agent-less and agent-based scanning in an easy to deploy and maintain cloud-hosted solution. Nessus Cloud is also a PCI DSS Approved Scanning Vendor (ASV) solution.


Getting Users to Take Security Threats Seriously

In many respects, end users are the weakest links in data security. With the proliferation of personal devices and cloud services at work, firewalls are not enough protection.

In Getting Users to Take Security Threats Seriously, Diane Garey proposes several methods to help end users take security seriously, including education, awareness programs, and protective technologies.

This article appears on behalf of Tenable Network Security as part of a BrandPost initiative that CIO.com is hosting this month.

Read the full article

The Advantages of Running Nessus Cloud on AWS

Nessus® Cloud provides comprehensive vulnerability management (VM) in an easy to deploy cloud-hosted solution running on Amazon Web Services (AWS). AWS provides significant benefits over privately hosted cloud VM solutions. Scalability, scanners located across the globe, and regional data pinning are just a few of the most significant features of an AWS deployment. Listen to Matt McClellan, Tenable’s Product Manager for Nessus, as he discusses the advantages of Nessus Cloud for our international customer base.

Learn more about Nessus Cloud

Nessus Cloud combines the ease of a cloud-hosted solution with the power of Nessus to provide extensive capabilities in support of your vulnerability management team. Nessus Cloud is also a PCI DSS Approved Scanning Vendor (ASV) solution.

Remediation Prioritization with Curated Vulnerabilities using Nessus (aka #CaughtWithPantsDown)

Almost every day we face the constant challenge of choosing from things that need our urgent attention and ones that are important. How we classify and prioritize these items largely reflects our true character. Procrastinate enough, and it doesn't take long for important items to become urgent. Fail to distinguish urgent items from the important, and it could lead to catastrophic failure. In short, identifying our priorities and executing them in our daily workflow is the key to success in any walk of life. And when it comes to vulnerability management, it’s no different.

Not a day goes by when we don’t hear about a new breach affecting another major corporation. In fact, it has become so common these days that we aren’t far from the day when it would be newsworthy to have no breaches. IBM even mocked this concept in their latest ad. And when that eventual breach does happen, the usual scapegoats (admins/CISOs/CIOs) get rounded up by the media, pundits and anyone who wants to publicly humiliate these people—who in most cases are just trying to do the best job they possibly can do.

Assigning blame to scapegoats and embarrassing them is easy. I routinely hear comments such as “oh, these guys were so lame they had default accounts all over the place” or “we could break into the network with a year old code execution flaw.” One thing that rarely gets mentioned is maybe—just maybe—the security teams were overwhelmed with the data that came out of all the sensors they bought, or the security team was short staffed and couldn't possibly deal with the avalanche of data that was reported.

To give you an example, if you assume a typical 5,000 host Nessus® scan, and a conservative hit rate of 0.0025% for approximately 90k Nessus plugins, you still end up with a million results. And even if you patched 99.99% of those vulnerabilities, and missed just one really critical flaw, it could be game over. So how you patch, what you patch and how you prioritize the use of your resources is very important.

With the release of Nessus 6.5, we are adding several more filters to help you make those decisions, and to make them quickly. Our engineers brought this feature to life by curating vulnerabilities that we deemed to be critical.

Curated vulnerabilities

So what are curated vulnerabilities? These are the choicest of vulnerabilities, plucked from your organization’s garden, ripe for hackers to plunder.

Internally, we refer to this feature as #CaughtWithPantsDown. Why? Well, if your organization gets breached, is investigated post-breach and these vulnerabilities show up on your report, then you will be caught with your pants down—at least figuratively. There is just no excuse.

New criteria

So what are some of the new filters/criteria that you can use to prioritize your remediation workflow?

Exploited By Nessus

Frequently, when Nessus is trying to verify a vulnerability, it will actively try to exploit the flaw and show the results in a report. For example, it may run a command such as ipconfig or id, or grab the contents of /etc/passwd or boot.ini, and display the result in the plugin output. If Nessus can exploit it, then anyone with a free HomeFeed® Nessus subscription or above can, and most likely will, review the plugin source and take it to the next level. Therefore, such vulnerabilities should be patched immediately.

Default/Known Accounts

This one is self-explanatory. There is no reason to have default or known accounts with default passwords on the network. They should either be disabled or updated with non-default passwords.

Malware/Suspicious IPs

Over the past few years Nessus has made major strides in the area of malware detection and reporting. For example, Nessus can tell if a scanned host is on a known botnet list, is communicating with a known botnet IP, is hosting malicious content associated with botnet propagation, has a malicious process running, or even matches a custom malware MD5 hash list. If you get a hit for any of those plugins, you should take care of them right away.

In the News

For folks who work at Tenable or other security-focused companies, our world revolves around vulnerabilities and compliance. But that’s not the case if you are, say, an oil company. Given today’s oil prices, whether your organization has patched CVE-2014-0160 or not is probably the least of your problems. The point I am trying to make is that keeping your network secure is not why you are in business, so it’s possible you might not be up on the latest vulnerabilities. That’s why we have a new filter called In the News. These are vulnerabilities that have received a lot of media coverage in the recent past. For example: Heartbleed, Shellshock, Conficker, etc. These should be patched right away.

Unsupported By Vendor

And finally we come to unsupported software.

I once heard a story about a customer who, for some reason, thought Windows 98 was a more secure OS than the modern OSs. And I was curious to find out why. It turns out that Nessus only reported one critical flaw for Windows 98 and hundreds for others. Can you blame him for thinking that Windows 98 was better?

Don’t get tricked into believing that a low severity count for unsupported software applications means that they are better in any way. They are sleepers waiting to be exploited, and should be eradicated from your network as soon as possible.

These are just some of the new filters we have added. You can combine them with existing filters such as Exploit Available, Severity, Vulnerability Publication Date, etc. to come up with your own criteria for remediation prioritization.

Sample filter

Nessus Sample Filter

Post-scan action items and other use cases

With the addition of these new filters, it’s easy to create post-scan action items to share with your internal security teams to lower risk and better prepare for an external pentest. All you have to do is apply the filter and then click Export. The resulting report will be much smaller than your usual scan reports and is almost guaranteed to lower the risk to your organization, since it’s most likely that 10 urgent items will be fixed quicker than 100 important ones.

If you are a consultant or a pentester who uses Nessus for vulnerability assessments, you can now share these reports in addition to the regular scan reports to provide extra value for your services.

Conclusion

Like most Nessus features, this feature arose from the sense of purpose we share at Tenable: if we care about something deeply enough and want to see it in our products, then there is a good chance that others would want to see it too.

This feature was also born out of Tenable’s recent Init15 hackathon. Not surprisingly, customers like you voted it as the winner, and now we are delivering on it.

Going forward, we will keep making refinements to this concept, but that shouldn’t stop you from using it right away—or should I say, keeping your pants up!

Securing the Emerging Digital Business Environment: The Gartner Symposium

Last week, close to 15,000 attendees descended upon Gartner Symposium, one of the largest gatherings of CIOs and senior IT executives. The Symposium included over 375 presentations that focused on bimodal IT, cloud, IoT, security, mobility and more. We’ve gathered some of the key takeaways and insights from the conference here.

When Peter Sondergaard, Senior Vice President and Global Head of Research for Gartner, took the stage for the opening keynote at Gartner Symposium/ITxpo 2015, he stressed the growth of digital business. Next year, spending on IoT hardware will exceed $2.5 million every minute; in five years, one million new devices will come online every hour; global digital commerce has reached $1 trillion. Digital business is exploding and enabling organizations to create more connections than ever before. With every new connection comes added pressure to accurately gauge risk at the endpoint as well as at the data’s place of origin. How do you ensure that these connections are secure and not harmful to health and safety, privacy of data, or the infrastructure protection of your business? With so many risks and liabilities associated with IoT, businesses need fast, responsive solutions sooner rather than later.

The imminent revolution

Tom Scholtz, VP and Gartner Fellow, delivered a presentation titled, “To the Point: The Imminent Revolution in Information Security.” During his presentation, Scholtz detailed the security concerns of the new digital business arena. He emphasized that the orthodox approach to security—one that is based on control—no longer works. Control does not scale because there are simply too many identities, devices, data and threats that organizations must track. The fundamental security truths that we have come to know—prevention is better than cure, humans are the weakest link, and default should be to deny—are being shattered by digital business.

To address these changes, security environments must become foundations for an adaptive, context aware, dynamic, trust-based architecture. This architecture will be built on the philosophy of detect and respond; 60% of enterprises’ information security budgets will be allocated for rapid detection and response approaches by 2020.

Balancing risk

Paul Proctor, VP Distinguished Analyst for Gartner, presented an enlightening session on “What Every CIO Should Know About Security and Risk.” In a recent Gartner survey of over 2,800 CIOs, almost 70% of respondents said that their risk management investments and disciplines are falling behind. With the blurring of the lines between the physical and digital in this digital business era, now is the time to get risk management right before organizations start failing to take advantage of critical business opportunities.

The discussion around risk management is changing. Security professionals are now beginning to enable executives to make business decisions around risk. Risk can never be completely eliminated, so it’s important to prioritize risk in a manner that allows executives to make informed decisions. “Well positioned risk-based decisions will balance the needs to protect the organization against the needs to run the business,” said Proctor.

The Tenable solution

To succeed in this era of digital business, organizations must be willing to adjust the way they think about security. Tenable’s SecurityCenter Continuous View™ provides organizations with a way to continuously measure the effectiveness of their security program while ensuring that the highest priority security problems are being addressed. Assurance Report Cards, available in SecurityCenter Continuous View, communicate an organization’s risk and security posture in a manner that both executives and board members can easily understand.

New to Nessus: More Cloud Support, Init15 Voting Winners and More

We are pleased to announce the release of Nessus 6.5. Like all new releases of Nessus®, this one is chock full of great new capabilities. I’ll hit a few highlights here. Visit the New in Nessus 6.5 web page for more details and a complete list.

Cloud support

Nessus Agents cloud OS support

We know that many of our Nessus customers are moving some or all of their IT assets to the cloud, so we’re continuing to add capabilities to help them make sure their cloud environment is free of vulnerabilities and configuration issues.

Nessus 6.5 adds Nessus Agent operating systems support for popular cloud operating systems (Note: You can also use agents on these OSs if you’re running them in a physical or virtual environment):

  • Amazon Linux
  • Debian Linux
  • Ubuntu Linux

According to ZDNet, Ubuntu is by far the most popular cloud operating system, running in Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, Fujitsu, and Joyent. So if you’re spinning up IT services in the cloud and running one of these popular OSs, consider using Nessus Agents to check for vulnerabilities and configuration issues.

Amazon Linux Agent Scan

New Nessus scanner for AWS

We’re making it easier for organizations using AWS to scan EC2 instances with Nessus. With Nessus 6.5, we’ve introduced a new scanner for AWS that comes with your Nessus Cloud license. Simply install the scanner in your AWS environment, point it at the targets you’d like to scan, and then view and manage the scan results in Nessus Cloud.

Note: This new Nessus scanner will soon be available in AWS Marketplace.

Nessus Scanner for AWS

Init15 voting winners

The Tenable hackathon, dubbed Init15, was an intense 60-hour event for the Tenable R&D and product management teams held in Las Vegas this summer. The product teams came up with fantastic new enhancement ideas for Tenable products, customers voted on their favorites, and we're pleased to announce that the top three vote-getting enhancements made it into this release.

Remediation Prioritization (Caught With Your Pants Down)

New filters in Nessus 6.5 help customers prioritize which vulnerabilities they should remediate first. There are five new filters you can use to address the most critical of vulnerabilities. For example:

  • Can the vulnerability be exploited by Nessus? If so, that means anyone else using Nessus, including the many people who have the most basic Nessus Home account, can too.
  • Is it a vulnerability on an asset that is no longer supported by the vendor, for example a vulnerability in Windows 98? That means it’s never going to be fixed.
  • Is it a vulnerability that’s recently in the news, like Shellshock or Heartbleed?

Using these or the other new filters will help you make best use of resources and fix those vulnerabilities that could cause the biggest holes in your attack surface.

Remediation Prioritization (Caught with Pants Down)

SAML Authentication for Nessus Cloud

The second new feature that came from Init15 voting is a micro-services based architecture that lets customers use SAML authentication services (such as Okta) for access to Nessus Cloud.

SAML

Nessus Cloud Two Factor Authentication

And finally, thanks to customer votes, Nessus Cloud now includes two-factor authentication using Twilio and SMS.

Note: This capability will initially be available for Nessus Cloud customers in North America; we expect it will be expanded to other regions in the future.

Two Factor Authentication

Nessus Cloud regional data center availability

While not part of Nessus 6.5 itself, we made an announcement last week about Nessus Cloud regional data center availability. This includes expansion of Nessus Cloud services into Europe with its software as a service (SaaS) applications hosted on AWS in the AWS EU (Frankfurt) region. For organizations that want or need to maintain data storage in a local region, we're pleased to offer this capability as a Nessus cloud-hosted option.

Congratulations to the entire Nessus team on a successful launch. Many thanks to Matt McClellan, Corey Bodzin and Glen Pendley for their contributions to this article.

Mobile Device App Inventory Auditing with Nessus 6.5

In the world of mobile apps, if you are looking for malware, there are apps (yes, plural) for that. How about one that leaks sensitive content? There are apps for that, too. Pick any other mobile attack vector; chances are there is an app for that as well. Regardless of how well your Mobile Device Management (MDM) policies are set up, if mobile apps are not part of your equation, then you are missing a big piece of the problem. After all, a smartphone is only as secure as the most insecure app on it.

And with millions of mobile apps to choose from, it seems that the next big opening into your network might just be an app away. To get a sense of how bad this problem is, all you have to do is look around for mobile app reputation services. There is literally a cottage industry built around recommending whether a mobile app is good, bad or ugly.

It’s only natural for our customers to look for a solution to solve this problem. With the release of Nessus® 6.5, we are expanding our MDM auditing capabilities to audit mobile apps installed on mobile devices.

When we set out to tackle this problem, we identified four areas where Nessus could add value. First, provide a way to review which mobile apps were installed on which mobile devices. Second, provide a way to determine whether all required apps are installed. Third, provide a way to verify that only whitelisted apps are installed. And finally flag any non-approved or blacklisted apps. Nessus 6.5 meets all these requirements.

Setup

To use this feature, simply upgrade to Nessus 6.5, use the MDM Config template, and follow the wizard to set up the scan. The existing MDM .audit policies have been updated to audit mobile apps, so they do the job for you.

Scanner templates

Installed apps

Before you can start creating a policy around mobile apps, you first need to know what kinds of apps are installed on the mobile devices. The Nessus MDM audit policies are updated in version 6.5 to report on all installed apps.

Installed apps

Required apps

As you start tightening your mobile app policy, you may want to make sure that certain apps are installed on all mobile devices managed by your organization. For example, you may have a requirement to have an anti-virus app or a VPN app installed on all devices. The updated audit policies will help you do that.

Whitelisted apps

Another variant of the required apps feature is the whitelisted apps feature. For example, your organization might decide to approve any app from Google. Therefore instead of approving each individual app, you could have a blanket approval for all apps from Google with a filter such as Google .+. Any app that is not part of the whitelisted pool of apps will be flagged.

Blacklisted apps

And finally, there are certain apps which shouldn’t be installed on mobile devices under any circumstance. This could be due to concerns around malware, privacy or even network bandwidth consumption. Any app that is part of a blacklisted pool of apps will be flagged.

Blacklisted apps

XcodeGhost affected apps

Sometimes the best features write themselves and the use cases for them just drop out of the sky. When we set out to implement the blacklisted apps feature in 6.5, XcodeGhost was not even on our minds, and yet when Nessus 6.5 ships, this might be the most important use case for this new feature. The updated audit policies will also help you look for XcodeGhost affected apps.

How are whitelist/blacklisted apps defined?

Now that you know it’s possible to create a blacklisted/whitelisted pool of apps in Nessus 6.5, the next question you may have is how to go about configuring these apps. The answer is pretty straightforward. The list is essentially a comma-separated list of apps, configurable through the Nessus UI for that specific .audit.

Here’s an example:

Configuring example

Note that it also accepts regexes and version numbers, which is a very powerful way to blanket approve/disapprove apps either by app name or by version number. By default, the lists are not defined (.*) and will report a PASS result.
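To make the required/whitelisted/blacklisted semantics from the sections above concrete, here is an added Python illustration of the audit logic; it is not Nessus or Tenable code. It assumes each list is a comma-separated set of regular expressions matched (full match, case-insensitive) against "app name version", and that an undefined list reports PASS as the post states; the device names, app names and list contents are constructed sample data.

```python
"""Audit a mobile app inventory against required, whitelisted and blacklisted
app lists: the four checks described in the post (which apps are installed
where, required apps present, only whitelisted apps present, no blacklisted
apps present).

Added example; not Nessus or Tenable code. Assumptions: each list is a
comma-separated set of regular expressions, matched case-insensitively as a
full match against "<app name> <version>", so "Google .+" approves every
Google app and "Facebook 4[0-9]\\..*" pins a version range. An undefined
(empty) list reports PASS: an empty whitelist allows everything, an empty
blacklist or required list flags nothing.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    name: str
    version: str

    def label(self) -> str:
        # The string every list entry is matched against.
        return f"{self.name} {self.version}"


def parse_list(spec: str) -> list[re.Pattern]:
    """Split a comma-separated list of regexes into compiled patterns.
    Whitespace around entries is ignored; an empty spec yields no patterns.
    Limitation of this toy format: a regex containing a comma (e.g. a {2,3}
    quantifier) cannot be expressed."""
    return [re.compile(e.strip(), re.IGNORECASE)
            for e in spec.split(",") if e.strip()]


def matches_any(app: App, patterns: list[re.Pattern]) -> bool:
    return any(p.fullmatch(app.label()) for p in patterns)


def audit_device(device: str, apps: list[App], required: str = "",
                 whitelist: str = "", blacklist: str = "") -> dict:
    """Return the PASS/FAIL result for one device plus the apps that caused it."""
    req, allow, deny = (parse_list(s) for s in (required, whitelist, blacklist))
    # Required: every pattern must be satisfied by at least one installed app.
    missing = [p.pattern for p in req
               if not any(p.fullmatch(a.label()) for a in apps)]
    # Whitelist: anything outside the approved pool is flagged (only if defined).
    not_whitelisted = [a.label() for a in apps
                       if allow and not matches_any(a, allow)]
    # Blacklist: anything inside the forbidden pool is flagged.
    blacklisted = [a.label() for a in apps if matches_any(a, deny)]
    failed = bool(missing or not_whitelisted or blacklisted)
    return {"device": device, "status": "FAIL" if failed else "PASS",
            "missing_required": missing, "not_whitelisted": not_whitelisted,
            "blacklisted": blacklisted}


def app_inventory(fleet: dict[str, list[App]]) -> dict[str, list[str]]:
    """Which app/version is installed on which devices (the installed-apps view)."""
    inv: dict[str, list[str]] = {}
    for device, apps in fleet.items():
        for a in apps:
            inv.setdefault(a.label(), []).append(device)
    return inv


# Constructed sample inventory: two managed phones (not real MDM data).
FLEET = {
    "phone-01": [App("Google Maps", "9.1.2"), App("Acme VPN", "2.0"),
                 App("Acme Antivirus", "1.4"), App("Facebook", "45.0.1")],
    "phone-02": [App("Google Chrome", "45.0"), App("Facebook", "38.2"),
                 App("Flashlight Pro", "1.0")],
}
REQUIRED = "Acme VPN .*, Acme Antivirus .*"          # VPN and AV must be present
WHITELIST = "Google .+, Acme .+, Facebook 4[0-9]\\..*"  # blanket approvals + version pin
BLACKLIST = "Flashlight.*"                           # never allowed


def audit_fleet(fleet=FLEET, required=REQUIRED,
                whitelist=WHITELIST, blacklist=BLACKLIST) -> dict[str, dict]:
    return {d: audit_device(d, apps, required, whitelist, blacklist)
            for d, apps in fleet.items()}


if __name__ == "__main__":
    for result in audit_fleet().values():
        print(result)
```

phone-01 passes every check; phone-02 fails for a missing VPN and antivirus app, an out-of-range Facebook version, and a blacklisted flashlight app, which is the kind of short action list the post describes exporting.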

Which MDMs are supported?

Nessus 6.4 includes MDM auditing capabilities for MobileIron and AirWatch, and Nessus 6.5 extends those capabilities to audit Mobile Apps. Nessus 6.5 also includes the ability to audit mobile apps with Apple Profile Manager.

Sample

Final thoughts

If you watch Nessus releases closely, you may have noticed that Tenable’s mobile story is steadily growing. We first released the capability to detect mobile device vulnerabilities including jailbroken devices; we then followed it up by integrating Nessus with MDM platforms such as MobileIron. And just last quarter we took our integrations to the next level by auditing the MDM policies themselves. Now we are adding the ability to audit mobile apps installed on mobile devices. We’re not done! When it comes to auditing mobile devices, we are just getting started.

Are You Making This Endpoint Security Mistake?

In the modern IT landscape, detecting threats is no longer enough for an effective cybersecurity program. To be successful in protecting endpoints, you must also remediate vulnerabilities, identify weaknesses, find unprotected hosts, and monitor for indicators of compromise.

In a recent article on Dark Reading, Are You Making This Endpoint Security Mistake?, Manish Patel explains how continuous network monitoring can help round out an endpoint security program. He also invites readers to register for the upcoming Tenable webcast on endpoint security.

This article appears on behalf of Tenable Network Security as part of a Partner Perspectives initiative that Dark Reading is hosting.

Read the full article


Real-Time Situational Awareness: Never Say “I Don’t Know”

“Flying blind” is simply not acceptable in today’s high-stakes cybersecurity environment.

When executives come to you for information about your organization’s security posture, saying “I don’t know” is not an option. In Real-Time Situational Awareness: Never Say “I Don’t Know”, Craig Shumard proposes that keeping updated on cybersecurity requires near real-time situational awareness so you can immediately respond to questions with accurate data.

This article appears on behalf of Tenable Network Security as part of a BrandPost initiative that CIO.com is hosting.

Read the full article

Which Security Metrics Matter Most?

When collecting security metrics, the IT team is typically interested in knowing how many vulnerabilities were found, patched or remediated. But business leaders need different information; executives want to know about improvements, trends, and percentage changes. In Which Security Metrics Matter Most? Scott Hollis points out that the key to a successful security metrics program is knowing your audience.

This article appears as part of Tenable’s Level-up Your IT Security BrandPost initiative hosted by CIO.com.

Read the full article

Ask ACAS: A New Learning and Support Resource

The next phase of IT security is here, and it starts with ACAS. ACAS—Assured Compliance Assessment Solution—is an integrated security solution that is scalable to an unlimited number of locations. In 2012, the Defense Information Systems Agency (DISA) established ACAS to efficiently and effectively assess the Department of Defense’s (DoD) enterprise networks and satisfy FISMA’s information security requirements. Tenable and HP Enterprise Services have partnered to offer DISA the best integrated software solution and exceed the requirements for a modern, enterprise-class configuration assessment vulnerability management solution.

The ACAS solution includes:

  • SecurityCenter™: The most comprehensive and integrated view of your security posture to reduce risk and ensure DISA compliance
  • Nessus®: Scanners deployed across the enterprise to create the foundation for DISA-mandated vulnerability scanning, assessment and management capabilities
  • Passive Vulnerability Scanner™ (PVS™): Real-time network monitoring and profiling for continuous scanning and assessment of an organization’s security in a non-intrusive manner

ACAS is available to DoD and DISA enterprise systems at no cost. To help understand and use the ACAS solution, Tenable has launched Ask ACAS, a comprehensive microsite that explains the ins and outs of the ACAS solution. Here, ACAS users can learn about the finer points of ACAS, from licensing to plugins, SCAP certification to training, and much more. The information found on Ask ACAS helps users understand the ACAS solution, use it and go beyond compliance with true continuous network monitoring, advanced analytics, and visibility and context into all critical assets. It is truly a necessary resource for taking full advantage of what this vital solution has to offer.

Compliance is static. IT security is dynamic. Visit Ask ACAS and stop by booth 827 at MILCOM 2015 to hear what you can do now to harness the power of ACAS to meet and exceed DISA compliance, while preparing for the next evolution in IT security.

Features and Benefits of Nessus Cloud

Are you thinking about using Nessus® Cloud? Not sure if it’s the right solution for your vulnerability management program? Listen as Diane Garey, Tenable’s Product Marketing Manager for Nessus, enumerates the key benefits of Nessus Cloud, including:

  • The same features as Nessus Professional
  • Enterprise-wide usage by multiple users
  • Cloud-hosted performance improvements

Learn more about how Nessus Cloud combines the power of Nessus vulnerability management with the ease of a cloud-based solution. Nessus Cloud is also a PCI DSS Approved Scanning Vendor (ASV) solution.

Cybersecurity Transparency and the Federal Government

The Cybersecurity Information Sharing Act is missing a key component needed to strengthen America's digital defenses – transparency into what the government itself is doing or not doing to protect its networks from hackers.

A lot is being discussed in Washington about the need to secure our national cyber infrastructure following the massive data breach at the United States Office of Personnel Management (OPM). This week lawmakers are debating the Cyber Information Sharing Act (CISA), which could come up for a vote very soon.

In Opinion: Why the ‘cyber bill’ falls short on protecting critical networks, an article in CSM Passcode, Ron Gula, Tenable CEO, discusses CISA and the need for more transparency into the government’s cyberhygiene. While CISA is a good idea, the bill currently only applies to the private sector; it must be strengthened with directives for federal information sharing. The federal government should demonstrate its commitment to cybersecurity by increasing transparency and accountability to the American public.

Read the full article

Endpoint Security: Putting the Focus on What Matters

When it comes to endpoint security, organizations are challenged to determine what technologies are most relevant and what the security team can do to reduce the most risk. With limited resources, it is critical to minimize risk and to ensure optimum payoff.

In a recent article on Dark Reading, Endpoint Security: Putting the Focus on What Matters, Manish Patel provides five tips to dramatically improve endpoint security programs. He also invites readers to register for the upcoming November 18, 2015 Tenable webcast on endpoint security.

This article appears on behalf of Tenable Network Security as part of a Partner Perspectives initiative that Dark Reading is hosting.

Read the full article

Continuous Network Monitoring and the Rise of the Security-Based Enterprise

The IT architectures of many organizations are changing as BYOD, cloud and social media continue to affect the way businesses exchange information. As the control over their data and applications decreases, organizations must adjust the way they approach security, which has become a business differentiator rather than a standalone IT activity.

It is in this context that Tenable recently connected with IDC to produce two papers, an Analyst Connection¹ and a Technology Spotlight², that discuss the role of continuous network monitoring in this new age of security.

Analyst Connection

Robert Westervelt, IDC Research Manager of Security Products, authored the Analyst Connection, which features a question and answer dialogue between Westervelt and Tenable on behalf of our customers.

According to Westervelt, a continuous network monitoring program utilizes automated and manual processes while also aggregating log data from across the network and various endpoints. The “forward-leaning organizations” that IDC spoke with relied on passive as well as active vulnerability scanning to detect critical vulnerabilities, misconfigurations and malware. The information found from log aggregation and vulnerability management must be supplemented with incident response and asset and configuration management data to provide a holistic view of an enterprise’s IT environment.

Westervelt also discusses how the increasing number of prominent breaches over the last year has forced organizations to reassess their security approaches. The ability to aggregate contextual data is essential and continuous network monitoring provides the context that enables organizations to increase their situational awareness and develop faster responses to security incidents when they occur.

Quantifying the value of security is often a difficult task. However, Westervelt identifies several benefits that organizations can expect from continuous network monitoring. An organization with a continuous network monitoring platform can improve their agility and create a security program that is proactive rather than reactive, identifying security holes before they are exploited.

Increased visibility gives organizations a complete understanding of their security posture at all times and allows IT managers to allocate resources most effectively. When an organization is able to put all of the components of a continuous network monitoring program in place and maintain those respective components, the program could provide a competitive advantage.

Technology Spotlight

The Technology Spotlight highlights SecurityCenter Continuous View™ and its continuous network monitoring capabilities in relation to the Third Platform of IT, which IDC defines as incorporating, “traditional technologies and networks with clouds, social media and mobility.” The Third Platform of IT has made it difficult for organizations to meet their users’ security expectations, as these users continue to bring new devices into the IT environment.

Despite the advancements of modern security systems, breaches are still occurring, partially due to a lack of prioritization and investigation of alerts, as well as process breakdowns. A security program in today’s IT environment must be able to provide unparalleled visibility, identifying all assets within an organization and communicating security information across the enterprise so that the most immediate risks can be identified, prioritized and remediated.

Continuous network monitoring is needed to develop innovative security programs that integrate people, processes and technology into an organization’s security strategy. Continuous network monitoring is not simply continuous scanning; it is monitoring the network in real time to gain a complete picture of all assets while identifying their weaknesses so they can be mitigated to minimize the attack surface.

SecurityCenter Continuous View

According to the paper, “SecurityCenter CV enables enterprise IT to continuously measure and visualize the effectiveness of its security program to provide assurance that an organization’s security team is addressing the highest-priority security problems facing the business at any time.”

SecurityCenter Continuous View customers are able to take advantage of comprehensive visibility into their security programs thanks to analytics, dashboards and reports that provide insight into vulnerabilities, threats and compliance status.

Tenable’s Assurance Report Cards (ARCs) ensure that Chief Information Security Officers (CISOs) and security leaders can define their security objectives in clear and concise terms, and communicate the effectiveness of their security investments in a way that is easily understood by C-level executives, board members and business managers.

For more information please download the Analyst Connection and Technology Spotlight from the Tenable website.

Sources

1. IDC Analyst Connection: The Role and Value of Continuous Security Monitoring, October 2015

2. IDC Technology Spotlight, sponsored by Tenable: Guarding the Third Platform of IT with Continuous Security Monitoring, October 2015


Managing Credentials Just Got Easier: SecurityCenter and CyberArk

Scanning with credentials is essential for getting the most out of your vulnerability assessments. An unauthenticated scan can only infer a host’s state from what it exposes on the network; a credentialed scan logs in to the host and inspects installed software, patch levels and configuration directly. That “deeper dive” surfaces vulnerabilities that cannot be seen from the outside and would otherwise go unreported, and it gives you much richer results.

So we know that for the best results we should use credentials, but we also know that having to manage an ever-changing, increasingly complex set of passwords, usernames and privileges across multiple platforms can be a challenge, especially in large environments. Tenable has a solution.

To make credentialed scanning easier, SecurityCenter™ now integrates with CyberArk, a leading enterprise password vault. With this integration, you will no longer have to manually add passwords into SecurityCenter each time you want to run a credentialed scan. Simply configure your CyberArk credentials once, and you’re good to go.

[Screenshot: SecurityCenter CyberArk credential configuration]

This new feature will save you valuable time that could otherwise be spent on remediating, or on creating beautiful Assurance Report Cards (ARCs) to impress your manager. Additionally, because SecurityCenter retrieves the current credential from CyberArk when a scan runs, password rotations in the vault are picked up automatically, so you only have to manage one tool.

Credential types that are supported include:

  • Windows (domain/username + password)
  • SSH (username + password; username + SSH key without a passphrase)

For more information including a video and link to technical documentation, please visit our CyberArk integration page.

SecurityCenter Now Supports Nessus Agents

We are pleased to announce that SecurityCenter 5.1 will be available later this week. Many SecurityCenter and SecurityCenter Continuous View™ customers have been anticipating the integration with Nessus® agents, and SecurityCenter 5.1 delivers it.

SecurityCenter extends visibility of vulnerabilities and misconfigurations by automatically importing Nessus agent scan data. Agents deliver the detailed internal visibility of credentialed scans to Nessus Cloud or Nessus Manager, and SecurityCenter automatically uploads the scan data. The result: security assurance.

Nessus agents help you:

  • Secure the mobile workforce – You no longer need to worry about excluding assets that are offline during a vulnerability scan. A Nessus agent runs the scan locally. Later, when a connection is available, it uploads results to Nessus Manager or Nessus Cloud. From there, SecurityCenter or SecurityCenter CV imports the data.
  • Secure systems on complex or bandwidth-limited networks – Agents remove the challenge of scanning systems over segmented or complex networks. Plus, they reduce network bandwidth need, which is important for remote facilities connected by slow networks.
  • Remove credential headaches – Many organizations struggle with regular password changes unless a credential manager, such as CyberArk, is used. Nessus agents make host credential headaches a thing of the past.

The list of operating systems supported by Nessus agents continues to grow and currently includes Windows, Mac OS X, and Amazon, Debian, Red Hat, Fedora, and Ubuntu Linux.

The integration of Nessus agents with SecurityCenter expands your options to discover assets across your environment, identify vulnerabilities and misconfigurations, monitor network traffic, and detect suspicious activity. Data sources include:

  • Network-based scans – Analyze scanned devices from both external and internal points of view. In many organizations, managing credentials for scans is challenging because credentials change regularly and getting updates to all the people and systems that need them can be burdensome.
  • Agent-based scans – Analyze scanned devices locally from an internal point of view.
  • Integrations – Leverage data from third-party systems, such as patch management and mobile device management.
  • Passive monitoring (SecurityCenter CV) – Monitor and analyze network traffic to detect hosts, devices, connections, services, web applications and vulnerabilities.
  • Host activity analysis (SecurityCenter CV) – Capture and analyze events from endpoints, security infrastructure, network devices, and NetFlow so you can see what users are doing, detect changes, and know how systems are being used.

Additional material about Nessus agents and using them with SecurityCenter is readily available:

Scannerless Amazon Web Services (AWS) Scanning with Nessus Agents

The new Nessus® Agents are a really great fit for organizations that have deployments in AWS environments and want a simple, flexible means to scan them for vulnerabilities. Agents effectively let you scan your AWS assets without having to actually install scanners, and with recently announced support for Amazon Linux and Ubuntu, agents now run on the most popular operating systems in AWS.

Tenable and AWS

First, let’s review Tenable’s approach towards AWS:

  • The Nessus Bring Your Own License (BYOL) model lets customers scan AWS instances with a pre-built AWS appliance and a Nessus license purchased from Tenable. This can be used with Nessus Cloud, Nessus Manager or SecurityCenter™. BYOL scanning requires pre-authorization from Amazon before a scan can be run.
  • With the most recent Nessus release, we introduced a new scanner for AWS that comes with your Nessus Cloud or Nessus Manager license. Simply install the scanner in your AWS environment, point it at the targets you’d like to scan, and then view and manage the scan results in Nessus Cloud. Currently, this scanner requires pre-authorization from Amazon, though our intention is to have it added to the pre-approved list of scanners.
  • Nessus Agents are another option for vulnerability scanning in your AWS environment. Install agents on assets in AWS and those agents will look to Nessus Cloud or Nessus Manager for instructions on what scans to run and when to send results back to the manager. Agent data can also be imported into SecurityCenter if you want to view the information there. Nessus Agents provide the equivalent of a full credentialed scan for the target, without requiring a scanner and without requiring the credentials for the asset of interest.

With so many options, our approach to AWS is by far the most flexible in the industry.

Nessus Agent benefits

While both the BYOL and Nessus scanner for AWS provide excellent vulnerability scanning functionality, Nessus Agents provide many unique benefits when used within AWS:

  • A Nessus Agent does not need any additional AWS resources, since it’s installed within the actual AWS asset that you want to scan.
  • Since no actual “scanning” between AWS instances is taking place, there is no need to get authorization from Amazon to do a scan.
  • No credentials are required for the AWS instance that needs to be scanned.
  • The Nessus Agents are fully managed by Nessus Cloud or Nessus Manager, which can interface with SecurityCenter.
  • The Nessus Agent can be managed by Nessus Cloud or Nessus Manager independent of where the manager is; in other words, the manager can be located inside or outside the AWS Cloud.
  • Nessus Agent deployment can be fully scripted. For example, include it in your Chef recipes to automatically spin up agents on new AWS assets.
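
As an added example (not Tenable's code, and not the Chef recipe the article mentions), here is a first-boot bootstrap script of the kind you would call from cloud-init user data or a Chef execute resource. The nessuscli path, the `agent link --key/--host/--port/--groups/--name` flags and the `nessusagent` service name are Tenable's documented ones; everything else is an assumption for the example: the agent package is already staged locally at `NESSUS_AGENT_PKG` (for instance copied from a private S3 bucket), and the linking key is handed to the instance at boot in `NESSUS_LINKING_KEY` instead of being baked into the AMI, where it would be readable by anyone who can launch from that image.

```shell
#!/bin/sh
# Added example (not Tenable's code): bootstrap a Nessus Agent on a Linux EC2
# instance and link it to Nessus Manager / Nessus Cloud at first boot.
# Assumed interface (not from the article): NESSUS_LINKING_KEY, NESSUS_AGENT_PKG,
# NESSUS_MANAGER_HOST, NESSUS_MANAGER_PORT (default 8834), NESSUS_AGENT_GROUP.
set -u

NESSUSCLI=/opt/nessus_agent/sbin/nessuscli
IMDS=http://169.254.169.254/latest

# Map an /etc/os-release ID to the package tool the agent package needs.
pkg_tool_for_id() {
    case "$1" in
        amzn|rhel|centos|fedora) echo rpm ;;
        ubuntu|debian)           echo dpkg ;;
        *) echo "unsupported distribution: $1" >&2; return 1 ;;
    esac
}

# Linking keys are 64 lowercase hex characters; refuse anything else before
# contacting the manager (catches truncated or mis-pasted keys in user data).
valid_linking_key() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Prefer the EC2 instance ID as the agent name so the asset stays identifiable
# after a hostname change; fall back to the hostname when IMDS is unreachable.
agent_name_for() {
    if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi
}

# Instance ID via IMDSv2 (session token); falls back to IMDSv1; empty on failure.
fetch_instance_id() {
    token=$(curl -sf --max-time 2 -X PUT \
        -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' "$IMDS/api/token" 2>/dev/null || true)
    if [ -n "$token" ]; then
        curl -sf --max-time 2 -H "X-aws-ec2-metadata-token: $token" \
            "$IMDS/meta-data/instance-id" 2>/dev/null || true
    else
        curl -sf --max-time 2 "$IMDS/meta-data/instance-id" 2>/dev/null || true
    fi
}

install_agent() {
    # $1 = staged package path. Skip if the agent is already present (reruns are safe).
    [ -x "$NESSUSCLI" ] && return 0
    . /etc/os-release
    case "$(pkg_tool_for_id "$ID")" in
        rpm)  rpm -ivh "$1" ;;
        dpkg) dpkg -i "$1" ;;
        *)    return 1 ;;
    esac
}

link_agent() {
    # $1 key, $2 manager host, $3 port, $4 agent group, $5 agent name.
    # The key is briefly visible in the process list while this runs, which is
    # acceptable on a fresh instance at first boot; never echo this command line to a log.
    "$NESSUSCLI" agent link --key="$1" --host="$2" --port="$3" \
        --groups="$4" --name="$5"
}

main() {
    valid_linking_key "$NESSUS_LINKING_KEY" || { echo "bad linking key" >&2; exit 1; }
    install_agent "${NESSUS_AGENT_PKG:?set NESSUS_AGENT_PKG to the staged .rpm/.deb}"
    systemctl start nessusagent 2>/dev/null || service nessusagent start
    name=$(agent_name_for "$(fetch_instance_id)" "$(hostname)")
    link_agent "$NESSUS_LINKING_KEY" "${NESSUS_MANAGER_HOST:?}" \
        "${NESSUS_MANAGER_PORT:-8834}" "${NESSUS_AGENT_GROUP:-aws}" "$name"
    "$NESSUSCLI" agent status
}

# Only act when a key was supplied; sourcing the file for its functions is a no-op.
if [ -n "${NESSUS_LINKING_KEY:-}" ]; then
    main
fi
```

Putting the instance ID in the agent name is what makes the later SecurityCenter view useful: an autoscaled fleet produces many agents with the same hostname, and the ID is the handle you will search for when an alert names an instance.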

Nessus Agent technology uniquely enables simplified vulnerability assessment of AWS assets, both large and small. It’s easy to deploy and maintain, and provides the same extensive results obtained from a traditional Nessus scanner – without the complications of running an actual scanner.

For more information about Nessus Agents and the Nessus Scanner for AWS, check out what’s New in Nessus 6.5.

Improving Cybersecurity in Government Agencies

Recently, Bill Glanz of MeriTalk, the public-private partnered news website that focuses on government IT issues, interviewed Matt Alderman, Vice President of Strategy at Tenable, about several measures that government agencies should implement to improve cybersecurity.

Matt recommends a holistic approach to cyber hygiene, emphasizing the need to be more proactive to keep pace with the ever changing IT landscape. Listen as Matt discusses two-factor authentication, password vaults, user awareness, and analytics as some of the key components in a strong security program.

Hear the full interview

Understanding PCI DSS Scanning Requirements

The Payment Card Industry Data Security Standard (PCI DSS) requirement 11, “Regularly test security systems and processes,” involves running internal and external vulnerability scans. In this article, I’ll describe these requirements, share tips for successfully submitting external scans to your PCI Approved Scanning Vendor (ASV) and talk about changes the PCI Security Standards Council (SSC) announced earlier this year about the Secure Sockets Layer (SSL) protocol that could cause you to fail the scanning requirement.

Who needs to be PCI DSS compliant?

Who needs to be PCI DSS compliant is very clear. From the official PCI Security Standards Council website, PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

What can be more confusing, though, is figuring out an organization’s assessment requirements. For merchants, there are multiple levels of how to do your PCI reporting, based on the number of credit card transactions processed each year. And to make it a bit more confusing, each credit card brand has its own reporting levels.

PCI requires three types of network scanning

Requirement 11.2 covers scanning. It states that you need to "Run internal and external network vulnerability scans at least quarterly and after any significant change in the network." Scans need to be run by qualified internal or external parties.

For internal scanning, the testing procedures must verify that four quarterly internal scans took place in the past 12 months and that rescans occurred until all “high-risk” vulnerabilities as defined by requirement 6.1 were resolved. Basically, you can do internal scans with any Nessus® or SecurityCenter™ product and verify the results on your own.

External scans, like internal ones, must be done at least quarterly. The difference is that the external scan must be done via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Tenable, with Nessus Cloud, is a PCI ASV.

Scanning after significant changes (11.2.3) may also be performed using any Nessus or SecurityCenter product. It should be repeated until the findings are resolved: for internal systems, all “high-risk” vulnerabilities as defined by requirement 6.1; for external systems, any finding that would fail an ASV scan, which in practice means a CVSS score of 4.0 or higher.

Submitting external scans to Tenable

Tenable takes being an ASV very seriously. We have a team of PCI ASV certified analysts who apply the external scanning requirements by the book. However, the team doesn’t want to fail anyone – they work closely with customers who need help.

Our ASV service is part of a Nessus Cloud subscription. To do an external scan for PCI, you must use the pre-built static PCI DSS policy, PCI Quarterly External Scan, that adheres to the quarterly scanning requirements of the ASV Program Guide v2. This policy is one of the scan templates available within Nessus Cloud. Subscribers can run unlimited scans using that policy and when ready, submit scans to Tenable for validation. By clicking Submit for PCI, the scan results will be uploaded to an administrative section of the Nessus Cloud for customer review. This administration area is where you:

  • Review any failed items that must be addressed before you qualify for a compliant ASV attestation from Nessus Cloud
  • Dispute any result that you believe is a false positive or that has a Compensating Control associated with it
  • Submit attachments as evidence for a dispute

This Scan and Submit for PCI ASV Validation video produced by the Tenable Training Department has more detail on how the process of submitting scans to Tenable works.

To pass a PCI ASV attestation, all items (except for denial of service (DoS) vulnerabilities) listed as Critical, High, or Medium (or with a CVSS score of 4.0 or higher) and certain findings that are considered “automatic failure” must either be remediated or disputed by the customer. All disputed items must be resolved, accepted as exceptions, accepted as false positives, or mitigated through the use of compensating controls.

To get a few tips on how to successfully submit scans, I talked with Jason Turner, one of our PCI ASV certified team members. Jason made the point several times that although Tenable follows the PCI ASV guidelines, our goal is to not fail anyone but to help them get through the process successfully. Here are a few suggestions from Jason:

  • Submit your scans 30 days before your submission is due (this is good advice for any ASV you’re working with). Expect that there will be some back-and-forth conversations and requests for information with your vendor, so don’t cut the deadline too close in case you run out of time. If possible, stagger your quarters away from a calendar quarter, which is often busier for your ASV.
  • Very few scans get PCI ASV attestation without needing some additional information. Don’t worry if your vendor asks you for additional information, and expect the first scan you submit to have the most issues. You’ll learn as you submit more scans to your ASV.
  • Don’t expect a one-size-fits-all for time to review a submission. Reviewing five findings for example, is very different from reviewing 500. Tenable’s SLA guarantees that we will report back within five days of submission, though we try to be quicker whenever possible.

PCI DSS 3.1 SSL changes

Finally, I want to mention some recent SSL changes that likely affect your organization’s compliance with PCI DSS v3.1 and which also impact your scan results.

In April, the PCI SSC released PCI DSS v3.1, largely because NIST determined in April 2014 that the Secure Sockets Layer (SSL) protocol and early versions of the Transport Layer Security (TLS) protocol are no longer acceptable solutions for the protection of sensitive data. The revised PCI DSS v3.1 has been updated based on the PCI SSC definition of “strong cryptography.” Basically, the SSC stated that SSL and early TLS could not be used as security controls in three specific areas to protect payment data after June 30, 2016: the protection of insecure communications protocols (Req. 2.2.3), any non-console administrative access to systems (Req. 2.3), and the transmission of cardholder data over untrusted or open networks (Req. 4.1).

Customers can use Nessus or SecurityCenter to detect usage of SSL/TLS in their internal networks and/or their cardholder data environments, and so verify that they maintain compliance throughout and beyond the June 30, 2016 grace period.

The Council also provided special instructions to ASVs to start failing any detected instance of SSL or “early TLS” immediately, but to accept formal risk mitigation or migration strategies through the grace period.

For ASVs like Tenable, this means that for any scans submitted between now and June 30, 2016, we list the usage of SSL v2, SSL v3 and TLS 1.0 as a PCI failure. Up to June 30, 2016, you can submit documentation which demonstrates the presence of a risk mitigation and migration plan as evidence for findings which are listed as failures. After June 30, 2016, however, that documentation no longer clears the finding: the affected services must be moved to TLS 1.1 or later (TLS 1.2 is recommended) and the old protocol versions disabled. Jeffrey Man’s blog, PCI SSC Announces the End of SSL Usage for the Payment Card Industry, has more details on this change.
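
The attestation rules above (CVSS 4.0 or higher fails, DoS-only findings are exempt, “automatic failure” conditions fail regardless of score, an accepted dispute clears a finding) and the SSL/early TLS rule from this section combine into a simple triage that is worth running against an export before you click Submit for PCI, so the back-and-forth with your ASV is shorter. The following Python is an added example, not Tenable's code and not how the Nessus Cloud review console works internally; the finding layout and the sample findings are constructed for illustration and do not mirror a real Nessus export format.

```python
"""Added example (not Tenable's code): decide which external-scan findings block
a compliant ASV attestation. The finding dictionaries below are a constructed
layout for the example, not a Nessus export format."""
from datetime import date

EARLY_TLS_SUNSET = date(2016, 6, 30)          # end of the PCI DSS v3.1 grace period
WEAK_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1.0"})  # "SSL and early TLS"

# Constructed sample findings (names and scores invented for the example).
SAMPLE_FINDINGS = [
    {"id": 1, "name": "SSL Version 2 and 3 Protocol Detection", "cvss": 5.0,
     "protocols": {"SSLv3"}, "dos": False, "auto_fail": False},
    {"id": 2, "name": "HTTP Server Denial of Service", "cvss": 5.0,
     "protocols": set(), "dos": True, "auto_fail": False},
    {"id": 3, "name": "Web Server Directory Listing", "cvss": 3.5,
     "protocols": set(), "dos": False, "auto_fail": False},
    {"id": 4, "name": "Database Reachable from the Internet", "cvss": 0.0,
     "protocols": set(), "dos": False, "auto_fail": True},
    {"id": 5, "name": "OpenSSH Multiple Vulnerabilities", "cvss": 7.5,
     "protocols": set(), "dos": False, "auto_fail": False,
     "dispute": {"status": "accepted", "kind": "false positive"}},
    {"id": 6, "name": "Outdated PHP", "cvss": 9.8,
     "protocols": set(), "dos": False, "auto_fail": False,
     "dispute": {"status": "pending"}},
    {"id": 7, "name": "TLS Version 1.0 Protocol Detection", "cvss": 4.3,
     "protocols": {"TLSv1.0"}, "dos": False, "auto_fail": False,
     "mitigation_plan": True},
]


def blocks_attestation(finding, submitted_on):
    """Return why this finding blocks attestation, or None if it does not.

    submitted_on is a date or an ISO date string (the submission date matters
    because the SSL/early TLS rule changes after the grace period).
    """
    if isinstance(submitted_on, str):
        submitted_on = date.fromisoformat(submitted_on)

    dispute = finding.get("dispute")
    if dispute and dispute.get("status") == "accepted":
        return None  # resolved by the ASV: false positive, exception or compensating control
    # A dispute that is still pending clears nothing; fall through to the rules.

    weak = set(finding.get("protocols", ())) & WEAK_PROTOCOLS
    if weak:
        label = "uses " + ", ".join(sorted(weak))
        if submitted_on <= EARLY_TLS_SUNSET and finding.get("mitigation_plan"):
            return None  # documented risk mitigation / migration plan accepted in the grace period
        if submitted_on <= EARLY_TLS_SUNSET:
            return label + ": disable it or submit a risk mitigation and migration plan"
        return label + ": grace period is over, TLS 1.1 or later required"

    if finding.get("auto_fail"):
        return "automatic failure condition, regardless of CVSS score"
    if finding.get("dos"):
        return None  # DoS-only findings are reported but do not fail the scan
    if finding["cvss"] >= 4.0:
        return f"CVSS {finding['cvss']} is 4.0 or higher"
    return None


def triage(findings, submitted_on):
    """Map finding id -> reason, for every finding that must be fixed or disputed."""
    blocking = {}
    for finding in findings:
        reason = blocks_attestation(finding, submitted_on)
        if reason is not None:
            blocking[finding["id"]] = reason
    return blocking


if __name__ == "__main__":
    for when in ("2015-11-01", "2016-07-01"):
        print(when, triage(SAMPLE_FINDINGS, when))
```

Run against the constructed sample, the November 2015 submission blocks on findings 1, 4 and 6 (finding 7 is cleared by its migration plan, finding 2 is DoS-only, finding 5 has an accepted dispute); the same export submitted after June 30, 2016 also blocks on finding 7, because the plan no longer counts.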

Resources

If you’d like to learn more about how Tenable helps organizations meet internal and external scanning, as well as other PCI DSS requirements, please see the following resources:

Many thanks to Jason Turner, Jeffrey Man and Kevin Herrett for their generous contributions to this article.
