SecurityCenter Continuous View and the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions September 3, 2014 (Revision 1)

Page 1: SecurityCenter Continuous View and the Australian Signals ...docs.media.bitpipe.com/io_12x/io_127799/item... · How SecurityCenter Continuous View Can Help SecurityCenter Continuous



Table of Contents

Introduction, p. 3
How SecurityCenter Continuous View Can Help, p. 3
Top 4 Mitigation Strategies, p. 6
  Mitigation Strategy #1 – Application Whitelisting, p. 7
  Mitigation Strategy #2 – Patch Applications, p. 8
  Mitigation Strategy #3 – Patch Operating System Vulnerabilities, p. 9
  Mitigation Strategy #4 – Restrict Administrative Privileges, p. 10
Additional Mitigation Strategies, p. 12
  Mitigation Strategy #5 – User Application Configuration Hardening, p. 12
  Mitigation Strategy #6 – Automated Dynamic Analysis, p. 12
  Mitigation Strategy #7 – Operating System Generic Exploit Mitigation, p. 14
  Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System, p. 15
  Mitigation Strategy #9 – Disable Local Administrator Accounts, p. 15
  Mitigation Strategies #12 and #13 – Software-Based Application Firewall, p. 16
  Mitigation Strategy #14 – Non-Persistent Virtualised Sandboxed Trusted Operating Environment, p. 17
  Mitigation Strategy #15 – Centralised and Time-Synchronised Logging of Events, p. 18
  Mitigation Strategy #16 – Centralised and Time-Synchronised Logging of Network Activity, p. 19
  Mitigation Strategy #17 – Email Content Filtering, p. 20
  Mitigation Strategy #18 – Web Content Filtering, p. 21
  Mitigation Strategies #19, #32, and #34 – Web Domain Blacklisting/Whitelisting, p. 21
  Mitigation Strategy #21 – Workstation and Server Configuration Management, p. 22
  Mitigation Strategies #22 and #30 – Antivirus Software, p. 22
  Mitigation Strategy #23 – Deny Direct Internet Access from Workstations, p. 23
  Mitigation Strategy #24 – Server Application Configuration Hardening, p. 24
  Mitigation Strategy #25 – Enforce a Strong Passphrase Policy, p. 25
  Mitigation Strategy #26 – Removable and Portable Media Control, p. 25
  Mitigation Strategy #27 – Restrict Access to Server Message Block (SMB) and NetBIOS, p. 27
  Mitigation Strategy #31 – TLS Encryption between E-Mail Servers, p. 27
  Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System, p. 28
The Next Steps, p. 29
  Scanning Methodology, p. 29
  Continuous Network Monitoring, p. 29
  Asset Lists, p. 30
  Analysis and Reporting, p. 30
Summary, p. 31
About Tenable Network Security, p. 32


Introduction

In February 2014, the Australian Signals Directorate (ASD, formerly DSD) updated the publication Strategies to Mitigate Targeted Cyber Intrusions (available here). The publication contains a list of 35 strategies to mitigate targeted cyber intrusions, ranked in order of overall effectiveness. According to ASD, over 85% of the cyber intrusions that ASD responds to could be prevented by following the top four mitigation strategies on the list.

The threat of targeted cyber intrusion has reached an all-time high and by implementing these mitigations, an organisation can reduce the impact to Australia’s economic well-being and thereby to all Australian citizens. A finite number of resources are available to organisations, thus requiring management to use staff and monetary assets to their full potential. The Top 4 mitigation strategies, when implemented as a package, provide a large reduction of risk for a relatively small investment of time, effort, and money. ASD recommends implementing these Top 4 mitigation strategies first on workstations of users who are most likely to be targeted by cyber intrusions, and then on all workstations and servers across the organisation. As resources become available, ASD recommends selecting and implementing additional mitigation strategies from the remaining 31 on the list until an acceptable level of residual risk is achieved.

ASD notes that organisations should perform continuous monitoring and mitigation, using automated methods to regularly test and measure the effectiveness of the implemented mitigation strategies. As required, additional mitigation strategies should be implemented to further protect information, workstations, servers, and other critical assets.

Tenable Network Security’s® SecurityCenter Continuous View™ (SC CV™) provides an organisation with a proactive method of discovering cyber intrusions, so the organisation will not have to just rely on individual products reporting partial findings. SC CV provides the unique ability to correlate vulnerabilities, configuration audits, and event logs in a single location, enabling a proactive approach to continuous network monitoring.

The objective of this guide is to demonstrate to Tenable customers and prospective customers how SecurityCenter Continuous View can support and enhance their implementations of the ASD mitigation strategies.

How SecurityCenter Continuous View Can Help

SecurityCenter Continuous View (SC CV) is the market-defining continuous network monitoring platform that provides a unique combination of detection, reporting, and pattern recognition to deliver the most comprehensive and integrated view of network health. SC CV continuously monitors the network to identify vulnerabilities, reduce risk, and ensure compliance, enabling organisations to react to advanced threats, zero-day vulnerabilities, and new regulatory compliance requirements. SC CV offers tight integration with a large number of SIEMs, malware defences, patch management tools, BYOD, firewalls, virtualization systems, and an API for extending this integration to other devices and applications. Organisations using SC CV have a wide variety of prebuilt dashboards, reports, and assets available to them to aid in network administration, incident response, and reporting.

As an organisation embarks on the journey to implement the ASD Strategies to Mitigate Targeted Cyber Intrusions, SC CV can assist in three main ways.

First, SC CV can discover vulnerabilities and track remediation progress. SC CV uses the Nessus® vulnerability scanner to actively detect vulnerabilities, the Passive Vulnerability Scanner™ (PVS™) to passively detect vulnerabilities, and the Log Correlation Engine™ (LCE™) to detect vulnerabilities ascertained from log events. With this information, SC CV can identify the biggest risks across the organisation and assist in prioritising and tracking remediations.

The vulnerability discovery aspect of SC CV is particularly applicable to these mitigation strategies in the ASD document:

• Mitigation Strategy #2 – Patch Applications

• Mitigation Strategy #3 – Patch Operating System Vulnerabilities

Second, SC CV can monitor the network for unauthorized or malicious activity, such as botnet activity, intrusions, data leakage, and suspicious user behaviour. PVS continuously monitors network traffic for any suspicious activity, while LCE can accept logs in real-time via syslog from PVS and many other network devices and applications, normalize the events, and correlate these logs to discover unauthorized or malicious activity. Note that if a device or application is not yet supported with normalized events by LCE, the organisation can contact Tenable Customer Support and the LCE team will create appropriate normalization rules.


To properly gain all relevant log information, the organisation should deploy the Tenable LCE Client to both workstations and servers. Monitoring of systems with the LCE Client provides the detailed information needed by the LCE to properly correlate events and discover vulnerabilities. LCE policies can be configured to perform actions such as tailing log files and monitoring files for changes. The LCE Client can also be configured to monitor specific files and directories where log events may be stored.

To optimally monitor network traffic, PVS must be placed in a strategic location. In some cases, more than one PVS will be required. The LCE NetFlow and/or Network Monitor should also be installed in strategic locations. For more detailed information, see the Log Correlation Engine Best Practices.

SC CV retains all the collected log data. Any future analysis, such as forensic analysis, can easily access this log history if needed.

Many mitigation strategies in the ASD document involve monitoring the network to determine if the mitigation strategy is working correctly. The network monitoring aspect of SC CV is particularly applicable to these mitigation strategies:

• Mitigation Strategy #1 – Application whitelisting

• Mitigation Strategy #4 – Restrict administrative privileges

• Mitigation Strategy #6 – Automated dynamic analysis

• Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System

• Mitigation Strategy #9 – Disable local administrator accounts

• Mitigation Strategy #14 – Non-persistent virtualised sandboxed trusted operating environment

• Mitigation Strategy #15 – Centralised and time-synchronised logging of events

• Mitigation Strategy #16 – Centralised and time-synchronised logging of network activity

• Mitigation Strategy #17 – Email content filtering

• Mitigation Strategy #18 – Web content filtering

• Mitigation Strategy #19 – Web domain whitelisting for all domains

• Mitigation Strategy #22 – Antivirus software using heuristics and reputation

• Mitigation Strategy #23 – Deny direct internet access from workstations

• Mitigation Strategy #27 – Restrict access to Server Message Block (SMB) and NetBIOS

• Mitigation Strategy #30 – Signature-based antivirus software

• Mitigation Strategy #32 – Block attempts to access websites by their IP address

• Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System

• Mitigation Strategy #34 – Gateway blacklisting

Third, SC CV can measure compliance, using audit files that cover a wide range of major regulations and other auditable standards. Tenable provides over 500 audit files, available for download from the Tenable Support Portal, in categories such as operating systems, applications, databases, and network devices. Tenable products can be used to audit systems based on SCAP content, and many Tenable audit policies have been certified by the Center for Internet Security (CIS). For more information on using audit files, see the Nessus Compliance Checks: Auditing System Configurations and Content document.


After download, audit files can be customized to match the values defined in the organisation’s corporate policies. The organisation can review several audit files and then create a specific audit file that applies directly to its policies.

When an audit is performed, for each individual compliance check, Nessus attempts to determine if the host is compliant, non-compliant, or if the results are inconclusive and need to be verified manually. Unlike a vulnerability check that only reports if the vulnerability is actually present, a compliance check always reports a result. This way, the data can be used as the basis of an audit report to show that a host passed or failed a specific test, or if it could not be properly tested.
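To make the three-way result concrete, here is an added Python illustration, not Tenable’s audit-file engine and not code from this guide, that evaluates a handful of constructed checks against a constructed host snapshot. Check names, setting keys, and expected values are assumptions; the three outcomes are labelled PASSED, FAILED, and WARNING here for compliant, non-compliant, and inconclusive, and every check returns one of them, which is the property that lets the results feed an audit report.

```python
import re

# Constructed snapshot of settings read from a host (assumed values, not a real scan).
HOST_SETTINGS = {
    "PasswordComplexity": "1",
    "MinimumPasswordLength": "8",
    "AuditLogonEvents": "Success, Failure",
    "LockoutThreshold": "notanumber",   # present, but not a usable value
}

# Constructed checks in the spirit of an audit file. The "expect" field is the
# value an organisation edits to match its own policy after downloading the file.
CHECKS = [
    {"name": "Password complexity enabled",   "setting": "PasswordComplexity",    "expect": "1"},
    {"name": "Minimum password length >= 12", "setting": "MinimumPasswordLength", "expect": ">=12"},
    {"name": "Logon events audited",          "setting": "AuditLogonEvents",      "expect": "Success, Failure"},
    {"name": "Lockout threshold <= 5",        "setting": "LockoutThreshold",      "expect": "<=5"},
    {"name": "Screen saver timeout <= 900",   "setting": "ScreenSaverTimeout",    "expect": "<=900"},
]

# Expected values of the form ">=N" or "<=N" are numeric bounds; anything else
# is compared as an exact string.
RANGE = re.compile(r"^(>=|<=)(\d+)$")


def evaluate(check, settings):
    """Return PASSED, FAILED, or WARNING (inconclusive: verify manually).

    Unlike a vulnerability check, which says nothing when the flaw is absent,
    a compliance check always yields one of the three outcomes."""
    actual = settings.get(check["setting"])
    if actual is None:
        return "WARNING"          # setting could not be read from the host
    m = RANGE.match(check["expect"])
    if not m:
        return "PASSED" if actual.strip() == check["expect"] else "FAILED"
    op, bound = m.group(1), int(m.group(2))
    try:
        value = int(actual)
    except ValueError:
        return "WARNING"          # value present but not comparable to the bound
    ok = value >= bound if op == ">=" else value <= bound
    return "PASSED" if ok else "FAILED"


def audit(checks, settings):
    """Evaluate every check; the result dict has exactly one entry per check."""
    return {c["name"]: evaluate(c, settings) for c in checks}


def summary(results):
    """Counts per outcome, the figures an audit report would show."""
    counts = {"PASSED": 0, "FAILED": 0, "WARNING": 0}
    for outcome in results.values():
        counts[outcome] += 1
    return counts


if __name__ == "__main__":
    results = audit(CHECKS, HOST_SETTINGS)
    for name, outcome in results.items():
        print(f"{outcome:8} {name}")
    print(summary(results))
```

The two WARNING results show the two ways a check becomes inconclusive: the setting is missing from what the scanner could read, or it is present but cannot be compared with the policy value, and both cases are reported rather than silently skipped.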

Many mitigation strategies in the ASD document involve verifying that recommended actions have been taken. The compliance measurement aspect of SC CV is particularly applicable to these mitigation strategies:

• Mitigation Strategy #5 – User application configuration hardening

• Mitigation Strategy #7 – Operating system generic exploit mitigation

• Mitigation Strategy #12 – Software-based application firewall, blocking incoming traffic

• Mitigation Strategy #13 – Software-based application firewall, blocking outgoing traffic

• Mitigation Strategy #21 – Workstation and server configuration management

• Mitigation Strategy #24 – Server application configuration hardening

• Mitigation Strategy #25 – Enforce a strong passphrase policy

• Mitigation Strategy #26 – Removable and portable media control

• Mitigation Strategy #31 – TLS encryption between email servers

A few of the mitigation strategies in the ASD document involve actions that SC CV cannot monitor or measure. SC CV will not be able to assist with these mitigation strategies:

• Mitigation Strategy #10 – Network segmentation and segregation

• Mitigation Strategy #11 – Multi-factor authentication

• Mitigation Strategy #20 – Block spoofed emails

• Mitigation Strategy #28 – User education

• Mitigation Strategy #29 – Workstation inspection of Microsoft Office files

• Mitigation Strategy #35 – Capture network traffic

In this guide, the details of how SC CV supports each of the ASD mitigation strategies are described. For some strategies, specific relevant dashboards or components of dashboards are emphasized. For each strategy, a table of additional relevant SC CV resources (components, dashboards, and reports) is displayed. Note that there are some mitigation strategies that are similar, so that SC CV would support their implementation in the same way; these strategies have been combined in this guide.

All of the dashboards, components, and reports mentioned in this guide are available in the SecurityCenter app feed, a store of dashboards, reports, and assets. For each dashboard, component, or report, its category and tags are given so it can be easily found in the feed. These dashboards, components, and reports can be used as provided or custom-tailored as desired.


Top 4 Mitigation Strategies

SC CV’s ability to continuously monitor the network to identify vulnerabilities, reduce risk, and ensure compliance differentiates Tenable from the competition and provides organisations with the ability to be proactive while implementing the Strategies to Mitigate Targeted Cyber Intrusions. This section provides a detailed overview of how SC CV can help with implementing the Top 4 mitigation strategies.

Figure 1 - ASD Top 4 Mitigation Strategies Dashboard

The ASD Top 4 Mitigation Strategies dashboard provides an organisation with detailed information on the implementation of each of the Top 4 mitigation strategies: application whitelisting, patch applications, patch operating system vulnerabilities, and restricting users with administrative privileges. More details on each of the components on this dashboard will be provided in the next few pages with the applicable mitigation strategies.

The ASD Top 4 Mitigation Strategies dashboard and its components are available in the SecurityCenter app feed. The dashboard can be easily located in the feed by selecting the category Threat Detection & Vulnerability Assessments, and then selecting the tags asd, patching, regex, remediation, software, cpe, and accounts.

Read more about the ASD Top 4 Mitigation Strategies dashboard here.


Mitigation Strategy #1 – Application Whitelisting

“Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including DLL files, scripts, and installers, implemented at least on workstations used by most likely targets.”

The foundation of application whitelisting is knowing what applications are installed within the organisation. SC CV can collect information on installed applications using the List Software tool, and by collecting logs from several sources such as workstations, servers, and enterprise application whitelisting products. The ASD Top 4 Mitigation Strategies dashboard contains components that support the application whitelisting mitigation strategy:

• List of Software - This table lists all software currently discovered on the network. This list can be used to verify that no unauthorized software is installed. A best practice with this component is to create several copies and apply assets or subnets to each, to provide the organisation with the details for installed software for each segment of the network.

• Software Modification Events - This component provides indicators for several normalized events collected from systems with LCE clients installed, or from systems from which syslogs were collected. For each indicator, when a pattern match is found, the indicator will turn purple. Listed below are some examples of normalized events flagged by these indicators:

- Application_Change - The LCE encountered a log that indicated that an application had a change.

- Daily_Command_Summary - The LCE has generated a report of all commands run in the past day.

- LCE-Windows_Executable_Modified - The LCE Client has detected a Windows library file modification.

- Bit9 - Bit9 + Carbon Black is an endpoint protection suite that specializes in application whitelisting technologies.

- Tripwire - Tripwire Enterprise is a security configuration management suite.
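The following Python sketch is an added example, not LCE’s normalization engine and not code from Tenable or this guide: it maps constructed log lines onto the event names listed above and lights an indicator when at least one match is found. The log formats and regular expressions are assumptions made for the example; lines that no rule matches are collected separately, which is the situation in which the guide suggests asking for a new normalization rule.

```python
import re
from collections import Counter

# Constructed raw log lines of the kind an LCE Client or a syslog source might
# forward. The formats are assumed for illustration; real sources differ.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 ws01 lce_client: file modified C:\\Windows\\System32\\msvcrt.dll",
    "Jan 12 10:03:15 srv02 bit9: unapproved file blocked by policy: C:\\Temp\\setup.exe",
    "Jan 12 10:04:40 ws03 MsiInstaller: Product: Sample Tool 2.1 -- Installation completed successfully",
    "Jan 12 10:05:01 srv04 tripwire: change detected in /etc/ssh/sshd_config",
    "Jan 12 10:06:22 ws05 kernel: eth0: link up",
    "Jan 12 10:07:09 ws01 lce_client: file modified C:\\Program Files\\App\\app.exe",
]

# Ordered (event_name, pattern) rules; the first match wins. The event names are
# the ones named on the dashboard; the patterns are constructed for this example.
RULES = [
    ("LCE-Windows_Executable_Modified",
     re.compile(r"file modified .+\.(?:dll|exe)$", re.IGNORECASE)),
    ("Application_Change",
     re.compile(r"MsiInstaller|Installation completed|package (?:installed|removed)", re.IGNORECASE)),
    ("Bit9",     re.compile(r"\bbit9\b", re.IGNORECASE)),
    ("Tripwire", re.compile(r"\btripwire\b", re.IGNORECASE)),
]


def normalize(line):
    """Map a raw log line to a normalized event name, or None when no rule matches."""
    for event, pattern in RULES:
        if pattern.search(line):
            return event
    return None


def indicator_matrix(lines):
    """Count matches per event name and collect lines no rule understood;
    the unmatched lines are the candidates for a new normalization rule."""
    counts = Counter()
    unmatched = []
    for line in lines:
        event = normalize(line)
        if event is None:
            unmatched.append(line)
        else:
            counts[event] += 1
    return dict(counts), unmatched


def indicator_state(counts, event):
    """A dashboard-style indicator: lit when at least one event matched."""
    return "lit" if counts.get(event, 0) > 0 else "clear"


if __name__ == "__main__":
    counts, unmatched = indicator_matrix(SAMPLE_LOGS)
    for event, _ in RULES:
        print(f"{event:34} {indicator_state(counts, event):5} ({counts.get(event, 0)} events)")
    print("lines without a normalization rule:", len(unmatched))
```

Note that the blocked setup.exe on srv02 is attributed to the Bit9 indicator rather than to LCE-Windows_Executable_Modified: rule order and specificity decide which indicator lights, so the rules need reviewing whenever a new log source is added.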

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report, with Summary Description | Feed Category | Feed Tags

Unknown Process - Known Installed Software: This component utilizes the List Software tool in SecurityCenter to provide a table of known installed software. | Threat Detection & Vulnerability Assessments | software, windows

File and Directory - Software Installed Events: This component graphs the last seven days of file and directory change event details. | Monitoring | 7 days, compliance

Software Inventory Report: This report lists software installed on Windows, Unix, and Linux hosts. Read more here. | Discovery & Detection | discovery, software


Mitigation Strategy #2 – Patch Applications

“Patch applications especially Java, PDF viewer, Flash Player, Microsoft Office, web browsers and web browser plugins including ActiveX. Also patch server applications such as databases that store sensitive information as well as web server software that is Internet accessible.”

This mitigation strategy focuses on application-based vulnerabilities. SC CV uses the Nessus vulnerability scanner to actively detect vulnerabilities and PVS to passively detect vulnerabilities. Nessus can use credentials to provide a deep analysis of the security posture of a target, or it can obtain a subset of vulnerabilities if credentials are not used. A scan policy can also be created to enable scans to run more efficiently by only scanning targets with the plugins appropriate to those targets. By using targeted scans with credentials, the organisation can collect a full view of missing patches and configuration issues.

The best method of separating application vulnerabilities from operating systems vulnerabilities is to use the Common Platform Enumeration (CPE) strings in the vulnerability text. CPEs are a structured naming scheme for information technology systems, software, and packages. Regular expressions can be used to separate those vulnerabilities with application CPE strings from those with OS CPE strings.

The ASD Top 4 Mitigation Strategies dashboard contains components that support the patch applications mitigation strategy:

• Application Top Remediations - This table provides the top remediations for vulnerable applications on the network. For each remediation, the risk reduction for the network if the remediation were to be implemented is shown, along with the number of hosts affected. Each list is sorted so that the highest risk reduction is at the top of the list. Implementing the remediations will decrease the overall vulnerability of the network.

• Active OS and Application Vulnerability Counts - This matrix displays counts of actively detected vulnerabilities by severity and by whether the vulnerability applies to an application, the operating system, or both. There are also some vulnerabilities where a CPE is not present in the vulnerability text. The last row provides a total count of vulnerabilities. Each severity level is represented by a colour: yellow cells indicate medium severity vulnerabilities, orange cells indicate high severity, and red cells indicate critical severity.

• Passive OS and Application Vulnerability Counts - This matrix displays counts of passively detected vulnerabilities by severity and by whether the vulnerability applies to an application, the operating system, or both. There are also some vulnerabilities where a CPE is not present in the vulnerability text. The last row provides a total count of vulnerabilities. Each severity level is represented by a colour: yellow cells indicate medium severity vulnerabilities, orange cells indicate high severity, and red cells indicate critical severity.
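As an added example, not code from this guide or from Tenable, the CPE-based separation described above and the OS/application count matrices can be reproduced in Python over a constructed set of vulnerability records. The regular expression accepts both the CPE 2.2 URI form the text refers to (cpe:/a:, cpe:/o:) and the CPE 2.3 formatted-string form (cpe:2.3:a:), which goes slightly beyond the page; the plugin ids, severities, and CPE strings in SAMPLE_VULNS are assumed values.

```python
import re
from collections import Counter, defaultdict

# Matches the CPE 2.2 URI form (cpe:/a:...) and the CPE 2.3 formatted-string
# form (cpe:2.3:a:...). The captured letter is the part: a = application,
# o = operating system, h = hardware.
CPE_PART = re.compile(r"^cpe:(?:/|2\.3:)([aoh]):", re.IGNORECASE)

# Constructed sample of vulnerability records (plugin id, severity, and the CPE
# strings found in the plugin text). Assumed values, not real scan data.
SAMPLE_VULNS = [
    {"plugin": 1001, "severity": "Critical", "cpes": ["cpe:/a:oracle:jre:1.7.0:update45"]},
    {"plugin": 1002, "severity": "High",     "cpes": ["cpe:/o:microsoft:windows_7::sp1"]},
    {"plugin": 1003, "severity": "Medium",   "cpes": ["cpe:/a:adobe:flash_player:11.9.900.170",
                                                       "cpe:/o:microsoft:windows_7::sp1"]},
    {"plugin": 1004, "severity": "High",     "cpes": []},   # no CPE in the plugin text
    {"plugin": 1005, "severity": "Medium",   "cpes": ["cpe:2.3:a:mozilla:firefox:24.0:*:*:*:*:*:*:*"]},
    {"plugin": 1006, "severity": "Critical", "cpes": ["cpe:/o:apple:mac_os_x:10.8.5"]},
]


def cpe_parts(cpes):
    """Return the set of CPE part letters ('a', 'o', 'h') present in a list of CPE strings."""
    parts = set()
    for cpe in cpes:
        m = CPE_PART.match(cpe)
        if m:
            parts.add(m.group(1).lower())
    return parts


def classify(cpes):
    """Bucket a vulnerability the way the dashboard matrices do:
    application, os, both, or no_cpe when the plugin text carries no CPE."""
    parts = cpe_parts(cpes)
    has_app, has_os = "a" in parts, "o" in parts
    if has_app and has_os:
        return "both"
    if has_app:
        return "application"
    if has_os:
        return "os"
    return "no_cpe"


def count_matrix(vulns):
    """Counts of vulnerabilities by bucket and severity, plus a total row."""
    matrix = defaultdict(Counter)
    for v in vulns:
        matrix[classify(v["cpes"])][v["severity"]] += 1
        matrix["total"][v["severity"]] += 1
    return {bucket: dict(counts) for bucket, counts in matrix.items()}


if __name__ == "__main__":
    for bucket, counts in count_matrix(SAMPLE_VULNS).items():
        print(f"{bucket:12} {counts}")
```

Record 1003 lands in the "both" row because its plugin text carries an application CPE and an OS CPE, which is the same reason the guide gives for Java vulnerabilities appearing in both columns; record 1004 shows why the matrices need a row for findings with no CPE at all.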

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report, with Summary Description | Feed Category | Feed Tags

Enterprise Applications Vulnerability Summary: This component displays various enterprise application technologies, presenting the number of systems on which the technology was located and the number of vulnerabilities found. | Threat Detection & Vulnerability Assessments | software, indicator

Vulnerability Top Ten Dashboard: This dashboard displays multiple top 10 lists related to network vulnerabilities. Read more here. | Threat Detection & Vulnerability Assessments | remediation, vulnerabilities


Critical and Exploitable Vulnerabilities Report: This report provides a summary of critical severity vulnerabilities. The report has an executive summary chapter showing tables and trend graphs highlighting the status of critical severity vulnerabilities. The two following chapters provide the delta between critical severity vulnerabilities that are exploitable versus not exploitable. Read more here. | Executive | exploit, malware

Exploitable by Malware Report: This report provides a detailed view into the exploitability of the network. The following chapters show which vulnerabilities are exploitable by malware, and then compare the exploitability to attack frameworks. Read more here. | Executive | exploit, malware

Mitigation Strategy #3 – Patch Operating System Vulnerabilities

“Patch operating system vulnerabilities. Patch or mitigate systems exposed to ‘extreme risk’ vulnerabilities within two days. Use the latest operating system version that meets your organisation’s business requirements, since newer operating systems typically incorporate additional security technologies including anti-exploitation capabilities.”

Similar to mitigation strategy #2, this mitigation strategy focuses on patching. The same approach using CPEs is used to identify operating system vulnerabilities. There are some vulnerabilities that are classified as both application and operating system, such as Java vulnerabilities. The ASD Top 4 Mitigation Strategies dashboard contains components that support the patch operating system vulnerabilities mitigation strategy:

• OS & Application Top Remediations - This table provides the top remediations for vulnerabilities that are classified as both application and operating system. For each remediation, the risk reduction for the network if the remediation were to be implemented is shown, along with the number of hosts affected. Each list is sorted so that the highest risk reduction is at the top of the list. Implementing the remediations will decrease the overall vulnerability of the network.

• OS Top Remediations - This table provides the top remediations for vulnerable operating systems on the network. For each remediation, the risk reduction for the network if the remediation were to be implemented is shown, along with the number of hosts affected. Each list is sorted so that the highest risk reduction is at the top of the list. Implementing the remediations will decrease the overall vulnerability of the network.

• Active OS and Application Vulnerability Counts - This matrix displays counts of actively detected vulnerabilities by severity and by whether the vulnerability applies to an application, the operating system, or both. There are also some vulnerabilities where a CPE is not present in the vulnerability text. The last row provides a total count of vulnerabilities. Each severity level is represented by a colour: yellow cells indicate medium severity vulnerabilities, orange cells indicate high severity, and red cells indicate critical severity.

• Passive OS and Application Vulnerability Counts - This matrix displays counts of passively detected vulnerabilities by severity and by whether the vulnerability applies to an application, the operating system, or both. There are also some vulnerabilities where a CPE is not present in the vulnerability text. The last row provides a total count of vulnerabilities. Each severity level is represented by a colour: yellow cells indicate medium severity vulnerabilities, orange cells indicate high severity, and red cells indicate critical severity.


Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report, with Summary Description | Feed Category | Feed Tags

Operating System Vulnerability Report: This report enumerates known operating system vulnerabilities, such as Microsoft, Apple, and various Linux distributions. Read more here. | Threat Detection & Vulnerability Assessments | os

Remediation Instructions Report by Host: This report provides detailed instructions on how to resolve vulnerabilities on the top 20 most vulnerable systems tracked within SecurityCenter. The report is organized by the plugin type (Active, Passive, and Compliance). Read more here. | Compliance & Configuration Assessment | remediation

Windows Remediation Report: This report summarizes remediation actions across a series of Windows hosts. Rather than just counting the number of vulnerabilities, applications are listed that need to be upgraded or patched. It also highlights systems missing one or more Microsoft patches. This is not only much easier for an IT administrator to consume, it provides a measure of how much “work” is required to secure a network, as well as the amount of risk reduced when certain patch efforts are taken. Read more here. | Executive | remediation, windows

Linux/Unix Remediation Report: This report summarizes remediation actions across a series of Linux and Unix hosts. Rather than just counting the number of vulnerabilities, applications are listed which need to be upgraded or patched. It also highlights systems missing one or more patches. This is not only much easier for an IT administrator to consume, it provides a measure of how much “work” is required to secure a network, as well as the amount of risk reduced when certain patch efforts are taken. Read more here. | Executive | remediation, linux, unix

Mitigation Strategy #4 – Restrict Administrative Privileges

“Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account, and preferably a separate physical workstation, for activities that are non-administrative or risky such as reading email, web browsing and obtaining files via Internet services such as instant messaging. Such users should perform administrative activities using a workstation that implements at least the Top 4 mitigation strategies.”

This mitigation strategy requires a detailed knowledge of group memberships, specifically groups granting administrative privileges. Using several of the plugins that track membership in groups across system platforms, SC CV can assist the organisation in determining accounts that are members of groups granting administrative privileges. The organisation can then modify or disable accounts appropriately. The ASD Top 4 Mitigation Strategies dashboard contains a component that supports the “restrict administrative privileges” mitigation strategy:

• Group Membership Indicators - This matrix highlights Nessus plugins that extract group membership information. A purple cell indicates that results were obtained by that plugin. Listed below are descriptions for some of the cells from this component:

- LDAP Admin Group - Uses plugin 58038, LDAP “Domain Admins” Group Membership Enumeration, to enumerate the list of members of the “Domain Admins” group in the LDAP Directory.

- OS X Admin Group – Uses plugin 60019, Mac OS X Admin Group User List, to extract the member list of the “Admin” and “Wheel” groups. Members of these groups have administrative access to the system.

- Windows Domain Administrators - Uses plugin 10908, Microsoft Windows “Domain Administrators” Group User List, to extract the member list of the “Domain Administrators” group. Members of this group have complete access to the Windows Domain.

- Windows Administrators - Uses plugin 10902, Microsoft Windows “Administrators” Group User List, to extract the member list of the “Administrators” group. Members of this group have complete access to the system.

- Windows Server Operators - Uses plugin 10903, Microsoft Windows “Server Operators” Group User List, to extract the member list of the “Server Operators” group. Members of this group can perform most common administrative tasks.

Additional SC CV resources that can provide information applicable to this mitigation strategy, including resources that use the user account tracking features in LCE and can assist the organisation in monitoring the actions of a user:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Windows Daily Command and User Summary Report | This report produces daily summaries of commands and users for the past seven days. It also reports on installed software. Read more here. | Monitoring | windows, user
Group Management Events Report | This report provides a detailed analysis of the group membership across many platforms. The supported platforms are Windows, OS X, and LDAP. Read more here. | Monitoring | analysis, user account
Daily Host Alerts Report: Users Accessing Hosts | This report presents a list of all hosts and the users that have accessed them, as identified by the Daily_Host_Alert LCE event. Read more here. | Discovery & Detection | discovery, user

Additional Mitigation Strategies

Once organisations have successfully deployed the Top 4 mitigation strategies, they should begin to focus on the remaining 31. Organisations can select and implement additional mitigation strategies in the order that most effectively reduces risk for their environment. This section provides a detailed overview of how SC CV can assist with implementing these remaining 31 strategies.

Unlike the ASD Top 4 Mitigation Strategies dashboard for the Top 4 strategies, a single dashboard covering the remaining strategies was not created. Instead, this guide notes dashboards, components, and reports that support each of the remaining strategies.

Mitigation Strategy #5 – User Application Configuration Hardening

“User application configuration hardening, disabling: running Internet-based Java code, untrusted Microsoft Office macros, and unneeded/undesired web browser and PDF viewer features.”

This mitigation strategy focuses on hardening applications commonly used to interact with content on the Internet. Disabling execution of mobile code such as Java, ActiveX, and Flash within these applications can greatly reduce risk.

The Monitoring Client-Side Attack Surface dashboard provides a number of components that assist in monitoring the access points into clients that potential attackers might exploit. Of particular interest for this mitigation strategy is the “Java, ActiveX and Flash Events” component, which presents warning indicators for LCE normalized events related to those mobile code types, such as Flash Player requests, executable Java requests, and dangerous ActiveX control detections. This information assists in determining if these mobile code types have been disabled.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Monitoring Client-Side Attack Surface Dashboard | This dashboard monitors the client-side attack surface in an organisation. Read more here. | Monitoring | activex, flash, java
Enterprise Applications Vulnerability Summary | This component displays various enterprise application technologies, presenting the number of systems on which the technology was located and the number of vulnerabilities found. | Threat Detection & Vulnerability Assessments | software, indicator

Mitigation Strategy #6 – Automated Dynamic Analysis

“Perform automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or other configuration changes.”

One aspect of this mitigation strategy might be to monitor web and email traffic to identify malicious or unauthorized activity. With SC CV, Nessus, PVS, and LCE work together to collect and correlate log data from many sources, providing a centralized view of any potentially suspicious activity.

The Detect Suspicious Activity dashboard provides a number of components that highlight potentially unauthorized, suspicious, or malicious activity. Of particular interest for this mitigation strategy is the “Inappropriate, Sensitive, Questionable Content” component, which presents warning indicators for suspicious web and email content/activity. Each indicator is based on one or more LCE normalized events; some of these events are described below.

• PVS-Malicious_Website - The Passive Vulnerability Scanner detected a website hosting malicious content.

• Snort-Inappropriate_Content_Was_Detected - A Snort sensor detected an event classified as “Inappropriate Content was Detected”.

• MailScanner-IP_Based_Phishing - This MailScanner application detected and disarmed an email that contained a phishing attempt with content coming from a specific IP address.

• Apache-Invalid_Content_Length - This Apache web server processed a request with an invalid content length.

• Apache-Content_PHP_Request - This Apache web server has detected a system browsing the network via HTTP with a web request for dynamic content generated by a PHP program.

• Apache-Attempt_To_Serve_Directory - This Apache web server rejected a request to serve a directory.

• Web-Content_PHP_Request - This web server has detected a system browsing the network via HTTP with a web request for dynamic content generated by a PHP program.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Detect Suspicious Activity Dashboard | With SecurityCenter Continuous View, Nessus, the Passive Vulnerability Scanner (PVS), and the Log Correlation Engine (LCE) work together to collect and correlate log data from many sources, providing a centralized view of network activity. This dashboard provides a number of components that highlight potentially unauthorized, suspicious, or malicious activity. Read more here. | Threat Detection & Vulnerability Assessments | anomalies
PVS Detections Report - Vulnerabilities and Attacks | This report presents vulnerabilities and attacks passively detected by the Passive Vulnerability Scanner (PVS). Read more here. | Monitoring | detection, malicious
Web Activity Report | This report presents web activity detected in the last 72 hours, with some 7-day trending. This report can be used to monitor web accesses and look for suspicious or potentially unauthorized activity. Read more here. | Monitoring | web
Data Leakage Monitoring Dashboard | The Passive Vulnerability Scanner analyses data in motion and identifies sensitive data, such as credit card information, as well as general types of documentation sharing. This dashboard creates multiple tables to show observed shared data. Read more here. | Monitoring | dlp
File Modification Monitoring Dashboard | This dashboard tracks file and directory modifications on hosts. Read more here. | Monitoring | file
NetFlow Monitor Dashboard | This dashboard displays information about traffic on the network. Read more here. | Monitoring | netflow

Mitigation Strategy #7 – Operating System Generic Exploit Mitigation

“Apply operating system generic exploit mitigation technologies e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). Security-Enhanced Linux (SELinux) and grsecurity are examples of exploit mitigation mechanisms for Linux operating systems.”

This mitigation strategy focuses on applying generic exploit mitigation techniques to harden systems. SC CV can assist in this area both by providing components that check for specific mitigations (such as the “Data Execution Prevention (DEP) is Disabled” component) and by performing compliance checks using audit files.

Listed below are some of the audit files that contain checks for the generic exploit mitigation techniques mentioned in this strategy (ASLR, DEP, and SELinux):

• ASLR

- DISA_STIG_RHEL_6_v1r2.audit

- DISA_STIG_Server_2012_DC_v1r3.audit

• DEP

- CIS_MS_Windows_8_Level_1_v1.0.0.audit

- DISA_STIG_MS_Office_Access_2010.audit

• SELinux

- NSA_RH_5_hardening_tips.audit

- PCI_2.0_Redhat.audit

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Monitoring Client-Side Attack Surface - Data Execution Prevention (DEP) is Disabled | This component displays hosts that have Data Execution Prevention (DEP) security features disabled. | Monitoring | dep
Internet Explorer Vulnerabilities Dashboard | The latest zero-day Internet Explorer vulnerabilities leave organizations open to new attacks using remote execution exploits. How vulnerable is your organization? With this dashboard, SecurityCenter customers can better analyse risk and create remediation strategies. Read more here. | Discovery & Detection | browser
Internet Explorer Zero Day Report | The latest zero-day Internet Explorer vulnerabilities leave organizations open to new attacks using remote execution exploits. How vulnerable is your organization? With this report, SecurityCenter customers can better analyse risk and create remediation strategies. Read more here. | Discovery & Detection | detection, vulnerability

Mitigation Strategy #8 – Host-based Intrusion Detection/Prevention System

“Implement a Host-based Intrusion Detection/Prevention System (HIDS/HIPS) to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and call hooking. Suspicious behaviour also includes software attempting to persist after the workstation or server is rebooted, for example by modifying or adding registry settings and files such as computer services.”

This mitigation strategy requires the use of an HIDS/HIPS. This software is often part of an endpoint security product. The Tenable LCE Client also has the ability to do some of this monitoring. With the LCE Client enabled, or if the endpoint security product is forwarding its logs to LCE, the potential intrusion events will be recorded under event type “intrusion”.

All logs from HIDS, HIPS, other network security products, applications, and operating systems should be sent via syslog to LCE. LCE can parse and correlate these logs, generating events that indicate attacks, scans and probes, and denial of service. LCE can correlate intrusion logs with known botnet IP addresses, and can correlate current network vulnerabilities with intrusion attacks. This log correlation ability of LCE can greatly enhance an organisation’s ability to detect malicious activity.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Directional Event Trends Dashboard | This dashboard makes use of the LCE’s directionality filter to create five-day trend graphs of all inbound, outbound, and internal events. Read more here. | Monitoring | inbound, internal, outbound
Event Indicator Alert Dashboard | The “Indicator” LCE event type monitors a select list of normalized events and then analyses the events for chains of activity that indicate potential abuse, evidence of compromise, or determined attacks. Read more here. | Threat Detection & Vulnerability Assessments | intrusion, malicious
Threatlist Activity Dashboard | This dashboard charts systems and trends of threatlist and botnet activity for the past week. Read more here. | Threat Detection & Vulnerability Assessments | botnet, events

Mitigation Strategy #9 – Disable Local Administrator Accounts

“Disable local administrator accounts to prevent cyber adversaries from easily propagating throughout an organisation’s network using compromised local administrator credentials that are shared by several workstations.”

As with mitigation strategy #4, SC CV can assist the organisation in determining accounts that are members of groups granting administrative privileges. The organisation can then modify or disable accounts appropriately.

The Account Status Indicators Dashboard enables monitoring of all the password and account policy settings. Of particular interest for this mitigation strategy is the “Local Group Enumeration” component, which makes use of several plugins to monitor group membership. These plugins are:

• Plugin 10860, SMB Use Host SID to Enumerate Local Users - Using the host security identifier (SID), it is possible to enumerate local users on the remote Windows system. Note that this plugin requires a start and end user identifier (UID) range. The UID range is by default 1000 to 1200. By setting a greater range, Nessus will be able to better ascertain and enumerate the user accounts.

• Plugin 10902, Microsoft Windows ‘Administrators’ Group User List - Using the supplied credentials, it is possible to extract the member list of the ‘Administrators’ group. Members of this group have complete access to the remote system.

• Plugin 10911, Microsoft Windows Local Users Information Automatically disabled accounts - Using the supplied credentials, it is possible to list local user accounts that have been automatically disabled. These accounts may have been disabled for security reasons or due to brute-force attack attempts.

• Plugin 10913, Microsoft Windows Local Users Information Disabled accounts - Using the supplied credentials, it is possible to list local user accounts that have been disabled.

• Plugin 10916, Microsoft Windows Local Users Information Passwords never expire - Using the supplied credentials, it is possible to list local users that are enabled and whose passwords never expire.

• Plugin 71246, Enumerate Local Group Memberships - Connects to a host via SMB to retrieve a list of local Groups and their Members.
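The membership lists that these plugins (and those listed under Mitigation Strategy #4) enumerate still have to be compared against what the organisation approves before any account is modified or disabled. The Python script below is an added example, not Tenable's code: it parses constructed `net localgroup Administrators` output in the real command's layout and reports members that are not on an assumed approved baseline.

```python
"""Compare enumerated local Administrators members against an approved baseline.

Added example, not Tenable's code: the plugins above enumerate group members;
this script performs the follow-up step of deciding which members are not
approved and so need to be modified or disabled. The `net localgroup`
output and the baseline are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed sample in the layout `net localgroup Administrators` prints on
# a Windows host (domain, host and account names are made up).
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\WorkstationAdmins
CORP\\jsmith
helpdesk-temp
The command completed successfully.
"""

# Assumed approved baseline for workstations (an organisation would keep this
# in its configuration management source of truth; names are made up).
APPROVED_ADMINS = {"Administrator", "CORP\\Domain Admins", "CORP\\WorkstationAdmins"}


def parse_net_localgroup(output: str) -> list[str]:
    """Return the member names from `net localgroup <group>` output.

    Members are the non-empty lines between the dashed separator and the
    trailing 'The command completed successfully.' line.
    """
    members: list[str] = []
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_members:
            in_members = line.startswith("----")
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


@dataclass
class AdminReview:
    host: str
    unexpected: list[str] = field(default_factory=list)  # members outside the baseline
    missing: list[str] = field(default_factory=list)     # baseline entries not present

    @property
    def compliant(self) -> bool:
        """Only members outside the baseline make a host non-compliant."""
        return not self.unexpected


def review_admins(host: str, output: str, approved: set[str]) -> AdminReview:
    """Diff enumerated members against the approved set, case-insensitively
    because Windows account and group names are case-insensitive."""
    seen = {m.lower(): m for m in parse_net_localgroup(output)}
    baseline = {a.lower(): a for a in approved}
    unexpected = [seen[k] for k in sorted(seen) if k not in baseline]
    missing = [baseline[k] for k in sorted(baseline) if k not in seen]
    return AdminReview(host, unexpected, missing)


if __name__ == "__main__":
    result = review_admins("WS-001", SAMPLE_NET_LOCALGROUP, APPROVED_ADMINS)
    print(f"{result.host}: compliant={result.compliant}")
    for name in result.unexpected:
        print(f"  unexpected administrator: {name}")
    for name in result.missing:
        print(f"  baseline member absent: {name}")
```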

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Account Status Indicators Dashboard | Managing user accounts, group memberships, and passwords can be a difficult task. Using SC CV, security analysts can audit password policies, monitor group membership, and review other account-related settings. Read more here. | Monitoring | administrator, enumeration
Account Weakness Dashboard | This dashboard presents vulnerabilities related to accounts and credentials. Read more here. | Threat Detection & Vulnerability Assessments | accounts
Account Weakness Report | This report presents vulnerabilities related to accounts and credentials. These vulnerabilities include default accounts, blank passwords, bypassing of authentication, insecure and non-compliant account settings, and more. Read more here. | Threat Detection & Vulnerability Assessments | account
Council on CyberSecurity - Critical Security Controls Dashboard | This dashboard assists organizations in implementing controls to quickly identify and reduce the potential exploitation of application vulnerabilities. Read more here. | Security Industry Trends | sans

Mitigation Strategies #12 and #13 – Software-Based Application Firewall

“Implement a software-based application firewall,” blocking incoming network traffic that is malicious or otherwise unauthorised, blocking outgoing network traffic that is not generated by a whitelisted application, and denying network traffic by default.

These mitigation strategies require that a software-based firewall be enabled on a host computer. The network traffic rule sets enforced by these firewalls can be difficult to collect and audit. SC CV uses audit checks and plugins to enumerate the firewall rules.

The Firewall Status dashboard can assist in monitoring firewall activity and detecting risks and anomalies on the network. Of particular interest for this mitigation strategy is the “Firewall Rule Enumeration” component, which uses plugin 56310, Firewall Rule Enumeration, and audit checks to report on the status of software-based firewalls. Plugin 56310 uses WMI, NETSH, IPTABLES, and PFCTL commands to collect the list of firewall rules from remote hosts. Firewall rule sets for particular hosts can be investigated by clicking on the applicable indicator and viewing the detailed vulnerability list.

The top row of indicators in the Firewall Rule Enumeration component displays the results of audit checks of host-based firewall rules. The “Passed” indicator is highlighted green for passed results, the “Manual” indicator is highlighted orange for those results that need to be reviewed manually, and the “Failed” indicator is highlighted red if there are any failed results. More information can be obtained on the results by clicking on the specific indicator and viewing the detailed vulnerability list.

Several audit files evaluate firewall rules, for example:

• PCI_FreeBSD.audit

• PCI_2.0_Solaris10.audit

• CIS_OSX_10.6_v1.0.0_L1.audit

• CIS_MS_2008_Server_SSLF.audit
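As an added example, not plugin 56310 or any of the audit files above, the Python script below parses constructed iptables-save output, enumerates the rules, and grades the default-deny and outbound-whitelist requirements of strategies #12 and #13 into the Passed, Manual and Failed outcomes the Firewall Rule Enumeration component reports.

```python
"""Enumerate host firewall rules from iptables-save output and grade them.

Added example, not Tenable's plugin 56310 or any .audit file: it applies the
kind of checks those resources perform and yields the Passed / Manual / Failed
outcomes shown by the Firewall Rule Enumeration component. The iptables-save
text below is a constructed sample.
"""
import re
from dataclasses import dataclass

# Constructed sample: a workstation whose INPUT chain denies by default
# (strategy #12) but whose OUTPUT chain still accepts by default (strategy #13).
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m owner --uid-owner 1000 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"-A (\S+)\s*(.*?)\s*-j (\S+)$")


@dataclass
class Rule:
    chain: str
    spec: str    # match expression, e.g. "-p tcp --dport 22 -s 10.0.0.0/8"
    target: str  # ACCEPT, DROP, REJECT, or a user-defined chain


@dataclass
class FilterTable:
    policies: dict[str, str]  # built-in chain -> default policy
    rules: list[Rule]


def parse_iptables_save(text: str) -> FilterTable:
    """Parse the *filter table: ':CHAIN POLICY [..]' lines and '-A' rules."""
    policies: dict[str, str] = {}
    rules: list[Rule] = []
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):           # table header, e.g. *filter, *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):           # ":INPUT DROP [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(chain=m.group(1), spec=m.group(2), target=m.group(3)))
    return FilterTable(policies=policies, rules=rules)


def grade_default_deny(table: FilterTable, chain: str) -> str:
    """Passed when the built-in chain denies by default, otherwise Failed."""
    return "Passed" if table.policies.get(chain) in ("DROP", "REJECT") else "Failed"


def grade_outbound_whitelist(table: FilterTable) -> str:
    """Strategy #13: outbound traffic only from whitelisted applications.

    iptables matches ports, addresses and owners rather than applications,
    so the check is: default-deny OUTPUT, no unconditional ACCEPT, and every
    remaining ACCEPT rule is handed to an analyst for Manual review against
    the application whitelist.
    """
    if grade_default_deny(table, "OUTPUT") == "Failed":
        return "Failed"
    accepts = [r for r in table.rules if r.chain == "OUTPUT" and r.target == "ACCEPT"]
    if any(r.spec == "" for r in accepts):   # "-A OUTPUT -j ACCEPT" accepts everything
        return "Failed"
    return "Manual" if accepts else "Passed"


def evaluate(text: str) -> dict[str, str]:
    """Return the three check outcomes for one host's iptables-save output."""
    table = parse_iptables_save(text)
    return {
        "inbound_default_deny": grade_default_deny(table, "INPUT"),
        "outbound_default_deny": grade_default_deny(table, "OUTPUT"),
        "outbound_whitelist": grade_outbound_whitelist(table),
    }


if __name__ == "__main__":
    table = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    for r in table.rules:
        print(f"{r.chain:7} {r.target:7} {r.spec}")
    for check, outcome in evaluate(SAMPLE_IPTABLES_SAVE).items():
        print(f"{check}: {outcome}")
```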

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Firewall Status Dashboard | The Firewall Status dashboard monitors both hourly and daily firewall events, firewall changes, trending of firewall events, and firewall rule enumerations. Utilizing the firewall status dashboard, an IT security analyst can monitor firewall events on the network from a single location. Read more here. | Monitoring | events, firewall
Firewall Changes Dashboard | This dashboard displays a 25-day trend analysis of firewall events. Read more here. | Monitoring | firewall
Threatlist Activity Dashboard | This dashboard charts systems and trends of threatlist and botnet activity for the past week. Read more here. | Threat Detection & Vulnerability Assessments | botnet, events
Security Software Vulnerabilities Report | This report enumerates known security software tools and resources, such as McAfee Antivirus, Microsoft Forefront, and Symantec PGP. The report displays information for enforcing and verifying IT management policies relating to assets, such as vulnerability, configuration, and remediation policies. Read more here. | Threat Detection & Vulnerability Assessments | intrusion, network services

Mitigation Strategy #14 – Non-Persistent Virtualised Sandboxed Trusted Operating Environment

“Implement a non-persistent virtualised sandboxed trusted operating environment, hosted outside of your organisation’s internal network, for risky activities such as web browsing.”

For this mitigation strategy, SC CV can provide traffic monitoring using LCE and the NetFlow and Network Monitor agents. These agents monitor the network from different points and report traffic flow statistics. Using this approach, the organisation can monitor traffic traversing different points in the network. The NetFlow Monitor dashboard can assist with this monitoring.

The Network Monitor and NetFlow agents require some specialized setup. Details on this setup can be found in the Log Correlation Engine Best Practices document.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
NetFlow Monitor Dashboard | This dashboard displays information about traffic on the network. Read more here. | Monitoring | netflow
NetFlow by Port | This component displays the top 10 TCP ports with the highest session counts. This information can assist in understanding and monitoring the dataflows and services active on the network. | Monitoring | netflow, services

Mitigation Strategy #15 – Centralised and Time-Synchronised Logging of Events

“Perform centralised and time-synchronised logging of successful and failed computer events, with automated immediate real-time log analysis, storing logs for at least 18 months. Important logs include logs generated by security products, as well as Active Directory event logs and other logs associated with user authentication including VPN and other remote access connections.”

This mitigation strategy focuses on setting up good log collecting practices. The Synchronized Log Collection dashboard provides a number of components that assist in this area:

• Tenable LCE - This component displays event data related to Tenable’s Log Correlation Engine, including indicators that trigger if the LCE license is within 5 days of expiration, and if any modifications have occurred to the LCE.

• Network With NTP Compliance Checks - Time-synchronisation can be addressed by setting up an organisation-wide Network Time Protocol (NTP) source. This component reports on audit checks that verify the NTP settings on subnets.

• Log Sources with 24 Hour Event Count - This component identifies log sources and helps the organisation ensure that all systems that can send logs are sending them to LCE and/or allowing PVS to scan them.

• Dead LCE Clients Per Subnet - This component displays the count of hosts with “dead” (unreachable) LCE Clients per class C subnet.

• Subnets with Tenable LCE Clients Installed on Windows - This component displays the number of Windows hosts per subnet on which the LCE Client is installed. Systems without the LCE Client installed do not send their logs to LCE, so vulnerabilities on those systems might not be found.

• Subnets with Tenable LCE Clients Installed on *nix - This component displays the number of *nix hosts per subnet on which the LCE Client is installed. Systems without the LCE Client installed do not send their logs to LCE, so vulnerabilities on those systems might not be found.
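An added example, not LCE code: the Python script below runs the checks behind the “Log Sources with 24 Hour Event Count” and “Dead LCE Clients” components over constructed syslog records, counting events per source, listing inventoried sources that have gone silent, and flagging sources whose own timestamps disagree with the collector’s clock, which is how a missing NTP source shows up in the log data. Host names, the inventory and the records are constructed; the device header is assumed to follow the RFC 5424 layout.

```python
"""Summarise log sources over a 24-hour window and flag dead or skewed ones.

Added example, not Tenable's LCE code: over constructed sample records it
answers two questions the Synchronized Log Collection dashboard answers,
which inventoried sources have stopped sending logs, and which sources carry
timestamps that disagree with the collector's clock (a time-synchronisation
gap). Host names, inventory and records are constructed; the device header
is assumed to follow RFC 5424 (<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Collector's clock and the assumed inventory of hosts that run an LCE Client
# or otherwise forward syslog (all constructed).
NOW = datetime(2014, 9, 3, 12, 0, tzinfo=timezone.utc)
EXPECTED_SOURCES = {"ws-001", "ws-002", "srv-dc1", "srv-vpn"}
MAX_SKEW = timedelta(minutes=5)

# Constructed sample: "<received-at> <PRI>1 <device-timestamp> <host> <app> - - - <msg>",
# where received-at is stamped by the collector and the rest is the RFC 5424 header.
SAMPLE_LOG = """\
2014-09-03T11:58:02Z <86>1 2014-09-03T11:58:01Z ws-001 sshd - - - Accepted password for alice
2014-09-03T11:59:10Z <86>1 2014-09-03T11:59:09Z ws-001 sudo - - - alice : COMMAND=/bin/ls
2014-09-03T10:30:00Z <38>1 2014-09-03T10:29:58Z srv-dc1 Security - - - EventID=4624 user=bob
2014-09-03T11:45:00Z <38>1 2014-09-03T12:31:00Z srv-vpn openvpn - - - Peer connection initiated
2014-09-02T09:00:00Z <86>1 2014-09-02T08:59:59Z ws-002 sshd - - - session opened for user carol
"""


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Record:
    received: datetime     # collector clock
    device_time: datetime  # clock of the host that produced the event
    host: str
    app: str
    message: str


def parse_line(line: str) -> Record:
    received, _pri_version, device_time, host, rest = line.split(" ", 4)
    app, _procid, _msgid, _structured_data, message = rest.split(" ", 4)
    return Record(_ts(received), _ts(device_time), host, app, message)


@dataclass
class SourceSummary:
    counts: dict[str, int]        # events per source inside the window
    dead: list[str]               # inventoried sources with no events in window
    unknown: list[str]            # sources seen that are not in the inventory
    skewed: dict[str, timedelta]  # source -> largest device/collector offset


def summarise(log_text: str, now: datetime, expected: set[str],
              window: timedelta = timedelta(hours=24),
              max_skew: timedelta = MAX_SKEW) -> SourceSummary:
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    cutoff = now - window
    counts = Counter(r.host for r in records if r.received >= cutoff)
    dead = sorted(h for h in expected if counts[h] == 0)
    unknown = sorted(set(counts) - expected)
    skewed: dict[str, timedelta] = {}
    for r in records:
        offset = abs(r.device_time - r.received)
        if offset > max_skew and offset > skewed.get(r.host, timedelta(0)):
            skewed[r.host] = offset
    return SourceSummary(dict(counts), dead, unknown, skewed)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG, NOW, EXPECTED_SOURCES)
    for host, n in sorted(s.counts.items()):
        print(f"{host}: {n} event(s) in the last 24 hours")
    print("dead sources:", ", ".join(s.dead) or "none")
    print("unknown sources:", ", ".join(s.unknown) or "none")
    for host, offset in s.skewed.items():
        print(f"clock skew on {host}: {offset}")
```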

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Synchronized Log Collection Dashboard | Log management is a problem that many organizations face on a regular basis. This dashboard provides a summary of log sources, and monitors audit checks for Network Time Protocol (NTP) settings. Read more here. | Discovery & Detection | NTP, log
Event Indicator Alert Dashboard | The new “Indicator” LCE event type monitors a select list of normalized events and then analyses the events for chains of activity that indicate potential abuse, evidence of compromise, or determined attacks. Read more here. | Threat Detection & Vulnerability Assessments | intrusion, malicious
Event Indicator Alert Report | This report provides the event summaries of each system that has been identified to have more than one “indicator” event type. Read more here. | Threat Detection & Vulnerability Assessments | intrusion, malware
Authentication Anomalies and Password Guessing Dashboard | This dashboard displays anomalies in login events and password guessing events over seven days. Read more here. | Monitoring | analysis, events

Mitigation Strategy #16 – Centralised and Time-Synchronised Logging of Network Activity

“Perform centralised and time-synchronised logging of allowed and blocked network activity, with automated immediate real-time log analysis, storing logs for at least 18 months. Important logs include DNS server, web proxy logs containing connection details including user-agent values, DHCP leases, firewall logs detailing traffic entering and leaving an organisation’s network, and metadata such as Network Flow data.”

One aspect of this mitigation strategy is maintaining logs for Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) events. Both of these protocols are used throughout virtually every environment and can be easily monitored by SC CV using LCE and PVS. The DHCP Monitoring dashboard provides information on DHCP sources, DHCP vulnerabilities, and DHCP-related events.

Implementing DNS monitoring requires some planning. The organisation must place PVS scanners to allow passive monitoring of the DNS servers and must configure the PVS scanners to send their log data to LCE via syslog, for further event correlation and retention purposes.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
DHCP Monitoring Dashboard | This dashboard provides a series of components that assist the analyst by providing indications for DHCP Sources, DHCP Vulnerabilities, and DHCP Events, and a series of indicators for over 30 DHCP-related events. Read more here. | Monitoring | dhcp
DNS Dashboard | This dashboard leverages Tenable’s Log Correlation Engine (LCE) and Passive Vulnerability Scanner (PVS) and is useful for forensic analysis, employee monitoring, and creating reports. Read more here. | Threat Detection & Vulnerability Assessments | dns
Event Trending By Type - DNS | This component displays the logs from the event type DNS. | Monitoring | dns
PVS Network Trending | This dashboard leverages PVS’s ability to detect network traffic in real-time. Some examples are SSH, SSL, VNC, and RDP. Read more here. | Monitoring | discovery
NetFlow Monitor Dashboard | This dashboard displays information about traffic on the network. Read more here. | Monitoring | netflow

Mitigation Strategy #17 – Email Content filtering

“Implement email content filtering, allowing only whitelisted attachments with a file type and file extension that are required for business functionality.”

This mitigation strategy requires the organisation to monitor and filter email attachments. While SC CV itself is not a content filter, it can collect and correlate event logs from email servers, spam gateways, and other content filters and passively monitor web traffic in order to provide a more in-depth picture of current network threats. The email servers and spam gateways should be configured to send log data to LCE and be passively monitored by PVS. The PVS scanners should also be configured to send real-time syslog data to LCE.

The Spam Monitoring dashboard can monitor trending, events, and vulnerabilities for spam security risks in the network.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Spam Monitoring | This dashboard will monitor trending, events, and vulnerabilities for spam security risks in the network. Read more here. | Monitoring | spam
Security Software Vulnerabilities Report | This report enumerates known security software tools and resources, such as McAfee Antivirus, Microsoft Forefront, and Symantec PGP. The report displays information for enforcing and verifying IT management policies relating to assets, such as vulnerability, configuration, and remediation policies. Read more here. | Threat Detection & Vulnerability Assessments | intrusion, network services

Mitigation Strategy #18 – Web Content Filtering

“Implement web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, Internet-based reputation ratings, heuristics and signatures.”

This mitigation strategy requires the organisation to monitor and filter web traffic. While SC CV itself is not a content filter, it can collect and correlate event logs from content filters and passively monitor web traffic in order to provide a more in-depth picture of current network threats. There are several vendor solutions with the ability to filter web content, and these systems should be configured to send log data to LCE and be passively monitored by PVS. The PVS scanners should also be configured to send real-time syslog data to LCE.

The Web Content Filter Monitoring dashboard provides a centralized view of web filter alert indicators, without the need to log into multiple devices to view data.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report | Summary Description | Feed Category | Feed Tags
Web Content Filter Monitoring Dashboard | Monitoring egress traffic is critical to preventing data loss, and the most common attack methods are client-side web attacks. The ability for LCE and PVS to monitor web traffic through logs and passive vulnerability detection can provide a much more in-depth view into web usage. Read more here. | Monitoring | monitoring, web
Web Activity Report | This report presents web activity detected in the last 72 hours, with some 7-day trending. This report can be used to monitor web accesses and look for suspicious or potentially unauthorized activity. Read more here. | Monitoring | web
Web Services Indicator Dashboard | This dashboard provides six indicator style components for web services. Each component is designed to provide a detailed focus on SSL, malicious URLs, external URLs, web service platforms, CGI vulnerabilities, and common web service TCP ports. Read more here. | Threat Detection & Vulnerability Assessments | malicious, indicator

Mitigation Strategies #19, #32, and #34 – Web Domain Blacklisting/Whitelisting

“Implement web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.” If not feasible, at least “implement gateway blacklisting to block access to known malicious domains and IP addresses.” In addition, “block attempts to access websites by their IP address instead of by their domain name.”

This mitigation strategy requires the organisation to monitor and filter web domain requests, via either whitelisting or blacklisting. While SC CV itself is not a domain filter, it can collect and correlate event logs from domain filters and passively monitor web traffic in order to provide a more in-depth picture of current network threats. Gateways, proxies, and other web domain filtering appliances should be configured to send log data to LCE and be passively monitored by PVS. The PVS scanners should also be configured to send real-time syslog data to LCE.


Note that if user workstations are configured to use proxies for web access, then, for efficiency, network traffic monitoring need only review the traffic between the proxies and the gateway.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Web Activity Report: This report presents web activity detected in the last 72 hours, with some 7-day trending. It can be used to monitor web accesses and look for suspicious or potentially unauthorized activity. | Monitoring | web

PVS Detections Report - Vulnerabilities and Attacks: This report presents vulnerabilities and attacks passively detected by the Passive Vulnerability Scanner (PVS). | Monitoring | detection, malicious

PVS Detections Report - Traffic: This report presents network traffic passively detected by the Passive Vulnerability Scanner (PVS). | Monitoring | backdoor, botnet

Mitigation Strategy #21 – Workstation and Server Configuration Management

“Perform workstation and server configuration management based on a hardened Standard Operating Environment, disabling unneeded/undesired functionality e.g. IPv6, autorun and LanMan.”

This mitigation strategy focuses on configuration management with an emphasis on security. SC CV can assist organisations with this security-focused configuration management. Audit files can be used to ensure that workstations and servers are compliant with policies and standards. In addition, SC CV can monitor for system change events in real time and automatically perform configuration audits on new or changed systems. By integrating Nessus scanners with real-time monitoring using PVS and LCE, the organisation can maintain hardened system configurations, as defined by policy, across a vast organisation.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Unknown Process Dashboard: This dashboard displays unknown processes, Microsoft Windows autoruns, grey area processes, and known installed software across a series of components. | Threat Detection & Vulnerability Assessments | autorun

Compliance Summary Dashboard: SecurityCenter and Nessus have the ability to check compliance with a variety of standards including HIPAA, NIST 800-53, PCI DSS, and DoDI 8500.2. This dashboard shows the security manager a summary of the current compliance status. | Compliance & Configuration Assessment | compliance, pass/fail

Compliance dashboards and reports for specific standards (NIST 800-53, Cybersecurity Framework, PCI, HIPAA, etc.) | Compliance & Configuration Assessment | nist, pci, hippa

Mitigation Strategies #22 and #30 – Antivirus Software

“Implement antivirus software using heuristics and automated Internet-based reputation ratings to check a program’s prevalence and its digital signature’s trustworthiness prior to execution. Specifically, this includes checking the prevalence of a questionable file among the Internet user base, and checking whether a digitally signed file uses a reputable vendor certificate that hasn’t expired or been revoked.” If not feasible, at least “use signature-based antivirus software that primarily relies on up to date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.”

This mitigation requires deploying antivirus to control malware activity on the network. While SC CV itself is not antivirus software, it can collect and correlate event logs from client antivirus software, from the antivirus security server, and from related network equipment in order to provide a more in-depth picture of current network threats. Combined with the ability of SC CV to perform active and passive vulnerability detection, this allows the organisation to begin to mitigate risks in a proactive manner.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Comprehensive Antivirus Report: This report details issues with antivirus software, including botnet and malware detections as well as vulnerable and out-of-date antivirus software. | Compliance & Configuration Assessment | antivirus

Antivirus Software Check Report: This report template focuses on antivirus software that isn’t up to date or isn’t functioning properly. | Monitoring | antivirus

Virus Trending Dashboard: This dashboard presents virus indication events detected by various products and shows trending. | Threat Detection & Vulnerability Assessments | virus

Exploitable by Malware Report: This report provides a detailed view into the exploitability of the network. Its chapters show which vulnerabilities are exploitable by malware and then compare that exploitability against attack frameworks. | Executive | exploit, malware

Mitigation Strategy #23 – Deny Direct Internet Access from Workstations

“Deny direct Internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server, or an authenticated web proxy server.”

This mitigation requires using a firewall to deny direct Internet access from workstations. SC CV can collect and correlate firewall logs from a variety of appliances, routers, software, and operating system-based solutions in order to monitor how users access the Internet.

LCE normalizes firewall log events into several event types, for example:

• firewall – any denied network connection

• scanning – some firewall applications offer intrusion detection and prevention functions and report port scans

If the organisation is not logging firewall data to LCE, critical data could be missing from the threat analysis. For example, if the systems are required to use a proxy but are misconfigured, then firewall logs would show this. Unauthorised traffic recorded in the logs could indicate a misconfigured system, or an employee attempting to circumvent corporate policy. If SMTP traffic is detected from systems other than the email servers, this could indicate that a compromised host is attempting to send unauthorized email, since all outbound email should be routed through the local mail server. These events can be collected and correlated with other events to help indicate serious issues within the network.
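The two detections described above, proxy bypass and SMTP from a host that is not a mail server, as an added example that is not part of the paper and not LCE's own normalisation logic. The network addresses, the key=value log layout and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Policy for a constructed environment (hypothetical addresses, not from the paper):
# workstations live in 10.0.1.0/24 and must reach the web only via the proxy,
# and only the mail server may speak SMTP to the Internet.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")
PROXY = ipaddress.ip_address("10.0.0.5")
MAIL_SERVERS = {ipaddress.ip_address("10.0.0.10")}
WEB_PORTS = {80, 443}
SMTP_PORTS = {25, 465, 587}

# Constructed firewall log lines in a generic key=value syslog layout.
SAMPLE_LOG = [
    "2014-09-03T10:01:02Z fw01 ACTION=ALLOW SRC=10.0.1.25 DST=10.0.0.5 PROTO=TCP DPT=3128",
    "2014-09-03T10:01:07Z fw01 ACTION=DENY SRC=10.0.1.25 DST=203.0.113.7 PROTO=TCP DPT=443",
    "2014-09-03T10:02:11Z fw01 ACTION=ALLOW SRC=10.0.0.10 DST=198.51.100.9 PROTO=TCP DPT=25",
    "2014-09-03T10:02:40Z fw01 ACTION=ALLOW SRC=10.0.1.40 DST=198.51.100.9 PROTO=TCP DPT=25",
    "2014-09-03T10:03:05Z fw01 ACTION=ALLOW SRC=10.0.1.40 DST=10.0.0.20 PROTO=TCP DPT=445",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(
    r"ACTION=(?P<action>\w+)\s+SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r"\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "action": m.group("action"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def policy_violations(ev):
    """Reasons why one connection event contradicts the egress policy."""
    reasons = []
    external = ev["dst"] not in INTERNAL_NET
    if external and ev["src"] in WORKSTATION_NET and ev["dpt"] in WEB_PORTS:
        # Allowed or denied, the attempt itself shows the host is not using the proxy.
        reasons.append("workstation attempted direct Internet web access (proxy bypass or misconfiguration)")
    if external and ev["dpt"] in SMTP_PORTS and ev["src"] not in MAIL_SERVERS:
        reasons.append("outbound SMTP from a host that is not a mail server")
    return reasons


def analyse(lines):
    """Parse log lines and return one finding per policy violation."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in policy_violations(ev):
            findings.append({
                "src": str(ev["src"]), "dst": str(ev["dst"]),
                "dpt": ev["dpt"], "action": ev["action"], "reason": reason,
            })
    return findings


def offenders(findings):
    """Count findings per source host so the noisiest hosts surface first."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dpt']} [{f['action']}] {f['reason']}")
```

Note that the denied HTTPS attempt is flagged as well as the allowed SMTP session: a deny log still shows which host is misconfigured, which is the point of forwarding firewall logs to LCE.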

Additional SC CV resources that can provide information applicable to this mitigation strategy:


Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Palo Alto FW Status Dashboard: This dashboard displays the summary status of the Palo Alto firewall, and includes indicators for events, configuration audits, and NetFlow statistical graphs. | Monitoring | firewall

Fortinet Dashboard: This dashboard is a series of components that provide basic analysis of FortiGate devices. | Monitoring | firewall

FireEye Events: This dashboard displays a summary status of FireEye events, providing an overview of collected events using several techniques. This event data provides the analyst with many different methods to quickly respond to triggered alerts. | Monitoring | fireeye

Mitigation Strategy #24 – Server Application Configuration Hardening

“Perform server application configuration hardening e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.”

This mitigation strategy requires the hardening of server-based applications in order to further secure the operating environment. Server application security is critical to the security of any organisation, and SC CV can provide a detailed view into the vulnerabilities of servers and server-based applications. Production servers often cannot be actively scanned because of response-time and downtime concerns; however, logging and passive vulnerability detection do not impact server operations. This approach will not discover every vulnerability, but it can provide very detailed information on the servers and the environment. After using PVS to discover the applications and operating systems, the organisation can then perform targeted scans, which have a much lower impact on server performance.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Database Summary Dashboard: This dashboard enumerates known databases and resources, such as Microsoft SQL Server, MySQL, and Oracle. The dashboard displays information for enforcing and verifying IT management policies relating to assets, such as vulnerability, configuration, and remediation policies. | Threat Detection & Vulnerability Assessments | database

OWASP Top 10 Dashboard: This dashboard provides SecurityCenter users the ability to monitor web application security by identifying the top 10 most critical web application security flaws as described in OWASP’s Top Ten awareness document. | Security Industry Trends | owasp

Web Server Indicator Dashboard: This dashboard has been developed to provide quick visual indications of web services, CGI vulnerabilities, FTP services, and database services. | Monitoring | xss


Mitigation Strategy #25 – Enforce a Strong Passphrase Policy

“Enforce a strong passphrase policy covering complexity, length, expiry, and avoiding both passphrase reuse and the use of a single dictionary word. This is especially important for service accounts and all other accounts with administrative privileges.”

This mitigation strategy requires enforcing a strong passphrase policy. SC CV can assist in this area in two ways. First, SC CV provides over 40 plugins dedicated to the collection of account information, for example:

• Plugin 10892 - Microsoft Windows Domain User Information

• Plugin 17651 - Microsoft Windows SMB : Obtains the Password Policy

• Plugin 72684 - Enumerate Local Users

Second, SC CV can perform compliance checks using audit files that check account and password configuration settings, for example:

• FSO_Win7_Analyze_only_v2.audit

• CIS_MS_2008_Server_SSLF_v1.2.0.audit

• Win7_EC_Desktop_v2.audit

The Account Status Indicators dashboard enables monitoring of all password and account policy settings.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Account Status Indicators Dashboard: Managing user accounts, group memberships, and passwords can be a difficult task. Using SC CV, security analysts can audit password policies, monitor the membership of groups, and review other account-related settings. | Monitoring | administrator, enumeration

Account Weakness Dashboard: This dashboard presents vulnerabilities related to accounts and credentials. | Threat Detection & Vulnerability Assessments | accounts

Tracking Login Failures by User Dashboard: This dashboard displays login failure events and anomalies for each user. | Monitoring | login

Mitigation Strategy #26 – Removable and Portable Media Control

“Control removable and portable media as part of a Data Loss Prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.”

This mitigation focuses on controlling the use of removable media and the storage of sensitive information on local storage devices. SC CV can assist in this area by performing compliance checks using audit files to provide assurance that the organisation’s operational data classification policy and storage guidelines are being followed.

Tenable provides a series of audit files called Sensitive Content Audit Policies. These audit policies look for credit cards, Social Security numbers, and many other types of sensitive data. Other audit files contain audit checks for CD-ROM, USB, and other storage media.


Listed below are examples of audit files for sensitive content:

• Government Classified Documents - Searches documents for keywords indicating classification level, such as “TOP SECRET”, “NOFORN”, and “NATO CONFIDENTIAL”. This audit file can be manually modified to include other classification levels, such as “Protected”, “Sensitive”, and “Cabinet”. (Last updated November 30, 2007.)

• HIPAA EDI Claim Information - Searches a variety of file extensions that are used in medical insurance and claims Electronic Data Interchange documents. (Last updated November 30, 2007.)

• PCI Credit Card Number - Searches for valid Visa, AMEX, Discover, and MasterCard numbers. (Last updated May 2, 2012.)
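What a "valid card number" content check of the kind listed above has to do, as an added example written for this page; it is not the contents of Tenable's PCI audit file. The brand rules are a deliberate simplification (issuer prefix and length only) and the sample text uses publicly known test card numbers.

```python
import re

# Brand rules used here are a simplification (issuer prefix and length only);
# they are this example's own, not the checks inside Tenable's audit file.
BRANDS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("MasterCard", re.compile(r"^5[1-5]\d{14}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded inside a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn check: a number that fails it cannot be a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(digits):
    """Name the card brand from prefix and length, or None if no rule matches."""
    for brand, pattern in BRANDS:
        if pattern.match(digits):
            return brand
    return None


def find_card_numbers(text):
    """Return brand, masked PAN and offset for each Luhn-valid card number in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = classify(digits)
        if brand and luhn_valid(digits):
            # Never write the full PAN into a report; the last four are enough to triage.
            hits.append({"brand": brand, "masked": "****" + digits[-4:], "offset": m.start()})
    return hits


# Constructed document text using publicly known test card numbers.
SAMPLE_TEXT = (
    "Invoice 2014-09. Card on file: 4111 1111 1111 1111, exp 12/16.\n"
    "Old ref 4111111111111112 (typo, fails Luhn).\n"
    "Corporate Amex 3782-822463-10005. Order no. 1234567890123.\n"
)

if __name__ == "__main__":
    for hit in find_card_numbers(SAMPLE_TEXT):
        print(hit)
```

The Luhn step is what keeps order numbers and mistyped digits out of the findings; without it a 16-digit string starting with 4 would be reported as a Visa card.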

Listed below are some examples of audit files with CD-ROM and USB checks.

• financial_microsoft_windows_os_audit_guideline_v2.audit

• USGCB_Win7_Desktops_v2_official.audit

• NSA_MacOSX_10_6_hardening_tips.audit

The Removable Media and Content Audits dashboard focuses on auditing the use of removable media and storage of sensitive documents on local storage devices.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Removable Media and Content Audits Dashboard: Data loss can occur through several methods; this dashboard focuses on tracking usage of USB devices, CD-ROMs, DVD-ROMs, and other removable media auditable events. Security analysts should also be concerned about the classification of data stored on local computers. In conjunction with scans using Nessus content audit files, systems containing classified data are easily identified. | Compliance & Configuration Assessment | compliance, confidentiality

Event Trending By Type Dashboard: The Log Correlation Engine includes many different event types. This dashboard provides a separate component for each event type, using a 7-day analysis trend line. | Monitoring | enforcement

Council on CyberSecurity - Critical Security Controls Dashboard: This dashboard assists organizations by implementing controls to quickly identify and reduce the potential exploitation of application vulnerabilities. | Security Industry Trends | sans


Mitigation Strategy #27 – Restrict access to Server Message Block (SMB) and NetBIOS

“Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.”

This mitigation strategy requires restricting access to SMB and NetBIOS because these protocols are commonly used vectors for network attacks and network propagation. SC CV can be used to detect how these protocols are being used and their vulnerabilities. With active scanning, SMB shares on both Windows and *nix systems can be discovered.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

Network File Access Trending Dashboard: This dashboard shows the last five days of inbound, outbound, and internal file access activity across the FTP, SMB, and HTTP protocols. | Discovery & Detection | network

Sensitive Data Active Dashboard: This dashboard summarizes a variety of content checks to look for credit card, financial, personal, copyrighted, and other types of sensitive data. | Threat Detection & Vulnerability Assessments | file

File Modification Monitoring Dashboard: This dashboard tracks file and directory modifications on hosts. | Monitoring | file

Mitigation Strategy #31 – TLS Encryption between E-Mail Servers

“Enabling TLS encryption on both the originating and accepting email servers helps to prevent legitimate emails being intercepted in transit and subsequently being used for social engineering.”

This mitigation strategy requires the implementation of Transport Layer Security (TLS) for email communications. TLS is the successor to SSL (Secure Sockets Layer). SC CV can detect TLS, Datagram TLS (DTLS), and SSL communications using PVS. The LCE NetFlow and Network Monitors can provide additional data for analysis.

The TLS Communications dashboard identifies system vulnerabilities related to TLS, DTLS, and SSL. Of particular interest for this mitigation strategy is the “TLS Indicators” component, which presents indications of vulnerabilities associated with various versions of TLS and DTLS. Using this indicator, an organisation can determine what types of secure communications are being used within the network, what risks are associated with these secure communication protocols, and what actions can be taken to reduce these security risks.

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

TLS Communications Dashboard: This dashboard identifies system vulnerabilities related to the TLS, DTLS, and SSL protocols. | Monitoring | tls


Mitigation Strategy #33 – Network-based Intrusion Detection/Prevention System

“Implement a network-based Intrusion Detection/Prevention System (IDS/IPS) using signatures and heuristics to identify anomalies listed in mitigation strategy #16 ‘Centralised and time-synchronised logging of allowed and blocked network activity’.”

This mitigation strategy requires the use of a network-based IDS/IPS. LCE can receive logs forwarded from many Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS), including Cisco IDS, which supports Security Device Event Exchange (SDEE) and Remote Data Exchange Protocol (RDEP). The preferred method of log forwarding is syslog; however, there are LCE Clients for other protocols.

LCE normalizes NIDS/NIPS log events into several event types:

• Application – status logs such as reloading signatures

• Intrusion – generic IDS events that indicate probes

• Error – if the IDS encounters an error message

• Scanning – port scans and network sweeps

• Virus – IDS events associated with virus propagation

LCE can detect intrusion scans (when one attacking IP address induces multiple different types of IDS events on one host) and sweeps (when one attacking IP address induces IDS events on three or more target IP addresses). LCE can detect both slow probes that last hours or days and large scans such as hostile vulnerability scans of your network.

LCE also performs “never before seen” analysis of all normalized events including intrusion events. LCE generates an alert for any normalized event that has never been seen before on a given host. An IDS typically generates some false positive events, so the ability to automatically recognize when a new IDS alert has occurred is powerful because these events can then be immediately recognized as abnormal.
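The three correlations described above (scan, sweep, and "never before seen" per host) as an added example written for this page; it is not LCE's implementation. The events, addresses and Snort-style signature names are constructed. The aggregation has no time window, so a source that trips signatures slowly over days still accumulates toward the thresholds.

```python
from collections import defaultdict

# Constructed NIDS events; signature names are illustrative only.
BASELINE_EVENTS = [
    {"src": "192.0.2.77", "dst": "10.0.0.20", "sig": "WEB-MISC /etc/passwd access"},
]

NEW_EVENTS = [
    # one source, one target, three different signatures -> a scan
    {"src": "198.51.100.9", "dst": "10.0.0.20", "sig": "WEB-MISC /etc/passwd access"},
    {"src": "198.51.100.9", "dst": "10.0.0.20", "sig": "WEB-CGI phf access"},
    {"src": "198.51.100.9", "dst": "10.0.0.20", "sig": "SCAN nmap TCP"},
    # one source, one signature, three targets -> a sweep
    {"src": "203.0.113.5", "dst": "10.0.0.21", "sig": "NETBIOS SMB probe"},
    {"src": "203.0.113.5", "dst": "10.0.0.22", "sig": "NETBIOS SMB probe"},
    {"src": "203.0.113.5", "dst": "10.0.0.23", "sig": "NETBIOS SMB probe"},
    # a repeat of something already in the baseline -> not never-before-seen
    {"src": "192.0.2.77", "dst": "10.0.0.20", "sig": "WEB-MISC /etc/passwd access"},
]


def detect_scans(events, min_event_types=3):
    """Scan: one source induces min_event_types or more distinct IDS event types on one host."""
    sigs = defaultdict(set)
    for e in events:
        sigs[(e["src"], e["dst"])].add(e["sig"])
    return sorted((src, dst, len(s))
                  for (src, dst), s in sigs.items() if len(s) >= min_event_types)


def detect_sweeps(events, min_targets=3):
    """Sweep: one source induces IDS events on min_targets or more distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["dst"])
    return sorted((src, len(t)) for src, t in targets.items() if len(t) >= min_targets)


class NeverBeforeSeen:
    """Alert on the first occurrence of each (host, event type) pair."""

    def __init__(self, baseline=()):
        # Pairs already observed during a learning period are not alerted again.
        self.seen = {(e["dst"], e["sig"]) for e in baseline}

    def process(self, events):
        alerts = []
        for e in events:
            key = (e["dst"], e["sig"])
            if key not in self.seen:
                self.seen.add(key)   # learn it so the same pair is not alerted twice
                alerts.append(e)
        return alerts


if __name__ == "__main__":
    print("scans:", detect_scans(NEW_EVENTS))
    print("sweeps:", detect_sweeps(NEW_EVENTS))
    nbs = NeverBeforeSeen(BASELINE_EVENTS)
    for a in nbs.process(NEW_EVENTS):
        print("never before seen on", a["dst"], ":", a["sig"])
```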

Additional SC CV resources that can provide information applicable to this mitigation strategy:

Dashboard, Component, or Report (with summary description) | Feed Category | Feed Tags

IDS Trend and Correlation Dashboard: This dashboard displays IDS events based on their direction, their trends, and their correlations per server. | Threat Detection & Vulnerability Assessments | intrusion

Snort Events Dashboard: This dashboard summarizes Snort IDS activity from LCE. | Discovery & Detection | snort

Threatlist Activity Dashboard: This dashboard charts systems and trends of threatlist and botnet activity for the past week. | Threat Detection & Vulnerability Assessments | botnet, events

Threatlist Trending Dashboard: This dashboard presents events and network connections that are associated with IP addresses on a known threatlist, and shows trending. | Threat Detection & Vulnerability Assessments | botnet


The Next Steps

Scanning Methodology

There are two primary approaches to scanning using Nessus. The first option is to create a single policy that performs all of the required functions including host discovery, port scanning, and vulnerability detection. Such a policy would be convenient and easy to use for repeat scans. However, such a policy may not necessarily be efficient. If any adjustments need to be made to the policy, scanning of the network would have to be restarted from the beginning; otherwise, only the remaining systems would be scanned with the new policy. If time is not a factor and the scan policy does not change often, a single policy may be a viable option.

The second option is to create a policy for each phase, where separate policies are used for host discovery, port scanning, and vulnerability detection. Using one policy at a time to refine the target list allows for efficient scans and the ability to adjust the next policy based on previous results. For example, the host discovery policy might use a simple “ping” and no additional plugins or port scanners. The port scanning policy would then only be applied to hosts found during the discovery phase. This policy would look for services that are important or that are frequently found with vulnerabilities. By selecting a small list of ports, tens of thousands of hosts can be quickly scanned in a relatively short amount of time. The vulnerability detection policy would then look for vulnerabilities in the services previously found. The exact list of vulnerabilities will vary depending on the selected services, the nature of the services, and the time involved. For example, enabling all web server checks (i.e., server, CGI, CGI XSS) for web servers found on ports 80 and 443 by the previous policy would significantly increase the time required to perform the scan. Carefully selecting plugins to look for specific information, high-risk vulnerabilities, and “low hanging fruit” (vulnerabilities that are trivial to exploit) allows the firm to conduct a meaningful and helpful assessment despite a large number of systems and small time frames.

Scanning large networks will always be a balance between how much can be scanned versus the allocated time window. Scanning a large number of systems in a short period of time necessitates greatly cutting back on the scan time per system. For example, only scanning for interesting ports instead of all ports can dramatically decrease scanning time. If the target network is purely a Windows environment, removing services that are generally not found on that operating system (e.g., SSH) can save time and allow looking for additional Windows-specific services.

Active scanning is, for the most part, a snapshot-in-time view of vulnerabilities that exist in an organisation’s environment. In a typical organisation, scans may occur on a quarterly or monthly basis. However, a scan will only tell what happened in that moment, not what happened in the intervening days between scans. For example, if a new system is added to the network on the day after a quarterly scan, it could be another 90 days before anyone is aware of any missing patches, vulnerabilities, or malware on the system. By scanning more frequently (and introducing real-time passive scanning), organisations will have more accurate metrics showing how long a detected vulnerability was present and when it was mitigated.

If large scans must be run periodically to determine not only the vulnerabilities present, but to also verify that patches are being applied, SecurityCenter Continuous View can manage multiple Nessus scanners and correlate all the data into a comprehensive report. Using SecurityCenter Continuous View to manage scans and data can provide the firm not only with a single place to house the data, but also advanced reporting and historical trending.

Continuous Network Monitoring

Most organisations that perform periodic scanning using either of the two methodologies described above do so to achieve an ongoing state of compliance based on the frequency of their compliance reporting requirements. Once achieved, they should strongly consider moving beyond periodic scans to continuous network monitoring with SecurityCenter Continuous View. This allows organisations to secure their environment, monitor their network health in real-time, and instantaneously manage any risks, threats or variances that emerge.

Tenable SecurityCenter CV is a critical component of security programs, as it is the only solution that provides comprehensive continuous monitoring across traditional, virtual, mobile, and cloud IT environments. By uniquely bringing together vulnerability scanning, network sniffing, and event log correlation under a single integrated solution, SecurityCenter CV covers 100% of all your IT assets 100% of the time through its library of over 1,000 security intelligence apps to turn data into actionable security information.


Tenable SecurityCenter CV is able to:

• Perform Automated Discovery: Utilizing its network monitoring capability in conjunction with scanning and log collection, SecurityCenter CV discovers all physical, virtual, and mobile devices across your environment as soon as they join the network.

• Comprehensive Vulnerability Assessment: SecurityCenter CV enables superior visibility into risks across the enterprise by using a combination of active and passive assessments. With over 60,000 assessments, SecurityCenter CV has over three times more checks than its nearest competitor, ensuring every risk in the firm is visible.

• Reporting and Analytics: Security analysts using SecurityCenter CV for security operations are able to get analytics relevant to their area of responsibility through SecurityCenter CV’s user-based modelling and reporting, allowing them to zero in on risks in their specific domains.

• Taking Instantaneous Remediation Action: With SecurityCenter CV mitigating threats, reducing their impact becomes easy as all the relevant information is at the right security analyst’s fingertips. Incident responders are also able to use SecurityCenter CV’s asset grouping function to collaborate with each other to solve security problems.

Asset Lists

Asset lists are lists of systems on the network that all meet a certain set of conditions, such as an asset list of all Windows machines, or all machines in a specified IP address range. There are different types of assets that can be created, such as static, dynamic, combination, LDAP query, and watchlist. The most powerful assets are dynamic, which take advantage of the flexible grouping of condition statements to obtain lists of systems on the network that meet those conditions. For example, Nessus or PVS results can be parsed to build a dynamic list of IP addresses that have port 80 open. Rules are very sophisticated and can take into account addressing, open ports, and specific or discovered vulnerabilities.

Asset lists can be used to expedite the creation of policies, dashboards, and reports. Tenable automatically delivers many pre-built asset lists in the SecurityCenter app feed via a searchable catalogue. Custom assets can also be created to suit specific organisational needs.

Combination asset lists, or asset lists of asset lists, make it easy to handle very large networks as well as organize assets based on business function, geography, or any system property. This allows organizations to organize, analyse, and manage groups of assets based on technical or functional groupings. Combination asset lists are dynamically updated so that any changes to the network and device topology are immediately reflected in the management framework. Being able to organize assets dramatically improves security analysis.

For more information on asset lists, see the SecurityCenter User Guide on the Tenable Support Portal.
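A small model of dynamic and combination asset lists as described above, added here as an illustration; it is not SecurityCenter's rule engine or its rule syntax. The host records are constructed scan results, the condition-tree shape is this example's own, and plugin 17651 (the SMB password policy plugin named earlier in this paper) is used only as a sample "plugin fired" condition.

```python
import ipaddress

# Constructed host records, as an active or passive scanner might report them
# (documentation IP ranges, hypothetical OS strings).
HOSTS = [
    {"ip": "10.0.1.10", "os": "Windows 7", "ports": {135, 139, 445}, "plugins": {17651}},
    {"ip": "10.0.1.11", "os": "Windows Server 2008", "ports": {80, 443, 445}, "plugins": {17651}},
    {"ip": "10.0.2.20", "os": "Linux 3.2", "ports": {22, 80}, "plugins": set()},
    {"ip": "10.0.2.21", "os": "Linux 3.2", "ports": {22, 3306}, "plugins": set()},
]


def evaluate(rule, host):
    """Evaluate a dynamic-asset condition tree against one host.

    A rule is a tuple: ("and", r1, r2, ...), ("or", ...), ("not", r),
    ("ip_in", "cidr"), ("port_open", n), ("os_contains", "text") or ("plugin", id).
    """
    op = rule[0]
    if op == "and":
        return all(evaluate(r, host) for r in rule[1:])
    if op == "or":
        return any(evaluate(r, host) for r in rule[1:])
    if op == "not":
        return not evaluate(rule[1], host)
    if op == "ip_in":
        return ipaddress.ip_address(host["ip"]) in ipaddress.ip_network(rule[1])
    if op == "port_open":
        return rule[1] in host["ports"]
    if op == "os_contains":
        return rule[1].lower() in host["os"].lower()
    if op == "plugin":
        return rule[1] in host["plugins"]
    raise ValueError(f"unknown rule operator {op!r}")


def dynamic_asset(rule, hosts=HOSTS):
    """The set of host IPs currently matching a rule; re-run after every scan."""
    return {h["ip"] for h in hosts if evaluate(rule, h)}


def build_assets(hosts=HOSTS):
    """A few named dynamic assets, mirroring the paper's 'port 80 open' example."""
    return {
        "web_servers": dynamic_asset(("or", ("port_open", 80), ("port_open", 443)), hosts),
        "windows": dynamic_asset(("os_contains", "windows"), hosts),
        "dmz": dynamic_asset(("ip_in", "10.0.2.0/24"), hosts),
        "smb_exposed": dynamic_asset(("and", ("port_open", 445), ("plugin", 17651)), hosts),
    }


def combination_asset(expr, assets):
    """Combination asset (an asset list of asset lists) as set algebra.

    expr is an asset name, or (op, left, right) with op in union/intersect/minus,
    where left and right are themselves names or nested expressions.
    """
    if isinstance(expr, str):
        return assets[expr]
    op, left, right = expr
    a, b = combination_asset(left, assets), combination_asset(right, assets)
    return {"union": a | b, "intersect": a & b, "minus": a - b}[op]


if __name__ == "__main__":
    assets = build_assets()
    print("Windows web servers:", combination_asset(("intersect", "web_servers", "windows"), assets))
    print("Web servers outside the DMZ:", combination_asset(("minus", "web_servers", "dmz"), assets))
```

Because every asset is recomputed from the latest host records, a host that gains port 80 in a later scan moves into the web-server asset (and into every combination built on it) without anyone editing a list.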

Analysis and Reporting

SecurityCenter Continuous View allows pivoting from one data set to another during forensic analysis while keeping the relevant context and scope of the analysis. For example, a security analyst can go from analysing the exploits on a compromised device to examining the network communications of that device with a single click. This provides extremely intuitive analysis by giving the security analyst an educated guess about what to inspect next. While in the HTML5 UI, pivoting can be done between vulnerability data and threat data without losing context.

SecurityCenter Continuous View provides flexible reporting options in a wide variety of standard formats. Tenable automatically delivers updated dashboards, dashboard components, and report templates in the SecurityCenter app feed via a searchable catalogue, providing easy access to components without the need to manually download them. New analytics are automatically delivered as they are developed by Tenable researchers. Custom dashboards and reports can be easily created, and reports can even be automatically created from dashboards.

Security analysts using SecurityCenter Continuous View can now manage their areas of responsibility through user-based modelling. Administrators can define who owns and manages specific assets, and summarize the security status of those assets by areas of ownership. SecurityCenter Continuous View also groups reports and dashboards that show the organisation’s security posture by owner, allowing security analysts to focus on their own incidents and analyses, helping them to work more efficiently and greatly improving the time to respond to incidents.

For more detailed information on creating and managing users and groups, and creating customized dashboards and reports, see the SecurityCenter User Guide on the Tenable Support Portal.

Summary

The Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions contains a list of 35 strategies to mitigate targeted cyber intrusions, ranked in order of overall effectiveness. Tenable SecurityCenter Continuous View can assist an organisation in implementing these mitigation strategies by discovering vulnerabilities and tracking remediation progress, monitoring the network to determine if the mitigation strategy is working correctly, and measuring compliance to standards and organisational policies. This guide has provided many examples of how SecurityCenter Continuous View can support and enhance an organisation’s implementation of the ASD mitigation strategies.

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable is relied upon by more than 20,000 organizations, including the entire U.S. Department of Defense and many of the world’s largest companies and governments. For more information, please visit www.tenable.com.

Copyright © 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.

GLOBAL HEADQUARTERS

Tenable Network Security 7021 Columbia Gateway Drive Suite 500 Columbia, MD 21046 410.872.0555 www.tenable.com