
CCC 1: Maintain an Inventory of Software and Hardware

by Cody Dumont
June 22, 2015

As defined in the Tenable Critical Cyber Controls, the first of 5 controls is “maintain an inventory of software and hardware”.  Discovery of all assets is a critical first step in setting up continuous network monitoring.  This Assurance Report Card (ARC) will help to identify authorized or unauthorized systems and track scan coverage.

As the IT landscape changes, so does the task of locating the assets that need protection.  The CISO of an organization needs to be able to easily identify hardware and software assets at a glance in order to effectively communicate with the board of directors and the operations teams.  The CISO must have the ability to easily understand the risks associated with mobile devices and be able to see if an unacceptable number of devices are not properly classified.  When discussing the risk associated with computer assets, the CISO should be able to easily see the detection coverage and validate whether devices are authorized on the network.

This Assurance Report Card (ARC) provides the CISO and the operations team with a high-level view of assets within the organization.  The ARC uses Tenable.sc’s dynamic assets to identify hosts on the network that have been detected and properly classified.  A separate policy statement identifies those hosts that have not been properly classified, while another policy statement identifies hosts properly configured in DNS, indicating the systems are authorized to be present.  There are also policy statements detecting application inventory and usage of authorized cloud services.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The ARC can be easily located in the feed by selecting category Executive and then selecting tags asset and inventory. The ARC requirements are:

  • Tenable.sc 5.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

This ARC uses all aspects of continuous network monitoring, including scanning, sniffing, and log correlation.  Using each of these technologies allows Tenable to provide a unique combination of detection, reporting, and pattern recognition utilizing industry-recognized algorithms and models.  Tenable.sc Continuous View (CV) integrates with many technologies such as patch management, mobile device management, malware defenses, network infrastructure, cloud services, and other log analysis platforms to provide a holistic approach to risk analysis, starting with asset discovery.

ARC Policy Statements:

Less than 20% of systems are unclassified assets: This policy discovers any systems without a normalized classification. (This system classification is for asset inventory only and does not reflect any potential security classification.) The system classifications are Windows Hosts, Linux Hosts, Firewalls, Routers, Switches, VPN devices, and Mobile devices. If less than 20% of systems are not classified, this policy will show Compliant in green.

Greater than 75% of systems identified by passive asset classification have also been evaluated by active device scanning: To ensure the network is covered and all devices are identified, this policy shows Compliant in green when more than 75% of systems passively identified by NNM have also been actively scanned by Nessus for further device evaluation.

Greater than 70% of systems are registered in DNS: This policy tracks systems that have been scanned or sniffed but do not have an FQDN. Devices not found in DNS could often be rogue devices and should be tracked down immediately to identify their true purpose. This policy statement displays Compliant in green if more than 70% of systems are covered in DNS.

Greater than 70% of systems have had software inventoried within the last 90 days: This policy monitors the software enumeration informational vulnerabilities and determines whether the software has been inventoried.  This policy statement displays Compliant in green when more than 70% of systems have been scanned with an appropriate software enumeration plugin.  Software enumeration is supported on Windows, Linux, and Solaris.

All mobile device assets are found to have no serious vulnerabilities: This policy provides a summary of mobile devices detected using active and passive means. The asset used first selects systems that have been scanned actively or passively, and then matches them against many of the common mobile operating systems. This policy will show Compliant if mobile devices are present and none of them have medium, high, or critical severity vulnerabilities.

Systems are using only authorized cloud services (Salesforce, Netsuite, Webex): The policy identifies all users of authorized cloud services by first detecting systems using the cloud service identified by active and passive methods.  Next, several plugins are searched to match for authorized cloud services. The authorized services are identified as Salesforce, Netsuite, and Webex.  While there are certainly more cloud services that may be authorized, each organization should determine that based on their own needs.  To add more authorized cloud services, add the appropriate plugins to the "Hosts using cloud services" asset list. This policy will show Compliant in green when any host is communicating only with authorized cloud services.

Greater than 25% of systems are sending logs for analysis: The policy tracks which systems are sending logs to LCE for analysis and normalization.  The policy selects all systems detected using active and passive methods, then looks for the plugin Process Statistics (800024).  When systems are correctly configured to send syslog to LCE, the process statistics will be collected and analyzed by LCE.  The policy will show as Compliant in green when greater than 25% of systems are sending logs to LCE.

Systems detected using event correlation: This policy uses three event plugins to track systems discovered using event correlation.  The policy uses an asset in its compliant filter to identify those systems.  The asset uses three event-type plugins: Host Discovered (800000), Login Statistics (800019), and Login Failure Statistics (800020).  The CISO can gain an understanding of the number of systems detected by collecting logs from other systems.  The policy will show as Compliant when any host is discovered by event correlation.
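To make the policy statements above concrete, here is an added example (not Tenable's code and not part of the original post) that evaluates all seven statements over a small constructed host inventory. The `Host` record, its field names and the sample hosts are assumptions standing in for what Tenable.sc dynamic assets and plugin outputs would actually supply; the thresholds and the LCE plugin IDs (800000, 800019, 800020, 800024) are the ones the post names. Note that the DNS statement is evaluated with a strict "more than 70%" comparison, so exactly 70% coverage is still Non-Compliant.

```python
"""Evaluate the CCC 1 ARC policy statements over a constructed inventory.

Added example; the data model and sample hosts are invented for illustration
and do not come from Tenable.sc. Thresholds and plugin IDs follow the post.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Classifications the post lists for asset inventory purposes.
KNOWN_CLASSES = {"Windows Hosts", "Linux Hosts", "Firewalls", "Routers",
                 "Switches", "VPN devices", "Mobile devices"}
AUTHORIZED_CLOUD = {"Salesforce", "Netsuite", "Webex"}
# LCE event plugins named in the post.
DISCOVERY_PLUGINS = {800000, 800019, 800020}   # Host Discovered, Login Stats, Login Failure Stats
PROCESS_STATS_PLUGIN = 800024                   # Process Statistics
SERIOUS = {"medium", "high", "critical"}
TODAY = date(2015, 6, 22)                       # post date, used as the reference day


@dataclass
class Host:
    """Hypothetical per-host record (field names are assumptions)."""
    name: str
    classification: Optional[str] = None
    passive: bool = False                        # seen by NNM (sniffing)
    active: bool = False                         # scanned by Nessus
    fqdn: Optional[str] = None                   # present when registered in DNS
    software_inventoried: Optional[date] = None  # last software enumeration
    worst_severity: Optional[str] = None         # worst vulnerability severity
    cloud_services: Set[str] = field(default_factory=set)
    lce_plugins: Set[int] = field(default_factory=set)


def pct(selected: int, total: int) -> float:
    """Percentage of selected over total; 0 when the denominator is empty."""
    return 100.0 * selected / total if total else 0.0


def evaluate(hosts: List[Host]) -> Dict[str, bool]:
    """Return Compliant (True) / Non-Compliant (False) per policy statement."""
    total = len(hosts)
    unclassified = sum(1 for h in hosts if h.classification not in KNOWN_CLASSES)
    passive = [h for h in hosts if h.passive]
    passive_and_active = sum(1 for h in passive if h.active)
    in_dns = sum(1 for h in hosts if h.fqdn)
    cutoff = TODAY - timedelta(days=90)
    inventoried = sum(1 for h in hosts
                      if h.software_inventoried and h.software_inventoried >= cutoff)
    mobile = [h for h in hosts if h.classification == "Mobile devices"]
    cloud_users = [h for h in hosts if h.cloud_services]
    sending_logs = sum(1 for h in hosts if PROCESS_STATS_PLUGIN in h.lce_plugins)
    correlated = sum(1 for h in hosts if h.lce_plugins & DISCOVERY_PLUGINS)
    return {
        "unclassified_lt_20pct": pct(unclassified, total) < 20,
        "passive_also_active_gt_75pct": pct(passive_and_active, len(passive)) > 75,
        "in_dns_gt_70pct": pct(in_dns, total) > 70,
        "software_inventoried_gt_70pct": pct(inventoried, total) > 70,
        # Compliant only when mobile devices exist and none carries a serious finding.
        "mobile_no_serious_vulns": bool(mobile) and all(h.worst_severity not in SERIOUS for h in mobile),
        # Compliant only when cloud users exist and every service they use is authorized.
        "only_authorized_cloud": bool(cloud_users) and all(h.cloud_services <= AUTHORIZED_CLOUD
                                                           for h in cloud_users),
        "sending_logs_gt_25pct": pct(sending_logs, total) > 25,
        "detected_by_event_correlation": correlated > 0,
    }


def sample_inventory() -> List[Host]:
    """Constructed sample data: ten hosts with a deliberate mix of outcomes."""
    d = lambda days: TODAY - timedelta(days=days)
    return [
        Host("win1", "Windows Hosts", True, True, "win1.corp.example", d(10), "low",
             {"Salesforce"}, {800024, 800019}),
        Host("win2", "Windows Hosts", True, True, "win2.corp.example", d(30), "high", set(), {800024}),
        Host("lnx1", "Linux Hosts", False, True, "lnx1.corp.example", d(5), "low", set(), {800024, 800000}),
        Host("lnx2", "Linux Hosts", True, True, "lnx2.corp.example", d(120), "medium", set(), {800020}),
        Host("fw1", "Firewalls", True, True, "fw1.corp.example", None, None, set(), {800000}),
        Host("rtr1", "Routers", True, False, "rtr1.corp.example"),
        Host("sw1", "Switches", False, True, "sw1.corp.example"),
        Host("mob1", "Mobile devices", True, False, None, None, "low"),
        Host("mob2", "Mobile devices", True, True),
        # Unclassified host using a service that is not on the authorized list.
        Host("unknown", None, True, False, None, None, None, {"ExampleShare"}),
    ]


if __name__ == "__main__":
    for statement, ok in evaluate(sample_inventory()).items():
        print(f"{statement:32s} {'Compliant' if ok else 'Non-Compliant'}")
```

With the sample data, 1 of 10 hosts is unclassified (Compliant), only 5 of the 8 passively seen hosts were also actively scanned (62.5%, Non-Compliant), exactly 7 of 10 hosts are in DNS (70%, Non-Compliant under the strict threshold), 3 of 10 have a fresh software inventory (Non-Compliant), both mobile devices are free of serious findings (Compliant), one host uses an unauthorized cloud service (Non-Compliant), 3 of 10 send process statistics to LCE (Compliant), and 4 hosts were discovered by event correlation (Compliant).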
