51 Security

Learning, Sharing, Creating

Vulnerability Scan

Tenable Vulnerability Management – Tenable.IO Tips and Tricks with Best Practices

Bynetsec

Jul 7, 2023

Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit teams to share multiple Tenable NessusTenable Nessus Agent, and Tenable Nessus Network Monitor scanners, scan schedules, scan policies, and scan results among an unlimited set of users or groups.

Tenable One is an Exposure Management Platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps, and identity systems, builds on the speed and breadth of vulnerability coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and communicate cyber risk. Tenable One allows organizations to:

  •     Gain comprehensive visibility across the modern attack surface
  •     Anticipate threats and prioritize efforts to prevent attacks
  •     Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of the Tenable One Exposure Management platform.

Diagram

Best Practice: Run Credentialed Scans

How to Create Managed Credentials in Tenable.io

Setting up Managed Credentials allows you to use a single set of credentials on multiple scans.

 

  1. Choose the type of credentials you want to create (Window, SSH, etc.).
  2. Choose your authentication method, enter your credentials, and select the appropriate permissions for the group/user(s) for access.
  3. Click Create to complete the setup.
A animated GIF file on creating managed credentials.

Create a Managed Credential. (Note: this will open in a new window.)

How to Apply Managed Credentials to a Scan

Adding credentials to a scan template is easy. Let’s get started with a basic scan.

 

  1. Under Vulnerability Management, click Create Scan.
  2. Choose the Basic Network Scan Template.
  3. Fill out basic scan setup details (Name, Targets, etc).
  4. In the left panel, click Credentials to open the menu to add managed credentials.
  5. Assign Managed Credentials (and/or scan-specific credentials, which are not reusable by other scans).

 

To get started with this configuration, create a basic scan to apply your managed credentials. (Note: the basic scan link will open in a new window.)

An animated GIF file on adding credentials to a scan.

Automatically Delete Stale Assets With Asset Age Out

Automatically Delete Stale Assets With Asset Age Out

  • Asset Age Out is an optional configuration used to permanently delete licensed assets on your container, on a specific network.
  • It is recommended to enable Asset Age Out on all networks you configure to better manage licenses and data retention.

Use case: An organization has a corporate policy to retain security data for no longer than 6-months. Asset Age Out would be enabled for all networks, set to 180 days.

Setting Up Asset Age Out

  • Click the Asset Age Out toggle to permanently delete assets in your network after a specific number of days. All asset records and associated vulnerabilities are deleted and cannot be recovered. The deleted assets no longer count towards your license.
  • In the text box below, enter the number of days that Tenable.io should wait before permanently deleting assets that have not been seen on a scan. The minimum value is 14 and the maximum value is 365.

 

Best practice: Unless your organization has policies to retain data for a specific period of time, Tenable recommends deleting newly added networks after 180 days or less.

Use Cloud Agents to Gain Vulnerability Insights on Remote Assets

Use Cloud Agents to Gain Vulnerability Insights on Remote Assets

Nessus Agents help provide visibility on assets in a mobile workforce or in environments and networks where implementing a Nessus Scanner is not possible.

Nessus Agents are highly beneficial for remote / mobile workers, providing vulnerability insights on assets that are not located in an environment controlled by the IT or IS team. If an organization employs a remote sales force, for example, the assets assigned to those team members may rarely, if ever, be in a physical location under the administration of a company’s IT or IS staff. These situations require a different solution to ensure proper asset coverage is achieved.

BENEFITS OF CREDENTIALED SCANNING:

  • Provides coverage to mobile assets.
  • Can be built-in to the company “golden image.”
  • Automatic updates to agent software.
  • Automatic updates to agent plugins.
  • Require only an Internet connection.

Since agents do not perform remote checks or compliance scans, please ensure that implementing agents is the most appropriate path for your organization.

Deploy Agents in Your Environment

To deploy Nessus Agents in your environment:

 

  1. Navigate to https://www.tenable.com/downloads/nessus-agents.
  2. Download the appropriate agent package / installation for your environment.
  3. Install the Nessus Agent manually or via your existing software deployment solution.

 

Note that your Tenable.io linking key will be required to link agents to your Tenable.io container.

Agent Deployment Guide:
  • https://docs.tenable.com/other/nessusagent/Nessus_Agent_Large_Scale_Deployment_Guide.pdf

How to Use Exclusion Lists to Avoid Duplication

How to Use Exclusion Lists to Avoid Duplication

An exclusions list designates specific assets that you do not want your vulnerability management solution to scan.

 

Exclusion lists can be particularly useful to help maintain good scan hygiene and performance. If you run non-credentialed scans, for example, you may not collect enough data to uniquely identify a firewall or Layer 3 switch when multiple interfaces are scanned. An exclusion list can remove duplicate IP addresses in situations like this assessment.


BENEFITS OF AN EXCLUSIONS LIST:

  • Prevent duplication of assets with multiple NICs.
  • Exclude resources from scans that may affect performance, operations, or availability.
  • Configure a scan to target only a specific area of your network.
  • Restrict the scanning of specific hosts based on a selected schedule.

Since exclusions can create a visibility gap, you may want to consider additional mitigations or assessment methods for assets you exclude from network scanning.

Create an Exclusions List in Tenable.io

It is easy to create an exclusion list. Follow these steps to create one.

 

Navigate to Settings > Exclusions or click here to get started in a new browser tab.

 

  1. Click the ⊕ Create Exclusion button. The Create an Exclusion page appears.
  2. Add targets and/or networks to exclude.
  3. Click Save to save the exclusions list for use in your scan configurations.

Documentation link: Exclusion Settings.

 

Note: Exclusions apply to all Nessus scanners.

 

Use Case: Resolving Multiple NICs

Tenable does not recommend scanning through firewalls. Scanning through firewalls can cause IP address duplication and issues merging multiple network interface controllers (NICs) into a single asset. If you must perform a non-credentialed scan on multiple NICs, you may want to identify and exclude any duplicate IPs using an exclusions list.

STEPS TO USE EXCLUSIONS LISTS TO RESOLVE MULTIPLE NICS:

  1. Scan the assets with credentials to uniquely identify any cases where an asset has multiple NICs.
  2. Add any extra IPs that do not provide value to your exclusions list.
  3. Correct any reporting inaccuracies by deleting duplicate IP addresses through the UI or API.

Best Practice: Run Remediation Scans

Best Practice: Run Remediation Scans

The purpose of running a remediation scan is to provide validation on the successful resolution of critical vulnerabilities in your network.

 

A remediation scan is targeted to evaluate a specific plugin against a specific scan target or targets where a vulnerability was discovered in an earlier active scan.


BENEFITS OF REMEDIATION SCANS:

  • Targeted to specific vulnerabilities that previous scans identified on your network.
  • Validates remediation of the vulnerabilities identified in a previous scan.
  • Integrates easily into remediation testing cycles. Remediation scans are targeted scans to aid teams who are responsible for remediating only certain sets of vulnerabilities.

How to Launch a Remediation Scan in Tenable.io

Running a remediation scan requires the following user role and access group permissions:

a. Roles: Scan Operator, Standard, Scan Manager or Administrator

b. Access Group Permissions: Can Scan

Launch a remediation scan directly on the Vulnerability Details or the Asset Details pages using the Actions button on the top right of the page. This sets the scope of the scan to the plugin and specified asset(s).

Documentation links:

 

Note: Remediation scans on scan results can only be performed by using Tenable connected Nessus scanners.

Remediation Scan Tips

  • Tenable.io assigns a vulnerability state (new, active, fixed, resurfaced) to all vulnerabilities on your network. You can track and filter by vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.

 

  • You can create an asset filter to view and report on assets where a vulnerability was recently mitigated.

 

  • In order to update the vulnerability state, the same Authentication level must be used. So it is important to identify if a plugin requires scan credentials and add credentials, if needed. Tenable.io does not automatically add credentials when creating a remediation scan. If scan credentials are missing or incorrect, the scanner will not have sufficient access to detect if the vulnerability is fixed and will not be able to assess and update the vulnerability state accordingly.

 

  • Tenable.io has a limit of 10k scans per container. When planning the remediation scan for a single plugin, Tenable advises targeting large groups of systems instead of creating multiple versions of the scan that only target a small number of systems.

 

  • Tenable recommends periodically deleting old remediation scans from the remediation scan folder to avoid reaching the 10k scan limit

Maximize Visibility on Vulnerability Mitigations

Tenable.io offers a Mitigation Summary dashboard to help you track vulnerabilities as they are fixed, get a summary of open vulnerabilities, and view current and mitigated vulnerabilities.

 

Follow the steps below to add this dashboard:

  1. Navigate to ‘Dashboards’ in the main navigation panel
  2. Click to add New Dashboard via the Template Library
  3. Search for ‘Mitigation Summary’
  4. Click on the tile and choose ‘Add’ to include on your Dashboard for viewing and customizing.

Scan Troubleshooting

Visit Scans to view scan status and access scan results. If there is an error, a ‘Warnings’ tab will appear in the ‘Scan Details’ view. Click on ‘View Error Info’ to view documentation with recommended troubleshooting steps to resolve errors.

Quick Links to Scan Error Resources:

Videos

By netsec

Related Post

Vulnerability Scan

Qualys Agent Scan Steps and Generate Agent Scanning Report – Continuous scanning in the cloud

Feb 28, 2024 netsec
Vulnerability Scan

Install SonarQube Docker to Help You Write Cleaner and Safer Code

Dec 6, 2023 Jon
Vulnerability Scan

Tenable Vulnerability Management – Tenable.IO – Basic Usage

Jul 26, 2023 netsec

Leave a Reply