My last post was about the structure of the new Tenable.io cloud platform. Now, let’s see what is actually new in the Tenable.io Vulnerability Management application.
Tenable.io VM is obviously based on Nessus Cloud, which in its turn had features similar to Nessus Manager, briefly reviewed earlier. So, today I want to concentrate only on the new features.
Judging by the public interface screenshots and the Tenable.io datasheets, it has some new dashboards and reports, free integration with PVS and Nessus deployed on-premise, and something quite new in asset management.
The web interface of Tenable.io is located at https://cloud.tenable.com/nessus6.html
After you have set a new password you should accept a very long License Agreement. Well, I haven’t read it all, shame on me, but basically there should be an agreement to scan only your own servers.
Tutorials
At first login Tenable.io provides a small tutorial for newbies:
A very short tutorial. Like “give me a target, choose a name for the scan and I will launch a scan task for you”. Cute.
Tenable also released interactive tips. They are under the question mark icon. Pretty cool feature.
For example, you want to figure out how to change your password in Tenable.io, and you click on “Change Password”.
It will guide you through the whole process:
Step by step, click by click:
And so on. It is one of the best interactive tutorials I have ever seen.
Dashboards
“Dashboards” is the main screen of Tenable.io VM.
To tell the truth, I don’t regularly use this kind of dashboards and reports. However, sometimes they can be very inspiring. You can do some tasks manually, see the results in the dashboards, understand that it is useful, and then figure out how to get the same data automatically via the API and report processing, and how to automate the response. Dashboards are definitely a good thing, even if you use them only as an example of the product’s capabilities.
If you want to get data from the dashboards to build some automation, you can use the workbenches API requests (see the Tenable.io API Documentation).
So, let’s have a closer look at the Tenable.io VM dashboards.
Vulnerabilities
A clean “Dashboards -> Vulnerabilities” screen before any scan is performed looks like this:
When there is some scan data it will look like this (from the Tenable.io datasheet):
Diagrams and counters showing vulnerabilities by plugin:
Current Vulnerabilities (Critical, High, Medium, Low)
“Vulnerabilities over time” graph
Exploit Available
Published Over 30 Days Ago
Discovered Using Credentials
Published Solution Available
Everything is clickable, so you can get a list of vulnerabilities for every category.
Here is “Vulnerabilities By Asset” dashboard:
When you add some scan data it will look like this (from the Tenable.io Introduction Video):
Diagrams and graphs on this dashboard:
Operating system (Windows, Mac OS, Linux, Other)
Device type (Network, Mobile, Desktop/Server, Other)
Authentication (Local, Remote)
Last Scanned (7 … 90 days)
“Assets over time” graph
In general, it shows how many systems we have in the infrastructure and how this number changes over time. Pretty interesting information.
Assets
If we go down the right-hand menu, there is a link to the “Assets” dashboard. It will be quite empty until we scan something. The Tenable.io introductory video shows how it should look when there is some data. For example, this dashboard can show the scan history of an asset (Activity log):
Actually, this transition from an IP address to the Asset is very important. In fact, it makes it possible to build adequate reports and dashboards. If we use the IP address as the host identifier and it changes periodically, the results won’t be reliable.
How to deal with it? We need a different id. For example, when I make my custom Windows VM reports from Nessus scan data I use a special id associated with the device during the OS installation. This makes it possible to make this kind of graph (synthetic data):
Basically, Tenable does very similar things with the Tenable.io asset model. They mostly rely on Nessus Agent IDs, and on IDs that the scanner writes on the host during authenticated scanning, in the Windows registry or in the Linux /etc/ directory. But they can also use other markers, like hostnames, FQDNs, MAC addresses, etc.
This makes it possible to use new vulnerability statuses: new, active, fixed and reappeared. Just as we do (see the graph above).
So, Tenable is moving in the right direction. Qualys uses approximately the same features to track assets.
Of course, in the real world you need a lot of flexibility to track changes in the infrastructure using VM scans. For example, an OS reinstallation on a laptop. If we see in the scan results that some new host has the same MAC address as an old one, and we haven’t seen the old one for a while, it might be a good idea to mark all vulnerabilities of the old host as “fixed”. And this is one of many cases. Will Tenable.io be flexible enough to support this type of logic? Well, it would be good.
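The asset-tracking logic described above, as an added Python example (not Tenable’s code; the sample scans, asset ids, MAC addresses, plugin ids and the 45-day staleness threshold are all constructed): statuses are computed per persistent asset id rather than per IP, a host that was not scanned keeps its previous status, and a new host that shows up with the MAC of a host not seen for a while closes out the old host’s findings.

```python
from datetime import date, timedelta

# Constructed sample scans, oldest first (not real Tenable.io data). Findings are keyed
# by a persistent asset id (an agent id, or the marker the scanner leaves in the Windows
# registry or in /etc/ during an authenticated scan), never by IP address. "assets"
# lists the hosts actually covered by the scan together with their MAC addresses.
SCANS = [
    {"date": date(2017, 1, 10),
     "assets": {"a1": "00:11:22:33:44:55", "a2": "66:77:88:99:aa:bb"},
     "findings": {("a1", 12345), ("a1", 23456), ("a2", 12345)}},
    {"date": date(2017, 2, 10),                     # a1 (a laptop) is offline
     "assets": {"a2": "66:77:88:99:aa:bb"},
     "findings": {("a2", 34567)}},
    {"date": date(2017, 3, 10),                     # a3: reinstalled OS, same MAC as a1
     "assets": {"a2": "66:77:88:99:aa:bb", "a3": "00:11:22:33:44:55"},
     "findings": {("a2", 12345), ("a3", 12345)}},
]
STALE_AFTER = timedelta(days=45)  # assumed threshold for "not seen for a while"

def track(scans, stale_after=STALE_AFTER):
    """Return {(asset_id, plugin_id): status} after the last scan (new, active,
    fixed, reappeared). A finding is "fixed" only when its asset was scanned and the
    finding is gone; an unscanned host keeps its previous status. A new asset id with
    the MAC of a host not seen for stale_after closes the old host's findings."""
    status, last_seen, mac_owner = {}, {}, {}
    for scan in scans:
        scanned, found = scan["assets"], scan["findings"]
        for asset, mac in scanned.items():
            old = mac_owner.get(mac)
            if old and old != asset and scan["date"] - last_seen[old] > stale_after:
                for key in status:
                    if key[0] == old:
                        status[key] = "fixed"
            mac_owner[mac], last_seen[asset] = asset, scan["date"]
        for key, st in status.items():
            if key[0] in scanned and key not in found and st != "fixed":
                status[key] = "fixed"
        for key in found:
            prev = status.get(key)
            status[key] = ("new" if prev is None else
                           "reappeared" if prev == "fixed" else "active")
    return status

def counts(status):
    """Totals per status, the numbers a "vulnerabilities over time" graph would plot."""
    out = {}
    for st in status.values():
        out[st] = out.get(st, 0) + 1
    return out
```

With a much larger threshold the old laptop is not considered stale and its findings stay "new" forever, which is exactly the unreliable picture the post warns about.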
Health and Status
Right now this empty dashboard shows only one Active user: me.
But it can also show pretty interesting information about scanner usage:
Licensed Assets
Active Agents
Active Scanners
Active Users
And for the last month:
Scans per day graph
Completed scans
New Scans
Scheduled scans
On demand scans
You can evaluate how effectively you use the scanner and make sure everything is working properly. Unfortunately, these GUI elements are not clickable.
Other Dashboards
Additional dashboards give a good idea of what else you can try to do with Nessus.
Available dashboards:
Exploitable by Malware
Outstanding Patch Tracking
Prioritize Hosts
Vulnerabilities by Common Ports
Vulnerability Management
Web Services Indicator
Scans
The main active scanning functionality of Tenable.io VM (NASL plugins, port scanner and .audit scripts) is the same as in Nessus Manager, Nessus Professional and Nessus for SecurityCenter. And this is a really great thing, because it makes comparison of the tools much easier.
Scan templates now have new beautiful icons:
Target groups and Exclusions
In Tenable.io you can set which users will have permissions to scan different groups of hosts in “Target Groups”:
You can also prevent scanning of some hosts entirely or for some period of time:
In “Exclusions” you can specify the hosts…
… and the time when the scanning should be prohibited:
Agents and Scanners
You can manage Nessus Agents in Tenable.io the same way you do it in Nessus Manager.
For active scanning you can use remote Nessus scanners located in the United States, Singapore and Germany:
You can also deploy Nessus scanners and Passive Vulnerability Scanners (PVS) in your own infrastructure. You just need to download the packages (no registration required) and enter the Linking Key during the installation.
Note that remote scanners in the trial version can scan only 10 hosts. For Nessus scanners deployed on premise there is no such restriction.
Reports
In Tenable.io you can regularly generate advanced PDF reports based on the scan results:
However, it’s not yet possible to send them automatically by email.
Available report templates:
CVE Analysis Report
Credentialed Scan Failures
Critical and Exploitable Vulnerabilities Report
Elevated Privilege Failures
Exploit Frameworks
Exploitable by Malware
Malicious Code Prevention Report
Outstanding Patch Tracking
Prioritize Hosts
Unsupported OS Report
Vulnerabilities by Common Ports
Vulnerability Detail Report
Vulnerability Management
Web Services Indicator
Windows Unsupported and Unauthorized Software
Wireless Configuration Report
Wizard for configuring the report:
Settings
And finally, this is how the Settings tab looks:
I liked this way of setting up exceptions for plugins in My Account.
You can change the NASL plugin severity level here for some hosts or for all hosts:
In conclusion
In my opinion, the new features of the Tenable Vulnerability Management service are all very useful and interesting. I hope that someday it will be possible to use such a solution on premise as well. It would satisfy those customers who, like me, are against storing scan data and scan accounts in the cloud. But, in any case, Tenable.io will be a very good option for unauthenticated perimeter scanning for any customer.
On the other hand, licensing by hosts, for obvious reasons, makes the solution not as attractive as Nessus Professional, which gives you the opportunity to scan almost everything you can reach for about $2200 a year.