by Stephanie Dunn
January 17, 2017
Network assets are always in a constant state of change, as systems traverse the network, and software is installed or updated. Changes can update critical devices or applications, allow for malicious devices or malware to connect to the network, or leave security gaps in devices that can easily be exploited. Knowing when a change was made to a device, software installed, or when a new system connected to the network can help reduce security risks, and achieve a more compliant state. This dashboard covers key concepts within the NIST 800-53 guide that supports monitoring hardware and software asset changes, and the status of existing security controls.
The National Institute of Standards and Technology (NIST) developed the NIST Special Publication (SP) 800-53 revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations” to provide federal information systems and organizations with security controls and processes to protect against a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. By integrating these controls, organizations will be able to achieve a more consistent level of security and flexibility that can be customized for use with specific industries, standards, and business requirements, and complement other established information security standards. Data presented within this dashboard aligns with NIST 800-53 controls that support change management policies, monitoring asset inventory, and maintaining control over software installations. This dashboard aligns with the following controls:
- Configuration Change Control (CM-3)
- Least Functionality (CM-7)
- Information Systems Component Inventory (CM-8)
- User-Installed Software (CM-11)
This dashboard provides an overview of system counts, newly detected MAC addresses, installed software, configuration issues and other changes throughout the network. Having an accurate and up-to-date count of existing assets on the network will assist analysts in preventing unauthorized devices from connecting to the network. Monitoring asset changes will also help security teams to identify blind spots that may have been previously overlooked.
Organizations will be able to keep track of operating systems and software deployments. This information will enable organizations to gain control over software licenses, and reduce unnecessary costs. Information on software installations will highlight unauthorized and unsupported software running on network assets. Audit checks will monitor the status of existing security controls on network assets, and whether the security policies in place are effective. Data will also highlight software or devices with default security configurations that are placing the organization at risk. Monitoring changes across infrastructure devices, user accounts, and software will help to identify and prevent unauthorized modifications that could negatively impact critical systems.
This dashboard is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:
- Tenable.sc 5.4.2
- Nessus 8.4.0
- LCE 6.0.0
- NNM 5.9.0
Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect the organization. Tenable's Tenable.sc Continuous View (CV) is continuously updated with information about advanced threats, zero-day vulnerabilities, and new regulatory compliance data. Active scanning periodically examines systems to determine vulnerabilities and compliance concerns. Agent scanning enables scanning and detection of vulnerabilities on transient and isolated devices. Passive listening collects data to continuously monitor traffic and collect information on asset changes. Host data and data from other security products is analyzed to monitor the network for changes on infrastructure devices, user accounts, and software installations. Tenable.sc CV provides an organization with the most comprehensive view of the network and the intelligence needed to secure and protect assets within the network.
The following components are included within this dashboard:
- Network Mapping - System Counts: This component presents the counts of systems detected on the network in various categories. The total number of systems is displayed, along with the counts of actively scanned systems detected by Nessus, passively detected systems discovered by NNM, and systems from which LCE obtained logs. For these, percentages of the total system count are displayed. The percentage bar color reflects coverage and will be red for a low percentage of total systems, yellow for a medium percentage, and green for a high percentage. In addition, counts of external-facing systems, systems that clients connect to (servers), admin systems, wireless access points, and web servers are also displayed. For each of these, percentages of the total system count are displayed with black bars. Finally, the count of exploitable systems on the network is displayed, along with a percentage bar displayed in red. Using this matrix, organizations will be able to gain a more complete picture of existing assets and high-valued systems on the network.
- Discovery Scan - Hosts Per Asset List: The 'Hosts Per Asset List' table component lists the live host counts distributed across Tenable.sc 4 assets. In the screen shot, example network locations with their labels have been uploaded into Tenable.sc 4 and represent physical locations. A retail store could upload their store locations and corresponding network CIDRs.
- Configuration Management - Top Subnets with New MAC Addresses: This component presents a summary of newly detected MAC addresses per subnet over the last 72 hours. Event data will highlight new MAC addresses from mobile devices, wireless devices, and other devices. Using this information, security teams can drill down and change the filter to “Raw Syslog Events”, which will provide information on the IP and MAC address of the network asset. Security teams can use the information provided to effectively manage current inventory assets, and monitor the network for unauthorized devices.
- Configuration Management - Detected Software: This matrix presents indicators that detect operating systems, browsers, unsupported, and other software installations on systems within a network. Indicators will turn purple when a match is found, and display a list of detected software. Analysts will find this information useful in tracking software licenses, and identify hosts running unauthorized or malicious software. Additionally, the data provided within this component can be used to monitor systems running unsupported software, which can contain vulnerabilities and place critical systems at risk. Filters within this component can be modified to include additional or specific software per organizational requirements.
- Compliance Summary - Secure Configuration Compliance Checks: This component presents the results of compliance audits to verify the secure configuration of systems, including least functionality, disabling unnecessary services, and inventory and change control settings. Each row includes the system count, whether scans were performed in the last seven days, and the percentage of checks that passed, failed, or require manual verification. Passed checks are displayed in green, failed checks are in red, and checks that require manual verification are in orange. The count of hosts with failed checks is also given.
- Compliance Summary - Top Subnets with Compliance Concerns: This table presents the top Class C subnets with the most compliance concerns. High severity indicates compliance failures, and medium severity indicates compliance advisories or checks that must be performed manually. The table is ordered so the subnet with the most compliance concerns is at the top. This information will help an analyst to identify which subnet needs the most attention in terms of compliance.
- CSF - Top Detected Changes (Last 72 Hours): This table displays the top change events detected on the network in the last 72 hours. The table is sorted so that the changes detected most often are at the top. This table can be used by an analyst to investigate recent network changes and determine if they are appropriate and authorized.