by Josef Weiss
October 9, 2014
Organizations often express difficulty in identifying devices on the network or software installed on systems. This collection displays triggered detections within the environment, using active, passive and event-based detection methods.
When the organization stays up-to-date on the state of the environment, it is able to maintain a successful security program. As information about new vulnerabilities is discovered and released into the public domain, Tenable’s research staff designs plugins to detect them. This dashboard collection utilizes both active and passive detection plugins, filtered by plugin family, to present data to the analyst. Not all detection plugins indicate severe vulnerabilities. Many plugins are informational and instead provide indicators and tables of triggered detections within the environment.
Examples of the informational indicators are:
- VMWare Virtual Machines
- Telnet Servers
- VNC Software
- Dropbox Software
- iCloud, and many more.
By reviewing this collection, analysts can maintain an awareness of the systems and software detected within the environment. The collection includes trend components that display active and passive detections over the previous 25-day reporting period. The graph typically shows spikes in active detections on days when Nessus scanning has occurred, which tells the analyst when active scanning is taking place. There are two indicator components for Active and Passive detection by plugin family and a table that displays the top 50 most prevalent detections. A severity table allows the analyst to quickly determine the counts of detections by severity and whether any of the detections are exploitable.
SecurityCenter CV scales to meet the future demand for monitoring virtualized systems, cloud services, and the proliferation of devices. Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities, and with new types of regulatory compliance configuration audits. PVS provides deep packet inspection to enable discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. Combined, SecurityCenter CV’s continuous network monitoring is able to detect systems, applications, software, and events across the enterprise.
The following components are part of this collection:
- Detections over time - This component displays a trend of detections over the last 25 days. Filtering is accomplished through plugin name and plugin family for both passive and active detections. The chart provides a trend of data points, which are collected every 24 hours over the past 25 days. Spikes in trend activity for active detections usually indicate active Nessus scanning on the network. This allows the analyst to quickly determine if and when Nessus scanning is occurring.
- Active Detection by Family - This matrix component triggers on active detection plugins. Active plugins are the plugins used by Nessus during network scanning. The matrix cells provide an indicator filtered by detection plugins along with the active plugin family. When no alert is present, the indicator remains off (uncolored); if an alert is present, the indicator changes to purple. The analyst may click on the indicator to retrieve a vulnerability list that includes the Plugin ID, Plugin Name, Family, Severity, IP Address, NetBIOS, DNS and MAC address matching the query.
- Passive Detection by Family - This matrix component triggers on passive detection plugins. Passive plugins are the plugins used by Passive Vulnerability Scanner (PVS) during passive network monitoring. The matrix cells provide an indicator filtered by detection plugins along with the passive plugin family. When no alert is present, the indicator remains off (uncolored); if an alert is present, the indicator changes to purple. The analyst may click on the indicator to retrieve a vulnerability list that includes the Plugin ID, Plugin Name, Family, Severity, IP Address, NetBIOS, DNS and MAC address matching the query.
- Detections by Severity - This component displays detections by count, severity, and exploitability. The severity table lets the analyst quickly determine the counts of detections by severity and exploitability. This table allows for immediate drill-down into the respective severity and exploitability sections for an expanded view. The additional details are provided via a vulnerability summary, filtered on the detection plugins and severity. The exploitability column adds an exploitability filter.
- Top 50 Most Prevalent Detections - This table component displays a list of the 50 most prevalent detections, using the vulnerability summary tool, sorted by total in descending order so that the most common detections are listed at the top of the table. The plugin ID, name, family and severity rating are also displayed for the analyst.
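As an added illustration of how the three tabular components above aggregate a vulnerability list (this is example code, not part of the page or of Tenable's products; the records, plugin IDs, family names and hosts are constructed), the following builds the family indicators, the severity/exploitability table and the most-prevalent list from the same set of detection records:

```python
from collections import Counter

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]


def rec(plugin_id, name, family, severity, exploitable, host, source):
    """One detection record, shaped like a row of a vulnerability list."""
    return {"plugin_id": plugin_id, "name": name, "family": family,
            "severity": severity, "exploitable": exploitable,
            "host": host, "source": source}


# Constructed sample data; plugin IDs and families are placeholders, not real plugins.
DETECTIONS = [
    rec(90001, "Telnet Server Detection", "Service detection", "Info", False, "10.0.0.1", "active"),
    rec(90001, "Telnet Server Detection", "Service detection", "Info", False, "10.0.0.2", "active"),
    rec(90001, "Telnet Server Detection", "Service detection", "Info", False, "10.0.0.3", "active"),
    rec(90002, "VNC Software Detection", "Service detection", "Info", False, "10.0.0.2", "active"),
    rec(90003, "Dropbox Client Detection", "Internet Services", "Info", False, "10.0.0.5", "passive"),
    rec(90003, "Dropbox Client Detection", "Internet Services", "Info", False, "10.0.0.6", "passive"),
    rec(90004, "Outdated VNC Server", "Misc.", "High", True, "10.0.0.2", "active"),
    rec(90005, "Unsupported Hypervisor Version", "Virtualization", "Medium", False, "10.0.0.7", "passive"),
]


def family_indicators(records, source):
    """Families with at least one detection from 'active' or 'passive' plugins:
    these are the matrix cells that would turn purple."""
    return {r["family"] for r in records if r["source"] == source}


def detections_by_severity(records):
    """Count of detections per severity, plus how many of those are exploitable."""
    table = {s: {"total": 0, "exploitable": 0} for s in SEVERITY_ORDER}
    for r in records:
        row = table[r["severity"]]
        row["total"] += 1
        if r["exploitable"]:
            row["exploitable"] += 1
    return table


def top_prevalent(records, n=50):
    """Most prevalent detections by plugin, sorted by total in descending order."""
    counts = Counter((r["plugin_id"], r["name"], r["family"], r["severity"]) for r in records)
    return [{"plugin_id": pid, "name": name, "family": fam, "severity": sev, "total": total}
            for (pid, name, fam, sev), total in counts.most_common(n)]


if __name__ == "__main__":
    print(detections_by_severity(DETECTIONS))
    print(top_prevalent(DETECTIONS, 5))
```

Note that the informational Telnet detection dominates the prevalence list even though only the single High finding is exploitable, which is why the severity table is read alongside the top-N table.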
The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring.
The dashboard requirements are:
- SecurityCenter 4.8.1
- Nessus 5.2.7
- PVS 4.0.2