NNM Detections Report - Devices and Services

Most organizations have security controls in place that focus on protecting the network perimeter, but do not adequately monitor what’s going on inside the network. Unfortunately, many fail to monitor devices that are being connected to the network, and what services are being used. Attackers will exploit vulnerabilities within devices and services to infiltrate the network. Information presented within this report provides a comprehensive look at devices and services in use, and highlights whether systems or security controls need to be hardened.

One of the most important things that any organization can do is to implement a defense-in-depth strategy. This strategy involves implementing a multi-layered approach to defend each layer within the organization by monitoring all possible network endpoints. Using this strategy, organizations will be able to focus on monitoring the internal network to identify and remediate security gaps before critical systems are affected. Additional strategies, including disabling all unnecessary services and blocking unauthorized devices from connecting to the network, can help to reduce the size of the overall attack surface. For those organizations that require the use of specific services, implementing security controls that restrict permissions and access provides best practice in ensuring least privileges. 

This report presents a high-level overview of devices and services in use on the network. Nessus Network Monitor (NNM) continuously listens to the network and monitors network gateways for active devices and services. Information is filtered using several plugin families that will monitor for portable devices, client/server applications, and other services and systems in use. Analysts will be able to easily monitor for systems accessing cloud services, accessing web applications, specific browser versions, and transfer protocols such as SSH and SMTP. Using the information provided within this report, analysts will obtain a real-time view of services and systems in use, and have the actionable intelligence needed to strengthen existing security controls.

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery & Detection. The report requirements are:

• Tenable.sc 5.4.2
• NNM 5.2.0

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect the organization. Passive listening collects data to continuously monitor traffic and collect information about services and network devices. With more supported technologies than other vendors, Tenable.sc Continuous View (CV) is able to analyze vulnerabilities and collected logs from a wide range of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure devices. Tenable enables powerful, yet non-disruptive, continuous monitoring that will provide organizations with the information needed to monitor devices and services throughout the enterprise.

The following chapters are included within this report:

• Executive Summary: The Executive Summary chapter will highlight the top changes detected from systems and services on the network. Data is filtered using several plugin families that report on devices and systems such as mobile phones, client/server applications, and databases that are in use. An overview of the top ports being used by these services are also included within this chapter. Analysts will gain a complete look at existing services and systems in use, and determine whether the service in question is authorized or should be disabled.
• Systems and Devices: This chapter presents a summary of devices and services that have been detected on the network by NNM. NNM continuously listens to the network and monitors endpoints for active devices and services. Information is filtered using specific plugin families and keywords that will monitor for portable devices, client/server applications, and other services in use.
• Services Summary: This chapter presents an overview of passively detected services in use on the network. Information in this chapter will highlight activity from cloud services, databases, web applications, browsers, and web servers. Knowing what services are being used within the network can assist security teams in identifying and remediating potential entry points that can be used by attackers to infiltrate the network.
• Protocols Summary: The Protocols Summary presents an summary of detected protocols in use on the network. Elements in this chapter will highlight systems running services such as SSH, Telnet, Remote Desktop Protocol (RDP), SMTP, and more. Using this information provided within this chapter can be used by analysts to identify services that should be disabled, or tighten restrictions placed on accounts accessing these services. Knowing what services are being used on the network can assist security teams in identifying and remediating potential entry points that can be used by attackers to infiltrate the network.