Every organization's vulnerability management needs differ somewhat from the next one's. They vary with the scanner used (cloud or on-premise), where sensors are deployed, the technology in your environment, and the overall goals of the program. This post covers the architectural considerations of Tenable IO's product platform.

By: Justin Fimlaid

Are you looking to build your vulnerability management program using Tenable's products? If so, this is a quick start guide to get oriented with the Tenable IO suite.

What is Tenable IO?

Tenable IO is Tenable's cloud-hosted scanning and SaaS platform. Because it is hosted in the cloud, Tenable IO offers users benefits such as scalability, global availability, and cloud asset management. It is comprised of multiple types of sensors and product solutions which work together to help organizations measure their cyber exposure.

When to use Tenable IO Sensors, Agents, Scanners?

Tenable IO supports multiple types of sensors, from internal and cloud-based active scanners to passive sensors, agents, and third-party connectors. Users must weigh the benefits and disadvantages of each type of sensor when setting up their environment. Active Nessus scanners are the core of Tenable IO data gathering. They can fully enumerate SSL and TLS services on open ports and are the best sensors for gathering vulnerability information.

Tenable Internal Scanners

Internally placed scanners identify compliance and network vulnerabilities. However, active port scans can be invasive and have the potential to disrupt some devices, especially when credentials are not used. Using administrator-level credentials in an active scan greatly reduces this risk, since credentials let the scanner log in and perform many checks locally instead of probing each service over the network. A credentialed scan is the recommended best practice: it detects many more vulnerabilities than an uncredentialed scan and uses less network bandwidth to test targets. If you are worried about adding another admin credential to your environment, look into the CyberArk Vault integration for Tenable to protect privileged accounts. I'll write about the Tenable and CyberArk integrations in a future post.

Tenable Passive Network Monitor

Nessus Network Monitor (NNM) passive sensors are the type of sensor best suited for an operational technology (OT) environment and for other fragile devices, because they never send packets to the target. Using Nessus Network Monitor is also an excellent way to detect new assets on the network. But since they only observe network traffic, they do not gather as much information about assets as active scanners do.

Tenable Agents

Nessus agents are ideal for systems that cannot be reliably reached over the network, such as laptops for a mobile workforce that only occasionally connect to the corporate network. Agents always perform local (credentialed) checks using a system-level account, which detects more vulnerabilities than an uncredentialed network scan. This eliminates the need to distribute remote credentials for high-quality scans, for example on database servers or in protected networks where inbound scan traffic is undesirable. Since the scan runs locally, it generally completes faster than an active scan. Agents are not the most effective solution for targets with minimal resources, though, since they consume CPU and memory on the host. Agents also do not enumerate network-level services (such as SSL/TLS), so they do not replace an active scan entirely.

Tenable IO Cloud Scanners

Cloud scanners are the best sensors for detection and vulnerability assessment of public-facing and cloud assets. They have multiple advantages: since they are hosted by Tenable there is no maintenance for the user, and they give users insight into what an attacker can see from outside the network. Keep in mind that cloud scanners cannot scan internal assets. Tenable IO also supports third-party connectors for AWS and Qualys. These let users identify cloud assets easily and are API driven for automatic visibility, although some connectors require setup before they work properly.

All sensors feed data into Tenable IO's product solutions. Tenable IO Vulnerability Management is a comprehensive solution (Nessus Scanner, Tenable IO Cloud Scanner, Nessus Network Monitor, Nessus Agent) that helps customers understand their cyber exposure. Additionally, Tenable offers options for Container Security, PCI ASV, and Web Application Scanning. Tenable IO Vulnerability Management features a streamlined and intuitive interface for managing assets and vulnerabilities. Tenable IO collects vulnerability and asset data from all sensors and combines that data into multiple dashboards and reports.

If multiple sensors detect the same asset, their data is combined into a full picture of that asset and its activity. Customers also have the ability to recast or accept vulnerability risk so they can tailor findings to their own unique environment and needs.
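The behaviour described in the two paragraphs above (several sensors reporting the same asset, and recast/accept rules applied to its findings) is illustrated by the following added example. It is not part of the original post and is not Tenable's own merge logic; the record format, the choice of identifiers that are strong enough to merge on, the sample observations and the finding names are all assumptions constructed for the example.

```python
"""
Added example: correlating observations from several sensor types into one
asset record, then applying accept/recast rules to its findings.
Illustrative only; not Tenable's implementation. Field names, matching rules
and sample data are assumptions constructed for this example.
"""
from collections import defaultdict

# Identifiers treated as strong enough to say "same asset". IP address is
# deliberately excluded: a DHCP lease moves between hosts, and merging on IP
# alone would silently combine two different machines.
STRONG_KEYS = ("agent_uuid", "mac", "fqdn")

# Constructed sensor observations. The first three are one laptop seen by an
# agent, an internal active scan and the passive monitor; the fourth is a
# different host that later received the laptop's former DHCP address.
OBSERVATIONS = [
    {"sensor": "agent", "agent_uuid": "3f0c-laptop", "fqdn": "lt-0042.corp.example",
     "ipv4": "10.1.5.20", "findings": {"local-kernel-outdated", "browser-outdated"}},
    {"sensor": "active", "fqdn": "lt-0042.corp.example", "mac": "00:11:22:33:44:55",
     "ipv4": "10.1.5.20", "findings": {"tls-weak-cipher", "browser-outdated"}},
    {"sensor": "passive", "mac": "00:11:22:33:44:55", "ipv4": "10.1.5.20",
     "findings": {"tls-weak-cipher"}},
    {"sensor": "passive", "mac": "66:77:88:99:aa:bb", "ipv4": "10.1.5.20",
     "findings": {"smb-signing-disabled"}},
]


def correlate(observations):
    """Group observations that share any strong identifier, transitively
    (agent<->active via fqdn, active<->passive via mac), using union-find."""
    parent = list(range(len(observations)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    seen = {}  # (key, value) -> index of the first observation carrying it
    for idx, obs in enumerate(observations):
        for key in STRONG_KEYS:
            value = obs.get(key)
            if value is None:
                continue
            if (key, value) in seen:
                union(idx, seen[(key, value)])
            else:
                seen[(key, value)] = idx

    groups = defaultdict(list)
    for idx in range(len(observations)):
        groups[find(idx)].append(observations[idx])

    assets = []
    for members in groups.values():
        asset = {"sensors": set(), "ipv4": set(), "findings": set()}
        for obs in members:
            asset["sensors"].add(obs["sensor"])
            asset["ipv4"].add(obs["ipv4"])
            asset["findings"] |= obs["findings"]  # union of every sensor's view
            for key in STRONG_KEYS:
                if key in obs:
                    asset[key] = obs[key]
        assets.append(asset)
    return assets


# Constructed risk rules of the two kinds the post describes: "recast" changes
# the severity, "accept" removes the finding from the actionable view.
RULES = [
    {"finding": "tls-weak-cipher", "action": "recast", "severity": "low"},
    {"finding": "smb-signing-disabled", "action": "accept"},
]


def apply_rules(asset, rules, default_severity="medium"):
    """Return {finding: severity} after recasts; accepted findings are dropped."""
    by_finding = {rule["finding"]: rule for rule in rules}
    result = {}
    for finding in asset["findings"]:
        rule = by_finding.get(finding)
        if rule is None:
            result[finding] = default_severity
        elif rule["action"] == "recast":
            result[finding] = rule["severity"]
        elif rule["action"] != "accept":
            raise ValueError(f"unknown action {rule['action']!r}")
    return result


if __name__ == "__main__":
    for asset in correlate(OBSERVATIONS):
        print(sorted(asset["sensors"]), sorted(asset["findings"]))
        print("  actionable:", apply_rules(asset, RULES))
```

Run as is, the laptop collapses to a single asset with all three sensors and the union of their findings, while the fourth observation stays a separate asset even though it shares the IP address. That second point is the caveat worth carrying into any asset inventory: an IP address is a location, not an identity.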

Tenable IO Web Application Scanning

The Tenable IO Web Application Scanning solution organizes all web application vulnerabilities on a single dashboard. It uses a specialized scanner that can detect web vulnerabilities a regular Nessus scan will miss. Specialized scan policy templates make web application scans easy to configure. Tenable IO Container Security fits into users' DevOps pipelines to make them aware of issues in their images before they are deployed.

PCI DSS Approved Scanning Vendor

Tenable IO is a certified global Approved Scanning Vendor (ASV) solution for the Payment Card Industry Data Security Standard (PCI DSS). The PCI ASV product solution enables users to satisfy their external PCI scanning and reporting requirements. The PCI workbench offers an easy way to submit and track attestations.

Tenable Industrial Security

While it is not yet integrated with Tenable IO, Tenable's Industrial Security solution offers great technological value for OT users. Industrial Security manages multiple Nessus Network Monitor passive sensors, allowing safe vulnerability detection in a fragile OT environment without actively probing devices. Tenable has a partnership with Siemens to detect many types of industrial control system (ICS) devices.