Note: This blog entry was originally posted in April, 2007 and was updated on May 28, 2009
The Security Center can be used to manage multiple Nessus scanners and Passive Vulnerability Scanners for continuous monitoring of sensitive data at rest and data in motion. This blog entry discusses various deployment scenarios that can be used to effectively perform data leakage detection.
Active and Passive Detection Methods
In March, 2007, Tenable released the ability for Nessus ProfessionalFeed and Security Center users to scan Windows hosts for sensitive data such as credit cards, employee information and even things like source code. This technology works as part of the regular vulnerability or configuration auditing scans.
Earlier, Tenable had also released policy libraries for the Passive Vulnerability Scanner (PVS) that identify servers and users transmitting sensitive data in motion. The PVS not only identifies hosted Adobe, PowerPoint, Word and Excel files, as Nessus does; it also inspects email, chat and web browsing traffic for specific types of data such as Social Security numbers and credit card numbers.
When managed by the Security Center, the combination of active and passive data leakage monitoring is an effective way to discover where sensitive data resides and when it leaves the network. Below is a screen shot of an American Express credit card number being hosted on a web server:
Why Find Sensitive Data?
When sensitive data is identified through the Security Center, several courses of action can be taken:
- A list of all systems with sensitive data can be obtained by IP address, MAC address, DNS name or Windows name. This list is available as a spreadsheet or can be created as a PDF report.
- A list of all corporate assets with sensitive data can similarly be created, allowing users to see whether any systems not authorized to hold such data actually do.
- Because the Security Center combines vulnerability detection with asset identification, it can also find hosts holding sensitive data that are unmanaged or vulnerable.
- If necessary, different types of sensitive data records can be classified into different asset groups. For example, all systems holding credit card data could be placed into a PCI asset list while all records holding patient health data could be placed into a HIPAA list.
- If the Security Center detects a system compromise, the incident response process can immediately take into account whether the affected server or system held sensitive data.
All of these capabilities allow an organization to combine information about system vulnerabilities, system configurations and systems holding sensitive data to identify and manage potential compliance, security and data leakage issues.
Creating Dynamic Asset Lists based on Sensitive Content
Information about sensitive data found by Nessus or the PVS can be used to create a Security Center dynamic asset list. This data can be combined with other attributes such as IP address, system usage, open ports, domain name, system asset information and so on to create unique asset lists.
For example, in the screen shot below, we've scanned the network for documents containing the word "Tenable".
To write a dynamic asset rule for all systems holding this data, we would target plugin ID #60186 and additionally require that the plugin output contain the text "[FAILED]". This second condition is required because a system with no .doc files containing the word "Tenable" also reports an active ID #60186, but with "[PASSED]" in its output, so matching on the plugin ID alone would sweep clean hosts into the asset list.
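The same two-part match can be reproduced offline against an exported scan, which is a useful way to sanity-check a dynamic asset rule before relying on it. The script below is an added example and not Tenable's code; it assumes the .nessus v2 export layout (ReportHost / ReportItem elements with a pluginID attribute and a plugin_output child), uses plugin ID 60186 as named above, and runs against a small report constructed for the example rather than a real scan.

```python
import xml.etree.ElementTree as ET

# Plugin ID of the "documents containing 'Tenable'" check discussed above.
SENSITIVE_DOC_PLUGIN_ID = "60186"

# Constructed .nessus-style report for the example (not real scan data).
# All three hosts ran plugin 60186; only 10.0.0.5 actually held a matching file.
SAMPLE_NESSUS = r"""
<NessusClientData_v2>
  <Report name="dlp-demo">
    <ReportHost name="10.0.0.5">
      <ReportItem pluginID="60186" pluginName="Sensitive content check" port="445" severity="3">
        <plugin_output>"Documents containing Tenable" : [FAILED]
C:\share\roadmap.doc</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem pluginID="60186" pluginName="Sensitive content check" port="445" severity="0">
        <plugin_output>"Documents containing Tenable" : [PASSED]</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem pluginID="60186" pluginName="Sensitive content check" port="445" severity="0">
        <plugin_output>"Documents containing Tenable" : [PASSED]</plugin_output>
      </ReportItem>
      <ReportItem pluginID="19506" pluginName="Nessus Scan Information" port="0" severity="0">
        <plugin_output>Scanner IP : 10.0.0.1</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def hosts_with_plugin(nessus_xml, plugin_id):
    """Naive rule: every host on which the plugin produced any result.
    This is the mistake the text warns about, since the check fires on
    clean hosts too (with [PASSED] output)."""
    root = ET.fromstring(nessus_xml)
    hits = set()
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginID") == plugin_id:
                hits.add(host.get("name"))
    return sorted(hits)


def hosts_with_finding(nessus_xml, plugin_id, marker="[FAILED]"):
    """Correct rule: the plugin must have run on the host AND its output
    must carry the failure marker; [PASSED]-only hosts are excluded."""
    root = ET.fromstring(nessus_xml)
    hits = set()
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if item.get("pluginID") != plugin_id:
                continue
            output = item.findtext("plugin_output") or ""
            if marker in output:
                hits.add(host.get("name"))
    return sorted(hits)


if __name__ == "__main__":
    print("plugin ID only :", hosts_with_plugin(SAMPLE_NESSUS, SENSITIVE_DOC_PLUGIN_ID))
    print("ID + [FAILED]  :", hosts_with_finding(SAMPLE_NESSUS, SENSITIVE_DOC_PLUGIN_ID))
```

Running it shows the difference the text describes: the plugin-ID-only list contains all three hosts, while the list that also requires "[FAILED]" contains only 10.0.0.5, which is the set a PCI or HIPAA asset group should actually be built from.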
For More Information
Information on purchasing the Security Center ($15,750 for 500 servers), Passive Vulnerability Scanner ($9995 for any network) or the ProfessionalFeed ($1200/year per Nessus scanner for end users) is available here.
Readers who are interested in compliance can request a copy of Tenable's "Real Time Compliance Monitoring" paper, as well as any of our application notes on PCI, or HIPAA compliance monitoring.

