Automating Security Frameworks

Presentation transcript:

Automating Security Frameworks
Welcome. My name is Ted Gary. I am a Sr. Product Marketing Manager at Tenable. In the next ten minutes, we will look at how Tenable can help you automate technical controls in the leading security frameworks.

Security Frameworks are Pervasive
In Q4 of last year, Tenable and the Center for Internet Security jointly sponsored a survey to quantify adoption of security frameworks. We found that 80% of organizations have or are implementing a security framework, and many of them are using more than one.
How many of you work for an organization that is adopting one of these frameworks?

Technical and organizational issues impede security framework implementation
We also found that framework implementation has significant challenges. I grouped the challenges into two categories: organizational challenges and technical challenges. Obviously, the two categories are related. The organizational challenges need to be resolved prior to addressing the technical challenges. The challenges shown in light blue are organizational challenges: things like lack of trained staff, lack of budget and lack of management support. The challenges shown in dark blue are technical challenges. They include lack of tools to automate controls and lack of tools to audit controls. Organizations that have the tools lack integration among tools and lack reporting.
Tenable addresses all of these challenges.

Tenable Supports the Leading Frameworks
Tenable SecurityCenter CV, which I will refer to as CV, automates and audits the majority of the technical controls found in all of the leading frameworks. It also includes many pre-built integrations, and its reporting spans detailed technical reports and dashboards up to high-level summary report cards.
Let’s see how CV captures the data it needs.
Slide labels: Cybersecurity Framework, 800-171

Comprehensive Data Sensors Enable Automation
Slide labels: INTELLIGENT CONNECTORS, AGENT SCANNING, PASSIVE LISTENING, ACTIVE SCANNING, SCCV, HOST DATA, INTEGRATED PLATFORM; Web, Networks, Endpoint, Mobile, Virtual, Cloud, Users, Devices
Your extended environment probably includes many of the things listed along the bottom of this slide. And each of them poses risk. Therefore, your controls need to apply across all of them. SecurityCenter CV includes five sensors.
Active Scanning - Active scanning examines the devices on the network to analyze their running processes, services, configuration settings, and vulnerabilities. However, active scanning may miss laptops and cloud instances that are not connected during a scan.
Agent Scanning - Agent scanning makes it possible to scan these transient devices. Once installed, agents analyze the devices much as an active scan would. Results are uploaded when the device reconnects to the network.
Intelligent Connectors - Intelligent connectors leverage your existing investments to build a comprehensive fabric of information. CV integrates with a wide range of third-party systems, including Active Directory, configuration management databases, patch management systems, mobile device management systems, cloud platforms, and threat intelligence feeds.
Passive Listening - With increasing mobile and transient devices, it is important to continuously monitor traffic to identify devices, applications and communications on your network.
Host Data - Tenable enables hosts to play an active part in their own security. They report on activity and changes to their state and security posture.
Data collected by these sensors is stored centrally for analysis and reporting. SecurityCenter CV includes hundreds of report templates and dashboard templates. Let’s look at a dashboard.

Detailed Status Highlights Weaknesses
SecurityCenter CV dashboards display near real-time status. This dashboard shows an overview of the CIS foundational cyber hygiene controls. These five foundational controls are a prioritized list of fundamental security controls. They are central to all security frameworks and are a great starting point for adopting the CIS Critical Security Controls, the NIST Cybersecurity Framework and ISO 27001/27002.
Let’s quickly zoom in on the five critical controls.

Device Inventory
The first control is an inventory of authorized and unauthorized devices. This makes sense because you must know about devices on your network if you want to manage and secure them. The CIS specifically says that you should use both active and passive identification technologies to identify assets. You can see that CV uses active detection based on active scans and agents. It uses passive network monitoring, and it collects information from other sources, such as DHCP, to identify devices.

Software Inventory
The second control is an inventory of authorized and unauthorized software. CV can identify the software installed on your systems and software that is active on your network. It can compare this software to a list of authorized software, and can also identify unsupported software and software that is missing patches.

Secure Configurations
The third control is secure configurations for computing devices. CV audits your configurations against your own standards or against published standards such as CIS Benchmarks and DISA STIGs.

Vulnerability Assessment & Remediation
The fourth control is continuous vulnerability assessment and remediation. Tenable is very well known for vulnerability management. However, some people aren’t aware of our passive vulnerability scanner, which can identify high level vulnerabilities for devices as soon as they connect to the network and can trigger an immediate active scan based on vulnerability severity.

Controlled Administrative Privileges
The fifth control is controlled use of administrative privileges. CV gives you visibility of privileged account activity such as new users, privilege changes, and administrative events.
Dashboards are great for the technical team. However, they include too much detail for most business stakeholders. Business stakeholders require a much higher level of abstraction.

High-Level Status Informs the Business
Assurance Report Cards or ARCs use a pass/fail format to provide that higher level of abstraction. In this example, I have created basic ARCs using the 5 foundational cyber hygiene controls for three different business systems: CRM, Financial Reporting, and SCM. Like school report cards, the overall grade is based on multiple tests. If you pass all of the tests, you get an overall passing grade. Let’s zoom in to see the underlying tests for the CRM system.

High-Level Status Informs the Business
The second test failed. Passing the test required that no unsupported software could be installed on any host.
Of course, you can edit ARCs to report on what is important to your organization. You can also create your own ARCs from scratch.

Tenable addresses the technical challenges
Control automation
Control auditing
Tool integration
Comprehensive reporting
Just to recap, we took a very quick look at how SecurityCenter CV addresses the technical challenges reported in our survey.

Next Steps
Get a Demo
Talk with Us
Want to learn more? Head on over to our SecurityCenter Continuous View demo station, located… One of our SEs would be happy to give you a personalized demo of how CV addresses the leading security frameworks. If you have additional questions or comments for me, don’t leave. I’m available for the next 20 minutes and am happy to chat.