How-to Guide: Tenable.io™ for BeyondTrust Last Revised: April 03, 2018

Table of Contents Introduction

3

Integrations

4

Windows Integration

5

SSH Integration

10

API Configuration

17

API Keys Setup

18

Enable API Access

20

Additional Information

22

Elevation

23

Customized Report

24

About Tenable

25

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Introduction This document describes how to configure Tenable.io for integration with the BeyondTrust PowerBroker Password Safe. Please email comments or suggestions to [email protected]. Security administrators know from experience that managing credentials and privileges for network vulnerability assessments can be cumbersome. By integrating the BeyondTrust PowerBroker Password Safe with Tenable’s solutions, customers now have even more choice and flexibility for reducing the credentials headache. Benefits of integrating Tenable.io with the BeyondTrust PowerBroker Password Safe include: l

l

l

l

Credentials stored in the BeyondTrust PowerBroker Password Safe do not need to be managed and updated directly within Tenable.io. Reduce the time and effort needed to document where credentials are stored within the entire organizational environment. Automatically enforce security policies within specific departments or for specific business unit requirements, which simplifies compliance. Reduce the risk of unsecured privileged accounts and credentials across the enterprise.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Integrations The BeyondTrust Powerbroker Password Safe integration can be configured using either Windows or SSH. Click the corresponding link to view the configuration steps.

Windows Integration SSH Integration

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Windows Integration Use the following steps to configure Windows credentialed network scans using BeyondTrust's Powerbroker Password Safe solution.

Steps 1. Log in to Tenable.io and click Scans and then + New Scan to configure Tenable.io for credentialed scans of Windows systems using the BeyondTrust PowerBroker Password Safe.

2. Select a Scan Template for the scan type required for your scan. For this example, the Advanced Network Scan template will be used.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

3. To configure a credentialed scan for Windows systems using BeyondTrust’s password management solution, enter a descriptive Name and enter the IP address(es) or hostname(s) of the scan Targets .

4. Once the Name and Targets are configured, click Credentials and then select Windows from

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

the left-hand menu.

5. Click the Authentication method drop-down and select BeyondTrust.

6. Configure each field for Windows authentication. Refer to the table below for a description of

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

each field. Once the Windows credentials are configured, click Save to finalize the changes.

The table below contains a description of each option:

Option

Description

Username

(Required) The username to log in to the host being scanned.

Domain

The domain associated with the username, if applicable.

BeyondTrust host

(Required) The BeyondTrust IP/DNS address.

BeyondTrust port

(Required) The port on which BeyondTrust listens.

BeyondTrust API key

(Required) The API key provided by BeyondTrust.

Checkout duration

(Required) Specifies how long to keep the credentials “checked out” in BeyondTrust.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Note: BeyondTrust can change the password once it has checked back in. Therefore, the duration should be at least as long as a typical scan takes. Subsequent scans will fail if the password is still checked out when the next scan starts.

Use SSL

When enabled, Tenable.io uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL certificate

When enabled, Tenable.io validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

7. Once the options to reach the BeyondTrust Powerbroker Password Safe are set, click Save. 8. To verify the integration is working, click the Launch button to initiate an on-demand scan.

9. Once the scan has completed, select the completed scan and look for the corresponding message - Microsoft Windows SMB Log In Possible: 10394. This validates that authentication was successful.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

SSH Integration Use the following steps to configure SSH credentialed network scans using BeyondTrust's Powerbroker Password Safe solution.

Steps 1. Log in to Tenable.io and click Scans and then + New Scan to configure Tenable.io for credentialed scans of Windows systems using the BeyondTrust PowerBroker Password Safe.

2. Select a Scan Template for the scan type required for your scan. For this example, the Advanced Network Scan template will be used.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

3. To configure a credentialed scan for Windows systems using BeyondTrust’s password management solution, enter a descriptive Name and enter the IP address(es) or hostname(s) of the scan Targets .

4. Once the Name and Targets are configured, click Credentials and then select SSH from the

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

left-hand menu.

5. Click the Authentication method drop-down and select BeyondTrust.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

6. Configure each field for Windows authentication. Refer to the table below for a description of each field. Once the Windows credentials are configured, click Save to finalize the changes.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

The table below contains a description of each option:

Option

Description

Username

(Required)The username to log in to the host being scanned.

BeyondTrust host

(Required) The BeyondTrust IP/DNS address.

BeyondTrust port

(Required) The port on which BeyondTrust listens.

BeyondTrust API key

(Required) The API key provided by BeyondTrust.

Checkout duration

(Required) Specifies how long to keep the credentials “checked out” in BeyondTrust.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Note: BeyondTrust can change the password once it has checked back in. The duration should be at least as long as a typical scan takes. Subsequent scans will fail if the password is still checked out when the next scan starts.

Use SSL

When enabled, Tenable.io uses SSL through IIS for secure communications. You must configure SSL through IIS in BeyondTrust before enabling this option.

Verify SSL certificate

When enabled, Tenable.io validates the SSL certificate. You must configure SSL through IIS in BeyondTrust before enabling this option.

Use private key

When enabled, Tenable.io uses private key-based authentication for SSH connections instead of password authentication. If it fails, the password will be requested.

Use privilege escalation

When enabled, BeyondTrust uses the configured privilege escalation command. If it returns something, it will use it for the scan.

7. Once the options to reach the BeyondTrust Powerbroker Password Safe are set, click Save. 8. To verify the integration is working, click the Launch button to initiate an on-demand scan.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

9. Once the scan has completed, select the completed scan and look for the corresponding message - OS Identification and Installed Software Enumeration over SSH: 97993. This validates that authentication was successful.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

API Configuration API Keys Setup Enable API Access

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

API Keys Setup Steps 1. Log in to BeyondInsight. 2. Click Configuration .

3. Click API Registration .

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

4. Configure the source addresses that are white listed requests. 5. Click Save. Once saved, the API Key is available for future requests.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Enable API Access Each Managed Account that you use for scanning must have API Access enabled.

Steps 1. Log in to BeyondInsight. 2. Go to Managed Accounts .

3. Click Edit Account.

4. Click the Enable for API Access option.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

5. Click Save.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Additional Information Elevation Customized Report About Tenable

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Elevation Elevation is used in BeyondInsight to handle privilege escalation for SSH accounts when performing scans. This option is used because some rules won't allow server login using root. The Elevation can be enforced on BeyondInsight at system level or account level.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Customized Report You can build a customized report in BeyondInsight to import hosts from a CSV to scan in Tenable.io. The customized report defines the information needed for Tenable.io uploads.

1. To build the report: 2. Log in to BeyondInsight . 3. Go to - Assets > Scan > Customize Report. 4. Select the Parameters . 5. Click Run Report. Note: This report can be run on any of your previous discovery scans, exported as an CSV, and uploaded as scan targets in Tenable.io.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

About Tenable Tenable transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the U.S. Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Tenable.io and leaders in continuous monitoring, by visiting ten-

able.com.

Copyright © 2018. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

How-to Guide: Tenable.io for BeyondTrust

Apr 3, 2018 - Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability ...
Download PDF
1MB Sizes 4 Downloads 135 Views
Report

Recommend Documents

How-to Guide: Tenable Nessus for BeyondTrust
Apr 3, 2018 - Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability ...
Linux + Windows HOWTO
computer and run a dedicated server and firewall under linux. In accordance with her Microsoft End User. License Agreement she will transfer Windows 95 to ...
Program Library HOWTO
May 15, 2010 - a DL library, and some use the term DLL to mean a library meeting either .... Shared libraries must be placed somewhere in the filesystem. ..... platforms; HP-UX uses the different shl_load() mechanism, and Windows platforms.
Fonebridge 2 Installation Howto - VoxShop
May 15, 2009 - FONEBridge2 has two Ethernet 100bT ports and 1, 2 or 4 trunk TDM ... FONEBridge2 is delivered with two preprogrammed IPs that can be ...
red5: howto create new applications
the mailing lists and have also reported a bug in red5 pertaining to jruby scripting(see http://jira.red5.org/browse/APPSERVER-230). I have learned alot about ...
Open BEAGLE Compilation HOWTO
Oct 10, 2005 - This document is on the compilation of the Open BEAGLE1 C++ framework for evolutionary computations. ..... #define BEAGLE_FULL_DEBUG.
program library howto pdf
Page 1 of 1. File: Program library howto pdf. Download now. Click here if your download doesn't start automatically. Page 1 of 1. program library howto pdf. program library howto pdf. Open. Extract. Open with. Sign In. Main menu. Displaying program l
CMDBuild and Shark Update - HowTo -
Nov 5, 2014 - 3. save possible loaded gis icons present in: ${tomcat_home_cmdbuild}/webapps/${cmdbuild_instance}/upload/images/gis. 4. delete the ...
CMDBuild and Shark Update - HowTo -
Nov 5, 2014 - Liquid Telecom. Progetto: CMDBuild and Shark Update - HowTo. Autore: Lisa Pedrazzi Tecnoteca srl. SOMMARIO. CMDBuild updating.
red5: howto create new applications
Every handler configuration file must contain at least three beans: CONTEXT. The context bean has the reserved name web.context and is used to map paths to scopes, lookup services and handlers. The ... streams. A sample implementation that can be use
helical/helix antenna 2.4 GHz HOWTO
Jun 28, 2008 - GHz which can be used for e.g. high speed packet radio (S5-PSK, 1.288 Mbit/s), ... result in easy possibilities for high speed wireless internet.
HowTo Build with Crystal Space and Blender
The first version of this tutorial used a number of tools - GtkRadiant, Blender, Gimp, ... This document is separated out into two sections: creating artwork for Crystal .... more efficiently use the image when applying it as a texture to a 3D mesh.
Linux Wireless LAN Howto 1 Introduction
Jul 25, 2007 - version, how to get it and the main features. If you hear about ... Because of the large number of drivers, it has been divided in four sections, the first cover .... protocol, with fancy stuff such as RTS/CTS, virtual carrier sense an
Bash Guide for Beginners
Feb 6, 2003 - Chapter 6:Awk: introduction to the awk programming language. •. Chapter 7: ...... specific conversion script for my html files to php. LIST="$(ls ...
Bash Guide for Beginners
Feb 6, 2003 - Understand naming conventions for devices, partitioning, ..... Even the first process, init, with process ID 1, is forked during the ..... Add the directory to the contents of the PATH variable: ...... michel ~/test> feed.sh apple camel
Branding Guide for Schools for Education
best practices around how to use our logos and brand elements to announce that your .... 10. One-color black. One-color reverse. One-color reverse. DO. • Use the ... Figure out which social media students, teachers, and parents spend their time on
Quick Guide for recurrentR - GitHub
(2010) to the researchers who are interesting in semi-parametric recurrent data analysis. They studied how to estimate the recurrence process and survival ...
Guide to Benefits.gov for Veterans
What is Benefits.gov? As the official benefits website of the U.S. government, Benefits.gov is dedicated to connecting citizens to available benefit programs. With.
Admission Guide for International Students
Admission Criteria p.11. V. Important Notes p.12. VI. Academic Programs for Bachelor's Degree p.16 ... Go to http://admission.kaist.ac.kr/international and fill out your online application form. ↓. Please make sure that the ... junior high, and hig