Host Discovery

The first step in many security practice guidelines is to identify all the systems on the network. There are several methods to identify hosts, such as port scans, monitoring logs and passively monitoring TCP communications. This report provides an easy method of tracking host counts and detection methods.

Tenable.sc uses active scanning and agent scanning to interactively communicate with targets on the network. Both active scanning and agent scanning use the Tenable Nessus vulnerability scanner to craft packets and send said packets to remote hosts. One type of message that can be sent is a Packet Internet Gopher (PING), which uses Internet Control Message Protocol (ICMP) to send an “Echo Request” to a host. The remote host sends an “Echo Reply” for each request received. The content of the echo reply varies based on OS implementation, but the exact same payload must be returned to the host that sent the echo request. The process uses Plugin ID 10180 (Ping the remote host) to discover hosts on the network. Another method of host detection uses Plugin ID 19506 (Nessus Scan Information), which contains a summary of the scan parameters, time to complete scan and other useful information. In many cases both plugins 10180 and 19506 will be present, but in some cases 10180 may not be present due to environmental variables. To accurately detect systems discovered using active plugins, ensure both 10180 and 19506 are selected.

Tenable's Tenable.sc Continuous View (Tenable.sc CV) utilizes active scan data collected from Nessus, but data can also be collected using host data from the Tenable Log Correlation Engine (LCE) or passive listening. Tenable LCE host data is gathered by LCE’s ability to monitor different data sources such as NetFlow, firewall logs, host logs and other log types of TCP communications. For each TCP communication event discovered that is not related to a TASL event, the IP address from the event is recorded with plugin 800000 (Host Discovered). The discovered IP addresses must be part of the Internal Host setting and any logs must indicate that a connection is established. Passive listening uses the Tenable Nessus Network Monitor (NNM) to detect new devices using plugin 12 (Host TTL Discovered). NNM identifies hosts if they are part of the monitored range configured within NNM and if the IP address is found in either the source or destination field within the IP packet.

Tenable.sc designates several plugins that do not count against licensing. This report brings together all the aforementioned plugins in a way that allows administrators to easily understand and budget for licensing requirements. By allowing customers the opportunity to scan their entire network without impacting their license count, customers can gain a more complete view of their network and scan the most critical systems.

This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The report can be easily located in the Tenable.sc Feed under the category Discovery & Detection. The report requirements are:

• Tenable.sc 4.8.2
• Nessus 8.4.0
• LCE 6.0.0
• NNM 5.9.0

Using the active scanning, agent scanning, passive listening and host data sensors, Tenable.sc can provide a more comprehensive view of devices accessing the network. By practicing continuous monitoring, organizations can more effectively assess risk and identify authorized and unauthorized systems on their network. As hosts connect to the network, the race begins to identify all the vulnerabilities and assess how each system will affect the network. Only Tenable can automatically analyze information from active scanning, intelligent connectors, agent scanning, passive listening and host data. Active scanning periodically examines hosts to determine the level of risk posed to the organization. Intelligent connectors leverage other security investments in the environment to integrate security data in order to improve context and analysis. Agent scanning provides the ability to rapidly assess hosts without the need for credentials and to detect hosts that were offline during active scans. Passive listening provides real-time monitoring to collect information about hosts connected to the network and how the hosts are communicating. Host data uses logs, file system activity and configuration changes to actively monitor host activities and events in order to identify malicious activity and anomalous behavior.

Chapter

Executive Summary: The chapter provides IT leaders with an overview of discovery from Tenable.sc. The elements display data collected using active, passive and event-based methods. By providing an overview of detection methods, managers can determine the licensing requirements over time and can help to plan budgets accordingly. 

Host Details: This chapter provides the host details for all hosts discovered on the network. The chapter contains an iterator that provides ports summaries and other related information managers and engineers can use to have a detailed understanding of their network.