Update :: ISO’s Selfscan Service
The UT ISO is taking Selfscan to the next level!
Selfscan, our self-service vulnerability scanning service, is undergoing a bit of a change. We're transitioning from a self-service scanning service to a full-fledged vulnerability management service to better align with our overall Vulnerability Management Program (https://security.utexas.edu/vmp).
Why The Change?
IT SUPPORT STAFF ARE REALLY BUSY AND COULD USE SOME HELP
Over the past year, only 50 unique IT support staff have logged in to use Selfscan. When we spot-check, the tool detects several high-risk vulnerabilities that departments have not acted upon. The feedback we've received is that this is because the current tool's (Nexpose) vulnerability checks produce a large number of false positives, the interface is extremely difficult to work with, and it reports too many duplicate vulnerabilities with inconsistent prioritization.
Based on this, we decided to replace Nexpose with a superior product: Tenable's SecurityCenter (Tenable are the creators of Nessus, the de facto standard in vulnerability assessment tools). SecurityCenter has the following benefits:
FULL CAMPUS COVERAGE EVERY OTHER DAY
With SecurityCenter, we are able to run an "everything" scan every other day across all of the campus's IP space. We've been doing this for several weeks with great success.
BETTER CHECKS WITH FEWER FALSE POSITIVES
We're able to detect a much larger variety of vulnerabilities, both with and without credentials (important given the distributed system-management challenges that exist on campus).
EXCELLENT AUTOMATION POTENTIAL
Tenable provides a comprehensive API that lets us automate every aspect of vulnerability scanning. In addition, we can easily export data from the tool into the ISO's managed Splunk service, which has more robust tools for analysis.
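The export step above is where the duplicate-finding and inconsistent-priority complaints get fixed before anything reaches a dashboard. The following is an added example (not ISO code, and not Tenable's or Splunk's own tooling) showing the shape of that pipeline: rows from a vulnerability export are normalized, collapsed to one row per (IP, plugin, port, protocol) keeping the most recent sighting, given a single consistent priority, and wrapped in Splunk HTTP Event Collector (HEC) envelopes. The input field names imitate a SecurityCenter "vulndetails" export but are an assumption here, as are the P1-P4 priority rules, the index and sourcetype names, and the HEC URL placeholder; the sample rows are constructed, not real scan data.

```python
"""Normalize and de-duplicate vulnerability-scan export rows, then shape them
as Splunk HTTP Event Collector (HEC) events.

Added example. The input layout imitates a Tenable SecurityCenter
'vulndetails' export, but the field names used here are an assumption,
not the vendor's documented schema; map them to your real export.
"""
import hashlib
import json
import urllib.request

# Constructed sample rows (not real scan data). Rows 1 and 2 describe the same
# finding on the same host from two sweeps; row 2 is newer and reports a public
# exploit. Row 3 is a separate, lower-severity finding on another host.
SAMPLE_EXPORT = [
    {"pluginID": "12345", "pluginName": "Example SSH service: multiple vulnerabilities",
     "ip": "10.0.0.5", "dnsName": "Host-A.example.edu", "port": "22", "protocol": "TCP",
     "baseScore": "7.5", "exploitAvailable": "No", "lastSeen": "1569340800"},
    {"pluginID": "12345", "pluginName": "Example SSH service: multiple vulnerabilities",
     "ip": "10.0.0.5", "dnsName": "", "port": "22", "protocol": "TCP",
     "baseScore": "7.5", "exploitAvailable": "Yes", "lastSeen": "1569427200"},
    {"pluginID": "99999", "pluginName": "Example web server: information disclosure",
     "ip": "10.0.0.9", "dnsName": "host-b.example.edu", "port": "80", "protocol": "TCP",
     "baseScore": "5.3", "exploitAvailable": "No", "lastSeen": "1569340800"},
]


def normalize(row):
    """Coerce one export row into typed fields with a stable finding id."""
    key = (row["ip"], row["pluginID"], row.get("port", "0"), row.get("protocol", "").upper())
    finding_id = hashlib.sha256("|".join(key).encode()).hexdigest()[:16]
    return {
        "finding_id": finding_id,
        "ip": row["ip"],
        "dns_name": row.get("dnsName", "").lower() or None,
        "plugin_id": row["pluginID"],
        "plugin_name": row.get("pluginName", ""),
        "port": int(row.get("port") or 0),
        "protocol": key[3],
        "cvss": float(row.get("baseScore") or 0.0),
        "exploit_available": row.get("exploitAvailable", "No").lower() == "yes",
        "last_seen": int(row.get("lastSeen") or 0),
    }


def dedupe(rows):
    """Collapse repeated (ip, plugin, port, protocol) rows, keeping the newest.

    Export dumps accumulate one row per sweep; without this step the same
    finding shows up once per scan in the dashboards.
    """
    newest = {}
    for row in rows:
        f = normalize(row)
        cur = newest.get(f["finding_id"])
        if cur is None or f["last_seen"] > cur["last_seen"]:
            # Keep a DNS name seen on any sweep so the newest row does not drop it.
            if cur is not None and f["dns_name"] is None:
                f["dns_name"] = cur["dns_name"]
            newest[f["finding_id"]] = f
    return list(newest.values())


def priority(finding):
    """Assign one consistent priority from CVSS and exploit availability.

    This P1-P4 scheme is the example's own assumption, chosen so the same
    finding always lands in the same bucket regardless of which sweep
    reported it; substitute your program's rules.
    """
    cvss, exploit = finding["cvss"], finding["exploit_available"]
    if cvss >= 9.0 or (cvss >= 7.0 and exploit):
        return "P1"
    if cvss >= 7.0:
        return "P2"
    if cvss >= 4.0:
        return "P3"
    return "P4"


def to_hec_events(findings, index="iso_vulns", sourcetype="tenable:sc:vuln"):
    """Wrap findings in the HEC envelope (time/host/source/sourcetype/index/event)."""
    return [{
        "time": f["last_seen"],
        "host": f["dns_name"] or f["ip"],
        "source": "securitycenter",
        "sourcetype": sourcetype,
        "index": index,
        "event": dict(f, priority=priority(f)),
    } for f in findings]


def hec_payload(events):
    """HEC accepts several events per POST as concatenated JSON objects."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def send_to_hec(events, url, token):
    """POST the batch to a HEC endpoint such as https://splunk.example.edu:8088/services/collector.

    URL and token are placeholders; nothing is sent unless you call this.
    """
    req = urllib.request.Request(
        url, data=hec_payload(events).encode(),
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    print(hec_payload(to_hec_events(dedupe(SAMPLE_EXPORT))))
```

The stable `finding_id` is the piece worth keeping: it lets a Splunk search tell "same finding, re-observed" from "new finding", which is exactly the distinction the Nexpose console blurred.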
For devices on networks that the ISO cannot scan, devices that are sensitive to network scanning, or devices whose passwords are hard to come by, Tenable offers agents. Because an agent runs on the host itself with local privileges, it gives us credentialed-quality results without the ISO having to hold the device's credentials.
What is the change?
SCANS WILL BE AUTOMATED
Instead of relying on individual departments to create scans, the ISO will manage scanning activity centrally on a defined cadence. We are also able to add exclusions quickly across all of our tools, so if any of your devices do not tolerate the increased scanning, let us know. We'll scan for "everything" once every two days, and will run more targeted scans as needed, as frequently as every 4 hours.
YOUR DATA IS IN SPLUNK
Instead of using the clunky Nexpose console for your reporting and dashboards, we've put your data in Splunk. We've built some dashboards here:
We'll be continually improving these over time, so if there is something you'd like to see on the dashboard that doesn't currently exist, email email@example.com and let us know. Likewise, if you are unable to see your events or don't have access, let us know and we'll help you out quickly.
If you have not yet used the ISO's managed Splunk service and you are part of the IT Support community, please see the following to get started:
Some things to consider...
NEXPOSE IS GOING AWAY SOON
The Nexpose license will expire on October 17th, 2019. Once that happens you will no longer be able to scan with that tool. Your SecurityCenter scan data, however, is already in Splunk.
We are not planning on giving TSCs access to the SecurityCenter console.
The permission overhead and provisioning challenges are substantial given how complex the campus network environment is.
Given our planned scanning cadences, we believe the need for ad-hoc scanning outside of those cadences will be very minimal. If your department needs a faster scanning cadence for a particular vulnerability, we will work with you on a case by case basis. Email firstname.lastname@example.org if this is something you need.
We will also be working to provide a "remediation scan" option that can be triggered from Splunk. This would let you confirm more quickly that your change has addressed the issue, if you need to know sooner than the next scheduled sweep.
For now, we don't have an interface to accept credentials from users for doing scanning. So if you need a credential other than iso65's AD account or public key (https://security.utexas.edu/education-outreach/selfscan), please let us know.
You can use Stache (https://stache.utexas.edu) to share the credential with us. Make sure to assign the credential to the "iso-riskmgmt" Stache folder and label it "TENABLE - YOUR_DEPTCODE_HERE".
If this doesn't work for you, you can always use Nessus agents to avoid the credentialing hassle altogether. Reach out to us at email@example.com to get onboarded for agents if this is something you are interested in.