Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Blog da Tenable

Inscrever-se

Tenable.io: To control or not to control, that is the question

Tenable.io:: To control or not to control, that is the question

For large deployments of Tenable, where Tenable.io is shared across geographical or business boundaries, you can leverage role-based access control (RBAC) to logically segment scan data or, where required, restrict access to its scan data. In this blog, we’ll explain the configuration required to implement RBAC successfully.

When Tenable.io is used by multiple users to build your vulnerability management program, there are two schools of thought.

Option 1: Let all users see every vulnerability, while allowing them to narrow their focus on a subset of assets using custom dashboards in conjunction with Tenable.io tag filters.

Option 2: Align closer to a zero trust model by leveraging role-based access control (RBAC) within Tenable.io to logically segment and restrict visibility to a subset of assets and/or resources. 

The first option is very simple to achieve so we won’t focus on it in this article. Instead we will focus on the second option and the configuration of RBAC best practices. All actions outlined below will need to be configured using a Tenable.io administrator account.

Full Tenable.io RBAC segmentation is controlled in multiple locations in the Tenable.io interface. These locations include segmentation based on the sensor network, user access control permissions and scan policy permissions. In each section we will outline why and how to implement these features.

Tenable.io: To control or not to control, that is the question -- image #1

We will use the following scenario to explain how to configure Tenable.io with RBAC. We will assume four regions/business units. Each region will manage their own scans, but will have no access to any other regions’ results or their associated scanners. Full administrators will have access across all regions for central reporting, visibility and configuration. Full access will be authorized to an API user to enable integration with third-party solutions.

Tenable.io: To control or not to control, that is the question -- image #2

Before configuring RBAC, we need to build the foundation it will be applied to. This includes network segmentation and tagging.

Sensor network segmentation

When leveraging a single Tenable.io container across multiple regions/divisions, a key issue you can face is overlapping IP addressing. To disambiguate between assets that have the same IP addresses across environments, use sensor networks in Tenable.io.

Tenable.io sensor networks allow you to segment regions/divisions for each environment, and assign scanners and/or scanner groups to each network. When an asset is scanned, the associated network is added to the asset's details. You can filter assets by network or create dynamic tags based on a defined network. A scanner or scanner group can only belong to one network at a time.

In this scenario, we will be creating four sensor networks – one for each region – then we will deploy Nessus Scanners into each region/organization. 

Tenable.io: To control or not to control, that is the question -- image #3

Do this by following these steps:

     Menu > Settings > Sensors > Network > Add Network

In each region/organization you can then deploy one or more Nessus Scanners and/or Nessus Agents to their relevant sites. Scanners should always be deployed as close as is practical to the targets you want to scan. Once a Nessus Scanner is bound to a sensor network, any asset discovered or scanned by that scanner will be bound to that sensor network.

To ensure only the appropriate regions’ staff can see and schedule scans on their Nessus Scanner(s) it is important that the scanner permissions be updated to meet this requirement. You also need to make sure the correct role is assigned against the user, a topic we cover later.

As administrator, select the Nessus Scanner from the “Linked Scanner” page, go to the “Permissions” tab and ensure “Default” is set to “No Access” and assign the appropriate access required.

Tenable.io: To control or not to control, that is the question -- image #4

For a scanner deployed in Region One we would recommend: 

     Default=No Access, R1Users=Can Use, Administrators=Can Manage. 

Applying automatic tags based on sensor network

To leverage RBAC, filter dashboards and so on, we leverage tags within Tenable.io. Tags can be automatically assigned based on the sensor network.

In this scenario I have created a tag category called “Region” and then a value for each of the regions. The regional tags will be automatically applied based on the sensor network that the asset belongs to. Tags could be used to group targets associated with different business units, locations, remediation teams, and so on.

Por exemplo:

     Tag Category “Region” with Values “One, Two, Three, and Four”

Tenable.io: To control or not to control, that is the question -- image #5

You can configure tag rules to automatically apply the relevant tags. For example, tag “Region:One” is to be applied to any asset where the sensor network is equal to “R1”.

Tenable.io: To control or not to control, that is the question -- image #6

This logic would be applied to each sensor network region (R1, R2, R3, R4.) Any asset discovered or scanned using a Nessus Scanner or a Nessus Agent would then automatically have the relevant tag assigned. (Note: The tag is applied to Nessus Agents after their next scheduled scan is processed – not when they are first linked to Tenable.io.)

RBAC configuration

RBAC is implemented as a combination of roles and permissions.

Roles:

Tenable RBAC is configured in multiple locations. RBAC will be heavily bound to the tagging model defined above. 

The recommendations in this section will cover settings for:

  • Settings > Access Control > Roles
  • Settings > Access Control > Permissions
  • Settings > Access Control > Groups
  • Settings > Sensors > Cloud Scanners > Permissions
  • Settings > Sensors > Linked Scanners > Permissions
  • Scans > Manage Scan Templates > {template} > User Permissions

In Tenable.io, roles allow you to manage privileges for major functions and control which resources users can access. When you create users, you must assign them roles that broadly determine the actions they can perform.

For this example, we want regions/business units to create their own scans so we will leverage the “Standard” role. If you want to lock that down further so only defined scan templates can be used, then “Scan Operator” is the better fit.

The recommended settings are based on the following persona matrix within a large organization:

Administrators Have full administrator privileges over the Tenable.io platform
Organizational Users Can view all results for every region/business unit but have no admin rights
Regional Administrators Can manage their regions' scanners and scan policies, and see all related results
Regional Users Can view all results for their region/business units but have no admin rights

API Users

Can query data from all regions/business units

Tenable.io built-in Roles :

Role Descrição
Administrator Administrators have the same privileges as the Scan Manager user, and can also manage users, groups, system target groups and access groups. Additionally, administrators can view scans created by all users.
Scan Manager

Scan Manager users have the same privileges as the Standard user, and can also manage agents, exclusions and scanners.

Nota: Users with the Scan Manager role can see all scanners, not just the ones they have been given rights to see. 

Standard Standard users can create scans, templates and user target groups.

Scan Operator

Scan Operator users can create and run scans based on templates which the company has authorized.

Básico Basic users can only view scan results and manage their user profile.
Disabled Disabled user accounts cannot be used to log into Tenable.io.

Tenable RBAC is implemented as a combination of Roles and Permissions. To restrict visibility of assets and results, we will create four User Groups (R1Users, R2Users, R3Users and R4Users). Once the Role and Group(s) are defined you can create a Permission set for the users. 

Tenable.io: To control or not to control, that is the question -- image #7

In our scenario we will restrict the assets based on the tags we configured earlier.
Here’s an example: 

     “R1User” permissions are assigned to the ‘R1Users Group’

     Added Permissions: Can View, Can Scan, Can Use

     Assigned Objects: Region:One

Tenable.io: To control or not to control, that is the question -- image #8

Lastly we will create the user profiles and add them to their relevant User Group.
For example User “R1User” is created and added to the “R1Users” Group

Tenable.io: To control or not to control, that is the question -- image #24

(Note: For existing customers who are using access groups for their access management, Tenable.io is replacing access groups with permissions.)

It is important to remove the “All Assets” permission set, and remove any reference to “All Users” from any of the permission sets. This ensures that only administrators have visibility into all assets and that users will only be able to see their tags and relevant assets.

Based on the Persona Matrix, the following would be recommended:

Role RBAC Category Recommended Setting
Administrator Role Administrator
Permissions

All tags: Can View, Can Scan, Can Use, Can Edit

Nota: Admin rights are implied (no specific policy required)

Enterprise Users

Role

Básico

Permissions All tags: Can View, Can Use
Organizational Admins Role Scan Manager
Permissions Region{x} Tag(s): Can View, Can Scan, Can Use
Nota: This can be locked down further by using the Scan Operator role, which restricts access to only using approved scan templates.
Organizational Users Role Básico
Permissions Region{x} Tag(s): Can View, Can Use
Enterprise API Account Role Administrator
Permissions All tags: Can View, Can Use

Nota: Even though the account is a full Administrator, you do need to specifically allow rights to access data via the API.

The API user should not have access to the Tenable.io UI. Ensure only API authentication is enabled on this account.

Additional Permission changes:

To ensure all users can only access authorized data you will need to find the permission entry listed against “All Assets” objects and remove the “All Users” group. For the permission set, only users or groups who are authorized to view all assets should be listed.

Additional Role configuration options:

Tenable.io Roles can be further customized to control access to other capabilities. These include the ability to:

  • manage recast/accept rules for a vulnerability
  • view recast/accept rules
  • view capabilities in Tenable.one
  • create Exposure Cards in Tenable.one
  • manage Tags in Tenable.one

Nota: The Tenable.io RBAC policies continue to be updated with further user controls.

Scan policy permissions

Outside of RBAC policies, a user/group can be given access to see scan results from within the scan policy permissions. To ensure that access to scan results is not exposed to unauthorized users, configure scan policies with the “Default:No Access” policy. If this is not in place and a scan policy is shared, then a restricted user can still click on the scan and see all the scan results. This is true for both vulnerability and web app scans.

Tenable.io: To control or not to control, that is the question -- image #10

How these RBAC controls will effect dashboards

When you log in with a restricted user, for example “R1User”:

  • Assets will be restricted to only those with the “Region:One” tag.
  • Vulnerabilities will be restricted to the assets with the “Region:One” tag.
  • When building dashboards or applying filters based on tags, you can only select the tags that have “Can Use” permissions on them.
  • Web application dashboards do not populate for restricted users. If they need to see scan results you can edit “Scan Permissions” to provide visibility.
  • In Lumin, the “Organizational CES” score and metrics are displayed. The “Business Context” section can then be configured with the tags the user has access to. “Business Context/Tag” can be used to focus any of the Lumin metrics onto the relevant regions/tags assets.
Full Admin User Example of restricted User "R1 User"
Tenable.io: To control or not to control, that is the question -- image #12 Tenable.io: To control or not to control, that is the question -- image #13
Tenable.io: To control or not to control, that is the question -- image #14 Tenable.io: To control or not to control, that is the question -- image #16
Tenable.io: To control or not to control, that is the question -- image #17 Tenable.io: To control or not to control, that is the question -- image #18

Available scanners

Tenable.io: To control or not to control, that is the question -- image #19

Available Scanners

Tenable.io: To control or not to control, that is the question -- image #19


Lumin (top view shows organizational metrics)

Tenable.io: To control or not to control, that is the question -- image #20

Tags can be leveraged to show regional metric breakdown

Tenable.io: To control or not to control, that is the question -- image #219

Conclusão

Tenable.io has a robust RBAC capability that can enable you to apply restrictions on everything from the targets and associated weaknesses that a user can see, to the ability to create/schedule scans and what Nessus Scanners are available to them.

Tenable.io RBAC heavily leverages tagging to logically define boundaries that restrictions can be placed around. Make sure to use the automation logic in Tenable.io tags as much as possible to easily maintain the tags assigned against each target asset.

You can find more information here:

Tenable.io key enhancements : RBAC

Tenable.io key enhancements : Tagging

Artigos relacionados

Você está vulnerável às últimas explorações?

Insira seu e-mail para receber os alertas de cyber exposure mais recentes em sua caixa de entrada.

tenable.io

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes.

A avaliação do Tenable.io Vulnerability Management também inclui o Tenable Lumin, o Tenable.io Web Application Scanning e o Tenable.cs Cloud Security.

tenable.io COMPRAR

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

65 ativos

Escolha sua opção de assinatura:

Compre já

Teste gratuitamente o Nessus Professional

GRÁTIS POR 7 DIAS

O Nessus® é o verificador de vulnerabilidades mais abrangente do mercado atualmente. O Nessus Professional ajudará a automatizar o processo de verificação de vulnerabilidades, economizar tempo nos seus ciclos de conformidade e permitirá que você envolva a sua equipe de TI.

Comprar o Nessus Professional

O Nessus® é o verificador de vulnerabilidades mais abrangente do mercado atualmente. O Nessus Professional ajudará a automatizar o processo de verificação de vulnerabilidades, economizar tempo nos seus ciclos de conformidade e permitirá que você envolva a sua equipe de TI.

Compre uma licença para vários anos e economize. Inclua o Suporte avançado para ter acesso ao suporte por telefone, pela comunidade e por bate-papo 24 horas por dia, 365 dias por ano.

Selecione sua licença

Compre uma licença para vários anos e economize.

Adicionar suporte e treinamento

Tenable.io

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes.

A avaliação do Tenable.io Vulnerability Management também inclui o Tenable Lumin, o Tenable.io Web Application Scanning e o Tenable.cs Cloud Security.

Tenable.io COMPRAR

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

65 ativos

Escolha sua opção de assinatura:

Compre já

Teste o Tenable.io Web Application Scanning

Tenha acesso completo à nossa oferta mais recente de verificação de aplicações Web desenvolvida para aplicações modernas como parte da plataforma do Tenable.io. Verifique com segurança por vulnerabilidades em todo o seu portfólio online com um alto grau de precisão sem grandes esforços manuais ou interrupção de aplicações Web críticas. Inscreva-se agora mesmo.

A avaliação do Tenable Web Application Scanning também inclui o Tenable.io Vulnerability Management, o Tenable Lumin e o Tenable.cs Cloud Security.

Comprar o Tenable.io Web Application Scanning

Tenha acesso completo a uma plataforma moderna de gerenciamento de vulnerabilidades baseada na nuvem, que permite que você veja e rastreie todos os seus ativos com uma precisão sem precedentes. Compre hoje a sua assinatura anual.

5 FQDNs

US$ 3.578,00

Compre já

Teste o Tenable.io Container Security

Tenha acesso completo à única oferta de segurança de contêiner integrada a uma plataforma de gerenciamento de vulnerabilidades. Monitore imagens de contêiner por vulnerabilidades, malware e violações de segurança. Unifique sistemas de integração contínua e implantação contínua (CI/CD) para dar suporte às práticas de DevOps, reforçar a segurança e ajudar na conformidade com as políticas da empresa.

Comprar o Tenable.io Container Security

O Tenable.io Container Security habilita com perfeição e segurança os processos de DevOps ao fornecer visibilidade da segurança das imagens de contêiner, incluindo vulnerabilidades, malware e violações de segurança através da integração com o processo de compilação.

Avalie o Tenable Lumin

Visualize e explore sua Cyber Exposure, monitore a redução do risco ao longo do tempo e faça uma análise comparativa com outras empresas do mesmo setor com o Tenable Lumin.

A avaliação do Tenable Lumin também inclui o Tenable.io Vulnerability Management, o Tenable.io Web Application Scanning e o Tenable.cs Cloud Security.

Compre o Tenable Lumin

Entre em contato com um representante de vendas para ver como o Lumin pode ajudar você a obter informações sobre toda a organização e gerenciar o risco cibernético.

Experimente o Tenable.cs

Aproveite o acesso completo para detectar e corrigir erros de configuração da infraestrutura da nuvem e ver vulnerabilidades no tempo de execução. Inscreva-se para uma avaliação gratuita agora mesmo.

A avaliação do Tenable.cs Cloud Security também inclui o Tenable.io Vulnerability Management, o Tenable Lumin e o Tenable.io Web Application Scanning.

Entre em contato com um representante de vendas para comprar o Tenable.cs

Entre em contato com um representante de vendas para saber mais sobre o Tenable.cs Cloud Security e veja como é fácil integrar suas contas na nuvem e obter visibilidade das configurações incorretas e vulnerabilidades da nuvem em questão de minutos.

Teste o Nessus Expert gratuitamente

GRÁTIS POR 7 DIAS

Desenvolvido para a superfície de ataque moderna, o Nessus Expert permite ver mais e proteger sua organização de vulnerabilidades, da TI à nuvem.

Já tem uma licença do Nessus Professional?
Atualize para o Nessus Expert gratuitamente por 7 dias.

Comprar o Nessus Expert

Desenvolvido para a superfície de ataque moderna, o Nessus Expert permite ver mais e proteger sua organização de vulnerabilidades, da TI à nuvem.

Selecione sua licença

Preço promocional prorrogado até 28 de fevereiro.
Compre uma licença para vários anos e economize mais.

Adicionar suporte e treinamento