by Cody Dumont
January 13, 2015
Managing workstation vulnerabilities is often so time-intensive that infrastructure vulnerabilities may be overlooked. Tenable’s SecurityCenter Continuous View (CV) provides the ability to track vulnerabilities and logs from VMware solutions. This report provides a summary and detailed view of the current threats to virtual infrastructure. When analyzing threats to the virtual infrastructure, the security professional should include active, passive, and event-based detection methods. Additionally, Nessus provides the ability to perform configuration audits by using the API in vCenter or by directly querying the hypervisors.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Threat Detection & Vulnerability Assessments. The report requirements are:
- SecurityCenter 4.8.1
- Nessus 6.1.1
- PVS 4.0.3
- LCE 4.4.1
The analysis of the virtual infrastructure begins with configuring the hypervisors and vCenter to send log data to Tenable’s Log Correlation Engine (LCE) for event normalization and vulnerability analysis. LCE currently supports over 20 normalized events. The normalized events are grouped by event type. The VMware normalized events are part of the application, login, detected-change, and login-failure event types. These events detect such things as admin logins, VM movements (such as VMotion), defragmentation, and power changes.
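To show what event normalization of this kind looks like in practice, here is an added example (not Tenable's code, and not LCE's actual signatures) that sorts constructed ESXi/vCenter syslog lines into the four event types named above and flags sources with repeated login failures. The message formats, host names and addresses are assumptions made for the example.

```python
import re

# Patterns approximate ESXi hostd / vCenter vpxd syslog messages (constructed for
# this example, not LCE's real signatures); each maps to one event type from the text.
RULES = [
    ("login-failure", re.compile(r"Rejected password for user (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("login", re.compile(r"User (?P<user>\S+)@(?P<src>[\d.]+) logged in as (?P<client>\S+)")),
    ("detected-change", re.compile(r"Migration of virtual machine (?P<vm>\S+) from host (?P<src_host>\S+) to host (?P<dst_host>\S+)")),
    ("detected-change", re.compile(r"Virtual machine (?P<vm>\S+) on host (?P<host>\S+) is powered (?P<state>on|off)")),
    ("application", re.compile(r"Defragment(?:ation|ing) of (?P<target>\S+)")),
]

# Constructed sample log lines, not captured from a real vSphere environment.
SAMPLE_LOGS = """\
Jan 13 09:01:02 esxi01 Hostd: Rejected password for user root from 10.0.0.25
Jan 13 09:01:05 esxi01 Hostd: Rejected password for user root from 10.0.0.25
Jan 13 09:01:09 esxi01 Hostd: Rejected password for user root from 10.0.0.25
Jan 13 09:02:11 esxi01 Hostd: User root@10.0.0.25 logged in as VMware-client/5.5.0
Jan 13 09:05:40 vcenter01 vpxd: Migration of virtual machine web01 from host esxi01 to host esxi02 completed
Jan 13 09:06:02 vcenter01 vpxd: Virtual machine db01 on host esxi02 is powered off
Jan 13 09:07:15 esxi02 Hostd: Defragmentation of datastore1 finished
Jan 13 09:08:00 esxi02 vmkernel: cpu3:32789 ALERT: unrelated kernel message
"""

def normalize(line):
    """Return {'type': ..., <named fields>} for the first matching rule, else None."""
    for event_type, pattern in RULES:
        match = pattern.search(line)
        if match:
            return {"type": event_type, **match.groupdict()}
    return None

def summarize(log_text, failure_threshold=3):
    """Count events per type and list sources with repeated login failures."""
    counts = {}
    failures_by_src = {}
    for line in log_text.splitlines():
        event = normalize(line)
        key = event["type"] if event else "unmatched"
        counts[key] = counts.get(key, 0) + 1
        if event and key == "login-failure":
            failures_by_src[event["src"]] = failures_by_src.get(event["src"], 0) + 1
    # Sources at or above the threshold are worth a closer look (a report row, not a verdict).
    repeat_offenders = sorted(src for src, n in failures_by_src.items() if n >= failure_threshold)
    return counts, repeat_offenders

if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```

Lines that match no rule are counted as "unmatched" so that gaps in signature coverage stay visible in the summary.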
After log data is collected, the detection of hypervisors and virtual machines is possible by combining event-based detections with passive and active detection methods. The event-based detections use signatures in the logs to identify the servers running hypervisor software. Using active and passive detection, both hypervisors and virtual machines can be identified.
Once the hypervisors are properly identified, they can be scanned and their configurations audited using Nessus. When performing active scans of the hypervisors, SecurityCenter CV uses the API in vCenter or the ESXi API to analyze the configuration and detect vulnerabilities. Each vulnerability found is identified by its VMSA number. VMware publishes VMware Security Advisories (VMSAs) to document remediations for security vulnerabilities identified in VMware products.
SecurityCenter CV supports tight integration and API extensibility with virtualization systems, SIEMs, malware defenses, patch management tools, BYOD, and firewalls. LCE has the ability to scale to meet the future demand of monitoring virtualized systems, cloud services, and the proliferation of devices. Tenable’s Passive Vulnerability Scanner (PVS) provides deep packet inspection to continuously discover and track users, applications, cloud infrastructure, trust relationships, and vulnerabilities. When combined, all of these features provide a more complete view into threat detection and vulnerability management.
Chapters
Executive Summary - This chapter provides an executive summary view of VMware related threats. There are several components showing vulnerability trending, current vulnerabilities by VMSA, and events related to VMware hypervisors.
VMware Detection Details - This chapter provides a list of hosts identified as VMware vCenter/vSphere servers and a list of the virtual hosts running on each system.
Vulnerability and Event Summary - This chapter provides bar charts and tables summarizing the vulnerabilities identified by Nessus and PVS, along with a summary of normalized events identified by LCE and reported to SecurityCenter.
Vulnerability Details - The chapter provides a detailed summary of all vulnerabilities.