ACME Customer Case Study

A customer, ACME, was using a single Tenable Security Center instance that managed 40 scanners to perform network vulnerability assessments of approximately 1,200 stores on a monthly basis.

ACME wished to update their existing operational model to leverage Tenable Agents to collect assessment results from approximately 70,000 assets. ACME implemented a hybrid approach using the Tenable Vulnerability Management platform to manage agent scanning operations and import agent scan results into Tenable Security Center for unified analytics and reporting of both network and agent assessment results.

The intent of this case study is to highlight key configuration considerations that were implemented when ACME moved forward with deploying Tenable Agents.

Objectives

ACME's primary success criterion for the Tenable Agent project was the ability to use agents across its store infrastructure to collect in-depth asset data while reducing the network latency that remote network scans were causing.

Scanning coverage:

  • To implement local host scanning using agents on assets across stores, providing more detailed vulnerability assessment results than the existing unauthenticated active network scans run against stores from the headquarters datacenters.
  • To use agent scans to reduce the impact to ACME's network and allow for more frequent scans.

Solution

A Tenable Vulnerability Management and Tenable Security Center hybrid deployment was used in their enterprise environment. Tenable Vulnerability Management was required for agent scan operations, and the existing Tenable Security Center infrastructure was used for advanced analytics and reporting. By leveraging Tenable Vulnerability Management for agent scan operations, ACME could automatically scale for large numbers of agents and assets, without the need for on-prem software and hardware.

ACME leveraged their existing Tenable Security Center infrastructure to achieve their vulnerability management program goals by importing agent scan data from Tenable Vulnerability Management into Tenable Security Center for unified reporting and analytics. This solution split the environment into two tiers, Reporting (Tenable Security Center) and Operational (Tenable Vulnerability Management), so that ACME could optimize reporting experiences for its end users, while not impacting the data acquisition capabilities of the platform.

Tenable Agent Operational Tier (Tenable Vulnerability Management)

The primary purpose for the Operational Tier (Tenable Vulnerability Management) was to perform agent management and agent scan operations.

Functions performed

The following processes and uses take place in the Operational Tier (Tenable Vulnerability Management).

  • Deployed agents are linked to Tenable Vulnerability Management.
  • Agents are organized into agent groups. An agent can be assigned to an agent group during installation.
  • Agent scans are established to obtain assessment results from agents via agent groups.
  • Agents automatically have plugin and version updates applied by Tenable Vulnerability Management.
  • Customers can “opt out” of having agent version updates automatically applied.

Considerations

  • Agents were deployed using ACME's internal software distribution processes (in this case, SCCM).
  • Agent groups included no more than 20,000 agents per group (10,000 is recommended). Limiting the number of agents in each agent group ensures that Tenable Security Center can import scan results successfully. This limitation only applies when Tenable Security Center is part of the deployment.
  • Agent scans were restricted to a single agent group each.
  • Agent group membership was established by functional zones (by location, role, etc.) for organizational purposes.
  • ACME monitored for agent deployment issues (failed installations, linking failures, etc.) out of band (logging client, scripts, etc.).
  • Agents only performed local vulnerability assessments and did not perform network-based assessment (for example, SSL or CGI network-based assessments).
  • Network and firewalls were configured to allow agents to communicate with https://cloud.tenable.com.

Tier design

Design assumptions included:

  • ACME leverages internal processes and tooling to deploy the Tenable Agent software.
  • ACME establishes 50-70 agent groups.
  • ACME configures 50-70 agent scans.

Reporting Tier (Tenable Security Center)

The primary purpose of the reporting tier was to allow for centralized analytics and reporting of data collected from the Tenable Agent operational tier (Tenable Vulnerability Management). Dashboards, analytics, reports, and Assurance Report Cards are leveraged on this tier.

Functions performed

The following processes and uses take place in the Reporting Tier (Tenable Security Center).

  • Tenable Vulnerability Management was added to Tenable Security Center as an “agent capable” scanner.
  • Agent scans in Tenable Security Center were configured to retrieve agent scan results from Tenable Vulnerability Management.
  • Analytics, dashboards, reports, and Assurance Report Cards in Tenable Security Center were leveraged for all assessment types (Agent and Network Scanning).

Considerations

  • Tenable recommended that ACME configure Tenable Security Center to retrieve agent scan results from Tenable Vulnerability Management the same day Tenable Vulnerability Management collects assessment results from agents. This configuration ensures that Tenable Security Center captures proper detection dates.
  • Tenable Security Center required additional data repositories to support the agent results. Tenable recommended that ACME establish two new repositories in Tenable Security Center for agent results, because each repository can handle at most about 50,000 assets.
  • Tenable Security Center 5.7 introduced an agent-specific repository that leverages the agent UUID to better track uniqueness when results are imported into Tenable Security Center.
  • ACME needed to perform a full analysis on their current Tenable Security Center hardware configuration to determine if additional CPU/RAM/HDD was required for the additional data resulting from importing agent scan results.

Tier design

Design assumptions included:

  • ACME will establish two (2) repositories to store agent scan results.
  • ACME will establish 50-70 agent scans to retrieve agent scan results from Tenable Vulnerability Management.
  • ACME will balance each agent scan retrieval evenly across the two (2) new repositories.
  • ACME will evaluate current infrastructure to determine if additional CPU/RAM/HDD is required.
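As an added example (not Tenable's or ACME's code), the following Python script applies the figures from the Operational Tier and Reporting Tier designs above: it splits the agents in each functional zone into agent groups within the recommended 10,000 (maximum 20,000) size, assumes one agent scan per group, balances those scan imports across two repositories, and flags any repository that would exceed roughly 50,000 assets. The zone sizes and the group and repository names are constructed.

```python
# Constructed example (not Tenable's code): capacity checks for the two-tier
# design. Limits are the figures the case study quotes; zone sizes are invented.
import math
from dataclasses import dataclass

AGENT_GROUP_HARD_CAP = 20_000     # no more than 20,000 agents per group
AGENT_GROUP_RECOMMENDED = 10_000  # 10,000 per group is recommended
REPOSITORY_ASSET_CAP = 50_000     # a repository handles up to ~50,000 assets

# Constructed sample: agents per functional zone, 70,000 in total.
SAMPLE_ZONES = {"stores-east": 30_000, "stores-west": 25_000,
                "stores-central": 12_000, "dc-hq": 3_000}

@dataclass
class AgentGroup:
    name: str
    agents: int
    repository: str = ""  # repository that its single agent scan imports into

def plan_agent_groups(zones, target=AGENT_GROUP_RECOMMENDED):
    """Split each zone into evenly sized groups of at most `target` agents;
    one agent scan per group is assumed, so this is also the scan list."""
    groups = []
    for zone, count in zones.items():
        parts = max(1, math.ceil(count / target))
        base, extra = divmod(count, parts)
        for i in range(parts):
            groups.append(AgentGroup(f"{zone}-{i + 1:02d}", base + (1 if i < extra else 0)))
    return groups

def assign_repositories(groups, repositories):
    """Largest group first into the least-loaded repository (balanced
    import); returns the asset count landing in each repository."""
    load = {r: 0 for r in repositories}
    for g in sorted(groups, key=lambda g: g.agents, reverse=True):
        g.repository = min(load, key=load.get)
        load[g.repository] += g.agents
    return load

def validate(groups, load):
    """Return the design constraints a plan violates (empty list means OK)."""
    issues = []
    for g in groups:
        if g.agents > AGENT_GROUP_HARD_CAP:
            issues.append(f"{g.name}: {g.agents} agents exceeds the hard cap")
        elif g.agents > AGENT_GROUP_RECOMMENDED:
            issues.append(f"{g.name}: {g.agents} agents exceeds the recommended size")
    for repo, assets in load.items():
        if assets > REPOSITORY_ASSET_CAP:
            issues.append(f"{repo}: {assets} assets exceeds the repository cap")
    return issues
```

Calling `validate(groups, assign_repositories(groups, [...]))` with a single repository for the 70,000-agent sample reports the repository cap breach, which is the reason the design above uses two repositories.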