Initech Customer Case Study

A customer, Initech, was using a tiered Tenable Security Center deployment across a large federated environment consisting of 30+ sub-organizations, 40,000 users, 60,000 devices, and 150,000+ active IPs. They performed weekly network vulnerability assessments with over 75 scanners at sites located around the United States.

Initech had a reporting requirement to perform more frequent assessments of their systems and to be able to remotely gather data from user laptops when they were off-site. Initech deployed over 50,000 Tenable Agents to accomplish this task, using a hybrid model with both Tenable Nessus Manager and Tenable Vulnerability Management, feeding data back into Tenable Security Center for analytics and reporting.

The intent of this case study is to highlight key configuration considerations that were implemented when Initech moved forward with deploying Tenable Agents.

Objectives

The primary goals defined by Initech to measure the success of the Tenable Agent project were to gather data more frequently, assess remote systems, and reduce the burden posed by managing credentials across a large disparate enterprise.

Solution

A Tenable Nessus Manager and Tenable Vulnerability Management hybrid deployment was used for agents in their enterprise environment. Tenable Vulnerability Management was required for user workstation Tenable Agent scan operations, and Tenable Nessus Manager was used for servers and other permanent on-premise infrastructure.

  • Initech used the scaling ability, uptime guarantee, and cloud flexibility of Tenable Vulnerability Management to meet the dynamic requirements of a constantly changing workstation environment.
  • Initech used Tenable Nessus Manager, an on-premise solution, to provide more user control over the scan data for more sensitive systems, such as server infrastructure.

Initech leveraged their existing Tenable Security Center infrastructure to achieve their vulnerability management program goals by importing agent scan data from Tenable Nessus Manager and Tenable Vulnerability Management into Tenable Security Center for unified reporting and analytics.

Agent Deployment (Tenable Nessus Manager and Tenable Vulnerability Management)

The primary purpose for Tenable Nessus Manager was to perform agent management and agent scan operations for on-premise infrastructure (10,000 systems), while Tenable Vulnerability Management was used for agent management and scan operations of user workstations (40,000 systems).

Functions performed

  • Deployed agents are linked to Tenable Nessus Manager or Tenable Vulnerability Management depending on system type.
  • Agents are organized in agent groups. Agents can be assigned to agent groups during the installation process.
  • Agent scans are established to obtain assessment results from agents via agent groups.
  • Agents automatically have plugin and version updates applied by Tenable Nessus Manager or Tenable Vulnerability Management.

Considerations

  • Agents were deployed using Initech's internal software distribution processes (in this case, a large variety of platforms including Altiris, SCCM, Tivoli, Casper, and others).
  • Agent groups included no more than 2,000 agents per group (1,000 is recommended). Limiting the number of agents in each agent group ensures that Tenable Security Center is able to successfully import scan results. This limitation only applies when Tenable Security Center is part of the deployment.
  • Agent scans were restricted to a single agent group each.
  • Agent scan policies were more thorough and verbose than the network scans due to the increased efficiency of agent scan distribution.
  • On-Premise/Server agent scan windows were restricted to custom time frames selected by each sub-org to meet individual organizational requirements.
  • User workstation scan windows were set to ~24 hours and repeated daily to ensure full coverage regardless of when a system was turned on.
  • Agent group membership was established by organization and in some cases, operational tier or other functional requirements.
  • Initech monitored for agent deployment issues (failed installations, linking failures, etc.) out of band (logging client, scripts, etc.).
  • Agents only performed local vulnerability assessments and did not perform network-based assessment (for example, SSL or CGI network-based assessments).
  • Network and firewalls were configured to allow infrastructure agents to communicate with the on-premise Tenable Nessus Manager via a custom port, and user workstations to communicate with https://cloud.tenable.com.
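The group-sizing and routing rules above (agents grouped by organization and optionally by tier, servers linked to Tenable Nessus Manager and workstations to Tenable Vulnerability Management, no more than 2,000 agents per group with 1,000 recommended) can be applied mechanically to an asset inventory before rollout. The following planner is an added example written for this page; it is not Tenable or Initech code. It assumes an inventory of records with `hostname`, `org`, `type` and optional `tier` fields, and a group naming convention of `<org>-<type>[-<tier>]-NN`; both are assumptions chosen for the example.

```python
"""
Agent group planner for a hybrid Tenable Agent deployment.

Assigns inventory assets to agent groups by organization (and optional tier),
routes each asset to Tenable Nessus Manager (servers) or Tenable Vulnerability
Management (workstations), and splits any group that would exceed the
per-group cap. Constructed example; the inventory schema and the group
naming scheme are assumptions, not a Tenable convention.
"""
from collections import defaultdict

RECOMMENDED_GROUP_SIZE = 1000  # case study: 1,000 agents per group recommended
HARD_GROUP_LIMIT = 2000        # case study: never more than 2,000 per group

# Which manager handles which system type in the hybrid model described above
MANAGER_FOR_TYPE = {
    "server": "Tenable Nessus Manager",
    "workstation": "Tenable Vulnerability Management",
}


def plan_agent_groups(assets, group_size=RECOMMENDED_GROUP_SIZE):
    """Return {(manager, group_name): [hostnames]}.

    A new numbered chunk is opened whenever a base group (org + type [+ tier])
    would exceed group_size, so no group ever exceeds the cap.
    """
    if group_size > HARD_GROUP_LIMIT:
        raise ValueError(f"group_size {group_size} exceeds hard limit {HARD_GROUP_LIMIT}")
    buckets = defaultdict(list)
    for a in assets:
        if a["type"] not in MANAGER_FOR_TYPE:
            raise ValueError(f"unknown system type {a['type']!r} for {a['hostname']}")
        manager = MANAGER_FOR_TYPE[a["type"]]
        parts = [a["org"], a["type"]]
        if a.get("tier"):
            parts.append(a["tier"])
        buckets[(manager, "-".join(parts))].append(a["hostname"])
    plan = {}
    for (manager, base), hosts in sorted(buckets.items()):
        hosts = sorted(hosts)
        for n, start in enumerate(range(0, len(hosts), group_size), start=1):
            plan[(manager, f"{base}-{n:02d}")] = hosts[start:start + group_size]
    return plan


def validate_plan(plan):
    """List (manager, group, size) for any group over the hard limit.

    Useful for checking a plan that was edited by hand after generation.
    """
    return [(m, g, len(h)) for (m, g), h in plan.items() if len(h) > HARD_GROUP_LIMIT]


def summarize(plan):
    """Groups and agents per manager, for comparison with the design assumptions
    (e.g. 30-50 agent groups per manager, 10,000 agents on Nessus Manager)."""
    summary = defaultdict(lambda: {"groups": 0, "agents": 0})
    for (manager, _), hosts in plan.items():
        summary[manager]["groups"] += 1
        summary[manager]["agents"] += len(hosts)
    return dict(summary)


def sample_inventory():
    """Constructed sample inventory; not real Initech data."""
    inv = [{"hostname": f"ws-{i:05d}", "org": "orgA", "type": "workstation"}
           for i in range(2500)]
    inv += [{"hostname": f"srv-{i:04d}", "org": "orgA", "type": "server", "tier": "prod"}
            for i in range(150)]
    inv += [{"hostname": f"db-{i:04d}", "org": "orgB", "type": "server"}
            for i in range(40)]
    return inv


if __name__ == "__main__":
    plan = plan_agent_groups(sample_inventory())
    for (manager, group), hosts in plan.items():
        print(f"{manager:34} {group:24} {len(hosts):5d} agents")
    print(summarize(plan))
    print("violations:", validate_plan(plan))
```

With the sample inventory the 2,500 orgA workstations land in three Tenable Vulnerability Management groups (1,000 / 1,000 / 500) while the 190 servers form two Tenable Nessus Manager groups; `summarize` gives the per-manager group count to compare against the 30-50 groups per manager assumed in the tier design.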

Tier design

Design assumptions included:

  • Initech will leverage internal processes and tooling to deploy the agent software.
  • Initech will establish 30-50 agent groups in both Tenable Nessus Manager and Tenable Vulnerability Management.
  • Initech will configure 30-50 agent scans in both Tenable Nessus Manager and Tenable Vulnerability Management.
  • Initech will configure and provision a Tenable Nessus Manager that can handle 10,000 agents connecting to it.

Reporting and Network Scanning (Tenable Security Center)

The primary purpose of the reporting tier was to allow for centralized analytics and reporting of data collected from the Tenable Agents and existing network scans. Dashboards, analytics, reports, and Assurance Report Cards are leveraged on this tier.

Functions performed

The following processes and uses take place in Tenable Security Center.

  • Tenable Nessus Manager and Tenable Vulnerability Management were added to Tenable Security Center as “agent capable” scanners.
  • Agent scans in Tenable Security Center were configured to retrieve agent scan results from Tenable Nessus Manager and Tenable Vulnerability Management.
  • Agent data was placed in new repositories according to existing data models.
  • Analytics, dashboards, reports, and Assurance Report Cards in Tenable Security Center were leveraged for all assessment types (Agent and Network Scanning).

Considerations

  • Tenable Security Center required additional data repositories to support the agent results. Tenable recommended that Initech establish multiple new repositories in Tenable Security Center for agent results, because combining agent and network assessment results in the same repository can cause reporting challenges.
  • Initech needed to perform a full analysis on their current Tenable Security Center hardware configuration to determine if additional CPU/RAM/HDD was required for the additional data resulting from importing agent scan results.
  • Initech needed to evaluate their existing network scan structures/policies to ensure limited data overlap once agent assessments were implemented and data imported into Tenable Security Center.

Tier design

Design assumptions included:

  • Initech will establish multiple repositories to store agent scan results.
  • Initech will establish 60-100 agent jobs to retrieve agent scan results from Tenable Vulnerability Management and Tenable Nessus Manager.
  • Initech will evaluate current infrastructure to determine if additional CPU/RAM/HDD is required.
  • Initech will evaluate existing scan structures/policies to limit data overlap.