Transition from Frictionless Assessment to Agentless Assessment

Important: Tenable has announced the End of Life for Legacy Tenable Cloud Security. You can continue to access the application and receive support through September 30, 2024. Tenable recommends that you move to the current version of Cloud Security immediately. For more details, see the End of Life bulletin.

Agentless Assessment is a new, flexible, and easier-to-deploy approach to scanning cloud-based hosts. It complements other scanning methods, such as Tenable Nessus Agents or Tenable Nessus scanners, and replaces Frictionless Assessment. This document helps you transition from Frictionless Assessment to Agentless Assessment.

The following are some of the benefits of Agentless Assessment when compared to Frictionless Assessment:

  • No need to manage or update an agent on an operating system or network.

  • No performance impact on workloads.

  • Beneficial for ephemeral workloads that do not stay up long enough to load an agent.

  • Live results based on the Tenable plugin library.

Follow these high-level steps to transition from Frictionless Assessment to Agentless Assessment:

  1. Plan the Transition.

  2. Remove and Clean Up Frictionless Assessment Artifacts.

  3. Ensure Agentless Assessment Prerequisites are met.

  4. Ensure Tenable Cloud Security Readiness.

  5. Review Agentless Assessment Results.

  6. Repeat the Process for Each Project.

  7. Delete Licensed Frictionless Assets from Tenable Vulnerability Management.

Step 1: Plan the Transition

Review the following resources before transitioning from Frictionless Assessment to Agentless Assessment:

Removing Frictionless Assessment and its related cloud resources halts scanning. Plan these transition steps so that they align with your scan window, and ensure that no security scans are performed during the transition.

Step 2: Remove and Clean Up Frictionless Assessment Artifacts

AWS

For each account and region where you deployed and configured Frictionless Assessment, remove the CloudFormation template to clean up the Amazon EC2 Simple Systems Manager (SSM) artifacts that were deployed. After the removal completes, verify that the following artifacts have been removed from AWS Systems Manager:

  • Tenable SSM Document

  • Tenable SSM Association

  • Tenable SSM Resource Data Sync
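One way to run the verification above for each region, as an added example that is not Tenable's code: it lists the account's own SSM documents, associations, and resource data syncs with boto3 and reports any whose name contains "tenable". The name match, the `find_leftovers` helper, and the constructed sample responses are assumptions; adjust the match to the names your CloudFormation deployment created.

```python
NEEDLE = "tenable"  # assumption: the deployed artifacts carry "tenable" in their names

def _pages(call, key, **kwargs):
    """Yield every item of a NextToken-paginated SSM list call."""
    while True:
        resp = call(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("NextToken"):
            return
        kwargs["NextToken"] = resp["NextToken"]

def find_leftovers(ssm, needle=NEEDLE):
    """Return {artifact kind: [identifiers]} for SSM artifacts matching needle."""
    hit = lambda name: needle.lower() in (name or "").lower()
    docs = _pages(ssm.list_documents, "DocumentIdentifiers",
                  Filters=[{"Key": "Owner", "Values": ["Self"]}])
    assocs = _pages(ssm.list_associations, "Associations")
    syncs = _pages(ssm.list_resource_data_sync, "ResourceDataSyncItems")
    return {
        "document": sorted(d["Name"] for d in docs if hit(d["Name"])),
        # An association names its document in Name; AssociationName is optional.
        "association": sorted(a["AssociationId"] for a in assocs
                              if hit(a.get("Name")) or hit(a.get("AssociationName"))),
        "resource_data_sync": sorted(s["SyncName"] for s in syncs if hit(s["SyncName"])),
    }

class ConstructedSSM:
    """Constructed sample responses (not real account data) for an offline run."""
    def list_documents(self, **kw):
        if "NextToken" not in kw:
            return {"DocumentIdentifiers": [{"Name": "Team-PatchDoc"}], "NextToken": "2"}
        return {"DocumentIdentifiers": [{"Name": "Tenable-Sample-Doc"}]}
    def list_associations(self, **kw):
        return {"Associations": [
            {"AssociationId": "assoc-sample-1", "Name": "Tenable-Sample-Doc"},
            {"AssociationId": "assoc-sample-2", "Name": "AWS-RunPatchBaseline"}]}
    def list_resource_data_sync(self, **kw):
        return {"ResourceDataSyncItems": []}

if __name__ == "__main__":
    import sys
    clients = {"constructed-sample": ConstructedSSM()}
    if sys.argv[1:]:  # real run: pass the regions where Frictionless Assessment was deployed
        import boto3  # needs credentials allowed to call the three ssm:List* actions
        clients = {r: boto3.client("ssm", region_name=r) for r in sys.argv[1:]}
    for region, ssm in clients.items():
        for kind, names in find_leftovers(ssm).items():
            print(f"{region}: {kind}: {', '.join(names) or 'none left'}")
```

Run it once per account with that account's credentials; a region is clean when all three kinds report none left.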

Azure

For each subscription and Azure region where you deployed Frictionless Assessment, remove the resource groups and any related resources to clean up Frictionless Assessment artifacts.

Tenable Vulnerability Management

Remove all the Frictionless Assessment cloud connectors for AWS and Azure from Tenable Vulnerability Management.

For more information, see Remove Frictionless Assessment.

Step 3: Agentless Assessment Prerequisites

Verify that you have enabled snapshots on relevant EC2 instances and virtual machines and have at least one snapshot per machine or volume you plan to scan:

For information about other requirements for Agentless Assessment, see the following:

Step 4: Ensure Tenable Cloud Security Readiness

Ensure that you have met all requirements and set up Agentless Assessment in Tenable Cloud Security.

Before you begin:

  • Log in to Tenable Cloud Security to confirm access.

  • Create relevant Tenable Cloud Security projects. For more information, see Create a Project.

  • Onboard all the required cloud accounts and assign these accounts to the projects. For more information, see Discover Cloud Accounts.

  • Ensure that you have created appropriate snapshots for the resources that you want to scan using Agentless Assessment. For more information, see Step 3: Agentless Assessment Prerequisites.

To perform an agentless assessment scan:

  1. For each project, create a new scan profile.

    Note: Do the following when creating the scan profile:
    • In Step 1, in the Cloud config assessment options section, select only the relevant IaaS compute resources (EC2 Instance and Azure Virtual Machines) for your scan.
    • In Step 2, click the Enable Vulnerability Scan toggle to enable vulnerability assessment.

  2. Edit the newly created scan profile and configure the scan schedule to run at least once every 24 hours to replicate the Frictionless Assessment schedule.

  3. Start your scan.

Step 5: Review Agentless Assessment Results

Review the following results for Agentless Assessment:

  • Agentless Assessment provides vulnerability findings to the Tenable Cloud platform, populating all data sources.

  • Agentless Assessment populates vulnerability findings in dashboards, including the Tenable Vulnerability Management Dashboard and the Tenable Cloud Security Dashboard.

  • Tenable Vulnerability Management displays vulnerabilities under Explore > Findings. To filter on your Agentless Assessment results, add a filter for Scan Origin = Agentless Assessment. For more information, see Findings.

Step 6: Repeat the Process for Each Project

In Tenable Cloud Security, repeat all the steps listed above for each project. Here is a summary of the important steps to be performed when transitioning from Frictionless Assessment to Agentless Assessment:

  • Ensure that you have created appropriate snapshots for the resources that you want to scan using Agentless Assessment.

  • Enable Vulnerability Scans for each scan profile you created.

  • Perform an on-demand scan using that scan profile.

  • Once the scan is completed in Tenable Cloud Security, check the total instances from Home > Vulnerabilities.

  • When ready, enable scheduled scans for this scan profile.

Step 7: Delete Licensed Frictionless Assessment Assets from Tenable Vulnerability Management

Delete all licensed assets that use Frictionless Assessment from Tenable Vulnerability Management.

  1. In Tenable Vulnerability Management, click Explore > Assets.

    The Assets page appears.

  2. In the Filters section, add the filter Source = AWS FA and Azure FA, and click Apply.

  3. In the assets table, select all the assets.

    The action bar appears at the bottom of the page.

  4. In the action bar, click the Delete button.

For more information, see Delete Assets.