How Pairing Splunk and Nessus Generates Security Metrics
A Quick Nessus Breakdown
Have you heard of Tenable’s Nessus? Here’s a quick breakdown: Nessus is the world’s most popular vulnerability scanning solution offered by Tenable. Nessus enables the ability to connect to a multitude of servers, complete a vulnerability scan, and generate an executive report.
Nessus helps the security pros on the front lines quickly and easily identify and fix vulnerabilities, including software flaws, missing patches, malware, and misconfigurations across a variety of operating systems, devices, and applications.
How Splunk and Nessus Work Together
First off, you’re going to want to check out Splunkbase (the Splunk app store). If you’re not familiar with it, it offers over 2,000 apps, most of which are free. It allows you to download and install apps that’ll sit on top of your Splunk deployment, and many times, they come with prebuilt dashboards, reports, and alerts.
It’s important to recognize that there are two different types of apps: regular Splunk apps, and add-ons. The apps, typically named [Vendor] App for Splunk or Splunk App for [Vendor], will have prebuilt dashboards, reports, and alerts all done for you. When you download the Tenable App for Splunk, you’ll already have out of the box dashboards, reports, and alerts, that have been built to give you an increased visibility into your environment and overall security posture. The next step is to onboard the data, which will make all of these dashboards start to populate.
To onboard any type of data, you’ll want to go back to the app store and check for an add-on app (sometimes called TA’s). These add-on apps have been built to assist you in onboarding data into Splunk from a vendor. For example, if we want to onboard data from a Windows or Linux operating system, the add-ons for them will come with a prebuilt list of different data sources that you can index, such as system logs, security logs, application logs, host monitoring, network monitoring, performance monitoring, and more. You simply go through the list and enable anything that you want.
For the case of onboarding your Nessus vulnerability scans, Splunk will onboard the data by reaching out to Nessus’ API. Grab the Splunk Add-on for Tenable in the app store and install into your Splunk instance. After this is installed, you will see an easy to use interface to input your Nesses API credentials. Type them in, click save, and you are done. Splunk will start reaching out to the Nessus API and onboarding your vulnerability scans to now search, analyze, visualize, report, and alert all from one place.
Using Tenable’s Security Center and not Nessus? No problem, the same add-on allows you to input configurations to onboard your vulnerability log data from Security Center as well.
Now that we have the data being indexed into Splunk, click back into the Tenable App for Splunk and check out all the prebuilt dashboards, now being populated with your data.
Why Use Splunk and Nessus?
Pairing Splunk and Nessus will not only give you better visibility into the vulnerabilities within your environment, but will also give you better visibility into your environment as a whole, giving security analyst or leadership operational intelligence with real-time insights.
By analyzing dashboards particularly focused on your vulnerability logs, you’ll be able to see metrics such as the total percentage of vulnerable systems within your environment, the average count of vulnerability per system, which system has the highest count or severity of vulnerabilities, and more. Because Splunk stores a copy of the raw data and can analyze the data over time, we can also look at trends and determine whether vulnerabilities in particular systems or across your network have increased.
Vulnerability scans on their own are only going to get you so much information. By putting that data into Splunk, that information becomes usable, searchable, and easy to explore. If you had the need to determine vulnerabilities on particular hosts, you can easily look at the coinciding report or review your dashboard. You can even take it a step further and execute on analysis of disparate data. If you notice an attack or breach has happened, you can analyze that data along with your vulnerability scan logs to see if there was any correlation.
If you’d like some points on using Splunk and Nessus together, August Schell is here to help you. Get in touch with an August Schell Splunk engineer, or call us to speak to someone today at (301)-838-9470.