Overview
Tenable
This solution uses Tenable Nessus to take a deeper look at the solution stack by using targeted scans and predefined templates to flag known vulnerabilities in the systems that may be exploited. We used the following scans during testing:
Basic Network Scan
This scan has all of Tenable.io's current plugins enabled. It provides a quick and easy way to scan assets for all vulnerabilities. You cannot disable individual plugins in a Basic Network Scan.
PCI Quarterly External Scan
Designed specifically in accordance with the specifications set forth by the PCI Security Standards Council. This scan provides an 'outside-in' perspective of the environment and therefore performs only remote checks, not local checks. There is little customization possible with this scan: users are limited to adjusting the scan's performance settings to allow for proper analysis in accordance with the network's capabilities.
Policy Compliance Auditing using DISA audit files
Allows you to perform compliance audits of numerous platforms including (but not limited to) databases, Cisco, Unix, and Windows configurations, as well as sensitive data discovery based on regular expressions contained in audit files. Audit files are XML-based text files that contain the specific configuration, file permission, and access control tests to be performed.
Test and Performance analysis methodology
Tenable testing process and monitoring
We tested each piece of the solution stack with the following methodology:
- Each piece of the solution stack was scanned three times using the above-mentioned scans to ensure data correlation. These results formed the baseline of the solution stack before any STIGs had been applied.
- Once the baseline was created and captured, all the STIGs were applied to the solution stack. The solution stack was then scanned three times again to ensure data correlation.
- Once both test cases had completed, the two result sets were compared to show the difference in the solution stack between pre- and post-STIG application.
To understand the scan results, consider the PCI Quarterly External Scan rows in the following table. That scan covers the Microsoft Windows, VMware, and Linux operating systems. Summing the Pre-STIG/Baseline threats column for those three rows gives 144 threat instances before hardening; summing the Post-STIG/Baseline threats column gives 123 threat instances after hardening. The difference between the two totals (21) is the reduction in threat instances.
Scan template | Software environment (operating system, hypervisor, VDI connection broker) | Pre-STIG/Baseline threats | Post-STIG/Baseline threats | Reduction in threat instances |
--- | --- | --- | --- | --- |
Basic Network Scan | Microsoft Windows | Critical 1, High 8, Medium 10, Low 2 | Critical 0, High 4, Medium 4, Low 1 | 12 |
Basic Network Scan | VMware | Critical 0, High 0, Medium 21, Low 0 | Critical 0, High 0, Medium 21, Low 0 | 0 |
PCI Quarterly External Scan | Microsoft Windows | Critical 3, High 16, Medium 15, Low 2 | Critical 1, High 16, Medium 12, Low 2 | 5 |
PCI Quarterly External Scan | VMware | Critical 0, High 16, Medium 82, Low 0 | Critical 0, High 10, Medium 72, Low 0 | 16 |
PCI Quarterly External Scan | Linux | Critical 0, High 4, Medium 5, Low 1 | Critical 0, High 4, Medium 5, Low 1 | 0 |
Policy Compliance Auditing using DISA audit files | Windows | Critical 0, High 265, Medium 43, Low 0 | Critical 0, High 104, Medium 39, Low 0 | 165 |
Policy Compliance Auditing using DISA audit files | VMware | Critical 0, High 52, Medium 284, Low 0 | Critical 0, High 30, Medium 284, Low 0 | 22 |
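The following is an added example, not part of this document or of Tenable's own tooling, that automates the methodology above: it checks that repeated scan runs agree before they are accepted as a baseline, tallies findings by severity for the baseline and post-STIG exports, and computes the reduction in threat instances the same way the table's last column does. It assumes the Nessus v2 export format (a `NessusClientData_v2` root, `ReportHost` elements, and `ReportItem` elements carrying a numeric `severity` attribute where 0 is Info, 1 Low, 2 Medium, 3 High, 4 Critical); the host names, plugin IDs and findings in the sample are constructed for illustration.

```python
"""Tally Nessus severity counts for baseline vs post-STIG scans (added example).

Assumes the .nessus v2 export layout: NessusClientData_v2 / Report / ReportHost /
ReportItem, with severity 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical.
All host names, plugin IDs and findings below are constructed sample data.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# Info (severity 0) is not counted, matching the table, which reports only Low..Critical.
SEVERITY_NAMES = {4: "Critical", 3: "High", 2: "Medium", 1: "Low"}


def make_nessus(findings):
    """Build a minimal constructed .nessus document from (host, pluginID, severity) tuples."""
    by_host = {}
    for host, plugin_id, sev in findings:
        by_host.setdefault(host, []).append((plugin_id, sev))
    parts = ['<NessusClientData_v2><Report name="constructed">']
    for host, items in by_host.items():
        parts.append(f'<ReportHost name="{host}">')
        for plugin_id, sev in items:
            parts.append(
                f'<ReportItem port="0" svc_name="general" protocol="tcp" severity="{sev}" '
                f'pluginID="{plugin_id}" pluginName="plugin-{plugin_id}" pluginFamily="General"/>'
            )
        parts.append("</ReportHost>")
    parts.append("</Report></NessusClientData_v2>")
    return "".join(parts)


def findings_from_nessus(xml_text):
    """Return the set of (host, pluginID, severity) findings in an export, skipping Info."""
    root = ET.fromstring(xml_text)
    found = set()
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev >= 1:
                found.add((host.get("name"), item.get("pluginID"), sev))
    return found


def severity_counts(findings):
    """Count findings per severity name, always returning all four keys."""
    c = Counter(SEVERITY_NAMES[sev] for _, _, sev in findings)
    return {name: c.get(name, 0) for name in SEVERITY_NAMES.values()}


def consistent_runs(runs):
    """Steps 1 and 2: the three repeated scans must agree before they count as a data point."""
    return len(runs) >= 2 and all(run == runs[0] for run in runs[1:])


def reduction_from_counts(pre_counts, post_counts):
    """Reduction column of the table: total pre-STIG instances minus total post-STIG instances."""
    return sum(pre_counts.values()) - sum(post_counts.values())


def compare(baseline, post):
    """Step 3: pre/post severity totals, the net reduction, and which findings changed."""
    pre, after = severity_counts(baseline), severity_counts(post)
    return {
        "pre": pre,
        "post": after,
        "reduction": reduction_from_counts(pre, after),
        "remediated": sorted(baseline - post),  # present in the baseline, gone after hardening
        "new": sorted(post - baseline),         # introduced by hardening; a net figure hides these
    }


# Constructed sample: one Windows host scanned before and after STIG application.
BASELINE_FINDINGS = [
    ("win01", "10001", 4), ("win01", "10002", 3), ("win01", "10003", 3),
    ("win01", "10004", 2), ("win01", "10005", 2), ("win01", "10006", 1),
    ("win01", "19506", 0),  # Info-level item, deliberately excluded from the tally
]
POST_FINDINGS = [("win01", "10003", 3), ("win01", "10005", 2), ("win01", "10006", 1), ("win01", "19506", 0)]

BASELINE_RUNS = [findings_from_nessus(make_nessus(BASELINE_FINDINGS)) for _ in range(3)]
POST_RUNS = [findings_from_nessus(make_nessus(POST_FINDINGS)) for _ in range(3)]


def run_methodology():
    """Apply the three-step process to the sample runs and return the comparison."""
    if not (consistent_runs(BASELINE_RUNS) and consistent_runs(POST_RUNS)):
        raise RuntimeError("repeated scans disagree; investigate before baselining")
    return compare(BASELINE_RUNS[0], POST_RUNS[0])


if __name__ == "__main__":
    result = run_methodology()
    print("pre :", result["pre"])
    print("post:", result["post"])
    print("reduction in threat instances:", result["reduction"])
    print("remediated:", result["remediated"], "new:", result["new"])
```

Reporting the `new` set alongside the net reduction is the useful refinement: a hardening pass that fixes ten findings and introduces three shows a reduction of seven in the table, and only the per-plugin diff reveals the three regressions.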