
Standalone threat/compliance scanner?

Cyberscum Member Posts: 795 ■■■■■□□□□□
We (security section) are in the process of developing a standalone scanner for remote areas.

I have played with a free version of Nessus, but has anyone used this vulnerability scanner as their primary scanner?

We are looking at all of the conventional scans for patches, zero days, misconfigs etc. But we are also trying to get a hold on data compliance info like HIPAA/PII/I think even SOX etc.

The organization we are dealing with is very dynamic so we would need a scanner that could possibly accomplish as much of this as possible.


Any thoughts?

Comments

  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    I think you'll have a tough time with the compliance portion of the tool as far as a free/open source goes. OpenVAS could do the patches and such, but don't believe it has a compliance part.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    ^
    Nessus has the entire package all in their Security Center. It would allow for compliance and vulnerability management with a central compliance center called Security Center. They have a passive scanner now called PVS which is pretty damn cool, but expensive. I use Retina so Nessus is new to me.

    I don't mind forking out the 3k for the Nessus scanner if it does its job... You have any exp with Nessus?
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    I have used their community edition and got a lot of false positives. As far as their paid product, I have no experience with it sorry.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • [Deleted User] Senior Member Posts: 0 ■■■■□□□□□□
    I've used Nessus quite a bit including SecurityCenter. I do think that Nessus is a great product. I know what PVS is but I haven't used it, the features of PVS however, are intriguing. I prefer Nessus to Retina but admittedly don't have as much experience with Retina. I've heard the opposite from individuals better versed in Retina. You see this sort of thing daily though I'm sure, people build their own biases and want to dislike a product for no other reason than it isn't familiar to them.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Never really used Nessus, but I've used retina in the past and found it to be pretty effective. That was in Afghanistan, and it was sometimes a pain getting the updates, but we managed.
    Working on: staying alive and staying employed
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    @ COL/XMA
    I don't mind Retina, it's pretty good, but the contract is running out and we need to renew with another compliance scanner. I have heard mixed feelings with Nessus; one odd issue is that we had a 2008r2 server scanned with both and each came back with different results ha ha.

    I think we might just try Nessus, seems like a more flexible scanner and it comes with a lot of support.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    In regards to scanners for vulnerability management and compliance, the names you'll hear most often in the industry are Tenable (Nessus), Qualys, and Rapid7. No scanner solution is perfect, and any vendor can produce false positives. It's ultimately up to the analyst/engineer/report-reading-dude who must validate the findings. Due diligence and all that, yadda yadda. One thing to consider when doing the assessments - whenever possible, perform authenticated scanning. Non-authenticated scans can increase false positives and also possibly false negatives, leading to a false sense of security.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    @Doc
    Thanks for the info.

    Tenable seems like a reputable company and they offer a product called ACAS that has some other bells and whistles, but does offer the Nessus engine and a trial of the PVS product. We tried multiple scanners on the R2 server with everything from open source to paid and trial services. All of them came back with about 70 percent of the same vulnerabilities, but that’s where it ended. Some found zero days, some found false positives, some even missed cat 1’s found in the others??? And this is all with using the setup service manuals for each and with admin priv’s.

    I am starting to not trust these things much anymore. They seem to get about 70-80 percent of the things needed to secure a box or net segment, but miss the mark on a lot of important things. I guess they do their job for the price.
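    The experience described in the post above, several scanners agreeing on roughly 70 percent of findings and disagreeing on the rest, is exactly the situation in which the analyst has to reconcile results by hand. The following is an added example, not code from the thread or from any scanner vendor: it takes constructed sample output from two hypothetical scanners (host, finding identifier, severity; the `VULN-000x` identifiers are placeholders, not real CVEs or plugin IDs), measures how much the two agree, and builds a validation queue of the findings that only one scanner reported or that the scanners rated differently. Those are the items most likely to be false positives in one tool or false negatives in the other.

```python
"""Reconcile vulnerability findings from several scanners so the analyst
sees what needs manual validation. Added example with constructed data."""
from collections import defaultdict

# Constructed sample output. Each scanner reports (host, finding_id, severity).
# The identifiers are placeholders, not real CVE numbers or plugin IDs.
SCAN_RESULTS = {
    "scanner_a": [
        ("10.0.0.5", "VULN-0001", "high"),
        ("10.0.0.5", "VULN-0002", "medium"),
        ("10.0.0.5", "VULN-0003", "critical"),
        ("10.0.0.5", "VULN-0004", "low"),
    ],
    "scanner_b": [
        ("10.0.0.5", "VULN-0001", "high"),
        ("10.0.0.5", "VULN-0002", "low"),       # same finding, rated differently
        ("10.0.0.5", "VULN-0005", "critical"),  # reported by scanner_b only
    ],
}


def reconcile(results):
    """Map each (host, finding_id) to {scanner: severity} for every scanner that saw it."""
    seen = defaultdict(dict)
    for scanner, rows in results.items():
        for host, finding_id, severity in rows:
            seen[(host, finding_id)][scanner] = severity
    return dict(seen)


def overlap_ratio(results, a, b):
    """Share of the combined (host, finding_id) set that both scanners a and b reported."""
    set_a = {(host, fid) for host, fid, _ in results[a]}
    set_b = {(host, fid) for host, fid, _ in results[b]}
    union = set_a | set_b
    return len(set_a & set_b) / len(union) if union else 1.0


def validation_queue(results):
    """Findings the analyst must check by hand, with the reason:
    - reported by a subset of the scanners (false positive there, or a false
      negative in the others)
    - reported by every scanner but with differing severity ratings
    """
    scanners = set(results)
    queue = []
    for key, by_scanner in sorted(reconcile(results).items()):
        missing = scanners - set(by_scanner)
        if missing:
            reason = "reported only by %s; not reported by %s" % (
                ",".join(sorted(by_scanner)), ",".join(sorted(missing)))
            queue.append((key, reason))
        elif len(set(by_scanner.values())) > 1:
            ratings = ", ".join("%s=%s" % item for item in sorted(by_scanner.items()))
            queue.append((key, "severity disagreement: " + ratings))
    return queue


if __name__ == "__main__":
    print("overlap scanner_a/scanner_b: %.2f" %
          overlap_ratio(SCAN_RESULTS, "scanner_a", "scanner_b"))
    for (host, fid), reason in validation_queue(SCAN_RESULTS):
        print(host, fid, "->", reason)
```

    The queue is deliberately conservative: a finding that every scanner reports at the same severity is left out, because it is the least likely to need a second look. In practice the input would be built from each tool's CSV or XML export rather than typed in.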
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    As Docrice said, it's up to the analyst to verify. Vulnerabilities are more than just patch levels, and it doesn't surprise me to hear that different scanners produce different results. Have you tried Nessus with an authenticated scan? I would imagine that will help lower the false-positives.
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    ^
    Yes, seems like the false negatives are the real concern with the auth scan we did. It may be because the scanner's bank is limited for the free version compared to the paid version.
  • Lamini Member Posts: 242 ■■■□□□□□□□
    Perhaps there are some ACAS specialists in these forums? I've asked and have not had luck in hearing of standalones of ACAS. There's always Retina, though getting phased out, if not phased out in several organizations already.
    CompTIA: A+ / NET+ / SEC+
    Microsoft: MCSA 2003
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    The prob is everyone is familiar with one or the other. I know and love Ret, but I want to try Ness out for the contract renewal. I have not talked to anyone that has used both and could offer some good info on the pros/cons.
  • LeifAlire Member Posts: 106
    I have used this product, very full featured with a lot of options and report output.
    Network Security Scanner | Vulnerability Scanner & Scanning
    2015 Goals: VCP-550 - CISA - 70-417
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    LeifAlire wrote: »
    I have used this product, very full featured with a lot of options and report output.
    Network Security Scanner | Vulnerability Scanner & Scanning

    Me too ;)
  • rx8blu1973 Member Posts: 21 ■□□□□□□□□□
    Sorry to bump this thread, but actually just joined for exam results in another forum and ran across this. I've used Retina before, and am now in the process of building a remote Nessus scanner as well. Currently I'm installing RHEL 6.6 on a laptop, hardening the system, and then installing Nessus...The reason for this is to be able to scan a remote system that has an embedded CentOS operating system (is that redundant?), because it failed previous scans miserably and was yanked from the network, and there is no way to put it back on without a successful scan. I'm documenting everything, and will be glad to share my trials and tribulations...
  • instant000 Member Posts: 1,745
    As prior posters mentioned, false positives and false negatives could be found in any tool.

    According to these two links, the DoD uses Nessus as their primary scanner:

    U.S. Department of Defense | Tenable Network Security

    DISA - ACAS

    You can use a laptop as a standalone scanner. I've seen it done.

    You still would need some method of updating your plugins, right?

    Try this link:
    http://static.tenable.com/documentation/nessus_6.1_installation_guide.pdf

    Look for the section: "Nessus without Internet Access" .. it basically allows you to generate a "challenge code" which is then used by a system with Internet to download the updates. Then, you apparently pull the updates in via CLI. (Disclaimer: I have not tested this feature.)

    Hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
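    The offline update workflow in the post above ends with a plugin archive that was downloaded on an Internet-connected machine and carried by hand to the standalone scanner. Before handing such a file to the scanner's update command it is worth confirming that what arrived is what the vendor published. The following is an added example, not Tenable's code and not taken from the guide linked above; it is independent of Nessus and applies to any update archive moved across an air gap. It assumes the operator noted the archive's SHA-256 digest from the vendor's download page (`expected_sha256`), and it checks three things: the digest matches, the file is a readable gzip tar, and no archive member uses an absolute or `..` path that would write outside the extraction directory. `build_sample_archive` and `run_demo` only exist to construct test data; the member names they use are placeholders.

```python
"""Check an update archive carried across an air gap before applying it.
Added example; file names and digests here are constructed, not vendor values."""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large feeds do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def unsafe_member(name):
    """True if a tar member name would land outside the extraction directory."""
    normalized = os.path.normpath(name)
    return (os.path.isabs(name) or name.startswith("/")
            or normalized == ".." or normalized.startswith(".." + os.sep))


def inspect_archive(path, expected_sha256):
    """Return (ok, problems). problems is empty when the archive passes every check."""
    problems = []
    actual = sha256_file(path)
    if actual.lower() != expected_sha256.lower():
        problems.append("sha256 mismatch: expected %s, got %s" % (expected_sha256, actual))
    try:
        with tarfile.open(path, "r:gz") as tar:
            for member in tar:
                if unsafe_member(member.name):
                    problems.append("unsafe member path: %s" % member.name)
                if member.issym() or member.islnk():
                    problems.append("link member not expected in an update feed: %s" % member.name)
    except (tarfile.TarError, OSError) as exc:
        problems.append("not a readable gzip tar: %s" % exc)
    return (not problems, problems)


def build_sample_archive(path, member_names):
    """Write a small gzip tar with the given member names (constructed test data only)."""
    with tarfile.open(path, "w:gz") as tar:
        for name in member_names:
            data = ("# constructed placeholder content for %s\n" % name).encode()
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def run_demo():
    """Build one clean and one tampered archive and inspect both; returns the verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "feed-good.tar.gz")
        bad = os.path.join(workdir, "feed-bad.tar.gz")
        build_sample_archive(good, ["plugins/example_check.nasl", "plugins/README"])
        build_sample_archive(bad, ["plugins/example_check.nasl", "../../escaped_file"])
        good_ok, good_problems = inspect_archive(good, sha256_file(good))
        # Wrong digest on purpose: models a file altered or swapped in transit.
        bad_ok, bad_problems = inspect_archive(bad, "0" * 64)
        return {"good_ok": good_ok, "good_problems": good_problems,
                "bad_ok": bad_ok, "bad_problems": bad_problems}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

    Only an archive that comes back with `ok == True` should be passed to the scanner's offline update command; a digest mismatch means the download should be repeated from the vendor, not patched around.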