
Frequently Asked Questions

General

What is ACAS?

In 2012, the Defense Information Systems Agency (DISA) awarded the Assured Compliance Assessment Solution (ACAS) to HP Enterprise Services. The award provided a mechanism to enable the assessment of U.S. Department of Defense (DoD) enterprise networks and connected IT systems against DoD standards, as well as to identify any known system vulnerabilities. To achieve this goal, HP partnered with Tenable Network Security, a leader in Continuous Network Monitoring (CNM), advanced analytics, and vulnerability scanning and management to provide their solutions and tools to support the mission.


What can ACAS do?

The ACAS solution provides the required automated network vulnerability scanning, configuration assessment, application vulnerability scanning, device configuration assessment, and network discovery. ACAS generates the required network visibility via reports and data and is SCAP 1.2 compliant. The ACAS tool is a follow-on capability to the Secure Configuration Compliance Validation Initiative (SCCVI) tool commonly referred to by the primary tool, "Retina."

Who must use ACAS?

ACAS is mandated for DoD use by various US Cyber Command orders, including USCYBERCOM TASKORD 13-0670, 'Implementation of Assured Compliance Assessment Solution (ACAS) for the Enterprise.' DISA OPORD 14-037 is an important reference for DISA systems. The intent is to improve the "capability of DoD to quickly and accurately assess the security posture of DoD enterprise networks." The ACAS capability aligns with DoD Enterprise Secure Configuration Management and continuous monitoring initiatives.

What Products are included in ACAS?
Product                                          ACAS Provided
Nessus Professional                              No
Nessus Manager                                   No
Tenable.io                                       No
Nessus Agents                                    No
Nessus (scanners controlled by SecurityCenter)   Yes
1 GB Passive Vulnerability Scanner (PVS)         Yes
10 GB Passive Vulnerability Scanner (PVS)        No
Log Correlation Engine (LCE)                     No
SecurityCenter                                   Yes
SecurityCenter Continuous View                   No

Can I use software not provided by ACAS?

Yes! You may elect to purchase software not included in the ACAS contract. There are many ACAS users who have elected to purchase additional components, such as Log Correlation Engine (LCE) to complement their ACAS deployments. Contact support for more information.

Each organization/command has different rules regarding the use of software within their environments. Check with your Approving Officer (AO) and/or Director of Information Management (DOIM) for rules regarding the use of new software.

What if I buy a piece of software and ACAS starts providing it?

No problem! If you buy a component not provided by ACAS, and the ACAS office provides it later, turn off your subscription and convert the licenses over to the ACAS licenses. All software sold by Tenable is sold using the subscription model. Simply put, you can cancel your subscription at any time. Further, the licensing model provides minimal startup costs and easy-to-project pricing for all users.

Licensing

Is ACAS only for Non-Secure Internet Protocol (NIPR)?

No, ACAS can be used on any DoD combat mission system regardless of classification. Note: the DISA ACAS Helpdesk only provides support up to the Secret Level (SIPR). For more information on supporting classified networks contact support.

I am a contractor. Can my company use ACAS licensing?

No, your company must buy licensing directly from Tenable. Software included in the ACAS program is available to DoD and DISA enterprise systems at no cost. The software must be used on DoD-owned mission systems and NOT contractor-owned systems.

Examples for valid licensing use:
  • The United States Air Force (USAF) hires contractor "X" to manage the IT infrastructure for its "Y" project. The infrastructure is part of the USAF.MIL network.
  • The U.S. Navy has sailors conduct SCAP compliance scans on computers aboard the CVN-75, the Harry S. Truman.
Examples for invalid licensing use:
  • The United States Army hired contractor "X" to develop a new battle tank. Contractor "X" may not use ACAS licenses on corporate-owned networks to develop the battle tank.
  • Contractor "X" builds a cloud infrastructure where DoD entities can purchase hosting capacity.

Support

How long is ACAS software supported?

All ACAS software is supported for 24 months from date of public release. Due to the Certification & Accreditation (C&A) process, software released to the ACAS community may be released several months after public release. The following chart illustrates the support schedule for major ACAS builds.

Product          Version   End of Support
SecurityCenter   4.7.x     April 30, 2016
SecurityCenter   4.8.x     No earlier than December 2016
SecurityCenter   5.x       No sooner than 18 months from end-of-sale date
Nessus           5.x       September 3, 2015
Nessus           6.1.x     No longer supported*
Nessus           6.2.x     No longer supported*
Nessus           6.3.x     No longer supported*
Nessus           6.4.x     No sooner than 18 months from end-of-sale date
Nessus           6.5.x     No sooner than 18 months from end-of-sale date
Nessus           6.6.x     No sooner than 18 months from end-of-sale date

* Nessus 6.3.x and all prior Nessus 6.x.x builds are no longer supported because they ship the Heartbleed-vulnerable versions of OpenSSL. The Heartbleed issue was resolved in version 6.4.x.

How do I contact support?

If you are using an ACAS license on a product obtained through the ACAS program office, you must utilize the DISA Helpdesk in Oklahoma City.

Email Address: disa.tinker.esd.mbx.okc-disa-peo-service-desk@mail.mil

Phone Numbers:

  • DSN 850-0032, press "1" for APPLICATIONS
  • Toll Free: 1-844-347-2457, press "1" for APPLICATIONS

If you need support on software purchased from Tenable or a Tenable reseller, contact Tenable Support. The matrix below explains which products are supported by which group. Note: If you purchased SecurityCenter, PVS, or Nessus directly from Tenable, then you are eligible to contact Tenable support. For more information on support please contact support.

Product                                      Supported By
Nessus Professional                          Tenable
Nessus Manager                               Tenable
Tenable.io                                   Tenable
Nessus Agents                                Tenable
Nessus (headless scanners)                   DISA OKC Helpdesk
1 GB Passive Vulnerability Scanner (PVS)     DISA OKC Helpdesk
10 GB Passive Vulnerability Scanner (PVS)    Tenable
Log Correlation Engine (LCE)                 Tenable
SecurityCenter                               DISA OKC Helpdesk
SecurityCenter Continuous View               Tenable

System Requirements

What does ACAS run on?

The ACAS suite provides three components of Tenable's Continuous View suite: SecurityCenter, Nessus, and Passive Vulnerability Scanner (PVS). SecurityCenter is the centralized management platform for all Tenable solutions and MUST be run on Linux. Nessus and PVS have Linux and Windows versions, but Tenable recommends running all ACAS components on Linux.

What versions of Linux are supported?

Red Hat Enterprise Server 5 (64-bit), 6 (64-bit) and 7 (64-bit). CentOS 5 (64-bit), CentOS 6 (64-bit) and 7 (64-bit) are also officially supported.

What if I don't know Linux?

DISA provides a Kickstart CD that helps Linux novices deploy the ACAS suite. Check the DISA ACAS portal for the Kickstart offerings.

Can I use a free version of Linux?

Yes. CentOS is a free distribution of Linux that is compatible with ACAS software. Note: Check with your Approving Officer (AO) and/or Director of Information Management (DOIM) for information on eligibility or support.

Does ACAS Support SELinux?

Yes. SELinux policy configuration is supported in a "Permissive" mode.

Are there virtual appliances for ACAS?

Tenable does offer virtual appliances, but the ACAS program office has never accredited them within the ACAS program.

What are the hardware requirements for Nessus?

Nessus Hardware Requirements:

Scenario: Nessus scanning smaller networks
  CPU*: 1 dual-core 2 GHz Intel CPU (dual-core Intel® for Mac OS X)
  Memory*: 2 GB RAM (4 GB RAM recommended)
  Disk space**: 30 GB

Scenario: Nessus scanning large networks, including audit trails and PDF report generation
  CPU*: 1 dual-core 2 GHz Intel CPU (2 dual-core recommended)
  Memory*: 3-4 GB RAM (8 GB RAM recommended)
  Disk space**: 30 GB

* Factor 30% more CPU and memory for virtualized instances.

** The disk space requirement excludes the OS partition. Disk space requirements vary with usage and depend on the amount of data and the length of time it is stored on the system.

What are the hardware requirements for Passive Vulnerability Scanner (PVS)?

Passive Vulnerability Scanner (PVS) Hardware Requirements:

Scenario: PVS monitoring up to 50,000 hosts
  CPU*: 1 dual-core 2 GHz CPU
  Memory*: 4 GB RAM
  Disk space**: 30 GB

Scenario: PVS monitoring in excess of 50,000 hosts
  CPU*: 1 dual-core 3 GHz CPU
  Memory*: 8 GB RAM
  Disk space**: 30 GB

* Factor 30% more CPU and memory for virtualized instances.

** The disk space requirement excludes the OS partition. Disk space requirements vary with usage and depend on the amount of data and the length of time it is stored on the system.

In addition to the above guidelines, please consider the following recommendations:

  • The ability to monitor a given number of hosts rests heavily on the bandwidth, memory, and processor power available to the system running PVS.
  • For optimal data collection, PVS needs to be connected to the network segment via a hub, spanned port, or network tap to have a full, continuous view of network traffic.
  • Processor requirements will increase with greater throughput and higher number of network interfaces. Memory requirements will increase for networks with more hosts. The requirements for both of these components are affected by configurable options, such as setting a long report lifetime and enabling some or all of the PVS optional services in the configuration file.

What are the hardware requirements for SecurityCenter (SC)?

SecurityCenter Hardware Requirements:

Number of hosts managed by SecurityCenter: 2,500 active IPs
  CPU*: 2 dual-core 2 GHz or greater CPUs
  Memory*: 4 GB RAM
  Disk space for vulnerability trending**: 90 days: 225 GB; 180 days: 450 TB

Number of hosts managed by SecurityCenter: 10,000 active IPs
  CPU*: 4 dual-core 3 GHz CPUs
  Memory*: 16 GB RAM
  Disk space for vulnerability trending**: 90 days: 900 GB; 180 days: 1.8 TB

Number of hosts managed by SecurityCenter: 25,000 active IPs
  CPU*: 8 dual-core 3 GHz CPUs
  Memory*: 32 GB RAM
  Disk space for vulnerability trending**: 90 days: 2.25 TB; 180 days: 4.5 TB

Number of hosts managed by SecurityCenter: 100,000 active IPs
  CPU*: 8+ quad-core 3 GHz CPUs
  Memory*: 128 GB RAM
  Disk space for vulnerability trending**: 90 days: 9 TB; 180 days: 18 TB

* Factor 30% more CPU and memory for virtualized instances. CPUs must be enterprise CPUs (e.g. Xeon processors), not desktop-grade or virtual CPUs.
** The disk space requirement excludes the OS partition. Disk space requirements vary with usage and depend on the amount of data and the length of time it is stored on the system.

In addition to the above guidelines, please consider the following suggestions:

  • If the Nessus scanner is deployed on the same system as SecurityCenter, there will be less CPU and memory available during scans, causing slower performance. Use multi-core and/or multiple CPU servers to alleviate this. Placing the scanner on a secondary machine will alleviate performance bottlenecks.
  • If one or more PVS are in use, use multi-core and/or multiple CPU servers to increase performance.
  • Use the aggregate of the individual software product resource requirements to determine total hardware system requirements.
  • If Nessus or PVS is deployed on the same server as SecurityCenter, consider configuring the server with multiple network cards and IP addresses.
  • Tenable recommends either 10K or 15K rpm SAS drives, or solid state drives, in a RAID 0/10 configuration for maximum write/query performance.

Plugins

How often are plugins updated?

Tenable has a full-time threat intelligence team that develops new plugins and updates existing plugins on a daily basis. Since attackers don't have a 9-5 job, Tenable works around the clock to provide plugins to respond to ever-evolving threats.

Who manages the plugin feeds for ACAS?

Twice daily the HP/DISA team downloads, reviews, and publishes Tenable's latest plugins to the DISA ACAS patch repository. Since moving the files to SIPR is a manual process, the SIPR plugins have a slight delay compared to unclassified networks.

Can you create custom plugins?

Yes. You can create custom plugins and .audit files. Tenable offers documentation and classes on how to write custom plugins. Contact support for more information.

What is the difference between a plugin and an .audit file?

Nessus plugins are used to detect vulnerabilities (e.g. missing patches), whereas audits are used to determine that servers are configured correctly or are "compliant" with a particular standard. The advantage of using Nessus to perform both vulnerability scans and compliance audits is that all of this data can be obtained at one time. Knowing how a server is configured, how it is patched, and what vulnerabilities are present helps determine measures to mitigate risk. At a higher level, if this information is aggregated for an entire network or asset class (as with Tenable's SecurityCenter), security and risk can be analyzed globally. This enables auditors and network managers to spot trends in non-compliant systems and adjust controls to fix these on a larger scale.

Are there additional .Audit files not provided by ACAS?

Yes. The ACAS program office limits the distribution of .Audit files to minimize confusion to users as there are over 550 .audit files maintained by Tenable. The full list of Nessus .Audit files can be found here.

How can I request additional .Audit files not posted on the DISA ACAS Portal?

Email the DISA Helpdesk or contact support.

Are there any other sources of plugins?

Yes, there is a team that supports a large scale ACAS deployment for a well-known government agency that develops custom plugins and content for the entire ACAS suite. The content is often available at no charge, government to government. Contact support to be placed in touch with this team.

SCAP

What is SCAP?

The Security Content Automation Protocol (SCAP) is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

SCAP benchmark audit files assign a severity code to each system security weakness to indicate the risk level associated with the security weakness and the urgency with which the corrective action must be completed.

The SCAP dashboard collection presents the analyst with the SCAP vulnerability information gathered within the environment. Data is prioritized by the number of SCAP severity findings; by the networks that have SCAP vulnerability results; by when audits were performed; through an IP summary; and with a "failing items" SCAP vulnerability summary.

Is ACAS SCAP certified?

Yes. SecurityCenter 5.x received its SCAP 1.2 certification in August 2015.

How do I use SCAP?

Much like you download plugins and .audit files to run Nessus scans, you must also download SCAP content if you want to conduct SCAP scans. Currently, SCAP does not scan for all STIG/SRG vulnerabilities, but certain SCAP-compliant checks are functioning at this time. The latest SCAP benchmark files can be found here.

Where can I get more information on SCAP?

Contact support.

Classified Networks

Can ACAS be used on classified networks?

Yes! ACAS can be used on any DoD Combat Mission System regardless of classification.

What is a DoD Combat Mission System?

A DoD Combat Mission System is a system that supports the warfighter (i.e. a .mil network). An example of a non-combat mission system would be Morale Welfare and Recreation (MWR).

Can I get support for classified deployments?

Yes. For inquiries on support on higher classified environments, please contact support.

Is there a guide for updating ACAS products in air-gapped networks?

Yes. Contact support for assistance.

Reporting

What is Continuous Monitoring Risk Scoring (CMRS)?

The CMRS site receives vulnerability inputs from other sources and displays them. ACAS and Host Based Security System (HBSS) feed CMRS, which displays vulnerabilities and totals by the accountable agency. This means the accrediting agency and accountable system owner will see all vulnerabilities associated with their system in CMRS.

Where can I find out more information on CMRS?

Contact support for assistance.

Can SecurityCenter report directly into Xacta®?

Yes. There is a middleware tool that enables easy integration between SecurityCenter and Xacta®. Contact support for more information.

SecurityCenter

What is SecurityCenter Continuous View?

SecurityCenter Continuous View (SCCV) combines Nessus, SecurityCenter, Passive Vulnerability Scanner (PVS), and Log Correlation Engine (LCE), deployed together to provide Tenable's answer to Continuous Data Monitoring (CDM). Log Correlation Engine (LCE) would have to be purchased by ACAS users in order to gain Continuous Data Monitoring capabilities. For more information on SCCV, click here.

What's new in SecurityCenter 5?

The three biggest changes in SecurityCenter 5 are the move away from 4 GB repositories, the UI migration from Adobe Flash to HTML 5, and the introduction of Assurance Report Cards (ARCs). For more information, download the SecurityCenter 5 Datasheet here.

What browsers should I use for SecurityCenter?

SecurityCenter 5 requires an HTML 5 compatible browser. Internet Explorer 9 (and below) is known to have issues with HTML 5, so Tenable recommends Mozilla Firefox or Google Chrome for use with SecurityCenter 5.

Is SecurityCenter CAC-enabled?

Yes, as are all SecurityCenter Continuous View (SCCV) products: Nessus, Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). Additionally, SecurityCenter now supports Proximity Card Authentication.

Following are some questions we anticipate that you may have when upgrading from SecurityCenter 4.x to the latest version of SecurityCenter.

What’s new in SecurityCenter 5? Where can I learn about additional features available in new versions of the SecurityCenter 5 product family?

SecurityCenter 5 is a next-generation, comprehensive vulnerability analytics solution that provides complete visibility into the security posture of complex, distributed IT infrastructure. SecurityCenter consolidates and evaluates all vulnerability data from across the entire IT infrastructure, illustrates vulnerability trends over time, and assesses risk with actionable context for effective remediation prioritization.

SecurityCenter 5 includes the following new features and enhancements:

  • Assurance Report Cards (ARCs) that you can use to measure the effectiveness of your security program against business objectives, including pre-defined ARCs focused on monitoring the top five Critical Cyber Controls (CCC), the security objectives with the greatest impact on security posture.
  • Advanced analytics that provide contextual insight and actionable information to prioritize security issues.
  • Improved searching and trending of scan and event data to speed up analysis, as well as many other additional enhancements.
  • Support for Nessus Agents means you can collect and analyze data from previously inaccessible systems. Without agents, transient systems like laptops, which were often disconnected from the network when traditional scans were run, simply did not get scanned. Additionally, scanning remote systems over limited bandwidth connections and scanning across complex, segmented networks was often not easy or feasible.

The “What's New in SecurityCenter” page on the Tenable website provides several resources you can use to learn more about all of the new features and capabilities in the SecurityCenter 5 product family. This page includes:

  • The latest SecurityCenter datasheet
  • Whitepapers and webinar recordings that explain how Assurance Report Cards (ARCs), available in SecurityCenter 5, can measure the effectiveness of a security program based on business objectives
  • Additional information about advanced analytics capabilities in SecurityCenter 5
  • A comprehensive list of all of the new features now available in SecurityCenter 5
How do I know what version of SecurityCenter I’m using?

To view which version of SecurityCenter you are using, perform the following steps:

  1. Log in to SecurityCenter.
  2. In the upper-right corner, under your login ID, click the down arrow, and then click About.
  3. The dialog box displays the version of SecurityCenter currently running.

Can I upgrade directly to SecurityCenter 5.2 from a version earlier than 4.8.1?

Your SecurityCenter version must be 4.8.1 or newer to upgrade to 5.2. Upgrading from earlier versions is not possible without first upgrading to at least 4.8.1.

What is the recommended upgrade path to SecurityCenter 5.2 for versions older than 4.8.1?

For SecurityCenter installations running versions 4.2.x through 4.7.0, first upgrade to SecurityCenter 4.7.1, then upgrade to SecurityCenter 4.8.2, and then finally upgrade to SecurityCenter 5.2.

Will my existing SecurityCenter 4.8 API scripts work with SecurityCenter 5.2?

The SecurityCenter 5 API is different from earlier versions of the SecurityCenter API. Existing SecurityCenter 4.8.x API scripts must be rewritten to work with SecurityCenter 5.

What are some things I should do to prepare for upgrading SecurityCenter to 5.2 if I have SecurityCenter 4.8.1 or 4.8.2?

Perform the following steps:

  1. Familiarize yourself with SecurityCenter 5.2.
    1. Request a license and upgrade a copy of your production system on a separate test system before upgrading your production instance of SecurityCenter.
    2. Review information on the differences between SecurityCenter 4 and SecurityCenter 5.
    3. Review the SecurityCenter release notes (https://static.tenable.com/prod_docs/upgrade_security_center.html).
    4. Review SecurityCenter 5.2 documentation:
      • SecurityCenter 5.2 Guide
      • SecurityCenter 5 API (if using API scripts)
    5. Take advantage of the free training available on Ask-ACAS.info (https://ask-acas.info/training/on-demand)
  2. Review the current system specifications and configuration.
    1. Identify whether or not the system is using mount points for /opt/sc4 and make arrangements to change the mounts to /opt/sc (the SecurityCenter application directory is in /opt/sc starting in version 5.x).
    2. Identify any old or unused data and configuration items that can be pruned prior to upgrading using expiration settings or deletion. This can be accomplished by:
      1. Manually deleting individual Scan Results, Report Results, alerts, and other items that are no longer needed
      2. Adjusting various expiration settings, logged in as the admin user, under System > Configuration > Expiration, so that these are automatically deleted back to the defined number of days
    3. Double-check the current production system against documented system requirements for SecurityCenter 5.2 and adjust resources as needed.
    4. Review and upgrade managed Nessus and PVS scanners to minimum versions supported by SecurityCenter 5.2.
  3. Back up your current system.
    1. Back up the /opt/sc4 directory only after ensuring that there are no SecurityCenter processes running at the time the backup is performed. From the system command line, run the following commands as root:

                    
        [root@prodSC01 ~]# service SecurityCenter stop
        (stops the SecurityCenter daemons)

        Shutting down SecurityCenter services:                     [  OK  ]

        [root@prodSC01 ~]# ps -fu tns
        (displays all running processes owned by the SecurityCenter “tns” user)

        UID        PID  PPID  C STIME TTY          TIME CMD
        tns       9421     1  0 19:42 ?        00:00:00 /opt/sc/support/bin/php /opt/sc/..
        tns       9424  9421  0 19:42 ?        00:00:03 /opt/sc/support/bin/php /opt/sc/..
        tns       9459  9424  5 19:44 ?        00:00:42 /opt/sc/support/bin/php /opt/sc/..

        [root@prodSC01 ~]# killall -u tns
        (kills all running processes owned by the SecurityCenter “tns” user and returns to a prompt)

        [root@prodSC01 ~]# killall httpd
        (kills all running httpd processes and returns to a prompt)
        httpd: no process killed

        [root@prodSC01 ~]# ps -fu tns
        (displays all running processes owned by the SecurityCenter “tns” user; run this a second time to confirm all processes are killed. In this case, no processes are listed, so it is safe to proceed with the backup)

        UID        PID  PPID  C STIME TTY          TIME CMD
        [root@prodSC01 ~]#

      Whatever backup method is used, it is critically important that SecurityCenter and all associated processes are completely stopped beforehand and that all files, the directory structure, file permissions and file ownership remain intact, without any modifications. If a recovery is to be performed later using the backup, the same version of SecurityCenter must be used in recovering the system.

      It is highly recommended to mount an external disk resource with sufficient space prior to performing the backup and direct the backup to this resource rather than creating a backup archive on the SecurityCenter server itself. If a backup needs to be created on the SecurityCenter server file system, ensure that whatever disks or volume it will be saved to have sufficient space prior to starting the backup. Depending on the backup method, the required amount of free space for a backup would generally be greater than the current size of the SecurityCenter directory (/opt/sc4).

    2. Confirm the integrity of your backup by restoring it to a test system and/or running commands or performing functions using the backup software to confirm backup integrity.
  4. Upgrade SecurityCenter using the appropriate package for your platform/OS. If SecurityCenter is being upgraded immediately after performing a backup, all SecurityCenter processes should already be halted. Otherwise, prior to upgrading, confirm that there are no running scan jobs or other scheduled tasks, shut down SecurityCenter, and confirm there are no running SecurityCenter processes prior to proceeding with the upgrade. From the SecurityCenter server command line, run the following commands as root:

                
      [root@prodSC01 ~]# service SecurityCenter stop
      (stops the SecurityCenter daemons)

      Shutting down SecurityCenter services:                     [  OK  ]

      [root@prodSC01 ~]# ps -fu tns
      (displays all running processes owned by the SecurityCenter “tns” user)

      UID        PID  PPID  C STIME TTY          TIME CMD
      tns       9421     1  0 19:42 ?        00:00:00 /opt/sc/support/bin/php /opt/sc/..
      tns       9424  9421  0 19:42 ?        00:00:03 /opt/sc/support/bin/php /opt/sc/..
      tns       9459  9424  5 19:44 ?        00:00:42 /opt/sc/support/bin/php /opt/sc/..

      [root@prodSC01 ~]# killall -u tns
      (kills all running processes owned by the SecurityCenter “tns” user and returns to a prompt)

      [root@prodSC01 ~]# killall httpd
      (kills all running httpd processes and returns to a prompt)

      httpd: no process killed

      [root@prodSC01 ~]# ps -fu tns
      (displays all running processes owned by the SecurityCenter “tns” user; run this a second time to confirm all processes are killed. In this case, no processes are listed, so it is safe to proceed with the upgrade)

      UID        PID  PPID  C STIME TTY          TIME CMD
      [root@prodSC01 ~]#
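The stop, verify, check-space and archive sequence from steps 3 and 4 above, as an added shell script that is not part of the ACAS FAQ or of Tenable's documentation. The /opt/sc4 path, the tns user and the SecurityCenter service name are taken from the steps; the 20% free-space margin and the archive format are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the ACAS FAQ or Tenable): pre-upgrade backup helper
# for a SecurityCenter 4.x host. It follows the sequence in the steps above:
# stop the service, confirm nothing owned by the "tns" user is still running,
# check free space on the destination, then archive /opt/sc4 with ownership
# and permissions intact. run_backup needs root on the real host.

SC_DIR="${SC_DIR:-/opt/sc4}"               # SecurityCenter 4.x application directory
SC_USER="${SC_USER:-tns}"                  # SecurityCenter service account
SC_SERVICE="${SC_SERVICE:-SecurityCenter}" # init script name used by "service"

# Return 0 when no process owned by user $1 exists, 1 otherwise.
# "-o pid=" suppresses the header, so any output at all means a live process.
no_user_processes() {
    [ -z "$(ps -u "$1" -o pid= 2>/dev/null)" ]
}

# Return 0 when the filesystem that will hold archive $2 has more free space
# than directory $1 occupies plus a 20% margin. The margin is an assumption;
# the page only says the backup generally needs more than the size of /opt/sc4.
enough_space() {
    src_kb=$(du -sk "$1" | cut -f1)
    avail_kb=$(df -Pk "$(dirname "$2")" | awk 'NR == 2 { print $4 }')
    need_kb=$((src_kb + src_kb / 5))
    [ "$avail_kb" -gt "$need_kb" ]
}

# Archive directory $1 into gzipped tar $2. tar records owner, group and mode
# for every entry, so a later extraction run as root restores them unchanged,
# which is what the restore requirement above calls for. The archive holds a
# path relative to the parent directory (e.g. sc4/...), not an absolute one.
make_backup() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Return 0 when archive $1 can be listed end to end. This is a cheap sanity
# check only; the page recommends a restore onto a test system as the real one.
backup_lists_ok() {
    tar -tzf "$1" >/dev/null 2>&1
}

# The complete sequence. $1 is the archive path, ideally on an external mount
# rather than on the SecurityCenter server's own disks.
run_backup() {
    dest="$1"
    service "$SC_SERVICE" stop
    # The transcript above shows tns processes surviving the service stop, so
    # kill anything left over and re-check before touching the files.
    no_user_processes "$SC_USER" || killall -u "$SC_USER"
    killall httpd 2>/dev/null || true
    sleep 2
    if ! no_user_processes "$SC_USER"; then
        echo "processes owned by $SC_USER are still running; aborting" >&2
        return 1
    fi
    if ! enough_space "$SC_DIR" "$dest"; then
        echo "not enough free space for $dest; aborting" >&2
        return 1
    fi
    make_backup "$SC_DIR" "$dest" && backup_lists_ok "$dest"
}

# Only perform the real sequence when a destination path is given.
if [ -n "${1:-}" ]; then
    run_backup "$1"
fi
```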
                
              

Nessus, Nessus Professional, Nessus Manager

What is Nessus Professional?

Nessus is the industry's most widely-deployed vulnerability scanner. Nessus features high-speed discovery, configuration auditing, target profiling, malware detection, sensitive data discovery, patch management integration, and vulnerability analysis. Nessus is the one-for-one replacement of the Retina scanner previously used by DOD. For more info on Nessus Professional, click here.

Is Nessus Professional part of ACAS?

No. Nessus Professional is NOT part of ACAS. Nessus Professional is an independent scanner used for auditing. The version of Nessus provided by ACAS is a special version of the scanner that is managed by SecurityCenter.

How can I audit an air-gapped network?

You need to install SecurityCenter with a Nessus scanner on a laptop and conduct your scans via SecurityCenter. Though not optimal, the ACAS licensing structure does not allow the use of Nessus Professional, which would otherwise allow scanning without a SecurityCenter installation.

What can Nessus scan for?

Nessus provides:

  • Discovery: Accurate, high-speed asset discovery
  • Scanning: Vulnerability scanning (including IPv4/IPv6/hybrid networks)
  • Un-credentialed vulnerability discovery
  • Credentialed scanning for system hardening and missing patches
  • Coverage: Broad asset coverage and profiling
  • Network devices: firewalls/routers/switches (Juniper, Check Point, Cisco, Palo Alto Networks), printers, storage
  • Offline configuration auditing of network devices
  • Virtualization: VMware ESX, ESXi, vSphere, vCenter, Microsoft Hyper-V, Citrix XenServer
  • Operating systems: Windows, OS X, Linux, Solaris, FreeBSD, Cisco IOS, IBM iSeries
  • Databases: Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL, MongoDB
  • Web applications: Web servers, web services, OWASP vulnerabilities
  • Cloud: Scans the configuration of cloud applications like Salesforce and cloud instances like AWS and Rackspace
  • Compliance: Helps meet government, regulatory and corporate requirements
  • Helps meet several PCI DSS requirements through configuration auditing, web application scanning
  • Threats: Botnet/malicious, process/anti-virus auditing
  • Detect viruses, malware, backdoors, hosts communicating with botnet-infected systems, known/unknown processes, web services linking to malicious content
  • Compliance auditing: FFIEC, FISMA, CyberScope, GLBA, HIPAA/HITECH, NERC, PCI, SCAP, SOX
  • Configuration auditing: CERT, CIS, COBIT/ITIL, DISA STIGs, FDCC, ISO, NIST, NSA
  • Control Systems Auditing: SCADA systems, embedded devices and ICS applications
  • Sensitive Content Auditing: PII (e.g. credit card numbers, SSNs)

For more information on Nessus, click here.

What is Nessus Manager?

Nessus Manager enables the sharing of resources, including Nessus scanners, scan schedules, policies, and scan results, among multiple users or groups. Users can share resources and responsibilities with their co-workers: system owners, internal auditors, risk and compliance personnel, IT administrators, network admins and security analysts. These collaborative features reduce the time and cost of security scanning and compliance auditing by streamlining the discovery and remediation of vulnerabilities, malware, and misconfigurations. Additionally, Nessus Manager serves as a proxy server to SecurityCenter when scanning mobile devices (iPhone, Android, etc.) and when scanning using Nessus Agents. For more information on Nessus Manager, click here.

Is Nessus Manager available as part of ACAS?

No. Nessus Manager and Nessus Agents are only available if purchased. For more information about them, contact sales.

What is Tenable.io?

Tenable.io is Tenable's hosted, cloud-based vulnerability management solution that brings clarity to your security and compliance posture. Built on the leading Nessus technology from Tenable, this cloud-based platform delivers a fresh, asset-based approach that accurately tracks your resources while offering specialized applications for container security and web application scanning. To maximize visibility and insight, Tenable.io effectively prioritizes your vulnerabilities while seamlessly integrating into your environment. For more information on Tenable.io, click here.

Is Tenable.io available as part of ACAS?

No. Tenable.io is only available if purchased from Tenable.

Passive Vulnerability Scanner (PVS)

What is PVS?

PVS is Tenable's passive vulnerability scanner: it discovers hosts, services and vulnerabilities by observing network traffic rather than by probing hosts. Do you know what happens between the time one active vulnerability scan completes and the next one runs? New hosts, new ports, new services, and new vulnerabilities can arrive on your networks faster than you may be allowed to scan for them. PVS can find out what is happening on your network without scheduling and waiting for an active scan. As PVS monitors your network, it also watches for potential application compromises, trust relationships, and open or browsed network protocols. For more info on PVS, click here.

Is PVS an Intrusion Detection System (IDS)?

No. PVS is deployed in the same manner, at a strategic location where it sees enough traffic to be effective, but it produces different results. An IDS looks for known attacks as they occur. PVS looks at the same traffic for real-time asset discovery and vulnerability detection, not for attacks. PVS provides an in-depth view of your network, the activity on it, the assets attaching to it, and the various technical and business vulnerabilities these activities and assets create.

Where do I deploy PVS in my network?

Typically, PVS is installed off a SPAN (mirror) port at the head end of the network so that all traffic entering and leaving the network is seen by PVS. PVS can also be placed inside the network, where it sees internal traffic and the trust relationships taking place there.

Can PVS scan sensitive devices such as SCADA?

Yes, PVS monitors network traffic for potential problems and detects otherwise un-scannable devices and highly-sensitive systems such as SCADA or medical devices. This passive scanning is invaluable to the security of these sensitive devices and networks as it offers coverage not available through active scanning technology alone. PVS has SCADA plugins to determine SCADA-related vulnerabilities.

Can PVS sniff an entire network/or specific IP range(s)?

PVS can be configured to sniff an entire network or just a particular server in which you are interested. For example, if you have a web server that you need to monitor 24/7, you can configure PVS to listen to all incoming and outgoing traffic to this server.

How much data throughput can PVS effectively handle?

The ACAS-provided PVS is rated for full packet capture at up to 1 Gbps. Above that rate it continues to operate, but full capture of every packet is no longer assured. Though not available via ACAS, Tenable offers a 10 Gbps version of PVS. For more information about the 10 Gbps version, contact sales.

Can PVS sniff for classified information, social security numbers, and PII data?

Yes. PVS looks for text such as 'amex', 'visa' or 'top secret' in observed traffic, extracts the associated data (for example card numbers) and logs the findings in real time.
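To make concrete what passive sensitive-content detection of the kind described here (and in the Nessus "Sensitive Content Auditing" bullet above) looks like, here is an added example in Python. It is not PVS code and not Tenable's detection logic; it is a small detector run over constructed sample payloads standing in for reassembled TCP stream data. It shows two things a practitioner cares about: a keyword or digit-run alone produces noise, so card candidates are confirmed with the Luhn checksum; and a detector should never write the full card number or SSN into its own logs, so findings are masked before they are returned.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample payloads (not captured traffic). 4111 1111 1111 1111 is the
# well-known Visa test number and passes the Luhn checksum; 4111111111111112
# differs by one digit and fails it, so it must not be reported as a card.
SAMPLE_PAYLOADS = [
    "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=4111 1111 1111 1111&exp=12/29",
    "order_id=4111111111111112&note=visa on file",
    "From: hr@example.mil\r\n\r\nEmployee SSN 123-45-6789 attached. TOP SECRET//NOFORN",
    "GET /api/status HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

# 13-19 digits, optionally separated by spaces or dashes, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# "TOP SECRET" is listed first so it wins over the bare "SECRET" alternative.
MARKING_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b", re.IGNORECASE)
BRAND_RE = re.compile(r"\b(amex|visa|mastercard)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(digits: str) -> str:
    """Infer the issuer from the leading digits (IIN ranges)."""
    if digits.startswith("4"):
        return "visa"
    if digits[:2] in ("34", "37"):
        return "amex"
    if digits[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    return "unknown"


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_payload(payload: str) -> List[Dict[str, str]]:
    """Return masked findings for one payload: cards, SSNs, markings, brand keywords."""
    findings: List[Dict[str, str]] = []
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drops digit runs that merely look like a card
            findings.append({"kind": "card", "brand": card_brand(digits), "value": mask_pan(digits)})
    for m in SSN_RE.finditer(payload):
        findings.append({"kind": "ssn", "value": "***-**-" + m.group()[-4:]})
    for m in MARKING_RE.finditer(payload):
        findings.append({"kind": "marking", "value": m.group().upper()})
    for m in BRAND_RE.finditer(payload):
        findings.append({"kind": "keyword", "value": m.group().lower()})
    return findings


def scan_stream(payloads: List[str]) -> List[Tuple[int, Dict[str, str]]]:
    """Scan a sequence of payloads, tagging each finding with its payload index."""
    return [(i, f) for i, p in enumerate(payloads) for f in scan_payload(p)]


if __name__ == "__main__":
    for idx, finding in scan_stream(SAMPLE_PAYLOADS):
        print(idx, finding)
```

The second payload illustrates the difference between a keyword hit and a confirmed finding: it contains the word "visa" and a 16-digit number, but the number fails Luhn, so only the keyword is reported. A real sensor would also have to reassemble streams and decode encodings (chunked HTTP, base64 in mail) before matching, which this example does not attempt.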

Can PVS detect new users on a network?

Yes. PVS can detect new Windows user SIDs (security identifiers) as they appear in network traffic.

Can PVS detect rogue hosts on the network?

Yes, PVS can detect rogue hosts on the network and trigger custom workflows.

Can PVS be used to eliminate the need for discovery scans?

Yes. PVS can eliminate the need for discovery scans by triggering credentialed scans when it detects new hosts connecting to the network.

Can PVS listen to encrypted data?

PVS can detect that traffic is encrypted, but it cannot natively decrypt it or detect vulnerabilities inside it. It can still report the endpoints and ports involved. If you deploy an SSL/TLS decryption tap that feeds PVS the decrypted traffic, you can review that content with PVS.

Log Correlation Engine

What is Log Correlation Engine (LCE)?

Log Correlation Engine is designed to aggregate, normalize, correlate, and analyze event log data from raw network traffic, intrusion detection data, system and application logs, and user activity within your infrastructure. For more information on LCE, click here.

Why do I need LCE?

LCE enables you to:

  • Normalize, correlate, and analyze user and network activity from log data generated by any device or application across the enterprise in a central CAC-enabled portal.
  • Store, compress, and perform full-text search on any log generated by thousands of network devices and applications.
  • Demonstrate compliance with internal policies and regulatory requirements by maintaining an auditable infrastructure.
  • Monitor files and directories for unauthorized changes and deletions.
  • Detect malware and malicious system processes running in your environment.
  • Aid in incident response by saving searched data in a compressed format along with a checksum so the data can be used as forensic evidence.
  • Capture user access logs and behavior for insider threat profiling to determine exactly where your employees surf on the Internet, what systems they access, and what programs they run.
  • Categorize logs that match no existing rule as 'not-matched' and store them for further analysis, providing insight into activity that would previously have been overlooked.
  • Use full-text search to make attack analysis and mitigation faster and more effective.
  • Monitor local and remote Windows systems for USB device, CD-ROM, and DVD activity.
  • Automatically detect deviations from baseline activity for any log source, including firewall spikes, changes in web application error rates, and denial of service attacks.
  • Provide executive reports and metrics to continually assess your security and compliance posture.

If I have Splunk, why would I want to use LCE?

Out of the box, Splunk does not provide active correlation of vulnerability data. LCE gives you out-of-the-box correlation across many data sources, including compliance and vulnerability data, which lets you search for indicators of compromise. Additionally, LCE has a Splunk connector: once data is correlated, it can be sent to Splunk for analysis and alerting. This can reduce Splunk license cost while improving the quality of the data going into Splunk.

Does LCE Support Windows Log Management?

Yes. Using a lightweight agent installed on a Windows host, LCE securely retrieves Windows event log data, including the System and Application logs.

Does LCE have an agent?

Yes. LCE has agents for Windows and Unix/Linux host operating systems.

Is there an agent for Routers, Switches, Firewalls, etc.?

No. To collect data from devices such as routers, switches and firewalls, LCE receives syslog from them.

What does the LCE Agent do?

LCE agents provide log data retrieval, compression, and encryption. Additionally, they provide File Integrity Monitoring (FIM).

How does LCE do File Integrity Monitoring?

LCE hashes the files and directories you select, monitors them for changes, and creates an event that can trigger a workflow when a change is detected. For example, if you monitor /etc/hosts, a change to that file can serve as an indicator of compromise: it should rarely change, and when it does, it is often because an attacker is redirecting hostnames.
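The mechanism described above, baseline hashing followed by comparison, is shown here as an added example in Python. It is not LCE's agent code; it builds a constructed directory tree in a temporary location, takes a SHA-256 baseline, simulates the kind of tampering the paragraph mentions (a hosts file edited, a cron job added, a file removed), and reports the three classes of change a FIM tool must distinguish: modified, added and deleted. File names and contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set

# Constructed sample files standing in for the paths an agent would be told to watch.
SAMPLE_FILES = {
    "hosts": "127.0.0.1 localhost\n",
    "passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "motd": "welcome\n",
}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, Set[str]]:
    """Diff two baselines into the events a FIM workflow would be triggered on."""
    return {
        "added": set(new) - set(old),
        "deleted": set(old) - set(new),
        "modified": {k for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def demo() -> Dict[str, Set[str]]:
    """Build the sample tree, baseline it, tamper with it, and return the detected events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, content in SAMPLE_FILES.items():
            (root / name).write_text(content)
        before = take_baseline(root)

        # Simulated tampering: hostname redirected, cron job dropped, motd removed.
        (root / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 update.example\n")
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")
        (root / "motd").unlink()

        after = take_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, sorted(paths))
```

Two points the paragraph leaves implicit: the baseline itself must be stored where the monitored host cannot rewrite it (otherwise an attacker who edits /etc/hosts can re-baseline it), and hashing alone does not tell you who made the change, which is why FIM events are correlated with login and process logs rather than acted on in isolation.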

Is there an easy way to calculate how much log data I will generate?

Yes. A Log Calculator is available upon request. Contact support to request it.

Can I set log retention guidelines?

Yes. LCE will enable you to set log retention guidelines.

Is LCE data protected?

Yes. Once log data is collected, it is hashed and signed before being stored. This helps ensure the forensic authenticity of log data in the event it is needed as part of an investigation.
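To show what hashing and signing stored logs buys an investigator (the property claimed here and in the incident-response bullet above about checksummed forensic data), here is an added example in Python; it is not LCE's storage format. Each record carries an HMAC-SHA256 tag over its sequence number, the previous record's tag and the message, so altering, reordering or deleting a record breaks the chain. The key and the syslog-style events are constructed for the demonstration. The verifier also accepts an expected tail tag, because a chain alone cannot detect truncation from the end; the latest tag has to be anchored somewhere the log store cannot rewrite.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Assumption: a secret held by the collector, not by the monitored hosts.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

# Constructed syslog-style events (not real captured logs).
SAMPLE_EVENTS = [
    "Jan 10 10:01:02 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51234",
    "Jan 10 10:01:09 web01 sudo: ops : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Jan 10 10:02:30 web01 sshd[1300]: Failed password for root from 198.51.100.7 port 40022",
]


def _tag(seq: int, prev: str, msg: str, key: bytes) -> str:
    """HMAC over a canonical JSON encoding so field order cannot change the tag."""
    body = json.dumps({"seq": seq, "prev": prev, "msg": msg}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(events: List[str], key: bytes = KEY) -> List[Dict[str, object]]:
    """Turn raw events into chained, tagged records."""
    records: List[Dict[str, object]] = []
    prev = GENESIS
    for seq, msg in enumerate(events):
        tag = _tag(seq, prev, msg, key)
        records.append({"seq": seq, "prev": prev, "msg": msg, "tag": tag})
        prev = tag
    return records


def tail_tag(records: List[Dict[str, object]]) -> str:
    """The tag an operator would anchor off-box (e.g. in a ticket) at collection time."""
    return str(records[-1]["tag"]) if records else GENESIS


def verify(records: List[Dict[str, object]], key: bytes = KEY,
           expected_tail: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    A missing tail (truncation) is reported as len(records) when expected_tail is given.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        expected = _tag(int(r["seq"]), str(r["prev"]), str(r["msg"]), key)
        if r["seq"] != i or r["prev"] != prev or not hmac.compare_digest(expected, str(r["tag"])):
            return i
        prev = str(r["tag"])
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return len(records)
    return None


if __name__ == "__main__":
    sealed = seal(SAMPLE_EVENTS)
    print("intact:", verify(sealed, expected_tail=tail_tag(sealed)))
    sealed[2]["msg"] = str(sealed[2]["msg"]).replace("198.51.100.7", "10.0.0.5")
    print("after edit, first bad record:", verify(sealed))
```

Note that a plain hash chain without a key would only protect against accidental corruption: anyone who can rewrite the store can recompute unkeyed hashes. The HMAC key, like the tail tag, must live outside the reach of whoever could tamper with the records.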

Is there a high availability version of LCE?

Yes. There is an Active/Active version of LCE, often used for high-value environments where no log data can be lost. Contact sales for more information.

Does LCE compress log data?

Yes. LCE provides compression of log data both in transit and when stored.

Does LCE encrypt log data?

Yes. LCE encrypts data in transit between LCE and the source host if the agent is used.

How do I get LCE?

You can get more information on LCE by emailing sales.

Is LCE CAC-enabled?

Yes, as are all SecurityCenter Continuous View (SCCV) products: Nessus, Passive Vulnerability Scanner (PVS), and Log Correlation Engine (LCE). Additionally, SecurityCenter now supports Proximity Card Authentication.

Training

How is ACAS Training handled?

The ACAS program office provides training classes to all ACAS users. Some of these classes are virtual and others are in-person. Information on these classes can be found here.

Additionally, Tenable has opened up its training catalogue to ACAS users. Visit the ASK-ACAS.INFO training section for details on how you can gain access to the Tenable training material.

What does the ASK-ACAS.INFO training provide?

Training material is provided to Tenable's commercial customers as part of their support package. Tenable has agreed to open this material up to ACAS users despite the fact they are not directly supported by Tenable. The initial offering will be for non-ACAS specific content. Tenable is diligently working to provide ACAS-specific content that will help ensure users have a wide range of training options while waiting to attend a DISA-provided class.
