Privileged Access Management - in action with Nessus

Privileged Access Management with Nessus Pro Vulnerability Scanner

Protecting organisations from cyber attack requires a broad approach to ensure all attack vectors are addressed. Obviously at Osirium we believe that managing Privileged Access is important, but so is checking for vulnerabilities and malware. There's a slight irony in that these vulnerability and anti-malware tools need the highest level of access to check every file, rule and memory location.

Since we have our systems locked down with Osirium-generated, very long, very strong, life-cycle-managed passwords, we need our vulnerability scanners to have access to these passwords.

Nessus Security Contribution

Scan definition and configuration is high-level work. Scan execution, on the other hand, is simply a case of pushing the button. Evaluating the results of a scan is often trivial - it's all clear, nothing to worry about.

Where scans reveal issues, these need to be escalated. The pattern we see here is found all over IT security projects: those that define and develop the capabilities are not the same as those that end up with operational responsibility. There's always the question of who is best placed to deal with issues when they arise. This is why we end up with a team structure - but in security terms we need to build in the workflow practices that mean not every member of the team has 'domain admin' privileges to get their work done.

Professional Services Team at Osirium

At Osirium we have one special Osirium: it's our Dogfood system, the one we use to manage our own infrastructure. This Osirium tends to run the very latest released code, so it's exactly what our customers experience.

Tom's team approached the Nessus Integration problem in the same way that they would for any other customer. The simple issue is that Nessus needs Privileged Access to our external-facing systems in order to deliver deep and meaningful scans. If a team had to do this, they would need to:

  • Know the Privileged Credentials.
  • or ... have Web SSO with an Identity In Role Out approach.
  • or ... have Osirium schedule the scans and email them the results.

Of course the first option wouldn't fly, so the team opted to implement the next two. The logic being:

  • Web SSO for configuration, scan definitions, upgrades and fault finding.
  • Privileged Task management for everything else (and a bit more).

API happiness

For Tom's team it's always a delight to come across a good API. It's a thing of joy to work with and the single largest contribution to both overall solution reliability and longevity.

Example of API Contract

The team worked at the Python level, calling the Nessus API for authentication, scan triggering and reporting. Since the video was made they've gone on to add report analysis; this is where the Osirium suite can escalate any report containing issues.

It's a really useful achievement: not only is it a major contribution to Corporate Security at Osirium, but it also puts our Professional Services Team right into the same mindset our customers have when facing the same cyber threats.

Privileged Task Automation - Scheduling

Tasks scheduled by Privileged Task Automation

It's interesting to note that the above profile contains no users; it's a completely autonomous operation that will continue as long as the Nessus device is present. We don't need to worry about the passwords getting stale: they'll be refreshed to be long and strong every week.
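The two pieces described above (the Python calls to the Nessus API for authentication, scan triggering and report analysis, and the user-less scheduled task that tolerates weekly password rotation) are sketched together here as an added example. It is not Osirium's template code or Tenable's, and it makes some assumptions: the Nessus REST endpoints POST /session, PUT /scans/{id}, POST /scans/{id}/launch and GET /scans/{id} are real, but the exact shape of the credentials block sent to PUT /scans/{id} is assumed; `vault_lookup` stands in for the PAM vault; `FakeNessus` and `SAMPLE_FINDINGS` are constructed so the whole thing runs offline.

```python
"""Scheduled credentialed Nessus scan driven from a PAM vault (added example)."""
import json
import time
import urllib.request
from typing import Any, Callable, Dict, List

# transport(method, path, headers, json_body) -> parsed JSON response
Transport = Callable[[str, str, Dict[str, str], Any], Dict[str, Any]]


def http_transport(base_url: str) -> Transport:
    """Real transport over urllib (not exercised offline)."""
    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return send


class NessusClient:
    def __init__(self, transport: Transport):
        self._send = transport
        self._headers: Dict[str, str] = {}

    def login(self, username: str, password: str) -> None:
        # POST /session returns {"token": ...}; Nessus expects it back as X-Cookie: token=...
        token = self._send("POST", "/session", {}, {"username": username, "password": password})["token"]
        self._headers = {"X-Cookie": f"token={token}"}

    def logout(self) -> None:
        self._send("DELETE", "/session", self._headers, None)
        self._headers = {}

    def set_ssh_credential(self, scan_id: int, username: str, password: str) -> None:
        # ASSUMPTION: payload shape of the scan editor's credentials block.
        body = {"credentials": {"add": {"Host": {"SSH": [{
            "auth_method": "password", "username": username, "password": password}]}}}}
        self._send("PUT", f"/scans/{scan_id}", self._headers, body)

    def launch(self, scan_id: int) -> str:
        return self._send("POST", f"/scans/{scan_id}/launch", self._headers, None)["scan_uuid"]

    def wait_for_completion(self, scan_id: int, poll_seconds: float = 30, max_polls: int = 240):
        for _ in range(max_polls):
            details = self._send("GET", f"/scans/{scan_id}", self._headers, None)
            if details["info"]["status"] in ("completed", "canceled", "aborted"):
                return details
            time.sleep(poll_seconds)
        raise TimeoutError(f"scan {scan_id} did not finish after {max_polls} polls")


def findings_to_escalate(details: Dict[str, Any], min_severity: int = 3) -> List[Dict[str, Any]]:
    """Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical."""
    return [v for v in details.get("vulnerabilities", []) if v.get("severity", 0) >= min_severity]


def run_scheduled_scan(transport: Transport, vault_lookup: Callable[[str], str], scan_id: int,
                       scanner_user: str, scanner_password: str, target_user: str,
                       poll_seconds: float = 30) -> Dict[str, Any]:
    """One run of the user-less task: inject the vault's *current* secret, scan, scrub, analyse."""
    client = NessusClient(transport)
    client.login(scanner_user, scanner_password)
    try:
        # Weekly rotation is invisible to this job: it asks the vault each time it runs.
        client.set_ssh_credential(scan_id, target_user, vault_lookup(target_user))
        client.launch(scan_id)
        details = client.wait_for_completion(scan_id, poll_seconds=poll_seconds)
    finally:
        # Overwrite the secret in the scan definition so Nessus keeps no usable copy.
        client.set_ssh_credential(scan_id, target_user, "ROTATED-BY-PAM")
        client.logout()
    findings = findings_to_escalate(details)
    return {"status": details["info"]["status"], "escalate": bool(findings), "findings": findings}


class FakeNessus:
    """Constructed stand-in for a Nessus server so the example runs offline."""
    def __init__(self, findings: List[Dict[str, Any]]):
        self.findings, self.calls, self.stored_credential, self.polls = findings, [], None, 0

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path))
        if (method, path) == ("POST", "/session"):
            return {"token": "constructed-token"}
        if headers.get("X-Cookie") != "token=constructed-token":
            raise PermissionError(f"unauthenticated call to {path}")
        if (method, path) == ("DELETE", "/session"):
            return {}
        if method == "PUT" and path.startswith("/scans/"):
            self.stored_credential = body["credentials"]["add"]["Host"]["SSH"][0]["password"]
            return {}
        if method == "POST" and path.endswith("/launch"):
            return {"scan_uuid": "constructed-uuid"}
        if method == "GET" and path.startswith("/scans/"):
            self.polls += 1  # first poll reports running, second completed
            done = self.polls >= 2
            return {"info": {"status": "completed" if done else "running"},
                    "vulnerabilities": self.findings if done else []}
        raise ValueError(f"unexpected call {method} {path}")


SAMPLE_FINDINGS = [  # constructed report content
    {"plugin_name": "constructed: outdated SSH server", "severity": 3, "count": 1},
    {"plugin_name": "constructed: service banner", "severity": 0, "count": 2},
]

if __name__ == "__main__":
    vault = {"root": "constructed-very-long-vault-password"}
    server = FakeNessus(SAMPLE_FINDINGS)
    print(run_scheduled_scan(server, vault.__getitem__, 42, "task-user", "task-pw", "root", 0))
```

The two properties the post lists as benefits fall out of the control flow: the task never holds a user session of its own beyond the scanner login, and the `finally` block scrubs the target secret from the scan definition whether or not the scan completed, so a stale or leaked scan definition is useless once the vault has rotated the password.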

Nessus Report resulting from scheduled scan

Benefits to Osirium

In summary:

  • Regular Automatic Vulnerability Scans
  • Nessus does not keep Privileged Credentials
  • Fully audited Privileged SSO for the Team
  • Automated Report Delivery

All this work has been made available to our customers in the latest template bundle.