HOW-TO GUIDE: Tenable for Google Cloud Platform

Introduction

This document describes how to deploy Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) for integration with Google Cloud Platform. Please email any comments and suggestions to support@tenable.com.

Organizations have been faced with the challenges of maintaining the security of traditional, on-premises datacenters for years. As many organizations begin to transition key infrastructure to cloud services such as Google Cloud Platform, the challenges for IT departments continually increase. Knowing what systems and applications are running in your environment, and who and what devices are trying to gain access, only becomes more complex in a hybrid environment. Moving infrastructure and workload to Google Cloud Platform enables business agility, lowers costs, and increases innovation, but it also introduces a new layer of security complexity. To reduce the attack surface and prevent compromise in a hybrid environment, organizations must be able to confidently answer these key questions:

- Are logs being collected for all of my assets, including those from cloud environments like Google Cloud Platform?
- Have there been any brute force login attempts or unauthorized web application scans?
- How many virtual machines are running in the cloud environment, and when are new hosts created?

So, how do organizations ensure complete visibility into their entire IT infrastructure to be able to answer those questions? Tenable secures both on-premises environments and Google Cloud Platform through the use of SecurityCenter Continuous View. SecurityCenter CV integrates with Google Cloud Platform to enable organizations to continuously monitor their cloud environment and help eliminate blind spots. As a result, organizations can employ a single technology for monitoring hybrid environments, thereby eliminating the need to purchase, deploy, and manage multiple tools.

The Log Correlation Engine™ (LCE®), a component of SecurityCenter CV, integrates with the Google Cloud Platform Publish and Subscription (Pub/Sub) service to provide the following benefits:

- A complete view of on-premises and Google Cloud Platform environments in one interface (SecurityCenter CV), saving the time and money spent purchasing, deploying, and maintaining multiple solutions
- Discovery of malicious or unauthorized activity through SecurityCenter CV alerts, resulting in a quicker time to resolution and better assurance of your security posture
- Easier achievement of compliance goals through new host discovery, which uncovers when new systems are provisioned

Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc. SecurityCenter Continuous View, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.

Integration Configuration

Google Cloud Platform Configuration

In order to access Google Cloud Platform, customers are required to create and activate an account at https://cloud.google.com. Once the Google Cloud Platform account is active, users can log into https://console.cloud.google.com to begin the integration configuration.

To enable Google Pub/Sub logging:

1. Click the “hamburger” button (three horizontal lines) in the top-left corner and select “Permissions” from the drop-down menu. Navigate to “Service accounts” and select “Create service account”.

2. In the “Create service account” window, enter a name for the service account and enable the “Furnish a new private key” option. The “JSON” key type is required and is enabled by default. Click “Create” to complete the service account setup. The service account’s public/private key pair is stored locally on the system used to create the account. It is the only copy of the key and must be stored securely.

3. Once the service account is set up, click the “hamburger” button in the top-left corner and select “API Manager”. Navigate to “Credentials” in the left-hand menu, click “Create credentials”, and select the “Service account key” option in the drop-down menu. Click the “Service account” drop-down and select the previously created service account. JSON is the required “Key type” and is enabled by default. Click “Create” to complete the credentials setup. The JSON key is downloaded automatically and will be used during the LCE Web Query Client policy configuration.

4. Click the “hamburger” button in the top-left corner and navigate to “Pub/Sub”. Click “Create topic”, enter a descriptive name for the topic, and click “Create”.

5. Once created, the new topic appears in the “Topic” list. Hover the mouse over the newly created topic and a “+ New subscription” option appears to the right of it. Click the “+ New subscription” button. Enter a descriptive name for the subscription and ensure that the “Delivery Type” is set to “Pull”; this allows the LCE Web Query Client to pull the logs from the Pub/Sub subscription. Click “Create” to create the new subscription. Tenable recommends making a note of the Subscription URI, as it will be needed for the LCE Web Query Client configuration.

6. Click the “hamburger” button in the top-left corner and navigate to “Logging”. Select “Exports” from the left-hand menu. From the “Select service” drop-down, select the service(s) you wish to log with the LCE Client; if all services are to be logged, check the “All sources” checkbox. Once the service(s) are selected, click the “+ Add item” button. Next, click the drop-down under “Publish to Pub/Sub topic” and select the previously created topic. Click “Save” to complete the configuration within Google Cloud Platform.

Tenable Log Correlation Engine Configuration

The Tenable Log Correlation Engine (LCE) version 4.8+ and LCE Web Query Client version 4.6+ are both required for integration with Google Cloud Platform. The software downloads and installation instructions for both are available on the Tenable Support Portal.

Once the LCE and LCE Web Query Client have been installed and the initial configuration has been performed, log into the LCE web console and navigate to “Clients”. The LCE Web Query Client should appear in the client list if it was configured correctly during the initial setup. If the LCE Web Query Client does not appear in the client list as shown in the screenshot below, please refer to the LCE 4.8 User Guide for troubleshooting tips.

Navigate to “Policies” and click “Add policy”. Click the “OS” drop-down and select the OS of the system the LCE Web Query Client is installed on.
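The Google Cloud Platform configuration described above (service account, JSON key, topic, pull subscription, log export), done with the gcloud CLI instead of the console, as an added example that is not part of the Tenable guide. It assumes gcloud is installed and authenticated against the target project; every project, account, topic, subscription and sink name is a placeholder. Because gcloud does not grant IAM permissions for you, the script also grants the service account subscriber rights on the subscription and the export sink's writer identity publisher rights on the topic.

```shell
#!/bin/sh
# Added example (not from the Tenable guide): the Google Cloud Platform side of
# the LCE Web Query Client integration, using gcloud instead of the console.
# Assumes gcloud is installed and authenticated. All names are placeholders.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"
SA_NAME="${SA_NAME:-lce-web-query}"
TOPIC="${TOPIC:-lce-logs}"
SUB="${SUB:-lce-logs-pull}"
SINK="${SINK:-lce-export}"
KEY_FILE="${KEY_FILE:-./${SA_NAME}-key.json}"

# Subscription URI that goes into the LCE endpoint's "Subscription" field.
subscription_uri() { printf 'projects/%s/subscriptions/%s\n' "$1" "$2"; }

# Destination string a logging export sink needs for a Pub/Sub topic.
sink_destination() { printf 'pubsub.googleapis.com/projects/%s/topics/%s\n' "$1" "$2"; }

provision() {
  sa_email="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"

  # 1. Service account plus its JSON key. The key file is the only copy of the
  #    private key, so restrict it to the owner as soon as it is written.
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT" \
      --display-name="LCE Web Query Client"
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa_email"
  chmod 600 "$KEY_FILE"

  # 2. Topic and a pull subscription (pull is gcloud's default delivery type).
  gcloud pubsub topics create "$TOPIC" --project="$PROJECT"
  gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --project="$PROJECT"

  # 3. Let this service account, and only it, pull from the subscription.
  gcloud pubsub subscriptions add-iam-policy-binding "$SUB" --project="$PROJECT" \
      --member="serviceAccount:${sa_email}" --role="roles/pubsub.subscriber"

  # 4. Export all log sources to the topic (add --log-filter to narrow them),
  #    then allow the sink's writer identity to publish to that topic.
  gcloud logging sinks create "$SINK" "$(sink_destination "$PROJECT" "$TOPIC")" \
      --project="$PROJECT"
  writer="$(gcloud logging sinks describe "$SINK" --project="$PROJECT" \
      --format='value(writerIdentity)')"
  gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$PROJECT" \
      --member="$writer" --role="roles/pubsub.publisher"

  echo "JSON key:         $KEY_FILE"
  echo "Subscription URI: $(subscription_uri "$PROJECT" "$SUB")"
}

# Provision only when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then provision; fi
```

Run the script with the single argument run; the printed key path and Subscription URI are the two values entered into the LCE Web Query endpoint configuration.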
Next, click the “Client” drop-down and select “LCE Web Query”. Click “Start Editing”.

To allow the LCE Web Query Client to interact with Google Cloud Platform, the “default_rhel_web.lcp” policy requires modification. Begin by clicking the “+” to the right of “Group” to add a new endpoint group. Enter a name in “Add a new endpoint group” and configure the “Optional parameters”. Refer to Table 1: Add a New Endpoint Group Options below for a description of each field.

Table 1: Add a New Endpoint Group Options

Endpoint Group Option     Description
Name                      Enter a descriptive name for the Google Cloud Platform endpoint.
Usage limit               The limit of calls or bytes the LCE Web Query Client can make to Google Cloud Platform. Bytes can be set to an integer followed by K (Kilobyte), M (Megabyte), or G (Gigabyte). Set to “unlimited” for no limit restriction.
Usage limit type          Groups can be limited by either “bytes” or “calls”.
Usage limit reset period  The frequency at which the usage limit resets to zero.
Usage limit start day     Defines the starting day when the time parameter is set to monthly.

Click the “+ Add Google Cloud endpoint” option to add the endpoint. Once the endpoint is added, enter an “Endpoint name” and select the “Active” checkbox. Specify the “Query interval (in seconds)” at which the LCE Web Query Client communicates with Google Cloud Platform. Enter the “JSON service account key” and “Subscription” information generated during the Google Cloud Platform configuration. Click “Save”.

Once the policy file has been modified, click “+ Save as” in the upper right-hand corner and enter a descriptive name. Click “OK”. Once the policy is saved, navigate to “Clients” and click the LCE Web Query Client. Click the “Policy” drop-down and select the previously created Google Cloud policy. Click “Update”. The LCE Web Query Client will now begin monitoring Google Cloud Platform logs.

To verify that the logs are being imported into SecurityCenter, log into your SecurityCenter instance, navigate to “Analysis”, and click “Events” from the drop-down. Click the “Type Summary” drop-down and select “Normalized Event Summary”. Click “>>” to the left of “Normalized Event Summary” to expand the “Filters” section and click “Select Filters”. Check the boxes next to the “Timeframe”, “Syslog Text”, “LCEs”, “Normalized Event”, and “Type” filters and click “Apply” to add each filter. Click the “Syslog Text” filter, type “google” in the text box, and click “OK”. Click the “Type” filter, select “unnormalized” from the list, and click “OK”. Click “Apply All” to display the Google Cloud Platform syslog events.

About Tenable Network Security

Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization. Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's customers range from Fortune Global 500 companies, to the Department of Defense, to mid-sized and small businesses in all sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.