HOW-TO GUIDE
Tenable for Google Cloud Platform
Introduction
This document describes how to deploy Tenable SecurityCenter Continuous View™ (SecurityCenter CV™) for integration
with Google Cloud Platform. Please email any comments and suggestions to support@tenable.com.
Organizations have been faced with the challenges of maintaining the security of traditional, on-premises datacenters for
years. As many organizations begin to transition key infrastructure to cloud services, such as Google Cloud Platform, the
challenges for IT departments continually increase. Knowing what systems and applications are running in your
environment, and who and what devices are trying to gain access, only becomes more complex in a hybrid environment.
Moving infrastructure and workload to Google Cloud Platform enables business agility, lowers costs, and increases
innovation, but it also introduces a new layer of security complexity. To reduce the attack surface and prevent compromise
in a hybrid environment, organizations must be able to confidently answer these key questions:

Are logs being collected for all of my assets, including those from cloud environments like Google Cloud Platform?

Have there been any brute force login attempts or unauthorized web application scans?

How many virtual machines are running in the cloud environment and when are new hosts created?
So, how do organizations ensure complete visibility into their entire IT infrastructure to be able to answer those questions?
Tenable secures both on-premises environments and Google Cloud Platform through the use of SecurityCenter Continuous
View. SecurityCenter CV integrates with Google Cloud Platform to enable organizations to continuously monitor their cloud
environment to help eliminate blind spots. As a result, organizations can employ a single technology for monitoring hybrid
environments, thereby eliminating the need to purchase, deploy, and manage multiple tools.
The Log Correlation Engine™ (LCE®), a component of SecurityCenter CV, integrates with the Google Cloud Platform
Pub/Sub (publish/subscribe) service to provide the following benefits:

Complete view of on-premises and Google Cloud Platform environments in one interface (SecurityCenter CV) saves
time and money purchasing, deploying, and maintaining multiple solutions

Discover malicious or unauthorized activity through SecurityCenter CV alerts, resulting in a quicker time to
resolution and a better assurance of your security posture

Achieve compliance goals more easily through new host discovery to uncover when new systems are provisioned
Copyright © 2016. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.
SecurityCenter Continuous View, Log Correlation Engine, and Passive Vulnerability Scanner are trademarks of Tenable Network Security, Inc. All other products or services
are trademarks of their respective owners.
Integration Configuration
Google Cloud Platform Configuration
In order to access Google Cloud Platform, customers are required to create and activate an account at
https://cloud.google.com. Once the Google Cloud Platform account is active, users can log into
https://console.cloud.google.com to begin integration configuration.
To enable Google Pub/Sub logging, begin by clicking on the “hamburger” button (three horizontal lines) in the top-left hand
corner.
Select “Permissions” from the drop-down menu.
Navigate to “Service accounts” and select “Create service account”.
In the “Create service account” window, enter a name for the service account and enable the “Furnish a new private key”
option. The “JSON” key type is the required setting and is enabled by default. Click “Create” to complete the service account
setup.
The service account’s private key is downloaded to the system used to create the account. Google does not keep a
copy, so this is the only copy of the private key and it must be stored securely.
Once the service account is set up, click the “hamburger” button in the top-left corner and select “API Manager”.
Navigate to “Credentials” in the left-hand menu, click “Create credentials”, and select the “Service account key” option in the
drop-down menu.
Click the “Service account” drop-down and select the previously created service account. JSON is the required “Key type”
and is enabled by default. Click “Create” to complete the credentials setup.
The JSON key will be automatically downloaded and will be used during the LCE Web Query Client policy
configuration.
Click the “hamburger” button in the top-left corner and navigate to “Pub/Sub”.
Click “Create topic” and enter a descriptive name for the topic. Click “Create”.
Once created, the new topic will appear in the “Topic” list. Hover the mouse over the newly created topic and a “+ New
subscription” option will appear to the right of the topic. Click the “+ New subscription” button.
Enter a descriptive name for the subscription and ensure that the “Delivery Type” is set to “Pull”. This will allow the LCE Web
Query Client to pull the logs from the Pub/Sub subscription. Click “Create” to create the new subscription.
Tenable recommends making note of the Subscription URI as it will be needed for the LCE Web Query Client
configuration.
Click the “hamburger” button on the top-left corner and navigate to “Logging”.
Select “Exports” from the left-hand menu. From the “Select service” drop-down, select the service(s) whose logs the LCE
Web Query Client should collect. If all services are to be logged, check the “All sources” checkbox.
Once the service(s) are selected, click the “+ Add item” button. Next, click the drop-down under “Publish to Pub/Sub topic”
and select the previously created topic. Click “Save” to complete the configuration within Google Cloud Platform.
Tenable Log Correlation Engine Configuration
The Tenable Log Correlation Engine (LCE) version 4.8+ and LCE Web Query Client version 4.6+ are both required for
integration with Google Cloud Platform. The software downloads and installation instructions for both are available on the
Tenable Support Portal.
Once the LCE and LCE Web Query Client have been installed and initial configurations have been performed, log into the
LCE web console and navigate to “Clients”.
The LCE Web Query Client should appear in the client list if it was configured correctly during the initial setup. If the LCE
Web Query Client does not appear in the client list as shown in the screenshot below, please refer to the LCE 4.8 User Guide
for troubleshooting tips.
Navigate to “Policies” and click “Add policy”.
Click the “OS” drop-down and select the OS of the system the LCE Web Query Client is installed on. Next, click the “Client”
drop-down and select “LCE Web Query”. Click “Start Editing”.
To allow the LCE Web Query Client to interact with Google Cloud Platform, the “default_rhel_web.lcp” policy requires
modification. Begin by clicking the “+” to the right of “Group” to add a new endpoint group.
In the “Add a new endpoint group” dialog, enter a name and configure the “Optional parameters”. Refer to Table 1: Add a
New Endpoint Group Options below for a description of each field.
Table 1: Add a New Endpoint Group Options

Name: Enter a descriptive name for the Google Cloud Platform endpoint group.

Usage limit: The maximum number of calls or bytes the LCE Web Query Client may use against Google Cloud Platform
before the limit is reached. A byte limit can be set to an integer followed by K (kilobyte), M (megabyte), or G
(gigabyte). Set to “unlimited” for no restriction.

Usage limit type: Groups can be limited by either “bytes” or “calls”.

Usage limit reset period: How often the usage counter resets to zero.

Usage limit start day: The day of the month on which the counter resets when the reset period is set to monthly.
Click the “+ Add Google Cloud endpoint” option to add the endpoint. Once the endpoint is added, enter an “Endpoint name”
and select the “Active” checkbox. Specify the “Query interval (in seconds)” at which the LCE Web Query Client polls
Google Cloud Platform. Enter the “JSON service account key” and the “Subscription” URI generated during the Google Cloud
Platform configuration. Click “Save”.
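What the LCE Web Query Client does at this endpoint is pull messages from the Pub/Sub subscription created earlier, decode the exported log entries, and stay within the endpoint group's usage limit from Table 1. The Python below is an added illustration of that loop written for this guide; it is not Tenable's client code and does not use Google's client library. It decodes a constructed Pub/Sub pull response (the shape of the REST "pull" reply, with made-up project, instance, user and ack ids), converts each LogEntry into a syslog-style line tagged "google-cloud", and enforces a bytes-or-calls budget with a reset period. The K/M/G multipliers are assumed to be binary (1024-based), which the page does not specify, and only messages that were actually processed are acknowledged, so Pub/Sub redelivers anything dropped when the budget runs out.

```python
import base64
import json
import time

# Multipliers for the K/M/G suffixes accepted by the "Usage limit" field in
# Table 1. Assumption for this example: binary multiples; the page does not
# say which base the LCE Web Query Client uses.
_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_limit(text):
    """Convert a Table 1 style limit ("unlimited", "500", "10M") to an int, or None for no limit."""
    text = text.strip()
    if text.lower() == "unlimited":
        return None
    if text[-1].upper() in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1].upper()]
    return int(text)


class UsageLimit:
    """Per-endpoint-group budget, counted in bytes or calls, that resets every reset_period seconds."""

    def __init__(self, limit, limit_type, reset_period, clock=time.monotonic):
        if limit_type not in ("bytes", "calls"):
            raise ValueError("limit type must be 'bytes' or 'calls'")
        self.limit = parse_limit(limit)
        self.limit_type = limit_type
        self.reset_period = reset_period
        self.clock = clock  # injectable so the reset can be exercised without waiting
        self.used = 0
        self.window_start = clock()

    def charge(self, nbytes):
        """Record one call of nbytes if it fits in the current window; return False if it would exceed the limit."""
        now = self.clock()
        if now - self.window_start >= self.reset_period:
            self.used, self.window_start = 0, now
        cost = nbytes if self.limit_type == "bytes" else 1
        if self.limit is not None and self.used + cost > self.limit:
            return False
        self.used += cost
        return True


def log_entry_to_syslog(entry):
    """Flatten a Cloud Logging LogEntry into one syslog-style line tagged "google-cloud"."""
    payload = entry.get("jsonPayload") or entry.get("protoPayload") or entry.get("textPayload") or {}
    if not isinstance(payload, str):
        payload = json.dumps(payload, sort_keys=True)
    return "{} google-cloud {} {}: {}".format(
        entry.get("timestamp", "-"), entry.get("severity", "DEFAULT"),
        entry.get("logName", "-"), payload)


def process_pull_response(response, budget):
    """Decode each received message and charge it against the budget.

    Returns (syslog_lines, ack_ids). A message that does not fit the budget is
    neither converted nor acked, and processing stops there, so Pub/Sub
    redelivers it (and everything after it) once the ack deadline passes.
    """
    lines, ack_ids = [], []
    for received in response.get("receivedMessages", []):
        raw = base64.b64decode(received["message"]["data"])
        if not budget.charge(len(raw)):
            break
        lines.append(log_entry_to_syslog(json.loads(raw)))
        ack_ids.append(received["ackId"])
    return lines, ack_ids


def _encode(entry):
    """Base64-encode a LogEntry the way Pub/Sub carries message data."""
    return base64.b64encode(json.dumps(entry).encode()).decode()


# Constructed sample: the shape of a Pub/Sub REST "pull" reply after a Logging
# export sink has published two LogEntry records. Project, instance, user and
# ack ids are made-up values for this example.
SAMPLE_RESPONSE = {
    "receivedMessages": [
        {"ackId": "ack-1", "message": {"messageId": "1", "data": _encode({
            "logName": "projects/example-project/logs/compute.googleapis.com%2Factivity_log",
            "timestamp": "2016-05-10T14:23:01.123Z",
            "severity": "INFO",
            "resource": {"type": "gce_instance", "labels": {"instance_id": "1234567890"}},
            "jsonPayload": {"event_type": "GCE_OPERATION_DONE",
                            "actor": {"user": "admin@example.com"}},
        })}},
        {"ackId": "ack-2", "message": {"messageId": "2", "data": _encode({
            "logName": "projects/example-project/logs/syslog",
            "timestamp": "2016-05-10T14:23:05.000Z",
            "severity": "WARNING",
            "resource": {"type": "gce_instance", "labels": {"instance_id": "1234567890"}},
            "textPayload": "sshd[2201]: Failed password for invalid user test from 203.0.113.9",
        })}},
    ]
}

if __name__ == "__main__":
    budget = UsageLimit("10M", "bytes", reset_period=3600)
    lines, acks = process_pull_response(SAMPLE_RESPONSE, budget)
    for line in lines:
        print(line)
    print("acknowledge:", acks)
```

Two points carry over to the real client. First, a pull-type subscription only needs the service account to hold the Pub/Sub Subscriber role on that subscription, so the key pasted into the LCE policy should be for an account with that role and nothing broader; the page does not cover role assignment, so check it first if no events appear in SecurityCenter. Second, the "google-cloud" tag in each line is what makes the “Syslog Text” filter of “google” in the verification steps later in this guide match.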
Once the policy file has been modified, click “+ Save as” in the upper right-hand corner and enter a descriptive name. Click
“OK”.
Once the policy is saved, navigate to “Clients” and click the LCE Web Query Client.
Click the “Policy” drop-down and select the previously created Google Cloud policy. Click “Update”.
The LCE Web Query Client will now begin monitoring Google Cloud Platform logs. To verify the logs are being imported into
SecurityCenter, log into your SecurityCenter instance, navigate to “Analysis”, and click “Events” from the drop-down.
Click the “Type Summary” drop-down and select “Normalized Event Summary”.
Click “>>” to the left of “Normalized Event Summary” to expand the “Filters” section and click “Select Filters”.
Check the boxes next to the “Timeframe”, “Syslog Text”, “LCEs”, “Normalized Event”, and “Type” filters and click “Apply” to
add each filter.
Click the “Syslog Text” filter, type “google” in the text box, and click “OK”. Click the “Type” filter, select “unnormalized” from
the list, and click “OK”. Click “Apply All” to display the Google Cloud Platform syslog events.
About Tenable Network Security
Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive
solutions that provide continuous visibility and critical context, enabling decisive actions to protect your organization.
Tenable eliminates blind spots, prioritizes threats, and reduces exposure and loss. With more than one million users and
more than 20,000 enterprise customers worldwide, organizations trust Tenable for proven security innovation. Tenable's
customers range from Fortune Global 500 companies, to the Department of Defense, to mid-sized and small businesses in all
sectors, including finance, government, healthcare, higher education, retail, and energy. Transform security with Tenable, the
creators of Nessus and leaders in continuous monitoring, by visiting tenable.com.