Tenable One + Tenable Identity Exposure Presentation

The document discusses Tenable One's Cyber Exposure Management, emphasizing the importance of a Continuous Threat Exposure Management (CTEM) program to reduce breach likelihood. It outlines various attack lifecycle stages, entry points for cyber exposures, and the need for comprehensive protection across IT, cloud, and operational technology environments. Additionally, it highlights the capabilities of Tenable's products in vulnerability management and exposure analytics to enhance organizational security.

Tenable One - Cyber Exposure Management
Novan Tambunan, Presales Engineer
"By 2026, organizations prioritizing their security investments based on a continuous exposure management programme will be three times less likely to suffer from a breach."

— Implement a Continuous Threat Exposure Management (CTEM) Programme, Gartner, July 2022.
https://www.tenable.com/analyst-research/2022-gartner-exposure-management-report
Attack Lifecycle: Need Protection Across the Entire Attack Lifecycle

Proactive (threats with risks): Attack Planning -> Attack Launched
Reactive (attacks): Attack Spreads -> You Are Hit -> Attack Objective Met -> Attack Complete
Goal: Block/Stop Breach. 2 Steps Ahead: Proactive Cyber Exposure Platform.

"Failed to Prepare, Prepare to be Failed"
"We cannot Protect What we Don't Know"
CYBER EXPOSURES TODAY ARE SILOED ACROSS MULTIPLE ENTRY POINTS
(Identity, Cloud, IT, Web App, OT)

Type of flaws            | Examples                                                  | Entry point
Traditional IT findings  | CVEs, baseline drift, misconfigs, zero-days               | On-prem & remote IT assets
"Unknown unknowns"       | Old URLs, fraud domains, shadow IT, forgotten assets      | Internet-facing assets
OWASP Top 10             | CWEs, SQL injection, XSS, misconfigs                      | Web apps / APIs
Cloud misconfigs         | Improper rights, CSPM, boundary definitions               | Public cloud
OT vulns                 | Device settings, IT systems, unexpected firmware version  | Industrial infrastructure (OT)
AD flaws                 | DC Shadow, Golden Ticket, privilege escalation            | Identity
UNIFIED EXPOSURE MANAGEMENT PLATFORM FOR THE MODERN ATTACK SURFACE

Three attributes make the modern attack surface more difficult than ever to defend: it is rapidly growing, highly dynamic and increasingly interconnected.

To address the evolving attack surface, Tenable has built out a range of products to adaptively assess every asset type and technology, and a broad suite of capabilities, powered by market-leading sensors and data science research, to predict and prioritize the exposures that matter.

Attack surface assessment modules, by asset class:
- Internet: External Attack Surface Mapping
- Web apps: Dynamic Web App Assessment
- Cloud: Agentless Cloud Assessment, Multi-Cloud Assessment, IaC Policy, cloud-hosted scanners
- IT: Nessus local scanners, Nessus endpoint agents
- Active Directory: Agentless Active Directory Auditing

Platform services: Research, Data Lake, VPR, ACR
VPR: VULNERABILITY PRIORITY RATING
Leverages supervised machine learning algorithms to calculate the priority of a vulnerability based on the real threat posed.
Key drivers include: Threat Recency, Threat Intensity, Exploitability, Vulnerability Age, Threat Sources.
EXPOSURE MANAGEMENT PLATFORM
- Exposure View: aggregated cyber risk insights
- Attack Path Analysis: breach & attack mitigation
- Asset Inventory: centralized view of assets
Exposure Analytics: data aggregation, risk prioritization & recommendations, benchmarking
Underlying products: Vulnerability Management, External Attack Surface Management, Web App Security, Cloud Security, Identity Security
Example Tenable.sc+ Deployment – Tenable.io Cloud Scanners
Diagram: Tenable.io (cloud) provides cloud scanners and remote agent management for the remote workforce. The on-prem cloud infrastructure is split into Region 1, Region 2 and Region 3 (VMware ESXi clusters), each with an active scanner (SCAN); a scan management/tools cage hosts the passive sensor (SNIFF) and runs the sweep scan.
Full Coverage Tenable Deployment
Diagram: Tenable.io cloud (scanners / agent management) and Nessus Agents on endpoints; Tenable.sc VM on-prem as the management console; per region (Region 1 including SCADA/POS, Region 2 and Region 3 on VMware ESXi) a network vulnerability sensor (SCAN), a passive sensor (SNIFF) and log collection (LOG) feeding Splunk in the SOC.
Credentialed/Agent Scans vs. Non-Credentialed
- Non-credentialed network scan: external details and externally viewable vulnerabilities only
- Credentialed/agent scan: internal details and hidden vulnerabilities
Credentialed vs. non-credentialed scan results (sample comparison shown on the slide)
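The VPR slide above and the credentialed-versus-non-credentialed comparison can both be exercised on a Nessus export. The following Python is an added example written for this page, not Tenable code: it parses the NessusClientData_v2 (.nessus) format, reads the real plugin 19506 "Nessus Scan Information" output to tell whether credentials worked, ranks findings by the exported vpr_score (falling back to CVSS when none was exported; VPR itself is Tenable's score and is only consumed here, never recomputed), and lists the plugins that appear only once local checks ran. The host 10.0.0.5, the 9000xx plugin IDs and names, and the CVE-2099-* identifiers are constructed sample data.

```python
"""Parse a Nessus .nessus (NessusClientData_v2) export, rank findings by VPR and
compare credentialed vs. non-credentialed coverage of the same host.
Added example for this page; the sample scan data below is constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    plugin_id: str
    name: str
    severity: int            # Nessus severity 0 (info) .. 4 (critical)
    cvss: float              # <cvss_base_score>, 0.0 when absent
    vpr: Optional[float]     # <vpr_score>, None when Nessus exported none
    exploit_available: bool  # <exploit_available>true|false</exploit_available>
    cves: List[str] = field(default_factory=list)


# ---- constructed sample export (not a real scan) --------------------------
# Plugin 19506 "Nessus Scan Information" is real: its output states whether
# credentialed checks ran. Plugin IDs 9000xx, their names and the CVE-2099-*
# identifiers are placeholders invented for this example.
def _item(pid, name, sev, cvss, vpr, exploit, cves=(), output=""):
    vpr_xml = f"<vpr_score>{vpr}</vpr_score>" if vpr is not None else ""
    cve_xml = "".join(f"<cve>{c}</cve>" for c in cves)
    return (f'<ReportItem port="0" svc_name="general" protocol="tcp" severity="{sev}" '
            f'pluginID="{pid}" pluginName="{name}" pluginFamily="Constructed">'
            f"<plugin_output>{output}</plugin_output>"
            f"<cvss_base_score>{cvss}</cvss_base_score>"
            f"<exploit_available>{str(exploit).lower()}</exploit_available>"
            f"{vpr_xml}{cve_xml}</ReportItem>")


def _export(host, items):
    return ('<?xml version="1.0"?><NessusClientData_v2><Report name="demo">'
            f'<ReportHost name="{host}">{"".join(items)}</ReportHost>'
            "</Report></NessusClientData_v2>")


HOST = "10.0.0.5"
UNCRED_XML = _export(HOST, [
    _item("19506", "Nessus Scan Information", 0, 0.0, None, False,
          output="Credentialed checks : no"),
    _item("900001", "TLS certificate cannot be trusted", 2, 6.4, 3.2, False),
    _item("900002", "Outdated web server banner", 3, 7.5, 8.9, True, ["CVE-2099-0001"]),
])
CRED_XML = _export(HOST, [
    _item("19506", "Nessus Scan Information", 0, 0.0, None, False,
          output="Credentialed checks : yes"),
    _item("900001", "TLS certificate cannot be trusted", 2, 6.4, 3.2, False),
    _item("900002", "Outdated web server banner", 3, 7.5, 8.9, True, ["CVE-2099-0001"]),
    # Only visible with local checks: a missing OS patch (high CVSS, low VPR)
    # and a driver LPE (lower CVSS, high VPR because it is actively exploited).
    _item("900003", "Missing OS security update", 4, 9.8, 4.0, False, ["CVE-2099-0002"]),
    _item("900004", "Local privilege escalation in installed driver", 4, 7.8, 9.1, True,
          ["CVE-2099-0003"]),
])


def parse_nessus(xml_text: str) -> Dict[str, Tuple[bool, List[Finding]]]:
    """Return {host_name: (credentialed_checks_ran, findings)}."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for rh in root.iter("ReportHost"):
        credentialed, findings = False, []
        for ri in rh.findall("ReportItem"):
            pid = ri.get("pluginID", "")
            if pid == "19506":  # scan metadata, not a finding
                credentialed = "Credentialed checks : yes" in (ri.findtext("plugin_output") or "")
                continue
            vpr_txt = ri.findtext("vpr_score")
            findings.append(Finding(
                plugin_id=pid,
                name=ri.get("pluginName", ""),
                severity=int(ri.get("severity", "0")),
                cvss=float(ri.findtext("cvss_base_score") or 0.0),
                vpr=float(vpr_txt) if vpr_txt else None,
                exploit_available=(ri.findtext("exploit_available") or "false").lower() == "true",
                cves=[c.text or "" for c in ri.findall("cve")],
            ))
        hosts[rh.get("name", "")] = (credentialed, findings)
    return hosts


def by_cvss(findings: List[Finding]) -> List[Finding]:
    """Naive remediation order: highest CVSS base score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def by_vpr(findings: List[Finding]) -> List[Finding]:
    """Threat-aware order: VPR first (CVSS when VPR is absent), then exploit
    availability, then CVSS as the final tie-breaker."""
    return sorted(findings,
                  key=lambda f: (f.vpr if f.vpr is not None else f.cvss,
                                 f.exploit_available, f.cvss),
                  reverse=True)


def credentialed_only(uncred_xml: str, cred_xml: str, host: str) -> Tuple[bool, List[Finding]]:
    """Findings that only surfaced once local checks could run on `host`."""
    _, uncred = parse_nessus(uncred_xml)[host]
    cred_flag, cred = parse_nessus(cred_xml)[host]
    seen = {f.plugin_id for f in uncred}
    return cred_flag, [f for f in cred if f.plugin_id not in seen]


if __name__ == "__main__":
    flag, hidden = credentialed_only(UNCRED_XML, CRED_XML, HOST)
    print(f"credentialed checks ran: {flag}; missed by the uncredentialed scan: "
          f"{[f.plugin_id for f in hidden]}")
    for f in by_vpr(parse_nessus(CRED_XML)[HOST][1]):
        print(f"{f.plugin_id} vpr={f.vpr} cvss={f.cvss} exploit={f.exploit_available} {f.name}")
```

Run against a real export, replace the two constructed strings with `open(path).read()`; the point of the sample is that the CVSS-only order puts the unexploited 9.8 first, while the VPR order puts the actively exploited 7.8 driver bug first, and that both local findings are invisible to the uncredentialed scan.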
Sample System Requirements for 1,000 – 5,000 Asset Nodes

Module | Function | CPU cores | Memory | Network card | Disk space

Management console (2 options):
Tenable.io Management Console (cloud based) | Management console | cloud, no hardware required
Tenable.sc On-Premise Management Console (hardware required) | Management console | 8 x 3 GHz cores | 16 GB RAM | 1 Gbps x 2 NICs recommended | 2 TB for 180 days of vulnerability trending

Network scanner:
Tenable Nessus VM Internal Scanner (internal asset) | Network & asset scanner, per 1,000 assets/scan | 8 x 2 GHz cores | 16 GB RAM | 1 Gbps x 2 NICs recommended | minimum 100 GB
Tenable Nessus VM Scanner, cloud based (external asset) | Network & asset scanner | cloud, no hardware required

Portable scanner:
Tenable Nessus VM Scanner (internal asset) | Network & asset scanner, per 1,000 assets/scan | 8 x 2 GHz cores | 16 GB RAM | 1 Gbps x 1 NIC recommended | minimum 100 GB

Web application scanner:
Tenable Nessus WAS Internal Scanner (internal domain) | Internal web application scanner | 8 x 2 GHz cores | 16 GB RAM | 1 Gbps x 2 NICs recommended | minimum 100 GB
Tenable Nessus WAS Scanner, cloud based (external domain) | External-facing web application scanner | cloud, no hardware required
BER MSSP provides Layered Security (the five NIST CSF functions)

IDENTIFY  | PROTECT            | DETECT          | RESPOND         | RECOVER
VulScan   | NGFW               | SOC (inc UEBA)  | SOC (inc SOAR)  | Backup Vault
PenTest   | WAF                | SOC + NetMon    | SOC + NetMon    |
Patching  | SASE               | SOC + FIM       | SOC + FIM       |
          | EdgeProtect        | NDR             | SQURA, NDR      |
          | AntiDDoS (add on)  |                 |                 |

Use Case Sample

Asset vulnerability (VulScan by XXX) | Next-gen firewall (NGFW) | SIEM, SOAR, UEBA, FIM, NetMon (SOC)
Identify threats: know the attack surface; automated scanning; remediation advice; MSSP support
Protect assets: ML-powered & CDSS; deeper visibility; security lifecycle review; MSSP support
Detect & respond to incidents

Use cases: Website, Insider Threat, Sensitive Data, eMail, ICS & SCADA
Data classes: corporate information, personal data (PDP), assets
Additional controls: Patch Management (FixPatch), ZTNA / SASE, Automated PenTest (XXX PenTest), Endpoint Security (EDR), NDR

Introducing Tenable.ad
Active Directory holds the keys to everything
(e-mail, corporate data, users & credentials, applications, cloud resources)
- Governs authentication, holds all passwords
- Manages access rights to every vital asset
- Manages how servers and users interact
- A complex, evolving architecture that becomes unmanageable over time
- Accumulates technical debt
Security analysis: identify missing security checks

The mother of all cyber-risks: the two methods to attack a system

For the attacker there are only two technical ways to attack a system (firewall, application, server, workstation, printer, etc.): use an unpatched vulnerability or use a misconfiguration.

In the ransomware context, this means systematically exploiting unpatched CVEs on Windows systems and on remote access gateways to achieve the initial infection, and then exploiting AD misconfigurations to perform lateral movement and privilege escalation along discovered attack paths.
Active Directory Security Coverage
Enhances your team's understanding of AD security with contextual information on the deviances, covering:
- User objects (identity)
- Configuration & AD schema
- Group Policy objects and configurations
- Other objects (computers, services, trusts)
Tenable AD Deployment Options

Example Tenable.ad On-Prem Deployment
Diagram: inside the customer data center, a Security Tools vLAN hosts the Tenable.ad Web Portal, the Directory Listener (DL), the Security Engine (SE) and the Storage Manager (SM). The Directory Listener connects to the primary DC of Domain A and the primary DC of Domain B in AD Forest 1. Legend/key: connectivity list & details; on-premises network flows.
System Requirements for On-Prem Tenable AD – PoC purpose (small size)

Component                        | CPU                        | Memory | Disk   | OS
Tenable AD Directory Listener    | 4 cores, at least 2.6 GHz  | 16 GB  | 30 GB  | Windows Server 2016 / 2019 / 2022
Tenable AD Security Engine nodes | 4 cores, at least 2.6 GHz  | 16 GB  | 250 GB | Windows Server 2016 / 2019 / 2022
Tenable AD Storage Manager       | 4 cores, at least 2.6 GHz  | 16 GB  | 500 GB | Windows Server 2016 / 2019 / 2022
Each component is installed from the Tenable AD software installer (download link).
Tenable.ad Secure Relay (Cloud Management Console)
Diagram: only the Directory Listener (DL) stays in the customer data center, connected to the primary DCs of Domains A, B, C and D in AD Forest 1. The Tenable.ad Web Portal, Security Engine (SE) and Storage Manager (SM) run as Tenable-managed containers in a Tenable Azure tenant; the Directory Listener reaches them over a TLS 1.2 connection on TCP/443. Legend/key as on the on-prem diagram.
BEHIND ALMOST EVERY BREACH HEADLINE IS AN INSECURE ACTIVE DIRECTORY

There is more beneath the surface
Known problems (above the waterline): 1 Active Directory; 2 Compliance audits; 3 Patching new CVEs / patching vulnerabilities
Unknown problems (below the waterline): 4 Configuration vulnerabilities; 5 Modern / stealthy attacks; 6 Dangerous relationships; 7 Unintended Active Directory misconfigurations; 8 Configuration weaknesses; 9 Lateral movement / privilege escalation pathways; 10 Poor administrative practices; 11 Post-exploitation back doors / persistence
Real-time, Automated, and Continuous AD Alert
EDR/AV are not enough:
First: on average, only 26% of major incidents were identified by corporate detection tools.
Second: there are many techniques to bypass EDR/AV and evade detection.
Third: EDR/AV cannot cover all entry points used by attackers or ransomware (firewalls, routers, printers, etc.).
DISRUPT ATTACK PATHS

Initial Foothold: via phishing or a vulnerability
Explore: gain situational awareness and identify systems of interest
Elevate: elevate privileges on the Active Directory domain
Evade: hide forensic footprints and live off the land to mask activity
Establish: install code for permanence
Exfiltrate: extract data and hold the target to ransom

Know the misconfigurations and vulnerabilities used to elevate permissions within Active Directory. Identify indicators of privilege escalation and lateral movement.
SECURE YOUR ACTIVE DIRECTORY AND DISRUPT ATTACK PATHS

1. Find and fix your existing weaknesses
   - Immediately discover, map, and score existing weaknesses
   - Follow step-by-step remediation tactics and prevent attacks
2. Uncover new attack paths
   - Continuously identify new vulnerabilities and misconfigurations
   - Break attack pathways and keep your threat exposure in check
3. Detect ongoing attacks in real time
   - Get alerts and actionable remediation plans on AD attacks
   - Enrich your SIEM with ongoing attack information
4. Investigate incidents and hunt for threats
   - Search and correlate AD changes at object and attribute levels
   - Trigger response playbooks in your SOAR
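Steps 3 and 4 above, real-time alerting and correlating AD changes at object and attribute level, can be sketched over an attribute-level change feed. The Python below is an added example written for this page, not Tenable.ad's detection logic: it classifies individual changes that matter for the attack stages the deck lists (a member added to a Tier-0 group, sIDHistory written, replication rights granted on the domain head, adminCount set), then correlates hits per actor inside a time window so that a burst of sensitive changes by one account is raised as a chain rather than as isolated events. The domain corp.example, the object and actor names, the "ALLOW;SID;GUID" ACE string encoding and the timestamps are constructed; the two DS-Replication-Get-Changes extended-right GUIDs are the real values.

```python
"""Classify and correlate sensitive Active Directory changes from an
attribute-level change feed. Added example for this page; the domain, objects,
actors, ACE string format and timestamps below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DOMAIN = "DC=corp,DC=example"  # assumed lab domain
TIER0_GROUPS = {
    f"CN=Domain Admins,CN=Users,{DOMAIN}",
    f"CN=Enterprise Admins,CN=Users,{DOMAIN}",
    f"CN=Schema Admins,CN=Users,{DOMAIN}",
    f"CN=Administrators,CN=Builtin,{DOMAIN}",
}
# Real extended-right GUIDs; holding both on the domain head allows DCSync.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}


def _rdn(dn: str) -> str:
    return dn.split(",")[0]


def classify(ch: Dict) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one change record, or None if benign."""
    obj, attr, old, new = ch["object"], ch["attribute"], ch["old"], ch["new"]
    if attr == "member" and obj in TIER0_GROUPS:
        added = sorted(set(new) - set(old))
        if added:
            return "critical", f"{[_rdn(m) for m in added]} added to {_rdn(obj)}"
    if attr == "sIDHistory" and new:
        return "critical", f"sIDHistory {new} written on {_rdn(obj)}"
    if attr == "nTSecurityDescriptor" and obj == DOMAIN:
        # ACEs are modelled as "ALLOW;<trustee SID>;<object GUID>" strings.
        new_aces = [a for a in new if a not in old]
        granted = {g for a in new_aces for g in REPL_RIGHTS if g in a}
        if granted:
            names = ", ".join(REPL_RIGHTS[g] for g in sorted(granted))
            return "critical", f"replication rights granted on domain head: {names}"
    if attr == "adminCount" and new == "1":
        return "medium", f"adminCount=1 on {_rdn(obj)} (now under AdminSDHolder)"
    return None


def correlate(changes: List[Dict], window: timedelta = timedelta(minutes=10)):
    """Classify every change, then group hits per actor: two or more sensitive
    changes by one actor inside `window` become a 'chain' alert."""
    hits = []
    for ch in sorted(changes, key=lambda c: c["ts"]):
        verdict = classify(ch)
        if verdict:
            hits.append({"ts": ch["ts"], "actor": ch["actor"],
                         "severity": verdict[0], "reason": verdict[1]})
    by_actor: Dict[str, List[Dict]] = defaultdict(list)
    for h in hits:
        by_actor[h["actor"]].append(h)
    chains = []
    for actor, hs in by_actor.items():
        for i, first in enumerate(hs):
            run = [h for h in hs[i:] if h["ts"] - first["ts"] <= window]
            if len(run) >= 2:
                chains.append({"actor": actor, "start": first["ts"], "count": len(run),
                               "reasons": [h["reason"] for h in run]})
                break  # one chain per actor is enough for the alert
    return hits, chains


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2024-05-01T{hhmm}:00")


DA = f"CN=Domain Admins,CN=Users,{DOMAIN}"
JDOE = f"CN=jdoe,OU=Staff,{DOMAIN}"
GUID_GC, GUID_GCA = sorted(REPL_RIGHTS)  # ...f6aa, ...f6ad
SAMPLE_CHANGES = [  # constructed feed; the attacker operates as svc_backup
    {"ts": _t("09:00"), "actor": "CORP\\svc_backup", "object": DA, "attribute": "member",
     "old": [], "new": [JDOE]},
    {"ts": _t("09:03"), "actor": "CORP\\svc_backup", "object": DOMAIN,
     "attribute": "nTSecurityDescriptor",
     "old": [f"ALLOW;S-1-5-21-1-1-1-512;{GUID_GC}", f"ALLOW;S-1-5-21-1-1-1-512;{GUID_GCA}"],
     "new": [f"ALLOW;S-1-5-21-1-1-1-512;{GUID_GC}", f"ALLOW;S-1-5-21-1-1-1-512;{GUID_GCA}",
             f"ALLOW;S-1-5-21-1-1-1-1105;{GUID_GC}", f"ALLOW;S-1-5-21-1-1-1-1105;{GUID_GCA}"]},
    {"ts": _t("09:04"), "actor": "CORP\\helpdesk1", "object": f"CN=Helpdesk,OU=Groups,{DOMAIN}",
     "attribute": "member", "old": [], "new": [f"CN=newhire,OU=Staff,{DOMAIN}"]},
    {"ts": _t("09:05"), "actor": "CORP\\svc_backup", "object": JDOE, "attribute": "sIDHistory",
     "old": [], "new": ["S-1-5-21-1-1-1-512"]},
    {"ts": _t("10:30"), "actor": "CORP\\ad_admin", "object": f"CN=ops_lead,OU=Staff,{DOMAIN}",
     "attribute": "adminCount", "old": "0", "new": "1"},
]

if __name__ == "__main__":
    hits, chains = correlate(SAMPLE_CHANGES)
    for h in hits:
        print(h["ts"].time(), h["severity"].upper(), h["actor"], h["reason"])
    for c in chains:
        print(f"CHAIN {c['actor']}: {c['count']} sensitive changes within 10 min "
              f"from {c['start'].time()}")
```

The helpdesk membership change produces no hit and the lone adminCount change stays a single medium event; only svc_backup, which adds a user to Domain Admins, grants itself DCSync rights and injects a Domain Admins SID into sIDHistory within five minutes, is escalated to a chain. In a real pipeline each hit and chain would be forwarded to the SIEM and the chain would be the trigger for a SOAR playbook.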
Tenable Product Portfolio At-A-Glance

Tenable One platform: Exposure View, Attack Path Analysis, Asset Inventory; minimum 300 assets.
Product columns (left to right): Vulnerability Assessment, Risk-Based Vulnerability Management, Cloud Security, Identity.

Licensing minimum (left to right): unlimited IPs (scan); minimum 500 IPs (scan); unlimited IPs; minimum 100 assets; minimum 65 assets; minimum 65 assets; minimum 300 cloud resource workloads; minimum 300 users
Deployment (left to right): on-prem or cloud; on-prem; on-prem; on-prem; on-prem; cloud; cloud; cloud
Asset coverage (left to right): traditional IT assets; traditional IT assets; traditional IT assets; traditional IT and OT assets; traditional IT and modern IT assets; attack surface management (ASM); cloud security / infrastructure as code (IaC); traditional IT and modern IT assets; Active Directory
Notes (left to right):
- No API; mostly used by pen testers; best used in a single site up to 50 assets
- EASM includes 5 domains and unlimited sub-domains
- Bundled with Tenable.sc to see IT & OT assets; can come as Tenable.sc+ including passive scanner & ACR
- Strong preference of government customers
- Can add modules for Web Application Security and PCI ASV
- Provides Asset Criticality Rating & benchmarking capabilities
- Security from build time to run time; infrastructure as code; remediation of code
- Finds vulnerabilities; detects attacks in real time; hunts for threats; investigates incidents

EASM: available in Tenable ONE, Tenable.io and Tenable.sc; continuous discovery, inventorying and monitoring of internet-facing assets on a bi-weekly or daily basis; minimum 65 observable objects.
2 Minutes Demo: Demo Samples; Demo Tenable OT
Demo Samples – Attack Path Analysis
- Blast Radius helps to evaluate lateral movements in the Active Directory from a potentially exposed asset.
- Attack Path helps you anticipate the privilege escalation technique that an attacker will use to reach a business asset from a specific entry point, and communicate it to management.
- Asset Exposure measures the security exposure of an asset and tackles all the escalation paths to this asset.
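The three views on this slide (blast radius, attack path, asset exposure) are all reachability questions on a graph of control relationships. The Python below is an added example written for this page, not Tenable's implementation: it builds a small constructed AD control graph (group membership, local admin rights, cached logon sessions and one over-permissive GenericAll ACE on a privileged group) and answers the three questions with graph search: the shortest and all simple attack paths from an entry point to a business asset, the blast radius reachable from a compromised asset, and the set of principals from which a target can be reached (its exposure). Every node name and edge is constructed.

```python
"""Attack path, blast radius and asset exposure over a constructed AD control
graph. Added example for this page; every node and edge below is made up."""
from collections import deque
from typing import Dict, List, Set, Tuple

# Edge semantics: src -> dst means "controlling src lets you control dst".
#   MemberOf   : principal -> group     (the group's rights apply to the member)
#   AdminTo    : group/user -> computer (local admin; can dump cached credentials)
#   HasSession : computer -> user       (user logged on; credentials in LSASS)
#   GenericAll : principal -> object    (full-control ACE, e.g. add self to group)
Edge = Tuple[str, str, str]  # (src, relation, dst)

EDGES: List[Edge] = [
    ("jdoe", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("Helpdesk", "AdminTo", "PRINTER01"),          # dead end: nothing beyond it
    ("WS01", "HasSession", "alice"),               # alice's creds cached on WS01
    ("alice", "MemberOf", "IT Admins"),
    ("IT Admins", "AdminTo", "SRV-FILE01"),
    ("SRV-FILE01", "HasSession", "bob"),
    ("bob", "MemberOf", "Domain Admins"),
    ("IT Admins", "GenericAll", "Domain Admins"),  # misconfiguration: a shortcut
    ("Domain Admins", "AdminTo", "DC01"),
]
Graph = Dict[str, List[Tuple[str, str]]]  # node -> [(relation, neighbour)]


def build(edges: List[Edge], reverse: bool = False) -> Graph:
    """Adjacency list; reverse=True flips every edge (who can reach me?)."""
    g: Graph = {}
    for src, rel, dst in edges:
        a, b = (dst, src) if reverse else (src, dst)
        g.setdefault(a, []).append((rel, b))
        g.setdefault(b, [])
    return g


def shortest_path(g: Graph, src: str, dst: str) -> List[Tuple[str, str]]:
    """BFS; returns [(node, relation used to reach it)], empty if unreachable."""
    parent: Dict[str, Tuple[str, str]] = {src: ("", "")}
    q = deque([src])
    while q:
        n = q.popleft()
        if n == dst:
            path = []
            while n != src:
                prev, rel = parent[n]
                path.append((n, rel))
                n = prev
            return list(reversed(path))
        for rel, m in g.get(n, []):
            if m not in parent:
                parent[m] = (n, rel)
                q.append(m)
    return []


def all_paths(g: Graph, src: str, dst: str, max_hops: int = 8) -> List[List[str]]:
    """Every simple path of at most max_hops edges, shortest first."""
    out, stack = [], [(src, [src])]
    while stack:
        n, path = stack.pop()
        if n == dst:
            out.append(path)
            continue
        if len(path) - 1 >= max_hops:
            continue
        for _, m in g.get(n, []):
            if m not in path:
                stack.append((m, path + [m]))
    return sorted(out, key=len)


def reachable(g: Graph, start: str) -> Set[str]:
    seen: Set[str] = set()
    q = deque([start])
    while q:
        n = q.popleft()
        for _, m in g.get(n, []):
            if m not in seen:
                seen.add(m)
                q.append(m)
    seen.discard(start)
    return seen


def blast_radius(edges: List[Edge], asset: str) -> Set[str]:
    """Everything an attacker who controls `asset` can move on to."""
    return reachable(build(edges), asset)


def asset_exposure(edges: List[Edge], target: str) -> Set[str]:
    """Every principal or computer from which `target` can be reached."""
    return reachable(build(edges, reverse=True), target)


if __name__ == "__main__":
    g = build(EDGES)
    print("shortest WS01 -> DC01:", shortest_path(g, "WS01", "DC01"))
    print("all paths WS01 -> DC01:", all_paths(g, "WS01", "DC01"))
    print("blast radius of SRV-FILE01:", blast_radius(EDGES, "SRV-FILE01"))
    print("exposure of DC01:", asset_exposure(EDGES, "DC01"))
```

On this graph the shortest path from the phished workstation WS01 to DC01 is four hops and runs through the GenericAll misconfiguration; removing that single ACE leaves only the six-hop path through the file server's cached session, which is the kind of "break the pathway" fix step 2 of the previous slide refers to. PRINTER01 appears in the helpdesk blast radius but not in DC01's exposure, because nothing beyond it is controllable.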
Demo Samples – Lumin: Cyber Risk Assessment

Steps:
1. Asset discovery automation
2. Conduct the risk assessment
3. Prepare the remediation plan
4. Automate & integrate
5. Prepare a "secure by design" plan

Benefits:
1. Eliminate the manual process for asset discovery
2. Always steps ahead before a breach happens
3. A well-prepared mitigation plan ("reduce MTTR")
4. A continuous risk management plan
5. Technology readiness for business transformation
BENEFITS OF UNIFIED EXPOSURE MANAGEMENT
- Gain visibility across a growing, dynamic, interconnected modern attack surface
- Apply context to anticipate threats and prioritize efforts to prevent attacks
- Communicate cyber risk at all levels of the organization to make better decisions