Nessus Integration with CTSP
Nessus Scanners are among the most used vulnerability scanners to identify and report the vulnerabilities on the assets. We have built Xshield to fetch CVE-based vulnerability exposure data from Nessus Scanners using Nessus APIs. This integration helps you see the known vulnerabilities on your assets that are managed from Xshield.
How Nessus integration works
- Integrate a commercial version of the Nessus Vulnerability Scanner with Xshield.
- Add the Nessus scanner’s FQDN or IP address and the administrative login credentials to Xshield.
- Xshield maps the probe results that the agents on the assets collected (when the agents were installed or when probes were run on demand) with the open ports and the vulnerabilities listed in the Nessus scan results.
- Xshield fetches the Nessus scan results of the hosts it manages (matched by the hostnames of the assets) from the setup where Nessus is hosted.
Nessus scan results are fetched automatically once every 24 hours, at 12:00 EST. Scan results can also be fetched on demand for a single resource, within a few seconds.
You must wait until 12 AM EST to see the first set of data after integrating Nessus Scanner.
CVE-IDs and CVSS 3.0 base scores of the vulnerabilities are displayed on a per asset basis on the fly panel of the asset. By design, Xshield only lists vulnerabilities above a CVSS base score of 7.0.
On Flow Explorer, traffic flows can be filtered by flows associated with vulnerable ports. See Monitor and investigate vulnerable flows for more details.
The open ports on the vulnerable assets can be closed from Xshield by enforcing policies on the asset or by deleting the Xshield policies’ allow-rules that use the open ports.
The vulnerable ports are not removed from the fly panel when they are blocked or remediated. They still appear on the fly panel so that you can track the progress of your efforts to mitigate or fix the vulnerabilities.
See Shield vulnerable ports on assets for more details.
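The mapping described above, as an added illustration that is not Xshield's or Nessus's own code: findings from a scan are joined to managed assets by hostname, only findings above the 7.0 CVSS base score are kept, and only on ports the agent probe saw open (or that a policy has since blocked, so they stay listed). The record shapes, the case-insensitive hostname match and the strict "greater than 7.0" reading are assumptions; the sample findings are constructed placeholders.

```python
from dataclasses import dataclass, field

CVSS_THRESHOLD = 7.0  # Xshield lists only vulnerabilities above this CVSS base score
@dataclass(frozen=True)
class NessusFinding:  # constructed record shape, not the Nessus API schema
    hostname: str
    port: int
    cve_id: str
    cvss_base: float
@dataclass
class AssetExposure:
    hostname: str
    open_ports: set[int]                                   # ports the agent probe found open
    blocked_ports: set[int] = field(default_factory=set)   # ports since closed by an Xshield policy
    vulnerable_ports: dict[int, list[NessusFinding]] = field(default_factory=dict)

def map_findings(assets, findings):
    """Join findings to managed assets by hostname, keeping only those above the threshold on known ports."""
    by_host = {a.hostname.lower(): a for a in assets}      # case-insensitive hostname match (assumption)
    for f in findings:
        asset = by_host.get(f.hostname.lower())
        if asset is None:
            continue                                       # host scanned by Nessus but not managed by Xshield
        if f.cvss_base <= CVSS_THRESHOLD:                  # "above 7.0" read as strictly greater (assumption)
            continue
        if f.port not in asset.open_ports | asset.blocked_ports:
            continue                                       # no matching port in the probe results
        asset.vulnerable_ports.setdefault(f.port, []).append(f)
    return by_host

def fly_panel_rows(asset):
    """One row per vulnerable port: (port, state, CVE count, highest CVSS). Blocked ports stay listed."""
    rows = []
    for port, cves in sorted(asset.vulnerable_ports.items()):
        state = "blocked" if port in asset.blocked_ports else "open"
        rows.append((port, state, len(cves), max(c.cvss_base for c in cves)))
    return rows

def sample_report():
    # Constructed sample data: hostnames and CVE ids are placeholders, not real findings.
    findings = [
        NessusFinding("web01.example.test", 443, "CVE-0000-0001", 9.8),
        NessusFinding("web01.example.test", 443, "CVE-0000-0002", 5.3),     # below threshold, dropped
        NessusFinding("web01.example.test", 8080, "CVE-0000-0003", 7.5),    # port not open per probe, dropped
        NessusFinding("db01.example.test", 3306, "CVE-0000-0004", 8.1),     # port already blocked, still listed
        NessusFinding("unmanaged.example.test", 22, "CVE-0000-0005", 9.0),  # host not managed, dropped
    ]
    assets = [AssetExposure("WEB01.example.test", open_ports={22, 443}),
              AssetExposure("db01.example.test", open_ports={22}, blocked_ports={3306})]
    return {host: fly_panel_rows(a) for host, a in map_findings(assets, findings).items()}
```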
Usage guidelines
- The Nessus setup must always be reachable from Xshield. Xshield checks reachability of the Nessus setup only during the integration; if the setup later becomes unreachable, you may not see the latest vulnerability data for your assets.
- Allow the Nessus Scanner to scan all the assets that you are managing from Xshield. This ensures the best possible protection for your network and assets from Xshield.
- To see vulnerability data from the Nessus setup, you must have run the Nessus Scanner for your assets at least once after integrating it with Xshield.
- Xshield only fetches data from the Nessus Scanner's vulnerabilities report; it does not probe or scan the assets for vulnerabilities itself.
Activate and configure Nessus Scanner
By design, ColorTokens Scanner is enabled for your Xshield tenant.
You must activate Nessus Scanner to use it. Xshield deactivates ColorTokens Scanner when you activate the Nessus scanner.
Interpret vulnerabilities data for an asset
Vulnerability data is displayed on the fly panels of the assets.
Click a port in the fly panel to see the complete list of CVEs on the port in the Vulnerability details pop-up.
You will see the CVE IDs, CVSS scores, and the names and descriptions of the vulnerabilities on the port.
Disconnect and re-connect Nessus Scanner
Disconnect the Nessus Scanner when you want to temporarily stop fetching vulnerability data from the Nessus setup.
- Go to Settings > Tools > Risk assessment tools.
- Click Configure in the Nessus tile.
- Click Disconnect in the fly panel.
- To re-connect Xshield with the Nessus setup, click Connect in the fly panel.
Fetch the latest vulnerability status from Nessus Scanner
To see the most current exposure status of your assets, we recommend that you run the Nessus Scanner for your assets once every day before Xshield fetches CVSS data or immediately after you make critical changes on the assets.