RSA ARCHER GRC Platform Implementation Guide
Tenable SecurityCenter Data Feeds for RSA Archer IT Security Vulnerability Program
Wesley Loeffler, RSA Engineering
Last Modified: August, 2018
Solution Summary

As the creator of Nessus, Tenable extended its expertise in vulnerabilities to deliver Tenable.io, the world's first platform to see and secure any digital asset on any computing platform. Tenable SecurityCenter consolidates and evaluates vulnerability data across your organization, prioritizing security risks and providing a clear view of your security posture.

The integration of Tenable SecurityCenter with the RSA Archer IT & Security Vulnerabilities Program use case enables customers to leverage the discovered devices and catalog those network devices with the vulnerability library. With RSA Archer, customers can then identify which assets require remediation based on the business priority of that asset.

Integration Features

The Tenable SecurityCenter integration with RSA Archer enables organizations to:
- Catalog network devices on a corporate network
- Discover network device vulnerabilities using scanning technology
- Supplement the Vulnerability Library with Tenable's knowledge base

Partner Integration Overview

RSA Archer Solution: IT Security Risk Management
RSA Archer Use Case: IT Security Vulnerabilities Program
RSA Archer Applications: Devices, Vulnerability Library, Vulnerability Scan Results
Uses Custom Application: No
Requires On-Demand License: No

The following diagram provides an overview of the use cases and application relationships.
Installation and Configuration

Before You Begin

This section provides instructions for configuring the Tenable SecurityCenter Data Feeds for the RSA Archer IT Security Vulnerability Program use case. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

The RSA Archer IT Security Vulnerability Program use case must be installed and working prior to performing the integration. Perform the necessary tests to confirm that this is true prior to proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact RSA Professional Services for assistance.

Prerequisites (System Requirements)

The Devices, Vulnerability Library, and Vulnerability Scan Results applications are required for installation and operation of the Tenable SecurityCenter Data Feeds for the IT Security Vulnerability Program use case. These applications serve as the targets for the data feeds.

Components                    Recommended Software
RSA Archer                    RSA Archer 6.4 SP1 or later
Pre-Requisite Applications    Devices, Vulnerability Library, Vulnerability Scan Results - (RSA Archer IT Security Vulnerability Program)
Data Feed Configuration

The following data feeds are used as part of the Tenable SecurityCenter integration process:
- SecurityCenter Plugins is a JavaScript transporter data feed that fetches data from https://tenablesc.eastus.cloudapp.azure.com and creates/updates the records in the Vulnerability Library application.
- SecurityCenter Vulns is a JavaScript transporter data feed that fetches data from https://tenablesc.eastus.cloudapp.azure.com and creates/updates the records in the Vulnerability Scan Results application.
- SecurityCenter Vulns (Hosts) is a JavaScript transporter data feed that fetches data from https://tenablesc.eastus.cloudapp.azure.com and creates/updates the records in the Devices application.

There are multiple data feeds available for the ITSVP use case. Depending on which data feeds you intend to use, they will need to be configured in the order listed below. Import and run the data feeds in the following order:

1. Set Up the NVD Data Feed
2. Set up the Qualys KnowledgeBase Data Feed
3. Set Up the Qualys Hosts Data Feed
4. Set Up the Qualys Hosts Extracted from Detections Data Feed
5. Set Up the Qualys Detections Data Feed
6. Set Up the Security Center Plugins Data Feed
7. Set Up the Security Center Vulnerabilities Data Feed
8. Set Up the Security Center Vulnerabilities (Hosts) Data Feed
9. Set Up the Data Feed for Vulnerability Historical Data

After setting up the data feeds, you can schedule them to run when you want to. By default, the SecurityCenter Plugins data feed is scheduled to run on the 1st Sunday of every month and the remainder of the SecurityCenter feeds are reference feeds that will subsequently initiate after the completion of the preceding feed. For more information, see the Scheduling Data Feeds section.

Configure the JavaScript Transporter Settings

Before you upload a JavaScript file, you must configure JavaScript Transporter settings in the RSA Archer Control Panel.

1. On the General tab, go to the JavaScript Transporter section.
   a. Open the RSA Archer Control Panel.
   b. Go to Instance Management and select All Instances.
   c. Select the instance.
   d. On the General tab, go to the JavaScript Transporter section.
2. In the Max Memory Limit field, set the value to 2048 MB (2 GB).
3. In the Script Timeout field, set the value to 120 minutes (2 hours).
4. (Optional) If you want to allow only digitally signed JavaScript files in the data feed, enable Require Signature.
   a. In the JavaScript Transporter Settings section, enable Require Signature.
   b. A new cell appears in the Signing Certificate Thumbprints section.
   c. Double-click an empty cell in the Signing Certificate Thumbprints section.
   d. Enter the digital thumbprint of the trusted certificate used to sign the JavaScript file.
   e. Note: For information on how to obtain digital thumbprints, see Obtaining Digital Thumbprints.
   f. Important: If you enable Require Signature and specify no thumbprints, no JavaScript files will be accepted by the system.
   g. (Optional) If you want to add additional thumbprint sources, repeat steps b-c for each thumbprint.
5. On the toolbar, click Save.

Obtaining Digital Thumbprints

When running JavaScript data feeds, you can set the system to only allow digitally signed JavaScript files from trusted sources for security considerations. For a certificate to be trusted, all the certificates in the chain including the Root CA Certificate and Intermediate CA certificates must be trusted on both the Web Server and Services Server machines.

Obtaining a Certificate Thumbprint

1. On the RSA Archer Control Panel environment, open the Manage Computer Certificates program.
   a. Click Start.
   b. Type: certificate
   c. From the search results, click Manage computer certificates.
2. Ensure that your trusted source certificates are located in the Certificates sub-folder of the Trusted Root Certification Authorities folder.
3. Within the Certificates sub-folder, double-click the certificate whose thumbprint you want to obtain.
4. Verify that the certificate is trusted.
   a. In the Certificate window, click the Certification Path tab.
   b. Ensure that the Certificate Status window displays the following message:
   c. This certificate is OK.
   Note: If the Certificate Status window displays something different, follow the onscreen instructions.
5. Obtain the trusted certificate thumbprint.
   a. In the Certificate window, click the Details tab.
   b. Scroll to, and select, the Thumbprint field.
   c. The certificate's digital thumbprint appears in the window.

Set Up the Security Center Plugins Data Feed

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the RSA Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Updates to the API files used in the JavaScript Transporter (SecurityCenterAPI.js) can only be achieved in a hosted environment with a Professional Services engagement. For more information, contact your account representative.

1. Go to the Manage Data Feeds page.
   a. From the menu bar, click.
   b. Under Integration, click Data Feeds.
2. In the Manage Data Feeds section, click Import.
3. Locate and select the Security_Center_Plugins.dfx5 file for the data feed.
4. Click Open.
5. In the General Information section, in the Status field, select Active.
6. In the Additional Properties section, enable Optimize Calculations.
7. Click the Transport tab.
8. In the Transport Configuration section, complete the following:
   a. Click Upload.
   b. From the Upload JavaScript File dialog, click Add New.
   c. Locate and select the SecurityCenterAPI.js file, and click Open.
   d. From the Upload JavaScript File dialog, click OK.
9. In the Custom Parameters section, enter key values. The following table describes the value to enter for each key in Custom Parameters.
Key                  Value
Username
Password
datasource           plugins
URL                  For example, https://tenablesc.eastus.cloudapp.azure.com
ignorelastruntime    false
verifycerts          false

Note: The listed values are in place by default. They can be configured to suit your environment.

Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

10. (Optional) Add startoffset and endoffset as new keys.
    Note: The startoffset parameter specifies the first record in the range you want to retrieve and the endoffset parameter specifies the last record in the range you want to retrieve. Use these parameters to parse data into consumable sizes. For more information, see the Tenable Security Center API Best Practices Guide.
    a. Click Add New.
    b. Enter startoffset as the key.
    c. Define a valid value for the startoffset key.
    d. Click Add New.
    e. Enter endoffset as the key.
    f. Define a valid value for the endoffset key.
11. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.
12. Click the Source Definition tab.
    a. Click the Tokens sub-tab.
    b. Verify token values.
    c. The following table describes token values to verify.
Token                 Value
BatchContentSave      1000
LastRunTime
LastFileProcessed
PreviousRunContext

Note: For more information about tokens, see "Data Feed Tokens" in the RSA Archer Online Documentation.

13. Verify that key field values are not missing from the data feed setup window.
14. Click Save.

Set Up the Security Center Vulnerabilities Data Feed

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the RSA Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Updates to the API files used in the JavaScript Transporter (SecurityCenterAPI.js) can only be achieved in a hosted environment with a Professional Services engagement. For more information, contact your account representative.

1. Go to the Manage Data Feeds page.
   a. From the menu bar, click.
   b. Under Integration, click Data Feeds.
2. In the Manage Data Feeds section, click Import.
3. Locate and select the Security_Center_Vulns.dfx5 file for the data feed.
4. Click Open.
5. In the General Information section, in the Status field, select Active.
6. In the Additional Properties section, enable Optimize Calculations.
7. Click the Transport tab.
8. In the Transport Configuration section, complete the following:
   a. Click Upload.
   b. From the Upload JavaScript File dialog, click Add New.
   c. Locate and select the SecurityCenterAPI.js file, and click Open.
   d. From the Upload JavaScript File dialog, click OK.
9. In the Custom Parameters section, enter key values. The following table describes the value to enter for each key in Custom Parameters.

Key                   Value
Username
Password
datasource            vulns
URL                   For example, https://tenablesc.eastus.cloudapp.azure.com
ignorelastruntime     false
vulnseverities        4,3,2,1
vulndatefiltertype    firstseen
vulnloadactive        true
vulnloadpatched       true
verifycerts           false

Note: The listed values are in place by default. They can be configured to suit your environment.

Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

10. (Optional) Add startoffset and endoffset as new keys.
    Note: The startoffset parameter specifies the first record in the range you want to retrieve, and the endoffset parameter specifies the last record in the range you want to retrieve. Use these parameters to parse data into consumable sizes. For more information, see the Tenable Security Center API Best Practices Guide.
    a. Click Add New.
    b. Enter startoffset as the key.
    c. Define a valid value for the startoffset key.
    d. Click Add New.
    e. Enter endoffset as the key.
    f. Define a valid value for the endoffset key.
11. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.
12. Click the Source Definition tab.
    a. Click the Tokens sub-tab.
    b. Verify token values. The following table describes token values to verify.

Token                    Value
BatchContentSave         1000
LastRunTime
LastFileProcessed
PreviousRunContext
CrossReferencesMode      LinkOnly
RelatedReferencesMode    LinkOnly

Note: For performance reasons, the CrossReferencesMode and RelatedReferencesMode tokens are link only to all other applications.

Note: For more information about tokens, see "Data Feed Tokens" in the RSA Archer Online Documentation.

13. Verify that key field values are not missing from the data feed setup window.
14. Click Save.
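
A pre-flight check for the Custom Parameters entered in the steps above, as an added example that is not part of the RSA guide or of SecurityCenterAPI.js. The function name, the isProtected field, the finding codes, the 0-4 severity range, the reading of verifycerts and the sample account values are assumptions; the key names come from the tables in this guide.

```javascript
// Added example: lint a feed's Custom Parameters before saving the data feed.
// KNOWN_KEYS comes from the tables in this guide; the function name, finding
// codes and the 0-4 severity range are assumptions.
const KNOWN_KEYS = ['Username', 'Password', 'datasource', 'URL', 'ignorelastruntime',
  'vulnseverities', 'vulndatefiltertype', 'vulnloadactive', 'vulnloadpatched',
  'verifycerts', 'startoffset', 'endoffset'];
const SECRET_KEYS = ['Username', 'Password'];

function lintCustomParameters(params) {
  const findings = [];
  const add = (key, code, msg) => findings.push({ key, code, msg });
  const byKey = new Map();
  for (const { key, value = '', isProtected = false } of params) {
    // The guide: keys and values are case-sensitive, with no extra spaces.
    if (key !== key.trim() || value !== value.trim()) {
      add(key, 'WHITESPACE', 'leading or trailing space in key or value');
    }
    const name = key.trim();
    const canonical = KNOWN_KEYS.find(k => k.toLowerCase() === name.toLowerCase());
    if (!canonical) add(key, 'UNKNOWN_KEY', 'key is not listed in the guide');
    else if (canonical !== name) add(key, 'KEY_CASE', `expected "${canonical}"`);
    if (SECRET_KEYS.includes(canonical) && !isProtected) {
      add(key, 'NOT_PROTECTED', 'select Protected so the value is encrypted in the log');
    }
    byKey.set(canonical || name, value.trim());
  }
  // Assumption from the key name: "false" disables TLS certificate validation,
  // so the feed cannot tell the real SecurityCenter from an impostor.
  if (byKey.get('verifycerts') === 'false') {
    add('verifycerts', 'TLS_UNVERIFIED', 'set to true once the server certificate is trusted');
  }
  const sev = byKey.get('vulnseverities');
  if (sev !== undefined && !sev.split(',').every(s => /^[0-4]$/.test(s))) {
    add('vulnseverities', 'BAD_SEVERITY', 'expected comma-separated values 0-4');
  }
  const isInt = v => /^\d+$/.test(v || '');
  const start = byKey.get('startoffset'), end = byKey.get('endoffset');
  if (start !== undefined && !isInt(start)) add('startoffset', 'BAD_OFFSET', 'not an integer');
  if (end !== undefined && !isInt(end)) add('endoffset', 'BAD_OFFSET', 'not an integer');
  if (isInt(start) && isInt(end) && Number(end) < Number(start)) {
    add('endoffset', 'OFFSET_ORDER', 'endoffset is before startoffset');
  }
  return findings;
}

// Constructed sample: Vulns feed defaults from this guide plus typical slips.
const SAMPLE = [
  { key: 'Username', value: 'svc-archer', isProtected: false },
  { key: 'Password', value: 'placeholder', isProtected: true },
  { key: 'datasource', value: 'vulns' },
  { key: 'URL', value: 'https://tenablesc.eastus.cloudapp.azure.com ' },
  { key: 'vulnseverities', value: '4,3,2,1' },
  { key: 'VerifyCerts', value: 'false' },
  { key: 'startoffset', value: '5000' },
  { key: 'endoffset', value: '1000' },
];
for (const f of lintCustomParameters(SAMPLE)) console.log(`${f.code}\t${f.key}\t${f.msg}`);
```

The same check applies to the Plugins and Hosts feeds, which use a subset of these keys.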
Set Up the Security Center Vulnerabilities (Hosts) Data Feed

Important: Before you upload a JavaScript file, configure JavaScript Transporter settings in the RSA Archer Control Panel. For more information, see Configure the JavaScript Transporter Settings.

Important: Updates to the API files used in the JavaScript Transporter (SecurityCenterAPI.js) can only be achieved in a hosted environment with a Professional Services engagement. For more information, contact your account representative.

1. Go to the Manage Data Feeds page.
   a. From the menu bar, click.
   b. Under Integration, click Data Feeds.
2. In the Manage Data Feeds section, click Import.
3. Locate and select the Security_Center_Vulns_(Hosts).dfx5 file for the data feed.
4. Click Open.
5. In the General Information section, in the Status field, select Active.
6. In the Additional Properties section, enable Optimize Calculations.
7. Click the Transport tab.
8. In the Transport Configuration section, complete the following:
   a. Click Upload.
   b. From the Upload JavaScript File dialog, click Add New.
   c. Locate and select the SecurityCenterAPI.js file, and click Open.
   d. From the Upload JavaScript File dialog, click OK.
9. In the Custom Parameters section, enter key values. The following table describes the value to enter for each key in Custom Parameters.

Key                   Value
Username
Password
datasource            hosts
URL                   For example, https://tenablesc.eastus.cloudapp.azure.com
ignorelastruntime     false
vulnseverities        4,3,2,1
vulndatefiltertype    firstseen
vulnloadactive        true
vulnloadpatched       true
verifycerts           false

Note: The listed values are in place by default. They can be configured to suit your environment.

Important: The keys and values are case-sensitive, and cannot include extra spaces at the end of the strings.

10. (Optional) Add startoffset as a new key.
    Note: The startoffset parameter specifies the first record in the range you want to retrieve, and the endoffset parameter specifies the last record in the range you want to retrieve. Use these parameters to parse data into consumable sizes. For more information, see the Tenable Security Center API Best Practices Guide.
    a. Click Add New.
    b. Enter startoffset as the key.
    c. Define a valid value for the startoffset key.
    d. Click Add New.
    e. Enter endoffset as the key.
    f. Define a valid value for the endoffset key.
11. For each key type, determine whether you want it to be Protected or Plain Text. Selecting Protected encrypts the key value for the specified key in the log.
12. Click the Source Definition tab.
    a. Click the Tokens sub-tab.
    b. Verify token values. The following table describes token values to verify.

Token                 Value
BatchContentSave      1000
LastRunTime
LastFileProcessed
PreviousRunContext

Note: For more information about tokens, see Data Feed Tokens in the RSA Archer Online Documentation.

13. Verify that key field values are not missing from the data feed setup window.
14. Click Save.

Scheduling Data Feeds

Important: A data feed must be active and valid to successfully run.

As you schedule your data feed, the Data Feed Manager validates the information. If any information is invalid, an error message displays. You can save the data feed and correct the errors later; but the data feed does not process until you make corrections.

Note: All IT Security Vulnerabilities Program data feeds are set to run daily by default.

1. Go to the Schedule tab of the data feed that you want to modify.
   a. From the menu bar, click.
   b. Under Integration, click Data Feeds.
   c. Select the data feed.
   d. Click the Schedule tab.
2. Go to the Recurrences section and complete frequency, start and stop times, and time zone. The following table describes the fields in the Recurrences section.
Field: Description

Frequency: Specifies the interval in which the data feed runs, for example, Minutely, Hourly, Daily, Weekly, Monthly, or Reference.
   - Minutely. Runs the data feed by the interval set. For example, if you specify 45 in the Every list, the data feed executes every 45 minutes.
   - Hourly. Runs the data feed by the interval set, for example, every hour (1), every other hour (2) and so forth.
   - Daily. Runs the data feed by the interval set, for example, every day (1), every other day (2) and so forth.
   - Weekly. Runs the data feed based on a specified day of the week, for example, every Monday of the first week (1), every other Monday (2), and so forth.
   - Monthly. Runs the data feed based on a specified week of the month, for example, 1st, 2nd, 3rd, 4th, or Last.
   - Recurrence. Runs a specified data feed as runs before the current one. This option indicates to the Data Feed Service that this data feed starts as soon as the referenced data feed completes successfully. For example, you can select to have a Threats data feed run immediately after your Assets data feed finishes. From the Reference Feed list, select after which existing data feed the current data feed starts. A reference data feed will not run when immediately running a data feed. The Run Data Feed Now option only runs the current data feed.

Every: Specifies the interval of the frequency in which the data feed runs.

Start Time: Specifies the time the data feed starts running.

Start Date: Specifies the date on which the data feed schedule begins.

Time Zone: Specifies the time zone of the server that runs the data feed.

3. (Optional) To override the data feed schedule and immediately run your data feed, in the Run Data Feed Now section, click Start.
4. Click Save.
Certification Environment for RSA Archer GRC

Date Tested: August, 2018

Certification Environment

Product Name               Version Information    Operating System
RSA Archer GRC             6.4 SP1                Virtual Appliance
Tenable Security Center    NA                     NA