Tenable Vulnerability Management - Tenable.IO / Nessus Tips and Tricks with Best Practices - NETSEC



Sunday, June 25, 2023

Tenable Vulnerability Management - Tenable.IO / Nessus Tips and Tricks with Best Practices

Tenable Vulnerability Management® (formerly known as Tenable.io) allows security and audit teams to share multiple Tenable Nessus, Tenable Nessus Agent, and Tenable Nessus Network Monitor scanners, scan schedules, scan policies, and scan results among an unlimited set of users or groups.

Tenable One is an Exposure Management Platform to help organizations gain visibility across the modern attack surface, focus efforts to prevent likely attacks and accurately communicate cyber risk to support optimal business performance.

The platform combines the broadest vulnerability coverage spanning IT assets, cloud resources, containers, web apps, and identity systems, builds on the speed and breadth of vulnerability coverage from Tenable Research, and adds comprehensive analytics to prioritize actions and communicate cyber risk. Tenable One allows organizations to: 
  • Gain comprehensive visibility across the modern attack surface
  • Anticipate threats and prioritize efforts to prevent attacks
  • Communicate cyber risk to make better decisions

Tenable Vulnerability Management exists as a standalone product, or can be purchased as part of the Tenable One Exposure Management platform.


Best Practice: Run Credentialed Scans

How to Create Managed Credentials in Tenable.io

Setting up Managed Credentials allows you to use a single set of credentials on multiple scans.

  1. Choose the type of credentials you want to create (Windows, SSH, etc.).
  2. Choose your authentication method, enter your credentials, and select the appropriate permissions for the group/user(s) for access.
  3. Click Create to complete the setup.
An animated GIF file on creating managed credentials.

Create a Managed Credential. (Note: this will open in a new window.)

How to Apply Managed Credentials to a Scan

Adding credentials to a scan template is easy. Let's get started with a basic scan.

  1. Under Vulnerability Management, click Create Scan.
  2. Choose the Basic Network Scan Template.
  3. Fill out the basic scan setup details (Name, Targets, etc.).
  4. In the left panel, click Credentials to open the menu to add managed credentials.
  5. Assign Managed Credentials (and/or scan-specific credentials, which are not reusable by other scans).

To get started with this configuration, create a basic scan to apply your managed credentials. (Note: the basic scan link will open in a new window.)

An animated GIF file on adding credentials to a scan.

Automatically Delete Stale Assets With Asset Age Out

  • Asset Age Out is an optional configuration used to permanently delete licensed assets on your container, on a specific network.
  • It is recommended to enable Asset Age Out on all networks you configure to better manage licenses and data retention.

Use case: An organization has a corporate policy to retain security data for no longer than six months. Asset Age Out would be enabled for all networks and set to 180 days.

Setting Up Asset Age Out

  • Click the Asset Age Out toggle to permanently delete assets in your network after a specific number of days. All asset records and associated vulnerabilities are deleted and cannot be recovered. The deleted assets no longer count towards your license.
  • In the text box below, enter the number of days that Tenable.io should wait before permanently deleting assets that have not been seen on a scan. The minimum value is 14 and the maximum value is 365.

Best practice: Unless your organization has a policy to retain data for a specific period of time, Tenable recommends setting Asset Age Out on newly added networks to 180 days or less.

Use Cloud Agents to Gain Vulnerability Insights on Remote Assets

Nessus Agents help provide visibility on assets in a mobile workforce or in environments and networks where implementing a Nessus Scanner is not possible.

Nessus Agents are highly beneficial for remote / mobile workers, providing vulnerability insights on assets that are not located in an environment controlled by the IT or IS team. If an organization employs a remote sales force, for example, the assets assigned to those team members may rarely, if ever, be in a physical location under the administration of a company’s IT or IS staff. These situations require a different solution to ensure proper asset coverage is achieved.

  • Provides coverage to mobile assets.
  • Can be built-in to the company "golden image."
  • Automatic updates to agent software.
  • Automatic updates to agent plugins.
  • Require only an Internet connection.

Since agents do not perform remote checks or compliance scans, please ensure that implementing agents is the most appropriate path for your organization.

Deploy Agents in Your Environment

To deploy Nessus Agents in your environment:

  1. Navigate to https://www.tenable.com/downloads/nessus-agents.
  2. Download the appropriate agent package / installation for your environment.
  3. Install the Nessus Agent manually or via your existing software deployment solution.

Note that your Tenable.io linking key will be required to link agents to your Tenable.io container.

Agent Deployment Guide: 
  • https://docs.tenable.com/other/nessusagent/Nessus_Agent_Large_Scale_Deployment_Guide.pdf

How to Use Exclusion Lists to Avoid Duplication

An exclusions list designates specific assets that you do not want your vulnerability management solution to scan.

Exclusion lists can be particularly useful for maintaining good scan hygiene and performance. If you run non-credentialed scans, for example, you may not collect enough data to uniquely identify a firewall or Layer 3 switch when several of its interfaces are scanned, so each interface appears as a separate asset. An exclusion list removes the duplicate IP addresses in such an assessment.


  • Prevent duplication of assets with multiple NICs.
  • Exclude resources from scans that may affect performance, operations, or availability.
  • Configure a scan to target only a specific area of your network.
  • Restrict the scanning of specific hosts based on a selected schedule.

Since exclusions can create a visibility gap, you may want to consider additional mitigations or assessment methods for assets you exclude from network scanning.

Create an Exclusions List in Tenable.io

It is easy to create an exclusion list. Follow these steps to create one.

Navigate to Settings > Exclusions to get started.

  1. Click the ⊕ Create Exclusion button. The Create an Exclusion page appears.
  2. Add targets and/or networks to exclude.
  3. Click Save to save the exclusions list for use in your scan configurations.

Documentation link: Exclusion Settings.

Note: Exclusions apply to all Nessus scanners.

Use Case: Resolving Multiple NICs

Tenable does not recommend scanning through firewalls. Scanning through firewalls can cause IP address duplication and issues merging multiple network interface controllers (NICs) into a single asset. If you must perform a non-credentialed scan on multiple NICs, you may want to identify and exclude any duplicate IPs using an exclusions list.


  1. Scan the assets with credentials to uniquely identify any cases where an asset has multiple NICs.
  2. Add any extra IPs that do not provide value to your exclusions list.
  3. Correct any reporting inaccuracies by deleting duplicate IP addresses through the UI or API.

Best Practice: Run Remediation Scans

The purpose of running a remediation scan is to provide validation on the successful resolution of critical vulnerabilities in your network.

A remediation scan is targeted to evaluate a specific plugin against a specific scan target or targets where a vulnerability was discovered in an earlier active scan.


  • Targeted to specific vulnerabilities that previous scans identified on your network.
  • Validates remediation of the vulnerabilities identified in a previous scan.
  • Integrates easily into remediation testing cycles. Remediation scans are targeted scans to aid teams who are responsible for remediating only certain sets of vulnerabilities.

How to Launch a Remediation Scan in Tenable.io

Running a remediation scan requires the following user role and access group permissions:

a. Roles: Scan Operator, Standard, Scan Manager or Administrator

b. Access Group Permissions: Can Scan

Launch a remediation scan directly on the Vulnerability Details or the Asset Details pages using the Actions button on the top right of the page. This sets the scope of the scan to the plugin and specified asset(s).

Note: Remediation scans on scan results can only be performed by using Tenable connected Nessus scanners.

Remediation Scan Tips

  • Tenable.io assigns a vulnerability state (new, active, fixed, resurfaced) to all vulnerabilities on your network. You can track and filter by vulnerability state to see the detection, resolution, and reappearance of vulnerabilities over time.

  • You can create an asset filter to view and report on assets where a vulnerability was recently mitigated.

  • In order to update the vulnerability state, the remediation scan must use the same authentication level as the scan that found the vulnerability. It is therefore important to identify whether a plugin requires scan credentials and to add them if needed: Tenable.io does not automatically add credentials when creating a remediation scan. If scan credentials are missing or incorrect, the scanner will not have sufficient access to detect whether the vulnerability is fixed, and the vulnerability state will not be updated.

  • Tenable.io has a limit of 10k scans per container. When planning the remediation scan for a single plugin, Tenable advises targeting large groups of systems instead of creating multiple versions of the scan that only target a small number of systems.

  • Tenable recommends periodically deleting old remediation scans from the remediation scan folder to avoid reaching the 10k scan limit.
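The credentials caveat in the tips above (a remediation scan that lacks the baseline scan's credentials cannot confirm a fix) can be checked mechanically on exported results. The following Python is an added example, not code from this post or from Tenable: it parses two .nessus exports (NessusClientData_v2 XML), reads the "Credentialed checks" line from the output of plugin 19506 (Nessus Scan Information), and classifies each baseline finding as fixed, still open, or unverified. The sample exports are constructed inline; the host addresses and the 1000xx plugin IDs are placeholders.

```python
import xml.etree.ElementTree as ET

INFO_PLUGIN = "19506"  # "Nessus Scan Information": its output records whether credentialed checks ran

def parse_nessus(xml_text):
    """Return ({host: credentialed?}, {(host, pluginID), ...}) from a .nessus (NessusClientData_v2) export."""
    root = ET.fromstring(xml_text)
    credentialed, findings = {}, set()
    for host in root.iter("ReportHost"):
        name = host.get("name")
        credentialed.setdefault(name, False)
        for item in host.iter("ReportItem"):
            pid = item.get("pluginID")
            if pid == INFO_PLUGIN:
                credentialed[name] = "Credentialed checks : yes" in item.findtext("plugin_output", "")
            elif int(item.get("severity", "0")) > 0:  # severity 0 is informational, not a finding
                findings.add((name, pid))
    return credentialed, findings

def compare_scans(baseline_xml, remediation_xml):
    """Classify each baseline finding after the remediation scan. A finding that vanished on a
    host that was credentialed in the baseline but not in the remediation scan (or that was not
    rescanned at all) is 'unverified', not 'fixed'."""
    b_cred, b_find = parse_nessus(baseline_xml)
    r_cred, r_find = parse_nessus(remediation_xml)
    result = {"fixed": set(), "still_open": set(), "unverified": set()}
    for host, pid in b_find:
        if (host, pid) in r_find:
            result["still_open"].add((host, pid))
        elif host not in r_cred or (b_cred[host] and not r_cred[host]):
            result["unverified"].add((host, pid))
        else:
            result["fixed"].add((host, pid))
    return result

# Constructed sample data (not real scan output): host .5 keeps working credentials,
# host .6 loses them in the remediation scan. Plugin IDs 1000xx are placeholders.
def _host(name, credentialed, plugin_ids):
    items = [f'<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="{INFO_PLUGIN}"'
             f' pluginName="Nessus Scan Information"><plugin_output>Credentialed checks : '
             f'{"yes" if credentialed else "no"}</plugin_output></ReportItem>']
    items += [f'<ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="{p}"'
              f' pluginName="Constructed finding {p}"/>' for p in plugin_ids]
    return f'<ReportHost name="{name}">{"".join(items)}</ReportHost>'

def _report(name, hosts):
    return f'<NessusClientData_v2><Report name="{name}">{"".join(hosts)}</Report></NessusClientData_v2>'

BASELINE = _report("baseline", [_host("10.0.0.5", True, ["100001", "100002"]), _host("10.0.0.6", True, ["100001"])])
REMEDIATION = _report("remediation", [_host("10.0.0.5", True, ["100002"]), _host("10.0.0.6", False, [])])

if __name__ == "__main__":
    print(compare_scans(BASELINE, REMEDIATION))
```

Findings in the "unverified" bucket are the ones to re-scan with the original managed credentials attached before trusting the fixed state.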

Maximize Visibility on Vulnerability Mitigations

Tenable.io offers a Mitigation Summary dashboard to help you track vulnerabilities as they are fixed, get a summary of open vulnerabilities, and view current and mitigated vulnerabilities.

Follow the steps below to add this dashboard:

  1. Navigate to 'Dashboards' in the main navigation panel
  2. Click to add New Dashboard via the Template Library
  3. Search for 'Mitigation Summary'
  4. Click on the tile and choose 'Add' to include on your Dashboard for viewing and customizing.

Scan Troubleshooting


Visit Scans to view scan status and access scan results. If there is an error, a 'Warnings' tab will appear in the 'Scan Details' view. Click on 'View Error Info' to view documentation with recommended troubleshooting steps to resolve errors.

Scan Aborted

If your scan was aborted, it was not necessarily stopped by another operator or administrator. The best practice is to leave some time between scans.



MSSP Portal: https://cloud.tenable.com/tio/app.html#/mssp/dashboard

Accounts - Create Evaluation Account for one month trial of Tenable.io

The evaluation account includes the following modules:
Sign in directly from this evaluation account:

Here is how the evaluation account dashboard looks after logging in:

How to backup / restore Configuration and Scan Results

Export / Import .nessus or .db file

You can import an exported Tenable Nessus (.nessus) or Tenable Nessus DB (.db) scan. With an imported scan, you can view scan results, export new reports for the scan, rename the scan, and update the description. You cannot launch imported scans or update policy settings.

You can also import .nessus files as policies. For more information, see Import a Policy.

The Nessus backup includes the following backup folders:

Using the Nessus CLI, you can back up your Tenable Nessus installation and restore it later on any system, even one running a different operating system. When you back up Tenable Nessus, your license information and settings are preserved. Tenable Nessus does not back up scan results.
