With the release of the new Tenable.io connector, Cisco Vulnerability Management now has the ability to pull assets directly from the Tenable central database. This removes the previous requirement to select scan IDs for Cisco Vulnerability Management to download and ingest.
While this simplified and more performant approach provides many benefits, it does present a challenge for users who need to prevent certain assets from being imported into Cisco Vulnerability Management. In the past, scan selection could be used to ensure that only certain assets were ingested. Because the new Tenable.io connector ingests every asset the connector account can see, any data restriction must now be applied to that user account within the Tenable.io console.
By default, every Tenable.io user belongs to the All Assets access group and can therefore see every asset in the tenant. The Tenable user account used by the connector must be explicitly removed from the All Assets access group; as long as it remains a member, the connector will ingest everything.
Next you’ll want to create an Access Group for the connector user which only includes the assets which are in scope for ingestion into Cisco Vulnerability Management. We recommend using tags for this purpose. In the screenshot below you’ll see we’re limiting the "kennaconnector" user to only have access to assets with the tag “windowsServer2008”. You can apply whichever logic is appropriate to your business use case.
With a restrictive access group in place for the connector user, all that’s left is to wait about 10 minutes for the permissions change to replicate across the Tenable platform. From then on, each Tenable.io connector run in Cisco Vulnerability Management brings in only the assets that the restricted access group grants to that user.
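Because access groups are evaluated per user, the most direct way to confirm the configuration before launching a connector run is to query the Tenable.io asset list with the connector user's own API keys and check that every visible asset carries the inclusion tag. The script below is an added example written for this article; it is not Cisco or Tenable code. It uses the Tenable.io GET /assets endpoint with X-ApiKeys authentication, assumes the inclusion tag is stored as key "OS" with value "windowsServer2008" (the article only shows the value), and assumes tag objects carry either key/value or tag_key/tag_value fields. The before/after responses embedded in it are constructed sample data, so it runs offline; set TIO_ACCESS_KEY and TIO_SECRET_KEY to run it against a real tenant.

```python
import json
import os
import urllib.request

# Assumption: the standard Tenable.io (Tenable Vulnerability Management) API base URL.
TENABLE_URL = "https://cloud.tenable.com"

# Assumption: the inclusion tag is stored as key "OS" with value "windowsServer2008";
# adjust to whatever tag your access group actually filters on.
TAG_KEY = "OS"
TAG_VALUE = "windowsServer2008"


def fetch_assets(access_key, secret_key, base_url=TENABLE_URL):
    """List every asset the key owner can see via GET /assets.

    Tenable.io evaluates access groups per user, so calling this with the
    connector user's own API keys shows exactly what the connector will ingest.
    """
    req = urllib.request.Request(
        f"{base_url}/assets",
        headers={
            "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["assets"]


def asset_tags(asset):
    """Return the asset's tags as a set of (key, value) pairs.

    Assumption: each tag object carries either key/value or tag_key/tag_value
    fields, depending on which Tenable endpoint produced it.
    """
    pairs = set()
    for tag in asset.get("tags", []):
        key = tag.get("key", tag.get("tag_key"))
        value = tag.get("value", tag.get("tag_value"))
        if key is not None:
            pairs.add((key, value))
    return pairs


def scope_report(assets, tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Split the visible assets into in-scope (tagged) and out-of-scope.

    Any asset listed under out_of_scope is one the connector user can still
    see, so it would be ingested into Cisco Vulnerability Management on the
    next connector run. The list should be empty once the user has been
    removed from All Assets and the restrictive access group has replicated.
    """
    leaked = [a for a in assets if (tag_key, tag_value) not in asset_tags(a)]
    return {
        "visible": len(assets),
        "in_scope": len(assets) - len(leaked),
        "out_of_scope": sorted(a["id"] for a in leaked),
    }


# Constructed sample responses (not real Tenable data): what the connector user
# sees before and after the access-group change. Asset UUIDs are made up.
BEFORE_CHANGE = [  # user still in "All Assets"
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001", "fqdn": ["dc01.corp.example"],
     "tags": [{"key": "OS", "value": "windowsServer2008"}]},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000002", "fqdn": ["web01.corp.example"],
     "tags": [{"key": "OS", "value": "ubuntu2004"}]},
    {"id": "11111111-aaaa-4bbb-8ccc-000000000003", "fqdn": ["printer.corp.example"],
     "tags": []},
]
AFTER_CHANGE = [BEFORE_CHANGE[0]]  # only the tagged asset remains visible


if __name__ == "__main__":
    access_key = os.environ.get("TIO_ACCESS_KEY")
    secret_key = os.environ.get("TIO_SECRET_KEY")
    if access_key and secret_key:
        # Live check against your tenant using the connector user's keys.
        print(scope_report(fetch_assets(access_key, secret_key)))
    else:
        print("before:", scope_report(BEFORE_CHANGE))
        print("after: ", scope_report(AFTER_CHANGE))
```

Run it with the connector user's keys (not an administrator's) both before and roughly 10 minutes after the access-group change; a non-empty out_of_scope list after the wait means replication has not finished or the user is still a member of All Assets.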
The workflow described above is based around Tenable’s legacy permission model. This model is being deprecated in favor of the Access Control model, however both models will exist alongside each other for an indefinite period of time. This same workflow can be accomplished in the new model by creating a new permission, adding the Cisco Vulnerability Management user account to the permission, then selecting the inclusion tag in the Objects drop down. For more information, refer to this Tenable document.
Note that it may take some time for previous assets outside of the Access Group to fall off of your Cisco Vulnerability Management reports. This period of time is determined by your existing asset inactivity limit which is configured in the Asset Settings page in Cisco Vulnerability Management.