Forum Discussion
CyberArk Database Dynamic Scanning
Summary
We are proud to announce a major feature request for our modern CyberArk integration that eliminates A) the requirement for the user to manually add specific targets to the target settings and B) the need to create multiple credentials in a single scan. However, this feature does allow end users to create up to five credentials in a single scan. This feature takes advantage of CyberArk’s PVWA REST API to gather bulk account data, adds targets to the scan automatically based on user-driven query parameters, and requests passwords from the CCP/AIM Web Service. Not only does this eliminate the requirement for the user to manually add specific targets to the settings and the need to create multiple credentials, but it also reduces calls to gather passwords.
How it Works
When users create a scan, they only need to add one arbitrary target to the settings and set up a single credential (reference the two new credential types in the changes below). The credential simply allows communication and authentication between the scanner/sensor and the two CyberArk APIs (PVWA REST API and CCP/AIM Web Service REST API). First, we reach out to the PVWA REST API to gather bulk account details for accounts that meet criteria entered by the user within a ‘platform’ query field. We store this account data and automatically add targets/hosts to the scan. On a host-by-host basis, we request a password based on specific account details. If there are 100 targets added to the scan automatically, we make 100 password requests. As mentioned in the summary, this eliminates the need to make unnecessary requests to ‘try’ multiple credentials against a single target.
Changes and Important Notes
- There is a new Database Credential for all Database Types called CyberArk Database Auto-Discovery
- Users only need to enter a single arbitrary target to the scan
- Users only need to set up the single credential mentioned above, but can configure up to 5 if they choose to.
- The current CyberArk credential will remain unchanged and is still available for use
- Users will have to configure specific UI/backend properties (fields) within their CyberArk instance for some of the database types. Some database types require more details for authentication, like service (database name), service type, and authentication type. Specific guidance can be found in our CyberArk Integration Doc
For more information please refer to our documentation pages.
Nessus: https://docs.tenable.com/integrations/CyberArk/Nessus/Content/DynamicScannngIntro.htm
Impact to Existing Scan Policies
There are no impacts to existing CyberArk credential configurations.
Release Date
- TVM/Nessus: Tuesday September 5th 2023
2 Replies
- jones_bryan (Connect Contributor)
I see that the release date lists TVM/Nessus. What about Security Center?
- Anonymous
Hello Bryan, the work to add this feature to Security Center is in the process of being scheduled. No date yet, but it will be added.