Tenable not only has Nessus and Vulnerability Management, but also a powerful cloud security product, Tenable Cloud Security (previously Ermetic), which gives you an easy way to manage your cloud environment's risk. In a couple of minutes, even if you do not have much experience with the product, you will be able to integrate it with your cloud environment and start getting a 360-degree view of risk. This video shows, from an end user's point of view, how easy the setup is and how powerful it can be. Take a look if you want to know more about this product.
Related Post:
✍https://blog.51sec.org/2025/10/tenable-cloud-security-step-by-step.html
💖Chapters:
0:00 - Introduction
2:03 - Let's start
4:19 - 1. Add Entra ID & Grant Admin Consent
8:57 - 2. Add Organization
15:28 - 3. Checking Scanning Results
20:29 - End Scene
✅#51Sec #NetSec #Cyber #Security #CyberSecurity #HomeLab
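A check worth running after chapters 1 and 2 above, before waiting hours for the first scan: confirm that the Tenable Cloud Security connector's service principal actually holds the roles the onboarding page asked for at the management group you pointed it at, walking up the hierarchy the way Azure RBAC inheritance does (this is the situation behind the "role assignments are missing on the root management group" warning shown in the video). This is an added example in Python, not code from the video or from Tenable. The object ID, scopes, management-group tree, role names and assignment records are all constructed for the example; the records follow the shape of `az role assignment list --all -o json` output, and the role names stand in for whatever your onboarding page lists.

```python
"""Verify that a connector's service principal holds the roles the onboarding
page asked for, at the management group (or subscription) you pointed it at.

Added example, not the video's or Tenable's code. Input is in the shape of
`az role assignment list --all -o json`; the records below are constructed.
"""
import json

# Constructed identifiers (not the ones from the video).
CONNECTOR_OBJECT_ID = "11111111-1111-1111-1111-111111111111"  # enterprise app's object ID
SUB_SCOPE = "/subscriptions/22222222-2222-2222-2222-222222222222"
MG_PD = "/providers/Microsoft.Management/managementGroups/PD"
MG_ROOT = "/providers/Microsoft.Management/managementGroups/33333333-3333-3333-3333-333333333333"

# Parent map of the management-group tree. In a real tenant build it from
# `az account management-group list` / `az account management-group show -e -r`;
# the tenant root group has no parent. Constructed for this example.
PARENT = {SUB_SCOPE: MG_PD, MG_PD: MG_ROOT, MG_ROOT: None}

# Assumption: these names stand in for whatever roles the onboarding page lists
# for the features you selected (the video mentions reader access plus a custom
# role; the real custom role name is whatever your deployment created).
REQUIRED_ROLES = {"Reader", "Tenable Cloud Security Custom Role"}

# Constructed records: Reader granted at the PD management group, the custom
# role only at the subscription, plus an unrelated assignment for another principal.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "principalType": "ServicePrincipal", "roleDefinitionName": "Reader",
   "scope": "/providers/Microsoft.Management/managementGroups/PD"},
  {"principalId": "11111111-1111-1111-1111-111111111111",
   "principalType": "ServicePrincipal",
   "roleDefinitionName": "Tenable Cloud Security Custom Role",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"},
  {"principalId": "44444444-4444-4444-4444-444444444444",
   "principalType": "User", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222"}
]""")


def ancestors_or_self(scope, parent):
    """Scope chain from `scope` up to the tenant root group. Azure RBAC inherits
    downward, so an assignment anywhere on this chain applies to `scope`."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent.get(scope)
    return chain


def roles_held_at(assignments, principal_id, target_scope, parent):
    """Map role name -> scope of the assignment that grants it to `principal_id`
    at `target_scope`, counting assignments on the target or any ancestor."""
    chain = ancestors_or_self(target_scope, parent)
    held = {}
    for a in assignments:
        if a.get("principalId") != principal_id or a.get("scope") not in chain:
            continue
        role = a["roleDefinitionName"]
        # Prefer the widest scope when the same role is assigned more than once.
        if role not in held or chain.index(a["scope"]) > chain.index(held[role]):
            held[role] = a["scope"]
    return held


def missing_roles(assignments, principal_id, target_scope, required, parent):
    """Required roles the principal does not hold at `target_scope`."""
    held = roles_held_at(assignments, principal_id, target_scope, parent)
    return sorted(required - set(held))


if __name__ == "__main__":
    for scope in (SUB_SCOPE, MG_PD):
        held = roles_held_at(SAMPLE_ASSIGNMENTS, CONNECTOR_OBJECT_ID, scope, PARENT)
        missing = missing_roles(SAMPLE_ASSIGNMENTS, CONNECTOR_OBJECT_ID, scope, REQUIRED_ROLES, PARENT)
        print(f"{scope}\n  held: {held}\n  missing: {missing or 'none'}")
```

With the constructed data the subscription is fully covered (Reader is inherited from the PD management group), while the PD management group itself is missing the custom role, which is the kind of gap the portal flagged. The check looks only at direct assignments to the service principal's object ID: it does not account for group membership, deny assignments, ABAC conditions, or PIM-eligible assignments, so treat a clean result as necessary rather than sufficient.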
0:06
Hello everyone. Welcome back to my NetSec YouTube channel. In today's video, I'm going to show you a little bit about the Tenable product Cloud Security. I had a chance to work on this product recently and I really like it. I do see lots of potential for this product. I have used lots of Tenable products: Nessus, Vulnerability Management, Web Application Scanning, those kinds of tools. Cloud Security seems to be a new product coming. Two years ago, in October 2023, Tenable acquired Ermetic at a price of 265 million. You are able to see those blog posts regarding this acquisition. So that's how Tenable got into the cloud security market. I believe they are still working on it, but it has already become pretty good now. So that's why I decided to make a video for it, just to show you how it looks.

1:12
This is the portal, the documentation site. Even with the documentation site, you won't be able to access it directly. So it does require you to log in first, and then you can work on it, for now. Let's jump into it. I'm going to give you an example of how it works with Azure infrastructure, which I'm going to present in this video, just to show you the basic idea of how it's working, how the integration works, and how it can be used to scan your whole Azure infrastructure.

2:08
There is not much documentation or even many videos to show this product. I'm going to use this opportunity to quickly show some basic ideas, basic steps for how you can get this product to scan your cloud infrastructure. There's a quick start guide; we won't be able to go through it. Since we are going to use Azure as an example, I'm going to show more of how we can connect to the Azure environment.

2:48
There's something you need to know about the license. There are different types of license in Tenable Cloud Security. I'm using Standard as the example. But there's a difference between Standard and, in price of course, Enterprise, which is the highest license you can get. From what I can tell, there is not much difference; mostly it will be covered by Standard. It does have some difference with the admission controller for the KSPM part. It also has a little bit of difference on scanning workloads on-site, but since we are using cloud, this won't make much difference. If you want to scan Kubernetes workloads, you can do it through the agent; we are not going to use it. We are using agentless scan for Kubernetes, so this won't make much difference here again. So there are two types of scanning, agentless and agent-based scan, for Kubernetes.

4:10
In this video I'm going to focus on agentless scan. So now let's go to Tenable Cloud Security and start the integration.
4:24
Now we are in the Tenable Cloud Security dashboard. We are new here. That means we don't have any cloud environment added in. For this lab, we're going to add an Azure environment. It's better if you have the Global Admin role, so you can finish all your lab here. Go to the settings. There are a couple of ways to add it: account, integration.

4:57
There are lots of integrations you can do. Of course, you can integrate with cloud providers. You also can integrate identity providers. If you add an Azure organization, then they will ask you for a Microsoft Entra ID tenant. So basically you need to add your tenant ID first. So click here to add it before you proceed to add your organization.

5:25
So you can add it here. If you don't want to do it that way, you can go to the integration here, Identity, then add a Microsoft Entra ID. You can come here. So I'm going to use NetSec as my Entra ID tenant name. This is public of course, depending on the domain. So if it is on your domain, or maybe I can add another Microsoft Entra tenant, since we are using a different Entra tenant that my user belongs to. So, grant.

6:10
So I'm going to pick this account. So, permissions requested: they are "view/read all", reader permissions you need to give to this Tenable Cloud Security connector. Remember this; we're going to use it later on. Again, it's better to use a Global Admin account to do this kind of integration because there are lots of permissions that need to be granted. Here it says consent is required to add the tenant.

6:48
In that case, we're going to go back to our Entra ID page here. Let's look at our enterprise applications. So you will see this Tenable Cloud Security connector. That's the one we just added in. We granted the permission, but we didn't grant admin consent yet. So that's why we are coming here: Properties, Permissions, Grant admin consent for Default Directory. Let me pick my directory, Default Directory. Okay. Grant consent. Log in again. Accept.

7:43
So we have already granted it through admin consent; the admin consent grants have all been granted. Now we can try to add it again. Tenant ID. It's working well, Tenable Cloud Security. Perfect.

8:26
Now we add the Microsoft Entra ID tenant. It's connected. So it does take a little bit of time. We did grant admin consent twice to get this Entra ID added into our subscription. If you meet this issue, which asks you to grant admin consent even though you did it, just do it again. Next step, we're going to do the organization.
9:01
So let's go to the settings again. Integrations, Azure organization. Add Azure organization. So what we're going to do is pick the Entra ID to connect to, then go to the next step, organization details. We gave it the name NetSec, which was already given automatically; it automatically updates the management group structure. Okay. So here are the permissions per feature. So we're going to enable all, no matter what; we are testing it, so why not. We're going to have monitoring, read-only. We're going to have data resource scanning, workload protection, remediation, just-in-time permissions.

9:51
What this page will do is ask you to grant different permissions based on your selection. So if you just want to do workload protection, that probably needs just very specific permissions, but since we are testing, we get everything. Here is the interesting part: there are different ways you can do it. You can use ARM, you can use PowerShell, you can use manual through the Azure portal to grant roles for your app. Let's do this one. Of course, as it is saying, Tenable already makes this very simple to do.

10:39
Tenant Root Group: you don't have authorization to perform action on the management group. Let's take a look at what management groups we have. So we have one subscription, but on it we have a couple of management groups. For those three management groups, we don't have any subscription with them.

11:20
So for now, we're going to add our subscription into this management group. So in this case we can choose this management group, PD. Let's refresh it. Okay. Perfect. So let me come back here. We can choose the product region. So, principal ID: the Tenable Cloud Security connector application service principal ID. Let's go back to Azure to get that property. Basically that's the object ID. So we're going to copy that. We're going to put it in.

12:17
Here's the permission we give, true, since we need all of them. Next. Ten resources to create. So we are submitting the deployment. Now the deployment is in progress. Okay. Go to management group. Yeah, that's the same principal ID. Create. Wait until the deployment is completed.

12:58
Okay. By the way, if you want to do it manually, you can see what you will need to do. You can come into Manual, Azure portal. You can use the portal to assign roles to the Tenable Cloud Security connector, and you will need to create a custom role as well. So maybe we can verify this in the future, but anyway, we use the ARM Azure portal to finish that. Go to next, which is much simpler. So we're going to sync all current and future subscriptions. The organization has been configured successfully. They have some warning: role assignments are missing on the root management group, which is fine. We don't have to do it because we only have one subscription. We gave it to a specific management group, PD. So we should be good here.

14:05
Then we can close. Connected. See this one. Added. If you want to change anything here, you will be able to do that. You also can verify the permissions and roles we granted. So everything looks good.

14:30
If now you go back to the dashboard, you will see this: "We are currently processing data in the account. Stay tuned." What it's going to do is authenticate and connect to your environment and then start to do asset discovery. For each asset they find, if it's in scope, they do risk analysis and threat detection, compliance checks, vulnerability scanning, all those things. They're going to find out the misconfigurations, vulnerabilities, outdated components and permissions, or any non-compliant configurations, and then give you the visualized report to show you what the findings are. So it might take a couple of hours to get it done. So we're going to come back and I will show you the results once that is done.
15:32
It has been 2 hours since I started the cloud security scanning of my Azure infrastructure. Now you can see we did get some findings. There are no critical ones; there are medium and low findings. I'm pretty sure the scanning is still ongoing. So here is the scanning method. We are using agentless scan. You are able to use agent-based analysis scanning for workload protection. For the VMs it says Tenable attempts to scan every virtual machine as soon as 24 hours have elapsed from the previous scan. But the first scan is usually faster, a couple of hours. For Kubernetes or for the data, it's probably going to take a longer time to get scanned. We can take a look at data protection: every two to seven days. So that's the data scan frequency.

16:52
We can take a quick look at, like, virtual machines. You will see here we have a couple of virtual machines, Linux test one and the Windows test one. And also we have a Kubernetes VM here. There's a cloud findings page that will show you all findings: storage account, managed disk, Entra ID, SQL server, storage account, Defender. So there are quite a few findings here, which are going to give us an idea of how your cloud infrastructure looks.

17:39
If you go to Explorer, you can see virtual machine images, container software and Kubernetes cluster software here. It's still nothing. I believe it's still scanning; eventually it will show up. Data resources: that's storage account, SQL, MySQL server is here. Identity related: quite a bit of critical permissions which we need to take a look at. Kubernetes cluster, which is an interesting one. It shows missing permissions. So it might not have been fully granted the right permissions. We need to double check, but that will be a different topic. So we are using agentless scanning. But it does support using Helm to install an agent on it and you can run the command. It's missing the Kubernetes connector. So we're going to create one, but not in this video; we're going to talk about it in the future. This is the settings page. You can tune the settings for your cloud security related topics here.

19:01
Now we got the cloud findings. We got the permissions. Nothing here. Vulnerabilities: still nothing to show up. It takes some time. Malicious files: I don't think there are any. CI/CD: we didn't configure the integration yet. Here, policies. We don't have anything, but we do have built-in policies here. You can tune that and enable based on the environment you are using. You can customize your policy. Add a custom policy here. Operations: this is automation. We don't have anything yet. Report: you can create your own report and then you can schedule it to run.

19:48
There's an interesting icon here that says focus view. So you can see your cloud security overview for your cloud security inventory, cloud findings, and also you can do, like, data security to see everything relating to your data. That's pretty much everything for this video, just showing you the basics of how Tenable Cloud Security can be easily set up to integrate with your Azure infrastructure. I hope you enjoyed it. Give me a thumbs up and subscribe to my channel if you haven't. Thank you very much and see you in my next one.
