Frequently Asked Questions

ASD Essential 8 Implementation & Features

How does Nucleus support the ASD Essential 8 scanning requirements?

Nucleus enables organizations to meet the ASD Essential 8's aggressive scanning requirements by supporting daily scans for external systems and biweekly scans for internal systems. The platform's asset management module displays scan health status (red, yellow, green) to help track scan frequency and identify gaps. Scan fail notifications alert users when imports fail, ensuring scans occur regularly. Note: Nucleus relies on integration with your existing scanners; scan quality depends on the underlying tools. Learn more about ASD Essential 8 with Nucleus.

Can Nucleus automate asset removal based on metadata or scan history?

Yes, Nucleus can automatically remove assets after decommissioning by using asset processing rules triggered by metadata flags or scan history. If your inventory system marks assets as live or inactive, Nucleus can act on that metadata. Alternatively, assets can be removed based on absence from scans over a defined period. You can choose to fully remove or archive assets, preserving their history for future reactivation. Note: Asset removal depends on accurate metadata and scan data from integrated tools.

How does Nucleus help set and track patching due dates for applications and operating systems?

Nucleus allows users to define processing and ticketing rules based on software inventory, asset attributes, and vulnerability exploitability. Due dates can be set according to ASD Essential 8 maturity levels (e.g., 30 days for Level 1, 14 days for Level 2, 2 days for exploitable vulnerabilities at Level 3). The platform supports exporting software inventories for rule creation and integrates with ticketing systems like JIRA and ServiceNow. SLA Metrics dashboards visualize due dates and remediation status. Note: Rule complexity may increase with diverse teams and software categories.

How does Nucleus handle removal of end-of-life software and operating systems?

Nucleus enables users to identify and manage end-of-life software by searching vulnerabilities for phrases like "end of life" or "EOL." Recommendations from scanner vendors can be edited within Nucleus to specify company-approved replacements. These edits persist across scans, making remediation instructions actionable for teams. Note: Accurate identification depends on scanner findings and user-defined search criteria.

Platform Features & Capabilities

What are the key features of the Nucleus Security platform?

Nucleus offers vulnerability aggregation, risk-based prioritization, automation of remediation workflows, compliance framework support, POA&M automation, asset management, threat intelligence enrichment, and cloud/application security integration. The platform integrates with over 200 tools and provides customizable dashboards and reporting. Note: Some features require integration with third-party tools and may depend on the quality of external data sources. See full feature list.

Which integrations are available with Nucleus?

Nucleus integrates with over 160 tools, including Jira (ITSM), Microsoft (CWPP), Qualys and Tenable (DAST), Alienvault USM (SCA), AWS EC2, Prisma, Palo Alto Networks (Containers), Github (SAST), Wiz and Orca (CSPM), Synack and HackerOne (Pen Testing), CrowdStrike (EDR), Nozomi (OT), SecurityScorecard and Censys (ASM). For a complete list, visit Nucleus Integrations. Note: Integration depth and functionality may vary by tool.

Does Nucleus offer an API for custom integrations and reporting?

Yes, Nucleus provides an API that enables users to query the database for custom dashboards, real-time reports, and integration with SIEM, SOAR, and other security tools. API documentation is available at api-docs.nucleussec.com. Note: API usage requires technical expertise and may be subject to rate limits or access controls.

Performance, Security & Compliance

What performance improvements and outcomes have customers reported with Nucleus?

Customers have reported reducing critical vulnerabilities by up to 86% and achieving faster remediation of risks. Nucleus's platform improvements focus on speed, resiliency, and automation, enabling efficient vulnerability processing and real-time reporting. Note: Actual outcomes depend on customer environment and implementation quality. See customer stories.

What security and compliance certifications does Nucleus hold?

Nucleus is SOC2 compliant and holds FedRAMP Moderate Authorization, meeting rigorous standards for security, availability, processing integrity, confidentiality, and privacy. The platform also supports compliance with frameworks like NIST, FedRAMP, CISA, and PCI DSS Requirement 6. Note: Certifications are current as of 2024; verify for updates. See Vulnerability Disclosure Program.

Implementation & Support

How long does it take to implement Nucleus, and what resources are available for onboarding?

Nucleus integrates with over 200 tools out of the box, enabling onboarding in hours instead of weeks. Prebuilt connectors and reusable templates simplify deployment. Customers have access to step-by-step guides, video tutorials, a dedicated support portal, and Customer Success Managers for implementation and troubleshooting. Note: Implementation speed may vary based on environment complexity and integration requirements. Quickstart Guide.

What technical documentation and support resources are available for Nucleus?

Technical documentation includes API docs (api-docs.nucleussec.com), FlexConnect Framework setup guides (help.nucleussec.com/docs/flexconnect-framework), onboarding quickstart guides, and a comprehensive help portal (help.nucleussec.com). Note: Some resources require login or customer status for access.

Use Cases & Customer Success

What types of organizations and roles benefit most from Nucleus?

Nucleus is designed for security analysts, development and IT teams, CISOs, GRC and compliance teams, and managed security service providers (MSSPs). It is used by organizations in regulated industries (healthcare, finance, government), large enterprises, public sector entities (federal, SLED), and service providers. Note: Smaller organizations with limited vulnerability management needs may find the platform's scale unnecessary. See target audience details.

Which industries are represented in Nucleus customer case studies?

Industries include banking and financial services (Bank of Hope), airlines (Tier-1 airline), healthcare (Delta Dental, Abbott, global health enterprise), cybersecurity services (Orange Cyberdefense), education (UCSB, Udemy), energy and utilities (NRECA), retail and consumer goods (JCPenney, Henkel, Constellation Brands), public sector (US State Agency, DOE, Australian Red Cross), and technology (Autodesk, CISCO, Motorola, Zebra). See customer stories. Note: Industry-specific requirements may affect platform fit.

Can you share specific customer success stories using Nucleus?

Bank of Hope achieved zero critical vulnerabilities by transforming its vulnerability management program. A Tier-1 airline reduced 86% of critical vulnerabilities. Orange Cyberdefense streamlined vulnerability management and drove higher customer engagement (85% weekly usage). NRECA achieved centralized risk visibility and faster remediation. UCSB transformed its risk management approach. For more, see customer stories. Note: Results vary by organization and implementation.

Pain Points & Limitations

What common pain points does Nucleus address for vulnerability management?

Nucleus addresses scattered vulnerability data, ineffective risk prioritization, manual remediation workflows, compliance challenges, POA&M management inefficiencies, exposure management across hybrid cloud environments, and integration of production risk context into application security. Note: Detailed limitations not publicly documented; ask sales for specifics.

What are the acknowledged limitations or scenarios where Nucleus may not be the best fit?

Nucleus is best suited for organizations with complex infrastructures, regulated industries, and large-scale vulnerability management needs. Teams with minimal vulnerability management requirements or lacking integration-ready tools may find the platform's scale unnecessary. Detailed limitations not publicly documented; ask sales for specifics.

Customer Proof & Social Signals

What feedback have customers provided about Nucleus's ease of use?

Customers report that Nucleus offers an intuitive interface, easy automation, and smooth onboarding. Reviews highlight immediate value, streamlined workflows, and responsive support. For example, a healthcare security manager described onboarding as "one of the best implementations" and a SOC operations manager praised the easy navigation and automation. Note: User experience may vary by organization and technical skill level. See testimonials.

Who are some of Nucleus's customers?

Named customers include Autodesk, CISCO, Motorola, Zebra, Delta Dental, Abbott, UCSB, Udemy, DOE, Australian Red Cross, JCPenney, Henkel, Constellation Brands, Paychex, Marathon, American Airlines, Australia Post, and Premier League. See full customer list. Note: Customer fit varies by industry and organization size.

Achieving the ASD Essential 8 Using Nucleus

Scott Kuffer
September 15, 2022
Product
Achieving the ASD Essential 8 Using Nucleus

The Essential 8 model uses a slightly different method of prioritization than traditional prioritization based on vulnerability severity. It also calls for an aggressive approach to scanning and regular patching on frequent intervals. Nucleus is purpose-built for this level of rigor at scale. 

Scanning 

The ASD Essential 8 calls for scanning at approximately two times the rate of your patching interval. This means scanning your external systems daily and scanning your internal systems every two weeks. Scanning twice as frequently as you update allows you to capture a before and after state while measuring progress in between. 

Nucleus supports the aggressive scanning requirements defined by the ASD Essential 8.

Scan health and frequency: the Nucleus asset management module includes a thermometer across the top of the user interface showing scan health status as red, yellow, or green. 

  • Red: systems that Nucleus has discovered in your asset inventory either through system scans or other evidence in your network, but Nucleus has not ever ingested scan data for that system. Should be investigated and confirmed as active or removed. 
  • Yellow: systems that were scanned and active in Nucleus 90+ day ago but have not been seen in the past 90 days. Should be verified to confirm they are still live or removed. 
  • Green; systems seen regularly in Nucleus. 

Scan Fail notifications: Nucleus has a facility to notify users when scan imports fail. Nucleus can import scans on a set schedule, and scans failing to import both serve as a useful check that scans are indeed occurring on a regular basis, and alert users when a scan fails. 

Asset removal automation based on metadata

Using asset processing rules, Nucleus can remove assets automatically as you decommission them. If your inventory system has a flag in its metadata stating whether a system is live, Nucleus can trigger off that metadata element.  

Asset removal rules run automatically after each scan completes.  

If your asset management tool does not have such a facility, Nucleus can remove assets based on your criteria, such as the length of time or duration an asset is absent from scans, or the number of scans where the asset is missed or not seen. 

  • Asset removal vs archival: Nucleus gives you the option of completely removing the asset or archiving it, which preserves the systems’ full history so that in the future you can re-activitate the system with its full history intact. 

Implementing policies with processing and ticketing rules 

With your scanning integrations in Nucleus, you can set up rules to define due dates. Nucleus automation rules run in top to bottom order( like firewall rules), so you will want to create your rules in the same order as your due dates, with your most aggressive due dates at the top, and a catch-all rule at the end. Processing rules run after every scan import. 

Patching applications, operating systems, and Internet facing services 

Rather than using traditional severity, the ASD Essential 8 sets due dates based on exposure and types of software. This approach requires a software inventory which Nucleus produces from your scan data. The Nucleus software inventory is in the asset management module, under the link installed software. 

  • From your software inventory, you can produce a list of keywords to use to define rules to set due dates and open tickets. 
  • You can view the software list directly in the UI, and you can also export it in CSV or Microsoft Excel format.  
  • The export is useful for building lists that you can use in the rules that set due dates, since they will be based on keywords specific to your software inventory. 
  • Using that inventory, VM professionals can then build lists for each software category to use in automation rules for setting due dates.  

Patching internet-facing services 

Nucleus automatically sets an attribute on every system based on its IP address. Anything with an IP address outside the RFC 1918 ranges get an attribute set called public facing. Every Nucleus processing rule and ticketing rule can take a set of asset-related and finding-related attributes. If the asset is public facing and the finding title matches a regular expression containing keywords describing your Internet facing services—think Apache, Nginx, IIS, PHP, Exchange —you can set a due date of 48 hours from the discovery date if an exploit exists, or 14 days if no exploit exists. 

Your scanner may or may not pass exploitability data. However, Nucleus enriches every finding with two different flags that could be used for setting exploitability:  

  • Nucleus provides threat intelligence from Mandiant that includes information on a vulnerability’s exploitability.  
  • Nucleus also sets an attribute stating whether the vulnerability is on the CISA KEV, a list of known exploitable vulnerabilities maintained by CISA, a division of the United States Department of Homeland Security. Your rule can key off the exploitability field, the CISA BOD (KEV) field, or the Mandiant Exploit in Wild field. 
  • You can accomplish this with as few as four rules, although the number of ticketing rules you need will depend on how many potential assignees you have. Nucleus integrates with several leading ticketing systems, including JIRA and ServiceNow, and if you have more than one ticketing system, that’s not a problem. When you create each ticketing rule, simply choose the appropriate ticketing system for the appropriate team. 
  • Tracking due dates in Nucleus is easy. The project dashboard contains a chart called SLA Metrics that stacks findings based on due date. Findings in the red bar are past due, findings in the green bar are not yet due, and any findings with no due date assigned show up in a gray bar. 

Patching common applications 

Patching applications on user workstations uses a similar methodology. In this instance, you set the public facing attribute to false, pass a set of keywords for applications like office suites, web browsers, and PDF tools, and set the due date appropriate for your target level of maturity: 

  • For Level 1, use a due date of 30 days.  
  • For level 2, use a due date of 14 days. 
  • For Level 3, use a due date of two days if the vulnerability is exploitable, and 14 days otherwise. 

Patching operating systems 

The question of “what is an application?” and “what is part of an operating system?” can be difficult, but ordering the operating system after applications makes handling the question a bit easier. You can always come back and adjust the rules if something slips through.  

After running applications through, you can use keywords like Microsoft Windows to catch Windows updates and RHSA to catch updates for Red Hat Enterprise Linux, for example. Set a due date that is appropriate for your target level of maturity: 

  • For Level 1, use a due date of 30 days.  
  • For level 2, use a due date of 14 days.  
  • For Level 3, use a due date of two days if the vulnerability is exploitable, and 14 days otherwise. 

The rules for setting due dates are pretty easy. The ticket assignments may be more difficult, depending on whether you have one team updating everything, or if applications go to one team and the operating system goes to a different team. You can build regular expressions containing keywords to filter out applications in your ticketing rules if that is the case. The key with the ticketing rule is setting the due date and the assignee. 

A catch-all rule 

After you set your other rules, set a catch all rule to set a due date on anything that slipped through the cracks. 

Just like a firewall, your initial set of rules probably won’t be perfect. But it will probably catch more than 90%, and then you can make adjustments to close the gap between 90 and 100%. Expecting perfection on your first go-round isn’t realistic, but 12 months of iterative improvement will show a dramatic increase in productivity and maturity growth against any maturity model, ASD or otherwise.  

If you don’t have much nuance in regards to patching responsibilities, you can probably begin with a small number of rules, 1-2 finding processing rules, and a ticketing rule to handle each of the following: 

  • External, Internet-facing services 
  • Common applications 
  • All other applications and the operating system 

Removal of end-of-life software and operating systems 

The ASD mandates removing software and operating systems that breached end-of-life and are no longer receiving security updates. Many vulnerability scanners have findings related to software going end-of-life. In Nucleus, you can quickly find these searching your vulnerabilities for either the phrase “end of life” or EOL.  

  • The scanner vendor usually recommends installing or upgrading to a supported version. You can pull up a vulnerability and edit the recommendation to make it company-specific.  
  • You can click the pencil icon and replace the recommendation with information about the software’s approved replacement, making the data much more actionable for your remediation teams. Any edits you make to the recommendations persist and will not be overwritten by subsequent scans. 

Nucleus makes it easier 

The ASD approach takes a bit more work to implement than traditional approaches based on severity. However, traditional approaches don’t exactly have a good track record across the industry.  

  • Implementing the ASD Essential 8 policy in Nucleus rules is no harder than categorizing from raw scan results, and the bulk of the work takes place up front.  
  • You set up your rules once, and then fine tune them over the course of time, making iterative improvements. This approach accommodates both changes to your environment or the odd miscategorization. Anytime you adjust a due date, Nucleus will keep your adjustment in place and will not overwrite it. 

Although this is an aggressive timeline, it is entirely possible to get Nucleus integrated with your vulnerability scanner and your ticketing solution, plus write the rules that you need to build a remediation policy around the ASD Essential 8, in 30 to 45 days.  

Nucleus Australian Essential 8

We’ve helped our industry-leading customers prioritize, assign, and remediate over 3.5 billion vulnerabilities across their varied global organizations, as we are built for scale. Watch our demo to see how we can help you get started on your ASD Essential 8 journey. 

Scott Kuffer
Scott is the co-founder and Chief Product Officer of Nucleus Security, a leading provider of risk-based vulnerability management solutions. With a wealth of experience in cybersecurity, SaaS, and business strategy, he has been at the forefront of driving innovation in vulnerability management, helping some of the world’s most complex enterprises tackle their biggest security challenges.

See Nucleus in Action

Discover how unified, risk-based automation can transform your vulnerability management.