How to manage evolving threats on evolving ICT assets...
Your partner for information security
Marek Skalicky, CISM, CRISC, Qualys MD for CEE, November 2015
How to manage evolving threats on evolving ICT assets across the Enterprise
Agenda
• Security STARTs with VISIBILITY
• What to be afraid of … and how to fix it?
• Follow evolution of new threats and trends.
• Follow evolution of the ICT Assets Landscape.
• How can you manage what you don’t know?
• Aggregate, Normalize, Correlate and Prioritize!
• Security ENDs with ACCOUNTABILITY & CONTINUITY ;-)
What to be afraid of?
Trends by ENISA Threat Landscape 2014 (published December 2014), based on 400+ threat sources and incidents (CERT-EU, SANS)
What can happen to you?
Can you secure what you don’t know?
ACCESS PRIVILEGES
OUTDATED SOFTWARE
MIS-CONFIGURATIONS
CODING WEAKNESSES
INCOMPLETE INVENTORY
SOCIAL MEDIA
THREATS
VULNERABILITIES
THE EXTENDED ENTERPRISE
Dispersed IT Assets, Data and Networks
ICT Infrastructure is not only "on premise"
Where the assets live:
• Physical Data Centers
• Virtual Data Centers
• Remote Offices
• Mobile Users
• Cloud Data Centers

How to see them (scanning type and sensor):
- Perimeter Network Scanning: Internet Cloud Scanners
- Internal Network Scanning: Internal HW / Virtual Scanners
- Virtualized Centers Scanning: Hypervisor Scanners
- Cloud PaaS/IaaS Scanning: Azure Scanners, EC2 Scanners
- Cloud Agent Scanning: Agents for Mobile Platforms
- Passive Network Scanning: Monitor traffic for unknown devices
… in ONE centralized and unified solution for Asset Management & ICT Security & Compliance …
LIVING IN A VULNERABLE WORLD
HACKTIVISM DATA LEAKAGE
APT SOCIAL ENGINEERING
BOTNET POLICY VIOLATIONS
YOU HAVE TO PROTECT EVERYTHING… THE BAD GUYS ONLY HAVE TO FIND ONE VULNERABILITY
Explosion of vulnerabilities
Source: http://www.cvedetails.com
Top-20 vendors by number of vulnerabilities, per year:

Rank 2005                     2010                     2015
 1   Microsoft       166      Microsoft       317      Apple           579
 2   Apple           148      Apple           302      Oracle          473
 3   Linux           133      Adobe           207      Microsoft       463
 4   Redhat           99      Oracle          206      Cisco           412
 5   Mozilla          93      IBM             202      Adobe           339
 6   Suse             83      Google          156      IBM             276
 7   IBM              81      Cisco           155      Google          254
 8   Gentoo           79      Linux           125      Mozilla         144
 9   SUN              75      Mozilla         122      Novell          127
10   Oracle           61      HP              119      Canonical       126
11   Cisco            54      SUN              90      Debian          101
12   Debian           52      Realnetworks     55      HP               80
13   Ethereal Group   49      Novell           47      EMC              67
14   GNU              48      Apache           43      Linux            61
15   Ubuntu           44      Opera            40      Redhat           57
16   HP               36      Redhat           40      SAP              43
17   Mandrakesoft     33      PHP              35      Apache           40
18   BEA              33      Macromedia       30      Fedoraproject    36
19   Phpbb Group      32      Typo3            26      Siemens          35
20   Trustix          32      Vmware           24      Wireshark        32
Top-20 total        1431                     2341                     3745
Big vendors failing Big time
Vendor      2005   2010   2015
MICROSOFT    166    317    463
APPLE        148    302    579
ORACLE        61    206    473
CISCO         54    155    412
TOP-20      1431   2341   3745
Attack versus Defense windows
Source: http://www.verizonenterprise.com/DBIR/2012
1. PREDICTION
2. PREVENTION
3. DETECTION
4. REACTION
Vulnerability Remediation vs. Exploitation
https://www.kennasecurity.com/resources/non-targeted-attacks-report
Vulnerability Remediation: 100 - 120 days
Vulnerability Exploitation: 40 - 60 days
Vulnerability Half-life in IS: 30 days !!!
GAP: 60 days !!!
5-10 years old vulnerabilities are still good to go
http://www.verizonenterprise.com/DBIR/2015
Where is the problem? In scope & time
… continuous and automated view on ICT Security and Compliance …
Example of a typical CEE Enterprise:
• avg 1,000 IPs
• avg 20 SW components per IP
• avg 20 vulnerabilities per IP (critical: 4 per IP)
• avg 2 relevant threats per IP
• avg 100 security controls per IP
Attack Surface:
• 20,000 ICT Asset components
• 20,000 Vulnerabilities (20% critical)
• 2,000 Relevant Threats (Exploits & Malware)
• 100,000 Configuration security controls
Modern approach & solution:
• Data centralization / normalization / prioritization
• (Big) Data analytics / automation / workflow
• Dashboards / Alerts / Reports / Tickets
• Cloud based architecture
SANS TOP-7 High and Very-high Critical Controls from TOP-20
Australian Department of Defense: "TOP-4 Strategies to Mitigate Targeted Cyber Intrusions"
1 Application Whitelisting – only allow approved software to run
2 Application Patching – keep apps, plug-ins and other software up to date
3 OS Patching – keep operating systems current with the latest fixes
4 Minimize Administrative Privileges – prevent malicious software from making silent changes
What is the solution? Automation & Prioritization
How to get visibility into ICT Assets and correlate them with Risks and Compliance
Application Engines !
Application Engines: VM, AM, CM, PCI, PC, QS, MDS, LM, WAS, WAF
Functional areas: ASSET DISCOVERY | NETWORK SECURITY | WEB APP SECURITY | THREAT PROTECTION | COMPLIANCE MONITORING
Sensors: Passive, Physical, Virtual, Cloud, Cloud Agent
What to do with all that data? Aggregate, Normalize, Correlate, Filter, Report and Prioritize!
ICT RISK MANAGEMENT
• Vulnerabilities • Threats • Exploits • Malware • Impact scenario • Zero-Days • Patches • Workarounds
• Asset Values • Security Risk • Business Risk
ICT COMPLIANCE MANAGEMENT
• Configuration checks • Policy Controls • Custom Controls • Internal Policies • External Regulations
• Customizable • Questionnaires
DASHBOARDS | ALERTS | REPORTS | WORKFLOWS | INTEGRATIONS
BUSINESS PROCESSES / BUSINESS APPLICATIONS
ICT ASSET MANAGEMENT
• OS / Platforms • TCP/UDP Ports • Services/Protocols • Databases • Applications • SSL Certificates • Localities
• Responsibilities • Dynamic Tagging
… set process, roles, goals and measure
VM role / responsibility matrix (RACI). Columns, in order: Internal VAS service provider | BU Manager | IT Asset Owner | Scanner | Business Owner of IT Asset | InfoSec
VM policy: I, I, I, I, I, A/R
VAS system configuration: A/R, R, I, R, C/I
Asset management: I, A/R, C, R, I
Remediation: I, R, R/A, R, A, I
Remediation SLA by vulnerability type and network segment:

Vulnerability type                    Perimeter     PCI DSS scope                                   Internal network
4 & 5 with remote exploit confirmed   X days        X days                                          XY days
4 & 5 - confirmed                     XYZ days      X days (CVSS 4.0 or more), XY days (CVSS < 4.0) XY days
3 - confirmed                         XYZ days      Best effort                                     Best effort
1 & 2 - confirmed                     Best effort   Best effort                                     Best effort
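The SLA matrix above maps a confirmed finding's severity, exploit availability and network segment to a remediation deadline. The Python below is added here as an example and is not part of the slides or a Qualys product: it applies such a matrix to constructed scan findings and orders them (fixed deadlines first, then exploitable before non-exploitable, then higher severity). The concrete day values standing in for X/XY/XYZ, the column assignment of the "4 & 5 - confirmed" row, and the sample findings are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed deadline values for the slide's X / XY / XYZ placeholders (days).
X, XY, XYZ = 7, 30, 90
BEST_EFFORT = None  # no fixed deadline

@dataclass
class Finding:
    asset: str
    segment: str          # "perimeter", "pci", or "internal"
    severity: int         # 1..5, confirmed vulnerability
    cvss: float
    remote_exploit: bool  # known exploit/malware, i.e. the "Threats" correlation

def sla_days(f: Finding) -> Optional[int]:
    """Look up the SLA matrix: rows by severity and exploit availability,
    columns by network segment. Returns None for best-effort rows."""
    if f.severity >= 4 and f.remote_exploit:
        return {"perimeter": X, "pci": X, "internal": XY}[f.segment]
    if f.severity >= 4:
        if f.segment == "pci":           # PCI DSS scope splits on CVSS 4.0
            return X if f.cvss >= 4.0 else XY
        # Assumed column order for this row: perimeter XYZ, internal XY.
        return {"perimeter": XYZ, "internal": XY}[f.segment]
    if f.severity == 3 and f.segment == "perimeter":
        return XYZ
    return BEST_EFFORT                   # severity 1-2 anywhere, 3 off-perimeter

def prioritize(findings, scan_date):
    """Correlate each finding with its due date, then order the work queue:
    earliest due date first, then exploitable, then higher severity."""
    rows = []
    for f in findings:
        days = sla_days(f)
        due = scan_date + timedelta(days=days) if days is not None else None
        rows.append((f, due))
    rows.sort(key=lambda r: (r[1] is None, r[1] or date.max,
                             not r[0].remote_exploit, -r[0].severity))
    return rows

SAMPLE = [  # constructed sample findings, not real scan data
    Finding("web01", "perimeter", 5, 9.8, True),
    Finding("pos07", "pci", 4, 3.9, False),
    Finding("fs02", "internal", 3, 5.0, False),
    Finding("db03", "internal", 4, 7.5, True),
]
```

Running `prioritize(SAMPLE, date(2015, 11, 1))` puts the exploitable perimeter host first and the internal severity-3 finding last, with no fixed due date.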
… filter data and present only "need-to-know"
Technical Reports Executive Reports
Qualys at a Glance
7,700+ Customers, 107+ Countries
+1 Billion in 2013, +2 Billions in 2014
QualysGuard Cloud Platform for ICT Assets, Security and Compliance