Risk Intelligence. Quick Start Guide - Data Breach Risk

Size: px

Start display at page:

Download "Risk Intelligence. Quick Start Guide - Data Breach Risk"

Ferdinand Berry
5 years ago
Views:

1 Risk Intelligence Quick Start Guide - Data Breach Risk Last Updated: 19 September

2 CONTENTS Introduction 1 Data Breach Prevention Lifecycle 2 Choosing a Scan Deployment Methodology 4 Browser Plugin 4 CLI (Command Line) Scan 4 Mobile Apps 4 Performing an Expanded Data Breach Risk Scan 5 CLI Scanner Command Line Arguments 6 Command Line Arguments for Scan Type 6 Command Line Arguments for Proxy 7 CLI Scanner Deployment Scenarios 7 Monitoring Scan Progress and Viewing Individual Device Scan Results 7 Reporting 11 Creating an Expanded Data Breach Risk Report 13 Generating an Expanded Data Breach Risk Report 15 Report Sharing 18 Useful Links 20

3 Introduction There are two Data Breach Risk scan types - the original Data Breach Risk Scan and the more advanced Expanded Data Breach Risk Scan. The Expanded Data Breach Risk Scan combines three components: Security scan - identifies critical OS and application vulnerabilities including unpatched operating systems and applications. Technical Safeguards - Tests for 18 baseline Windows end-point configurations and highlights the settings that don't meet common baseline configurations. PII Data Discovery - Scans local and network devices for 60+ types of unencrypted personally identifiable information (PII) from 16 countries and regions. This is often used in the data mapping phase in regulatory compliance efforts. This Quick Start Guide describes the Data Breach Prevention Lifecycle and instructs on how to set up and run an Expanded Data Breach Risk Scan on the various endpoints in your organization - and then go on to access comprehensive reporting facilities: Data Breach Prevention Lifecycle Choosing a Scan Deployment Methodology Performing an Expanded Data Breach Risk Scan Monitoring Scan Progress and Viewing Individual Device Scan Results Creating an Expanded Data Breach Risk Report Generating an Expanded Data Breach Risk Report - 1 -

Data Breach Prevention Lifecycle The security of corporate sensitive data is under relentless attack. Fighting the war on digital data loss has reached the status of a global epidemic.

4 Data Breach Prevention Lifecycle The security of corporate sensitive data is under relentless attack. Fighting the war on digital data loss has reached the status of a global epidemic. The vast majority of data breaches are caused by unprotected data at rest, residing on vulnerable endpoints and resulting in an easy entry point for attackers. Risk Intelligence recognizes today's cyber security challenges and enables organizations to protect themselves by continuously assessing their environments using proven technology that follows the Data Breach Prevention Lifecycle stages: Discover - Unprotected sensitive data at rest and the insiders that have access to the data Detect - Security threats providing vulnerable entry points for attackers to access your data Prioritize - At-risk assets by leveraging the combined intelligence of security threat and data intelligence Remediate - Security threats by applying patches, mitigating solutions and encrypting or removing unprotected data Manage - The entire lifecycle process through a single scalable cloud-deployed console In this Quick Start Guide, we will walk through implementing the Risk Intelligence Data Breach Prevention Lifecycle using the Risk Intelligence Data Breach platform. The guide describes how to effectively: - 2 -

5 Use the system to discover data and vulnerabilities - using the Expanded Data Breach Risk Scan. See Performing an Expanded Data Breach Risk Scan. Generate data breach risk reports to help prioritize activities for remediation and help prevent a data breach in your organization before it occurs. See Reporting

6 Choosing a Scan Deployment Methodology The Risk Intelligence Data Breach platform utilizes a host-based scanning methodology to discover unprotected data at rest, as well as security threats and vulnerabilities that may exist on the endpoints where data is stored. The host-based scans can be delivered in various ways depending upon the target user-base, network topologies involved and device types. Currently Risk Intelligence supports three primary scan delivery methods: Browser Plugin CLI (Command Line) Scan Mobile Apps Browser Plugin The Risk Intelligence Browser Plugin for Mac and Windows provides a simple way for users to selfassess their own devices. It can be integrated into network access points with captive portals, offered as a self service scan option on intranets or public facing web pages and can even be integrated with web single sign on providers. This powerful and flexible solution can help solve one of the biggest challenges for enterprises by providing opportunistic assessment of devices which typically go undetected by traditional scan methodologies. CLI (Command Line) Scan The Risk Intelligence CLI Scanner for Mac, Windows and Linux is the most versatile scan delivery method and is the one we will focus on in this guide. Its non-persistent design allows scans to be launched from the command line, or integrated with a variety of system management tools such as McAfee epo, LanDesk, Dell Kace, Microsoft Active Directory or System Center as well as other script capable endpoint management solutions. Other common deployment scenarios include scanning remote users via VPN using the on-connect script functionality. The CLI scanner does not require installation on the endpoint and can be launched from a network share. Mobile Apps For scanning Android and Apple ios devices, Risk Intelligence provides native mobile apps available via the Google Play store or from the itunes App Store. These native mobile apps provide data discovery and vulnerability scanning. As you plan your production deployment strategy, consider each of the scan deployment methods above - each provides a valuable means of scanning devices. For the purpose of this Quick Start Guide, we will focus primarily on the CLI scan - and deploying using common system management tools

7 Performing an Expanded Data Breach Risk Scan 1. After logging onto the Risk Intelligence Console, click on Scan Computers in the side navigation panel: In the Choose Organization section, the currently selected organization is shown. In the Risk Intelligence Console, 'Organizations' are used to group devices and results using terms familiar to your company. For example an Organization might be defined as an office location or particular types of devices (servers vs workstations) or whatever is meaningful to you. 2. To change the organization you want to scan, click on Change and select the appropriate organization from those available. 3. From the Choose a Scan Type list select Expanded Data Breach Risk Scan. In the screenshot shown above, notice the Short Code. This code is created automatically by the system when accounts and organizations are created - and defines the particular scan type and configuration for the organization. Short codes can be used as command line arguments to the CLI scanner as described in the next step. 4. From the Scan Delivery Method dropdown select Command Line Executable. The various platforms and corresponding deployment options for the CLI scanner are displayed

8 The simplest way to run a command line scan is to use the provided PowerShell script on Windows platforms or the curl script on Mac and Linux platforms. These scripts are designed to automatically download the CLI executable (if it doesn't exist or is outdated on the target) and launch the selected scan on the device. See CLI Scanner Command Line Arguments for details of the commands you can use to run your scan. 5. Once you have chosen your command line scan option, enter the appropriate script to run the scan. As the scan runs, you can monitor its progress and view the scan results of individual devices from the View and Manage - Scan Results page - see Monitoring Scan Progress and Viewing Individual Device Scan Results. The time taken to run a scan depends on a variety of factors: the amount of data to be scanned; the amount of used space; the scan type (Data Breach Risk and PCI & PAN scans generally take the longest); the network conditions e.g. internet speed and device usage. Run times can range from a few minutes to several hours or several days for huge amounts of data. Once one or more scans have completed you will be able to report on results in the Reporting module. See Reporting and in particular Generating an Expanded Data Breach Risk Report. Before you can generate a Data Breach Risk Report you must first create one - see Creating an Expanded Data Breach Risk Report. CLI Scanner Command Line Arguments Command Line Arguments for Scan Type If you have chosen to download the CLI Scanner and not the Powershell or curl scripts, it will be named iscanruntime_xxxxxx_.exe (where XXXXXX is the short code for the scan type you selected). The file is named this as a matter of convenience so that command line switches are not required. The download is saved to your default download directory. You can move it to a different directory, but when you are ready to run the scan you need to be in the correct directory. Once the file is downloaded, navigate to the correct directory and type in: iscanruntime_xxxxxx_.exe This will run the scan for the type that is assigned to that short code. Alternatively, you can also rename the file to iscanruntime.exe and pass a command line argument with the desired short code. For example: C:>ren iscanruntime_xxxxxx.exe iscanruntime.exe Then: C:> iscanruntime -k XXXXXX This allows you to store a single copy of the executable on a shared file path and pass the desired scan configuration short code to the executable at run time

9 Command Line Arguments for Proxy If you need to scan devices behind a proxy, Risk Intelligence requires an internet connection and the ability to send HTTPS (443) traffic to The CLI scanner accepts as an argument the proxy server IP and port for authentication as shown below: C:> iscanruntime -k XXXXXX -x :8080 CLI Scanner Deployment Scenarios There are a variety of ways to distribute the CLI scan to endpoints in your organization. Since the CLI scanner does not require it to be installed on the actual device being scanned, it can be located on a network share and then created as a scheduled task or a cron job on Linux devices. Most common deployment scenarios leverage Microsoft Active Directory. Risk Intelligence provides detailed step by step directions for running scans via Active Directory directly from the console. Simply choose Active Directory as the Scan Delivery Method and follow the steps. The CLI scan can be run by any endpoint management tool that can execute a command on an endpoint including but not limited to: Microsoft System Center cron jobs Login script VPN on connect script Refer to your management solution documentation for instructions on how to execute a scheduled task on the desired endpoints. Monitoring Scan Progress and Viewing Individual Device Scan Results As hosts are being scanned, you can monitor the progress of individual scans and view details of completed scan results. 1. Click on View and Manage then Scan Results. The Scan Results view is a simple but very useful page that displays scans that have been run or are in the process of running on individual devices - it allows filtering and sorting on any column so you can see the data that is important to you

The following information about each scan can be displayed. Using the Select columns link at the bottom of the page customize which columns you see.

10 The following information about each scan can be displayed. Using the Select columns link at the bottom of the page customize which columns you see. Device - Click on the Device button to open the Device Information page showing details of the device being scanned: Hostname, MAC Address, Operating system, Operating system version and Architecture (e.g. x86_64) Organization - The Organization the device belongs to Host Name - The Host Name of the device Private IP Public IP Start - When the scan was initiated End - When the scan ended Duration - How long the scan took to complete The Duration column displays how long the scan took to complete. The following statuses can be displayed: (h)(m)(s) - The time taken for the scan to complete and post the results e.g. 1h 30m 50s Complete - The scan has completed but has not posted the results data. Incomplete - The 'Incomplete' status is displayed if: The scan is still running (verify by checking Task Manager for any processes labelled 'iscan'); The scan was prematurely terminated (intentionally or unintentionlly). What terminates a scan? Prematurely closing the command prompt Session times out Machine goes to sleep Adverse network conditions e.g. Internet connection is lost If any of the above occur, the scan must be manually restarted

11 Pass/Fail - The number of checks that pass or fail during a scan. For scans that contain patches and vulnerabilities, these numbers can get quite large due to the amount of checks that are carried out. Scans that are data-related are only considered one scan - no matter how many different types of data are being scanned. Mac - The device's Mac address User - The user initiating the scan Operating System - The scanned device's operating system OS version - Operating system version Arch - System type eg. x86_64 Scan Type - The type of scan executed e.g. Data Breach Risk Scan Device Key - The device key Config Name - Scan configuration type 2. To display the results report for your Expanded Data Breach Risk Scan, double-click anywhere in the row for that particular scan. Alternatively, you can select the checkbox for a particular scan, then click on View Report at the bottom left of the page. The Expanded Data Breach Risk Scan results report is then displayed for the selected host. In one single view, it combines the discovered data to show all vulnerabilities detected and which users have access to the data: - 9 -

12 3. Expand panels to display details

13 Reporting Risk Intelligence provides reporting on financial and sensitive data risks, exposed when scanning devices within an organization. In this Quick Start Guide we focus on how to create and run one of the most useful reports - the Expanded Data Breach Risk Report. Before you can run this report you must first create it - see Creating an Expanded Data Breach Risk Report. Once you have created your report and once a scan has been run on one or more devices, you can view the last run report on that scan or you can choose to generate a new report on current data - see Generating an Expanded Data Breach Risk Report. To access Reports: Navigate to Reports in the left Navigation panel: All existing reports are displayed for the selected organization

The following information/options are displayed: Report - The name and type of report. Click to display the last run report. You can edit the report menu from the Report Menu (below).

14 The following information/options are displayed: Report - The name and type of report. Click to display the last run report. You can edit the report menu from the Report Menu (below). History - Displays when the report was executed and the report status e.g. 'completed'. Also allows you to view the report in HTML or download the CSV file. You can also delete the report from here. Schedule - Details of the report scheduling (if set up in the Report Menu (see below)) Last Run At - Date and time the report was last run. Click to re-generate the report using current data. Recipients - Hover over to display recipients set up to receive report by . Edit these in the Report Menu (below) Report Menu - Click to open the Report Menu which allows you to: Edit the report columns and conditions Edit Schedule details - Daily, weekly, monthly, on a specific day of the month or no scheduling. Edit Recipients Edit report name Attach CSV to ed report Automatically generate shared URL for report Clone Report - Copy and give new report a name Create New Report - Allows you to create a new report. See Creating an Expanded Data Breach Risk Report

15 Creating an Expanded Data Breach Risk Report 1. Navigate to Reports in the left Navigation panel: All existing reports are listed 2. Click on Create New Report at the bottom of the page. Step 1 of the create report wizard is displayed. 3. Click on Security and Data Breach Reports and click Next:

4. Step 2 of the wizard is displayed, listing all reports of the type Security and Data Breach. Click on Expanded Data Breach Risk and click Next: 5. Step 3 of the wizard is now displayed.

16 4. Step 2 of the wizard is displayed, listing all reports of the type Security and Data Breach. Click on Expanded Data Breach Risk and click Next: 5. Step 3 of the wizard is now displayed. Choose your report name, any recipients of the report, any automatic scheduling of the report and click on Next: 6. Step 4 is then displayed allowing you to add columns and conditions to include/exclude data. Make your modifications to the defaults and click Next

17 7. Step 5 displays a summary of the report criteria. If you want to change anything, go back to the relevant step using the Back button and make the necessary changes. If you're happy with the report, click on Save. The report is added to the Reports list. Once an ExDBRS scan has been run you can generate the report and view the results - see Generating an Expanded Data Breach Risk Report. Generating an Expanded Data Breach Risk Report Once you have created an Expanded Data Breach Risk Report and once an Expanded Data Breach Risk Scan (exdbrs) has been run on one or more devices, you can generate the Expanded Data Breach Risk Report:

18 1. Navigate to Reports in the left Navigation panel: All existing reports are displayed for the selected organization. 2. Click to open the Expanded Data Breach Risk Report: Clicking on the report name opens the last generated report. If you want to generate a new report, click on the regenerate icon. The report is displayed:

19 This is an active view of the report and allows filtering, grouping and analysis of data. In the report page you can: Hover over the graph to view details associated with the selected data point Click on the legend to include/exclude the selected data type from the graph Click on Change Columns to change columns displayed and conditions for inclusion/exclusion of data. Filter what data is displayed using the boxes in each column header. Filter expressions such as < > = can be used for numeric filtering. For example, entering > 200 in the credit card filter will show matches with greater than 200 occurrences of credit card data found

Report Sharing Risk Intelligence has implemented a unique report sharing function that allows you to distribute reports without generating PDF files.

20 Report Sharing Risk Intelligence has implemented a unique report sharing function that allows you to distribute reports without generating PDF files. This allows the report recipient to have the same powerful filtering and analytics capability but without requiring direct access to the Risk Intelligence console. 1. To share a report, click on the Share button at the top right of the report: 2. A dialog is displayed allowing you to generate a link that will allow unauthenticated users to view this report. Click on the Share this Report button: The report URL is generated:

Once shared, the dialog will display the public shared URL for the report. 3. Send the URL to the appropriate users in your organization so they can view the report online.

21 Once shared, the dialog will display the public shared URL for the report. 3. Send the URL to the appropriate users in your organization so they can view the report online. If an employee leaves and you no longer want the URL to be available, click the Unshare button to invalidate. If you choose to share the report again, a new URL is generated which you can distribute to permitted parties

22 Useful Links PDFS Risk Intelligence Full Guide.pdf Risk Intelligence Quick Start Guide for MSPs.pdf Risk Intelligence Quick Start Guide - Data Breach Risk.pdf ONLINE HELP Risk Intelligence Full Admin Help Risk Intelligence Quick Start Help for MSPs Risk Intelligence Quick Start Help - Data Breach Risk OTHER RESOURCES Risk Intelligence API Documentation Software Services Agreement

Data Breach Risk Scanning and Reporting

Data Breach Risk Scanning and Reporting 2017. SolarWinds. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document