Data Breach Risk Scanning and Reporting

Size: px

Start display at page:

Download "Data Breach Risk Scanning and Reporting"

Marvin Moody
5 years ago
Views:

1 Data Breach Risk Scanning and Reporting

2 2017. SolarWinds. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. SolarWinds is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, SolarWinds makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. SolarWinds makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical. Version: Last updated (day/month/year): 25 May 2017

3 Contents 1 Introduction 1 2 Data Breach Prevention Lifecycle 4 3 Choosing a Scan Deployment Methodology 6 4 Performing a Data Breach Risk Scan CLI Scanner Command Line Arguments CLI Scanner Deployment Scenarios Monitoring Scan Progress 14 5 Reporting Creating a Data Breach Risk Report Generating a Data Breach Risk Report Report Sharing 28 6 Useful Links 30 7 Index 32

4 1 Introduction In today's world of cyber attacks and data breaches, it is important to understand the goals and motivations of attackers as well as how attacks happen. Every day, businesses are at risk of becoming victim to data breaches - and these breaches continue to happen because organizations do not have the tools to discover the data which exposes security threats, unprotected data at rest and insider access to unprotected data. Risk Intelligence provides a powerful patented data breach risk intelligence platform that delivers the combined intelligence necessary for organizations to understand and act upon their risk exposure of a data breach attack. Businesses recognize the importance of security, but they often don't realize the urgency until they see something tangible. MAX Risk Intelligence makes it concrete by assigning real dollars to your data sensitivity, helping you: Build a strong business case for sensitive data protection Triage the most important problems to tackle. The Risk Intelligence Cloud Console provides high level dashboards and detailed reporting across the entire enterprise. Several dashboard widgets are available and they display top hosts by risk, most vulnerable hosts and various other statistics relating to discovered data and trends. MSP Risk Intelligence - 1 -

5 Some of the powerful features include: Cost-based risk assessment Sensitive data discovery Deep vulnerability scanning Risk trending reports Inappropriate access discovery and alerts PCI compliance scans MSP Risk Intelligence

6 This Quick Start Guide describes the Data Breach Prevention Lifecycle and instructs on how to set up and run a Data Breach Risk Scan on the various endpoints in your organization - and then go on to access comprehensive reporting facilities: Data Breach Prevention Lifecycle (page 4) Choosing a Scan Deployment Methodology (page 6) Performing a Data Breach Risk Scan (page 8) Monitoring Scan Progress (page 14) Creating a Data Breach Risk Report (page 20) Generating a Data Breach Risk Report (page 25) MSP Risk Intelligence - 3 -

2 Data Breach Prevention Lifecycle The security of corporate sensitive data is under relentless attack. Fighting the war on digital data loss has reached the status of a global epidemic.

7 2 Data Breach Prevention Lifecycle The security of corporate sensitive data is under relentless attack. Fighting the war on digital data loss has reached the status of a global epidemic. The vast majority of data breaches are caused by unprotected data at rest, residing on vulnerable endpoints and resulting in an easy entry point for attackers. Risk Intelligence recognizes today's cyber security challenges and enables organizations to protect themselves by continuously assessing their environments using proven technology that follows the Data Breach Prevention Lifecycle stages: Discover - Unprotected sensitive data at rest and the insiders that have access to the data Detect - Security threats providing vulnerable entry points for attackers to access your data Prioritize - At-risk assets by leveraging the combined intelligence of security threat and data intelligence MSP Risk Intelligence

8 Remediate - Security threats by applying patches, mitigating solutions and encrypting or removing unprotected data Manage - The entire lifecycle process through a single scalable cloud-deployed console In this Quick Start Guide, we will walk through implementing the Risk Intelligence Data Breach Prevention Lifecycle using the Risk Intelligence Data Breach platform. The guide describes how to effectively: Use the system to discover data and vulnerabilities - using the Data Breach Risk Scan. See Performing a Data Breach Risk Scan (page 8). Generate data breach risk reports to help prioritize activities for remediation and help prevent a data breach in your organization before it occurs. See Reporting (page 18). MSP Risk Intelligence - 5 -

9 3 Choosing a Scan Deployment Methodology The Risk Intelligence Data Breach platform utilizes a host-based scanning methodology to discover unprotected data at rest, as well as security threats and vulnerabilities that may exist on the endpoints where data is stored. The host-based scans can be delivered in various ways depending upon the target userbase, network topologies involved and device types. Currently Risk Intelligence supports three primary scan delivery methods: Browser Plugin CLI (Command Line) Scan Mobile Apps Browser Plugin The Risk Intelligence Browser Plugin for Mac and Windows provides a simple way for users to self-assess their own devices. It can be integrated into network access points with captive portals, offered as a self service scan option on intranets or public facing web pages and can even be integrated with web single sign on providers. This powerful and flexible solution can help solve one of the biggest challenges for enterprises by providing opportunistic assessment of devices which typically go undetected by traditional scan methodologies. CLI (Command Line) Scan The Risk Intelligence CLI Scanner for Mac, Windows and Linux is the most versatile scan delivery method and is the one we will focus on in this guide. Its non-persistent design allows scans to be launched from the command line, or integrated with a variety of system management tools such as McAfee epo, LanDesk, Dell Kace, Microsoft Active Directory or System Center as well as other script capable endpoint management solutions. Other common deployment scenarios include scanning remote users via VPN using the on-connect script functionality. The CLI scanner does not require installation on the endpoint and can be launched from a network share. Mobile Apps For scanning Android and Apple ios devices, Risk Intelligence provides native mobile apps available via the Google Play store or from the itunes App Store. These native mobile apps provide data discovery and vulnerability scanning MSP Risk Intelligence

10 Note - As you plan your production deployment strategy, consider each of the scan deployment methods above - each provides a valuable means of scanning devices. For the purpose of this Quick Start Guide, we will focus primarily on the CLI scan - and deploying using common system management tools. MSP Risk Intelligence - 7 -

11 4 Performing a Data Breach Risk Scan The Data Breach Risk Scan combines two scan types - the Data Discovery scan and the Security scan. In this Quick Start Guide we are focusing on how to perform a Data Breach Risk Scan on various endpoints in your organization using the CLI scanner. 1. After logging onto the Risk Intelligence Console, click on Scan Computers from the side navigation menu: In the Choose Organization section, the currently selected organization is shown. Note - In the Risk Intelligence Console, 'Organizations' are used to group devices and results using terms familiar to your company. For example an Organization might be defined as an office location or particular types of devices (servers vs workstations) or whatever is meaningful to you MSP Risk Intelligence

12 2. To change the organization you want to scan, click on Change and select the appropriate organization from those available. 3. Now you need to choose a Data Breach Risk Scan from the Choose a Scan Type list. The Data Breach Risk Scan is pre-configured to discover the following types of sensitive data: Credit Cards Social Security Numbers Driver's License Date of birth Note - In the screenshot shown above, notice the Short Code. This code is created automatically by the system when accounts and organizations are created - and defines the particular scan type and configuration for the organization. Short codes can be used as command line arguments to the CLI scanner as described in the next step. 4. Next, you need to choose the Scan Delivery Method from the dropdown. In this guide we are using the CLI scanner to perform a Data Breach Risk Scan, so select Command Line Executable. MSP Risk Intelligence - 9 -

13 The various platforms and corresponding deployment options for the CLI scanner are then displayed: MSP Risk Intelligence

14 MSP Risk Intelligence

15 Tip - The simplest way to run a command line scan is to use the provided PowerShell script on Windows platforms or the curl script on Mac and Linux platforms. These scripts are designed to automatically download the CLI executable (if it doesn't exist or is outdated on the target) and launch the selected scan on the device. See CLI Scanner Command Line Arguments (page 12) for details of the commands you can use to run your scan. 5. Once you have chosen your command line scan option, enter the appropriate script. The scan will now run. You will be able to monitor its progress and view scan results from the View and Manage - Scan Results page - see Monitoring Scan Progress (page 14). Note - The time taken to run a scan depends on a variety of factors: the amount of data to be scanned; the amount of used space; the scan type (Data Breach Risk and PCI & PAN scans generally take the longest); the network conditions e.g. internet speed and device usage. Run times can range from a few minutes to several hours or several days for huge amounts of data. Once one or more scans have completed you will be able to report on results in the Reporting module. See Reporting (page 18) and in particular Generating a Data Breach Risk Report (page 25). Tip - Before you can generate a Data Breach Risk Report you must first create one - see Creating a Data Breach Risk Report (page 20). 4.1 CLI Scanner Command Line Arguments Command Line Arguments for Scan Type If you have chosen to download the CLI Scanner and not the Powershell or curl scripts, it will be named iscanruntime_xxxxxx_.exe (where XXXXXX is the short code for the scan type you selected). The file is named this as a matter of convenience so that command line switches are not required. Important - The download is saved to your default download directory. You can move it to a different directory, but when you are ready to run the scan you need to be in the correct directory. Once the file is downloaded, navigate to the correct directory and type in: MSP Risk Intelligence

16 iscanruntime_xxxxxx_.exe This will run the scan for the type that is assigned to that short code. Alternatively, you can also rename the file to iscanruntime.exe and pass a command line argument with the desired short code. For example: Then: C:>ren iscanruntime_xxxxxx.exe iscanruntime.exe C:> iscanruntime -k XXXXXX This allows you to store a single copy of the executable on a shared file path and pass the desired scan configuration short code to the executable at run time. Command Line Arguments for Proxy If you need to scan devices behind a proxy, Risk Intelligence requires an internet connection and the ability to send HTTPS (443) traffic to The CLI scanner accepts as an argument the proxy server IP and port for authentication as shown below: C:> iscanruntime -k XXXXXX -x : CLI Scanner Deployment Scenarios There are a variety of ways to distribute the CLI scan to endpoints in your organization. Since the CLI scanner does not require it to be installed on the actual device being scanned, it can be located on a network share and then created as a scheduled task or a cron job on Linux devices. Most common deployment scenarios leverage Microsoft Active Directory. Risk Intelligence provides detailed step by step directions for running scans via Active Directory directly from the console. Simply choose Active Directory as the Scan Delivery Method and follow the steps. The CLI scan can be run by any endpoint management tool that can execute a command on an endpoint including but not limited to: Microsoft System Center cron jobs Login script VPN on connect script Refer to your management solution documentation for instructions on how to execute a scheduled task on the desired endpoints. MSP Risk Intelligence

4.3 Monitoring Scan Progress As hosts are being scanned, you can monitor the progress of individual scans and view details of completed scan results. 1.

The Scan Results view is a simple but very useful page that displays scans that have been run or are in the process of running - it allows filtering and sorting on any column so

17 4.3 Monitoring Scan Progress As hosts are being scanned, you can monitor the progress of individual scans and view details of completed scan results. 1. Click on View and Manage then Scan Results. The Scan Results view is a simple but very useful page that displays scans that have been run or are in the process of running - it allows filtering and sorting on any column so you can see the data that is important to you. The following information about each scan is displayed: Device - Click on the Device button to open the Device Information page showing details of the device being scanned: Hostname, MAC Address, Operating system, Operating system version and Architecture (e.g. x86_64) MSP Risk Intelligence

18 Organization - The Organization the device belongs to Host Name - The Host Name of the device Start - When the scan was initiated Duration - How long the scan took to complete Note - The Duration column displays how long the scan took to complete. The following statuses can be displayed: (h)(m)(s) - The time taken for the scan to complete and post the results e.g. 1h 30m 50s Complete - The scan has completed but has not posted the results data. Incomplete - The 'Incomplete' status is displayed if: The scan is still running (verify by checking Task Manager for any processes labelled 'iscan'); The scan was prematurely terminated (intentionally or unintentionlly). What terminates a scan? Prematurely closing the command prompt Session times out Machine goes to sleep Adverse network conditions e.g. Internet connection is lost If any of the above occur, the scan must be manually restarted. Pass/Fail - The number of checks that pass or fail during a scan. For scans that contain patches and vulnerabilities, these numbers can get quite large due to the amount of checks that are carried out. Scans that are datarelated are only considered one scan - no matter how many different types of data are being scanned. User - The user initiating the scan Operating System - The scanned device's operating system Scan Type - The type of scan executed e.g. Data Breach Risk Scan 2. To display the results report for your Data Breach Risk Scan, double-click anywhere in the row for that particular scan. Alternatively, you can select the checkbox for a particular scan, then click on View Report at the bottom left of the page. MSP Risk Intelligence

19 The Data Breach Risk Scan results report is then displayed for the selected host. In one single view, it combines the discovered data to show all vulnerabilities detected and which users have access to the data: MSP Risk Intelligence

20 MSP Risk Intelligence

21 5 Reporting Risk Intelligence provides reporting on financial and sensitive data risks, exposed when scanning devices within an organization. In this Quick Start Guide we are focussing on how to create and run one of the most useful reports - the Data Breach Risk Report. Before you can run this report you must first create it - see Creating a Data Breach Risk Report (page 20). Once you have created your report and once a scan has been run on one or more devices, you can view the last run report on that scan or you can choose to generate a new report on current data - see Generating a Data Breach Risk Report (page 25). To access Reports: Navigate to Reports in the left Navigation panel: All existing reports are displayed for the selected organization MSP Risk Intelligence

The following information/options are displayed: Report - The name and type of report. Click to display the last run report. You can edit the report menu from the Report Menu (below).

22 The following information/options are displayed: Report - The name and type of report. Click to display the last run report. You can edit the report menu from the Report Menu (below). History - Displays when the report was executed and the report status e.g. 'completed'. Also allows you to view the report in HTML or download the CSV file. You can also delete the report from here. Schedule - Details of the report scheduling (if set up in the Report Menu (see below)) Last Run At - Date and time the report was last run. Click report using current data. to re-generate the Recipients - Hover over . Edit these in the Report Menu (below) to display recipients set up to receive report by Report Menu - Click to open the Report Menu which allows you to: Edit the report columns and conditions Edit Schedule details - Daily, weekly, monthly, on a specific day of the month or no scheduling. Edit Recipients MSP Risk Intelligence

23 Edit report name Attach CSV to ed report Automatically generate shared URL for report Clone Report - Copy and give new report a name Create New Report - Allows you to create a new report. See Creating a Data Breach Risk Report (page 20). 5.1 Creating a Data Breach Risk Report 1. Navigate to Reports in the left Navigation panel: 2. Click on Create New Report at the bottom of the page. Step 1 of the create report wizard is displayed. 3. Click on Security and Data Breach Reports and click Next: MSP Risk Intelligence

24 4. Step 2 of the wizard is displayed, listing all reports of the type Security and Data Breach. Click on Data Breach Risk at the top and click on Next: MSP Risk Intelligence

25 5. Step 3 of the wizard is now displayed. Choose your report name, any recipients of the report, any automatic scheduling of the report and click on Next: MSP Risk Intelligence

26 6. Step 4 is then displayed allowing you to add columns and conditions to include/exclude data. Make your modifications to the defaults and click Next. MSP Risk Intelligence

27 7. Step 5 displays a summary of the report criteria. If you want to change anything, go back to the relevant step using the Back button and make the necessary changes. If you're happy with the report, click on Save MSP Risk Intelligence

28 The report is added to the Reports list. Now you can generate the report and view the results - see Generating a Data Breach Risk Report (page 25). 5.2 Generating a Data Breach Risk Report Once you have Creating a Data Breach Risk Report (page 20) and once a Performing a Data Breach Risk Scan (page 8) has been run on one or more devices, it is possible to generate a Data Breach Risk Report: MSP Risk Intelligence

Click to open the Data Breach Risk report: Tip - Clicking on the report name opens the

29 1. Navigate to Reports in the left Navigation panel: All existing reports are displayed for the selected organization. 2. Click to open the Data Breach Risk report: Tip - Clicking on the report name opens the last generated report. If you want to generate a new report, click on the regenerate icon. The report is displayed: MSP Risk Intelligence

30 Note - This is an active view of the report and allows filtering, grouping and analysis of data. In the report page you can: Hover over the graph to view details associated with the selected data point Click on the legend to include/exclude the selected data type from the graph MSP Risk Intelligence

31 Click on Change Columns to change columns displayed and conditions for inclusion/exclusion of data. Filter what data is displayed using the boxes in each column header. Filter expressions such as < > = can be used for numeric filtering. For example, entering > 200 in the credit card filter will show matches with greater than 200 occurences of credit card data found. 5.3 Report Sharing Risk Intelligence has implemented a unique report sharing function that allows you to distribute reports without generating PDF files. This allows the report recipient to have the same powerful filtering and analytics capability but without requiring direct access to the Risk Intelligence console. 1. To share a report, click on the Share button at the top right of the report: 2. A dialog is displayed allowing you to generate a link that will allow unauthenticated users to view this report. Click on the Share this Report button: MSP Risk Intelligence

Note - If an employee leaves and you no longer want the URL to be available, click the Unshare button to

32 The report URL is generated: Once shared, the dialog will display the public shared URL for the report. 3. Send the URL to the appropriate users in your organization so they can view the report online. Note - If an employee leaves and you no longer want the URL to be available, click the Unshare button to invalidate. If you choose to share the report again, a new URL is generated which you can distribute to permitted parties. MSP Risk Intelligence

33 6 Useful Links For a full list of links to Online Help, PDF guides and API information, see Useful Links (this link will open the Full Admin Online Help page in a new tab) MSP Risk Intelligence

34 MSP Risk Intelligence

35 7 Index R Reporting 1, 12, 18 Creating a Data Breach Risk Report 20 Data Breach Risk Report 18, 20, 25 Generating a Data Breach Risk Report 25 Report Sharing 28 Risk Intelligence Browser Plugin 6 S Scan Delivery Method Browser Plugin 6 CLI Scan 6, 8, Mobile Apps 6 Scanning Data Breach Risk Scan 3, 5, 8, 15 Monitoring Scan Progress 14 Scan Delivery Method 9, 13 MSP Risk Intelligence Index 32

Risk Intelligence. Quick Start Guide - Data Breach Risk

Risk Intelligence. Quick Start Guide - Data Breach Risk Risk Intelligence Quick Start Guide - Data Breach Risk Last Updated: 19 September 2018 --------------------------- 2018 CONTENTS Introduction 1 Data Breach Prevention Lifecycle 2 Choosing a Scan Deployment