The State of Security

Transcription

1 The State of Security Securing today s elastic IT assets Jens Freitag Senior Security Specialist DACH jfreitag@tenable.com

2 New Threats Discovered Every Day HEARTBLEED SHELLSHOCK STAGEFRIGHT 90M 70% Billion network devices vulnerable of all Internet-facing machines exposed Android devices possibly affected by major flaw in Media Library GHOST FLASH SCADA WINDOWS Almost every Linux system vulnerable due to glibc flaw Multiple zero days leveraged by exploit kits Numerous remote code execution vulnerabilities discovered Numerous remote code execution vulnerabilities discovered

3 VULNERABILITIES WE HAVE NAMED DRIVING AGENDAS

4 LOGOS LEAD TO KNEE JERK REACTIONS NOT IMPROVEMENTS

5 Many Old Issues Still Linger CAGR INVADER BANDIT Lack of visibility due to large compound annual growth rates Inability to identify attack path to defend against breach Buying expensive bandaids for massive bullet holes STUTTER ROT26 SHAKESPEARE A a Communication failure between security staff and the business Data is not encrypted Why is the data not encrypted?! Given a few tries, a chimp banging on a keyboard would guess your password

6 CAGR Lack of visibility due to large compound annual growth rates

7 MOST ORGANISATIONS LACK VISIBILITY

8 SHADOW IT Dictionary Shadow IT ˈʃadəʊ it noun IT systems and solutions used by employees without explicit approval by operations or security. Systems not known to the organisation through lack of visibility.

9 It only takes a few seconds for a new virtual machine to spin up but days, weeks or months to detect it

10 90% of workers in the US are using personal smartphones for work purposes

11 Compound annual growth rate of infrastructure* *According to 400 respondents to the Tenable State of Security survey 2015

12 Using a 20th Century approach to address a 21st Century problem

13 PERIODIC SCANNING IS NOT ENOUGH

14 ASSET DISCOVERY Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization's public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analysing their traffic should be employed. SANS CRITICAL SECURITY CONTROL #1

15 Takes a 21st Century Approach Tenable.io LCE LCE LOG CORRELATION ENGINE NC SECURITYCENTER CONTINUOUS VIEW SC PVS PVS PASSIVE VULNERABILITY SCANNER N NESSUS VULNERABILITY SCANNER NA NESSUS AGENTS

16 What assets, data and vulnerabilities reside on the network?

17 INVADER Inability to identify attack path to defend against breach

18 Example Attack Path Foothold Found via phishing or vulnerability Explore Find data and systems of interest Establish Install code for permanence Evade Hide forensic footprints Exfiltrate Extract customer data or IP Profit Sell data to other 3rd parties

19 CONTINUOUSLY MONITOR THE ATTACK SURFACE

20 What controls should be implemented to continuously protect and monitor the assets?

21 DEPLOY&VERIFY CONTINUOUSLY

22 BANDIT Buying expensive bandaids for massive bullet holes

23 The Almighty Security Vendors Will Save Us!

24 Security isn t about spending a portion of the annual budget on tools it s about doing the right activities to reduce risk

25 STUTTER Communication failure between security staff and the business

26 MANY SECURITY TEAMS LACK CREDIBILITY AT THE BUSINESS LEVEL

27 How can I Demonstrate I have continuous situational Awareness?

28 How do I communicate the effectiveness of security and demonstrate value to the business?

29 its and bytes don t belong in the boardroom etrics are the language of Business

30 EFFECTIVENESS METRICS

31 IF YOU CAN T MEASURE YOU CAN T CONTROL

32 IF YOU CAN T MEASURE YOU CAN T IMPROVE

33 ALIGN SECURITY ISSUES to the BUSINESS DRIVERS

34 FOCUSING ON FIXING THE FOUNDATIONAL GLIMPSE SHAKESPEARE INVADER Lack of visibility due to large compound annual growth rates Given a few tries, a chimp banging on a keyboard would guess your password Inability to identify attack path to defend against breach BANDIT ROT26 STUTTER A a Buying expensive bandaids for massive bullet holes Data is not encrypted Why is the data not encrypted?! Communication failure between security staff and the business

35 PRACTICE THE FUNDAMENTALS FIRST

36 Organisations need to stop focusing on the 0DAY AND FIX THE 100DAY

37 The biggest issue we face in security today isn t APT IT S APATHY

38 Applications Vulnerability Management Web Application Scanning Container Security Platform Integration API and SDK Sensors Scanner Agent PVS VM Provider App Sec Provider CMDB Provider Other 3rd Party Nessus Sensors Third Party Sources

39 42