Real-Time Vulnerability Management Operationalizing the VM process from detection to remediation

Transcription

1 18 QUALYS SECURITY CONFERENCE 2018 Real-Time Vulnerability Management Operationalizing the VM process from detection to remediation Jimmy Graham Senior Director, Product Management, Qualys, Inc.

2 Agenda Expanding Vulnerability Management Introducing Qualys Patch Management Unified Dashboard 2 QSC Conference, 2018 November 29, 2018

3 Vulnerability Management Lifecycle Asset Inventory Vulnerability Management Patch Management Threat Risk and Prioritization 3 QSC Conference, 2018 November 29, 2018

4 Expanding Vulnerability Management Containers Private Cloud IoT Devices ICS / SCADA Mobile Devices Workstations Public Cloud On Premise 4 QSC Conference, 2018 November 29, 2018

5 Case Study: Large US Bank Challenge Difficult to prioritize vulnerabilities across 100,000 endpoints Manual correlation of external threat data No active alerting on highthreat vulnerabilities Low visibility into workstations Solution Threat Protection RTIs automates prioritization Threat Protection Live Feed provides one-click access to impacted assets Continuous Monitoring combined with RTIs Qualys Cloud Agent for continuous and complete visibility 5

6 Vulnerability Management Platform Evolution

7 Elastic VM Dashboard Merges AssetView technology into Qualys VM Build widgets with vulnerability counts Search filters for quickly building queries Replace long-running reports with live widgets 7 QSC Conference, 2018 November 29, 2018

8 Opening Up the VM Detections Platform Custom Remote Detections Qualys Remote Detection Interface (QRDI) Create your own or share on Qualys Community Supports HTTP(S) and raw TCP Regex grouping and capturing LUA scripting for advanced logic 8 QSC Conference, 2018 November 29, 2018

9 Demo VM Elastic VM Dashboard

10 Qualys Patch Management Overview

11 Current Patch Management Tools Challenges and Impact Manual correlation of vulnerability to patch leads to delayed mean-time-toremediation Waiting for vulnerability reports to confirm the patch has fixed the vulnerability Remote systems only patched when connected to corporate network Limited or no coverage of third-party apps Multiple patching solutions for each OS type 11 QSC Conference, 2018 November 29, 2018

12 Introducing Qualys Patch Management Automated correlation of vulnerability and patch data Which patch fixes the CVE? Simple dashboarding for tracking patch deployments Patch using the Qualys Cloud Agent, anywhere Patch OS and third-party applications Single solution for Windows, macos, and Linux 12 QSC Conference, 2018 November 29, 2018

13 Shift From Reaction Mode to Operational Security Always up-to-date on missing patches Security and IT teams can speak the same language Collaboration key to successful digital transformation Unify discovery, prioritization, and remediation into one platform Rapid remediation of highprofile vulnerabilities in days vs. weeks Regularly scheduled deployments are repeatable and reported on 13 QSC Conference, 2018 November 29, 2018

14 Demo PM Patch Management Beta

15 Platform Support XP SP3+ Vista Windows 7 Windows 8/8.1 Windows 10 Server 2003 SP2+ Server 2008/R2 Server 2012/R2 Server 2016 OS X Yosemite OS X El Capitan macos Sierra macos High Sierra macos Mojave RHEL 6,7 CentOS 5.4+,6,7 SUSE Linux Enterprise Server/ Desktop 11,12,15 Oracle Ent Linux 6,7(Server) Ubuntu 14.x,15.x,16.x, 18.x * Beta will focus on Windows- other operating systems will follow later * Roadmap items are future-looking; timing and specifications may change 15 QSC Conference, 2018 November 29, 2018

16 Roadmap Beta: Q Windows patch deployment General Availability: Early 2019 Beta 1 Windows patching (desktops and servers) Qualys serves patches Third party Windows applications Beta 2 On-prem Caching of patches (QGS) Direct download from vendors for off-prem Additional tokens for dashboarding Upcoming Mac patching Linux patching Repository integration Automation Rules & Approval workflows 18 QSC Conference, 2018 November 29, 2018

17 Unified Dashboards Overview

18 Unified Dashboard Build dashboards with widgets from multiple Qualys Cloud Apps Target servers, containers, instances, web apps, etc. using Asset Tags 18 QSC Conference, 2018 November 29, 2018

19 Demo UD Unified Dashboard Preview

20 Unified Dashboard Rollout Phase 1 Unified Dashboard App Global dashboard filters Phase 2 Unified widget builder Upgrade existing Cloud App Dashboards Support for: Support for: VM PC FIM IOC WAS WAF SAQ AI PM CRI TP CS CV 20 QSC Conference, 2018 November 29, 2018

21 18 QUALYS SECURITY CONFERENCE 2018 Thank You Jimmy Graham

22 18 QUALYS SECURITY CONFERENCE 2018 Cloud Agent Platform Chris Carlson VP, Product Management, Qualys, Inc.

23 Digital Transformation is Driving IT Transformation for Organizations Private Clouds Public Clouds Internet Enterprise On Premise Remote End Users 23

24 But creates new Challenges for Security Don t know how many assets you have Don t Private know Clouds when those assets are running Credential issues / Authentication failures Monthly / weekly scanning too slow [WannaCry] Enterprise On Premise Can t scan remote users Remote End Users 24

25 Qualys Sensors Scalable, self-updating & centrally managed Physical Virtual Cloud/Container Cloud Agents Passive API Legacy data centers Private cloud infrastructure Commercial IaaS & PaaS clouds Light weight, multiplatform Passively sniff on network Integration with Threat Intel feeds Corporate infrastructure Continuous security and compliance scanning Virtualized Infrastructure Continuous security and compliance scanning Pre-certified in market place Fully automated with API orchestration Continuous security and compliance scanning On premise, elastic cloud & endpoints Real-time data collection Continuous evaluation on platform for security and compliance Real-time device discovery & identification Identification of APT network traffic Extract malware files from network for analysis CMDB Integration Log connectors 29 November

26 Qualys Cloud Agent Platform Lightweight Software Agent On-Premise Servers Public Cloud Windows Linux Mac Delivers Multiple Security Functions in (collects metadata only) User Endpoints AIX Cloud Native one Agent 26

27 Qualys Platform Central Management / API Qualys Suite of Applications Cloud Agent Efficient Network Usage (Delta Processing average) Lightweight Metadata Collection (tunable) Windows, Linux, Mac, AIX KB / day ~1-2% CPU 3 MB application 27

28 Qualys Cloud Agent IT, Security, Compliance Apps AI VM PC Asset Inventory Vulnerability Management Policy Compliance Indication of Compromise Detection File Integrity Monitoring Upcoming IT App (Beta November 2018) Patch Management 28 QSC Conference, 2018 November 29, 2018

29 Try and Manage Apps on One Cloud Agent End the fight with IT to deploy security agents! Remove point-solution agents from your endpoints Consolidate security tools

30 Cloud Agent Extends Network Scanning No scan windows needed always collecting Find vulnerabilities faster Detect a fixed vulnerability faster Many new Apps only available on Agent Best for assets that can t be scanned Unable to get credentials / authentication failures Remote systems in branch offices / NAT Roaming user endpoints Cloud / Elastic deployments 30

31 Cloud Agent Adoption

32 Cloud Agent VM Usage and Growth Drivers 10,000,000s 100,000s 2016 Deploy on servers to overcome customer limitations with their network scanning - Auth issues - Scan windows - More frequent VM assessments 1,000,000 s Increasing adoption for Servers - Initial adoption for end-users (WannaCry) - Early CA deployments in AWS and Azure Growth in endpoint deployments (50-300K) - Growth in public cloud (AWS primarily) - Initial work to build CA into CI/CD/ DevOps pipelines Visibility + Lightweight agent increases adoption - Increase endpoints - Increase in public cloud - Capture migration from on-premise servers to public cloud

33 Cloud Agent CPU Tuning - Linux AWS EC2 VM: < 1.2% CPU peak usage for less than 15 mins not allowed to scan nano, micro, or small instances using network scanning 0.5% CPU when idle / heartbeat AWS t2.micro instance running Cloud Agent London 16 November

34 Cloud Agent CPU Tuning - Windows Tunable CPU Limit Example: 8% configured max on 1-core (Effective: <2% on 4-core) London 16 November

35 Cloud Native Collect Provider Metadata AWS EC2 accountid amiid availabilityzone hostname hostnamepublic instanceid instancetype kernelid macaddress privateipaddress publicipaddress region reservationid securitygroupids securitygroups subnetid VPCId Microsoft Azure dnsservers ipv6 location macaddress name offer ostype privateipaddress publicipaddress publisher resourcegroupname tags subnet subscriptionid version vmid vmsize Google Compute Platform hostname instanceid macaddress machinetype network privateipaddress projectid projectidno publicipaddress zone Agent collects metadata locally

36 Cloud Provider Metadata (AWS EC2 example) accountid ami-id ami-d874e0a0 ami-launch-index 2 availabilityzone us-west-2a hostname ip us-west-2.compute.internal imageid ami-d874e0a0 instance-id i-03e86d77745bb2bba instancetype t2.micro local-hostname ip us-west-2.compute.internal local-ipv mac 06:26:0c:74:c5:9a privateip profile default-hvm public-hostname ec us-west-2.compute.amazonaws.com public-ipv region us-west-2 reservation-id r-06e5580c2918a00ba security-groups launch-wizard-2

37 Cloud Instance Metadata Merge and Agent Dynamic License Management EC2 Connector Available now aws.ec2.accountid aws.ec2.availabilityzone aws.ec2.hostname aws.ec2.hostnamepublic aws.ec2.imageid aws.ec2.instanceid d aws.ec2.instancestate aws.ec2.instancetype aws.ec2.kernelid aws.ec2.privatedns aws.ec2.privateipaddress aws.ec2.publicdns aws.ec2.publicipaddress aws.ec2.region.code aws.ec2.region.name aws.ec2.spotinstance aws.ec2.subnetid aws.ec2.vpcid Automatically merge on Instance ID (Nov 2018) Automated Rules (Dec 2018) When instancestate = TERMINATED, then remove Cloud Agent license 37 Cloud Agent Available now aws.ec2.accountid aws.ec2.availabilityzone aws.ec2.hostname aws.ec2.imageid aws.ec2.instanceid aws.ec2.instancetype d aws.ec2.kernelid aws.ec2.privatedns aws.ec2.privateipaddress aws.ec2.publicdns aws.ec2.publicipaddress aws.ec2.region.code aws.ec2.region.name aws.ec2.subnetid aws.ec2.vpcid

38 Integrate Cloud Agent into DevOps Use Cases for DevOps Build Cloud Agent into gold image or auto-deploy with CI/CD self-service results from Qualys API/UI & integrations Get vulnerability and configuration posture of OS and application along the DevOps pipeline Fix/verify security issues before going into production Use Cases for Security End-to-end lifecycle tracking development, deployment, production, decommission Same Cloud Agent across cloud, onpremise, endpoint, hybrid Single platform as DevOps tools evolve Qualys Container Security, Jenkins integration, API automation, more 38

39 Cloud Agent Microsoft Azure Integration 39

40 40

41 41

42 42

43 Vulnerability Spread at Speed of DevOps Red Hat 7.4 Marketplace Image

44 Auto-Deploy Qualys Cloud Agent

45 Vulnerability Results

46 Threat Protection Exploitability!

47 Cloud Agent Roadmap Agent Releases Mac released Aug 29 Linux 2.1 upgrade from 2.0 (FIM) released Aug 29 Linux 2.2 Dec rollout for Policy Compliance UDCs Windows rollout started Oct 17 / complete Oct 22 Features Cloud Provider Metadata (AWS, Azure, GCP) available EC2 Connector / Cloud Agent merge available Nov Windows agent to support Patch Management Beta Dec - Policy Compliance UDCs (Windows / Linux / AIX ) Dec Agent Lifecycle Management (Public cloud State-based w/ Connector / Any asset using Time-based)

48 18 QUALYS SECURITY CONFERENCE 2018 Thank You Chris Carlson