How to manage evolving threats on evolving ICT assets across Enterprise

Transcription

1 How to manage evolving threats on evolving ICT assets across Enterprise Marek Skalicky, CISM, CRISC, Qualys MD for CEE November, 2015 Vaš partner za varovanje informacij

2 Agenda Security STARTs with VISIBILITY What to be afraid of and how to fix it? Follow evolution of new threats and trends. Follow evolution of the ICT Assets Landscape. How can you manage what you don t know? Aggregate, Normalize, Correlate and Prioritize! Security ENDs with ACCOUNTABILITY & CONTINUITY ;-)

3 What to be afraid of?

4 Trends by ENISA Threat Landscape 2014 Published on December 2014 Based on +400 Threat Sources and incidents CERT-EU, SANS

5 What can happen to you?

6 Can you secure what you don t know? OUTDATED SOFTWARE ACCESS PRIVILEGES VULNERABILITIES CODING WEAKNESSES Dispersed IT Assets, Data and Networks THE EXTENDED ENTERPRISE MIS-" CONFIGURATIONS THREATS INCOMPLETE INVENTORY SOCIAL MEDIA

7 ICT Infrastructure is not only on premise Physical Data Centers! Virtual Data Centers! Remote Offices! In ONE centralized and unified solution for Mobile Users! Asset Management & ICT Security & Compliance Cloud Data Centers! - Perimeter Network Scanning Internet Cloud Scanners - Internal Network Scanning Internal HW / Virtual Scanners - Virtualized Centers Scanning Hypervisor Scanners - Cloud PaaS/IaaS Scanning Azure Scanners, EC2 Scanners - Cloud Agent Scanning Agents for Mobile Platforms - Passive Network Scanning Monitor traffic for unknown devices 7

8 LIVING IN A VULNERABLE WORLD YOU HAVE TO PROTECT EVERYTHING THE BAD GUYS ONLY HAVE TO FIND ONE VULNERABILITY BOTNET HACKTIVISM APT DATA LEAKAGE POLICY VIOLATIONS SOCIAL ENGINEERING

9 Explosion of vulnerabilities Vendor Name Number of Vulnerabilities 1 Microsoft Apple Linux Redhat 99 5 Mozilla 93 6 Suse 83 7 IBM 81 8 Gentoo 79 9 SUN Oracle Cisco Debian Ethereal Group GNU Ubuntu HP Mandrakesoft BEA Phpbb Group Trustix 32 Vendor Name Number of Vulnerabilities 1 Microsoft Apple Adobe Oracle IBM Google Cisco Linux Mozilla HP SUN Realnetworks Novell Apache Opera Redhat PHP Macromedia Typo Vmware 24 Vendor Name Number of Vulnerabilities 1 Apple Oracle Microsoft Cisco Adobe IBM Google Mozilla Novell Canonical Debian HP EMC Linux Redhat SAP Apache Fedoraproject Siemens Wireshark 32 top 20 celkem 1431 top 20 celkem 2341 top 20 celkem

10 Vendor Name Big vendors failing Big time Number of Vulnerabilities 1 Microsoft Apple Linux Redhat 99 5 Mozilla 93 6 Suse 83 7 IBM 81 8 Gentoo 79 9 SUN Oracle Cisco Debian Ethereal Group GNU Ubuntu HP Mandrakesoft BEA Phpbb Group Trustix 32 Vendor Name Number of Vulnerabilities 1 Microsoft Apple Adobe Oracle IBM Google Cisco Linux Mozilla HP SUN Realnetworks Novell Apache Opera Redhat PHP Macromedia Typo Vmware 24 Vendor Name Number of Vulnerabilities 1 Apple Oracle Microsoft Cisco Adobe IBM Google Mozilla Novell Canonical Debian HP EMC Linux Redhat SAP Apache Fedoraproject Siemens Wireshark 32 MICROSOFT APPLE ORACLE CISCO TOP top 20 celkem 1431 top 20 celkem 2341 top 20 celkem

11 Attack versus Defense windows 1. PREDICTION 2. PREVENTION 3. DETECTION 4. REACTION

12 Vulnerability Remediation vs. Exploitation Vulnerability Remediation: days Vulnerability Exploitation: days Vulnerability Half-life in IS: 30 days!!! GAP: 60 days!!!

13 5-10 years old vulnerabilites still good to go

14 Where is the problem? In scope & Pme Example of typical CEE Enterprise: avg: 100 sec. controls per/ip avg: 1000 IP avg: 20 SW components avg: 20 per/ip Critical: 4 per /IP continuous and automated view on ICT Security and Compliance Attack Surface: ICT Asset components Vulnerabilities (20% critical) Relevant Threats (Expl.&Malware) Configuration security controls avg: 2 per/ip Modern approach & solution: Data centralization / normalization / prioritization (Big)Data analytics / automation / workflow Dashboards / Alerts / Reports / Tickets Cloud based architecture

15 What is solupon? AutomaPon & PrioriPzaPon SANS TOP-7 High and Very-high Critical Controls from TOP-20 Australian Department of Defense: TOP- 4 Strategies to MiPgate Targeted Cyber Intrusions 1 Application Whitelisting only allow approved software to run 2 Application Patching keep apps, plug-ins and other software up to date 3 OS Patching keep operating systems current with the latest fixes 4 Minimize Administrative Privileges prevent malicious software from making silent changes

16 How to get visibility into ICT Assets and correlate them with Risks and Compliance Application Engines! CM AM VM PCI PC QS MDS WAS WAF LM ASSET DISCOVERY NETWORK SECURITY WEB APP SECURITY THREAT PROTECTION COMPLIANCE MONITORING Sensors! Passive Physical Virtual Cloud Cloud Agent 16

17 What to do with all that data? Aggregate, Normalize, Correlate, Filter, Report and PrioriPze! DASHBOARDS ALERTS REPORTS WORKFLOWS INTEGRATIONS ICT RISK MANAGEMENT Vulnerabilities Threats Exploits Malware Impact scenario Zero-Days Patches Workarounds Asset Values Security Risk Business Risk ICT ASSET MANAGEMENT OS / Platforms TCP/UDP Ports Services/ Protocols Databases Applications SSL Certificates Localities Responsibilities Dynamic Tagging ICT COMPLIANCE MANAGEMENT Configuration checks Policy Controls Custom Controls Internal Policies External Regulations Customizable Questionnaires BUSINESS PROCESSES / BUSINESS APPLICATIONS 17

18 set process, roles, goals and measure VM role Responsibility Internal VAS service provider BU Manager IT Asset Owner Scanner Business Owner of IT Asset InfoSec VM policy I I I I I A/R VAS system configuration Asset management A/R R I R C/I I A/R C R I Remediation I R R/A R A I Vulnerability type Network segmnets Perimeter PCI DSS scope Internal network 4 & 5 with remote exploit confirmed X days X days XY days X days (CVSS 4.0 or more) 4 & 5 - confirmed XY days XYZ days XY days (CVSS less than 4.0) 3 - confirmed XYZ days Best effort Best effort 1 i 2 - confirmed Best effort Best effort Best effort 18

19 filter data and present only need- to- know Technical Reports Executive Reports 19

20 Qualys at a Glance QualysGuard Cloud Pla_orm for ICT Assets, Security and Compliance 7,700 + Customers Countries +1 Billion +2 Billions in 2013 In

21 Vaš partner za varovanje informacij