Risk Intelligence. Quick Start Guide - Data Breach Risk


Last Updated: 19 September 2018

CONTENTS

Introduction
Data Breach Prevention Lifecycle
Choosing a Scan Deployment Methodology
    Browser Plugin
    CLI (Command Line) Scan
    Mobile Apps
Performing an Expanded Data Breach Risk Scan
    CLI Scanner Command Line Arguments
        Command Line Arguments for Scan Type
        Command Line Arguments for Proxy
    CLI Scanner Deployment Scenarios
    Monitoring Scan Progress and Viewing Individual Device Scan Results
Reporting
    Creating an Expanded Data Breach Risk Report
    Generating an Expanded Data Breach Risk Report
    Report Sharing
Useful Links

Introduction

There are two Data Breach Risk scan types: the original Data Breach Risk Scan and the more advanced Expanded Data Breach Risk Scan. The Expanded Data Breach Risk Scan combines three components:

- Security scan - identifies critical OS and application vulnerabilities, including unpatched operating systems and applications.
- Technical Safeguards - tests for 18 baseline Windows end-point configurations and highlights the settings that don't meet common baseline configurations.
- PII Data Discovery - scans local and network devices for 60+ types of unencrypted personally identifiable information (PII) from 16 countries and regions. This is often used in the data mapping phase of regulatory compliance efforts.

This Quick Start Guide describes the Data Breach Prevention Lifecycle and explains how to set up and run an Expanded Data Breach Risk Scan on the various endpoints in your organization, and then how to access the comprehensive reporting facilities:

- Data Breach Prevention Lifecycle
- Choosing a Scan Deployment Methodology
- Performing an Expanded Data Breach Risk Scan
- Monitoring Scan Progress and Viewing Individual Device Scan Results
- Creating an Expanded Data Breach Risk Report
- Generating an Expanded Data Breach Risk Report

Data Breach Prevention Lifecycle

The security of corporate sensitive data is under relentless attack. Fighting the war on digital data loss has reached the status of a global epidemic. The vast majority of data breaches are caused by unprotected data at rest, residing on vulnerable endpoints and resulting in an easy entry point for attackers.

Risk Intelligence recognizes today's cyber security challenges and enables organizations to protect themselves by continuously assessing their environments using proven technology that follows the Data Breach Prevention Lifecycle stages:

- Discover - unprotected sensitive data at rest and the insiders that have access to the data
- Detect - security threats providing vulnerable entry points for attackers to access your data
- Prioritize - at-risk assets by leveraging the combined intelligence of security threat and data intelligence
- Remediate - security threats by applying patches, mitigating solutions and encrypting or removing unprotected data
- Manage - the entire lifecycle process through a single scalable cloud-deployed console

In this Quick Start Guide, we walk through implementing the Risk Intelligence Data Breach Prevention Lifecycle using the Risk Intelligence Data Breach platform. The guide describes how to effectively:

- Use the system to discover data and vulnerabilities using the Expanded Data Breach Risk Scan. See Performing an Expanded Data Breach Risk Scan.
- Generate data breach risk reports to help prioritize remediation activities and help prevent a data breach in your organization before it occurs. See Reporting.

Choosing a Scan Deployment Methodology

The Risk Intelligence Data Breach platform uses a host-based scanning methodology to discover unprotected data at rest, as well as security threats and vulnerabilities that may exist on the endpoints where data is stored. The host-based scans can be delivered in various ways depending upon the target user base, the network topologies involved and the device types. Currently Risk Intelligence supports three primary scan delivery methods:

- Browser Plugin
- CLI (Command Line) Scan
- Mobile Apps

Browser Plugin

The Risk Intelligence Browser Plugin for Mac and Windows provides a simple way for users to self-assess their own devices. It can be integrated into network access points with captive portals, offered as a self-service scan option on intranets or public-facing web pages, and can even be integrated with web single sign-on providers. This powerful and flexible solution can help solve one of the biggest challenges for enterprises by providing opportunistic assessment of devices which typically go undetected by traditional scan methodologies.

CLI (Command Line) Scan

The Risk Intelligence CLI Scanner for Mac, Windows and Linux is the most versatile scan delivery method and is the one we focus on in this guide. Its non-persistent design allows scans to be launched from the command line, or integrated with a variety of system management tools such as McAfee ePO, LANDesk, Dell KACE, Microsoft Active Directory or System Center, as well as other script-capable endpoint management solutions. Other common deployment scenarios include scanning remote users via VPN using the on-connect script functionality. The CLI scanner does not require installation on the endpoint and can be launched from a network share.

Mobile Apps

For scanning Android and Apple iOS devices, Risk Intelligence provides native mobile apps available via the Google Play store or from the iTunes App Store. These native mobile apps provide data discovery and vulnerability scanning.

As you plan your production deployment strategy, consider each of the scan deployment methods above; each provides a valuable means of scanning devices. For the purpose of this Quick Start Guide, we focus primarily on the CLI scan, deployed using common system management tools.

Performing an Expanded Data Breach Risk Scan

1. After logging onto the Risk Intelligence Console, click on Scan Computers in the side navigation panel. In the Choose Organization section, the currently selected organization is shown. In the Risk Intelligence Console, 'Organizations' are used to group devices and results using terms familiar to your company. For example, an Organization might be defined as an office location, a particular type of device (servers vs workstations), or whatever is meaningful to you.

2. To change the organization you want to scan, click on Change and select the appropriate organization from those available.

3. From the Choose a Scan Type list, select Expanded Data Breach Risk Scan. Notice the Short Code shown for the selected scan type. This code is created automatically by the system when accounts and organizations are created, and defines the particular scan type and configuration for the organization. Short codes can be used as command line arguments to the CLI scanner, as described in the next step.

4. From the Scan Delivery Method dropdown, select Command Line Executable. The various platforms and corresponding deployment options for the CLI scanner are displayed. The simplest way to run a command line scan is to use the provided PowerShell script on Windows platforms or the curl script on Mac and Linux platforms. These scripts are designed to automatically download the CLI executable (if it doesn't exist or is outdated on the target) and launch the selected scan on the device. See CLI Scanner Command Line Arguments for details of the commands you can use to run your scan.

5. Once you have chosen your command line scan option, enter the appropriate script to run the scan.

As the scan runs, you can monitor its progress and view the scan results of individual devices from the View and Manage - Scan Results page; see Monitoring Scan Progress and Viewing Individual Device Scan Results.

The time taken to run a scan depends on a variety of factors: the amount of data to be scanned; the amount of used space; the scan type (Data Breach Risk and PCI & PAN scans generally take the longest); and the network conditions, e.g. internet speed and device usage. Run times can range from a few minutes to several hours, or several days for huge amounts of data.

Once one or more scans have completed, you will be able to report on results in the Reporting module. See Reporting and in particular Generating an Expanded Data Breach Risk Report. Before you can generate a Data Breach Risk Report you must first create one; see Creating an Expanded Data Breach Risk Report.

CLI Scanner Command Line Arguments

Command Line Arguments for Scan Type

If you have chosen to download the CLI Scanner and not the PowerShell or curl scripts, it will be named iscanruntime_xxxxxx_.exe (where xxxxxx is the short code for the scan type you selected). The file is named this way as a matter of convenience, so that command line switches are not required. The download is saved to your default download directory. You can move it to a different directory, but when you are ready to run the scan you need to be in that directory.

Once the file is downloaded, navigate to the correct directory and type:

    iscanruntime_xxxxxx_.exe

This runs the scan for the type assigned to that short code. Alternatively, you can rename the file to iscanruntime.exe and pass a command line argument with the desired short code. For example:

    C:\> ren iscanruntime_xxxxxx_.exe iscanruntime.exe

Then:

    C:\> iscanruntime -k XXXXXX

This allows you to store a single copy of the executable on a shared file path and pass the desired scan configuration short code to the executable at run time.
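As an added example that is not part of the guide: a POSIX shell wrapper for launching the renamed scanner from a network share in a cron job, login script or VPN on-connect script, which are the deployment scenarios the guide describes. It assumes the binary has been renamed to iscanruntime and copied to a share mounted at a placeholder path, and it uses only the -k short code argument shown above and the -x proxy argument the guide documents in the next section.

```shell
#!/bin/sh
# Added example, not part of the Risk Intelligence guide: a wrapper for launching the
# CLI scanner from a cron job, login script or VPN on-connect script.
# Assumptions: the scanner has been renamed to iscanruntime (the guide's rename step,
# shown there for Windows) and placed on a network share mounted at $ISCAN_SHARE;
# only the -k (short code) and -x (proxy host:port) arguments documented in the
# guide are used. All paths below are placeholders.
ISCAN_SHARE="${ISCAN_SHARE:-/mnt/itshare/iscan}"   # assumed mount point of the share
ISCAN_CONSOLE="https://app.iscanonline.com"        # console the scanner must reach over 443
LOGFILE="${LOGFILE:-/var/log/iscan-wrapper.log}"    # assumed local log location

# Accept only the host:port form the guide shows for -x (port must be 1-65535).
valid_proxy() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    host=${1%:*}
    port=${1##*:}
    [ -n "$host" ] || return 1
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Print the scanner command line for a short code and an optional proxy.
build_scan_cmd() {
    code=$1
    proxy=$2
    [ -n "$code" ] || { echo "build_scan_cmd: short code required" >&2; return 1; }
    cmd="$ISCAN_SHARE/iscanruntime -k $code"
    if [ -n "$proxy" ]; then
        valid_proxy "$proxy" || { echo "build_scan_cmd: bad proxy '$proxy'" >&2; return 1; }
        cmd="$cmd -x $proxy"
    fi
    printf '%s\n' "$cmd"
}

# Preflight: without a proxy the host itself needs HTTPS to the console; with one,
# curl is pointed at the proxy so the same check covers the proxied path.
console_reachable() {
    if [ -n "$1" ]; then
        curl -sS -o /dev/null --max-time 15 -x "$1" "$ISCAN_CONSOLE"
    else
        curl -sS -o /dev/null --max-time 15 "$ISCAN_CONSOLE"
    fi
}

# Run the scan and record start, end and exit status. A scan cut off by a lost
# connection shows as Incomplete in the console and must be re-run by hand, so the
# log tells you which hosts to revisit.
run_scan() {
    cmd=$(build_scan_cmd "$1" "$2") || return 1
    console_reachable "$2" || { echo "console unreachable, not starting scan" >&2; return 1; }
    printf '%s start host=%s cmd=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" "$cmd" >> "$LOGFILE"
    rc=0
    $cmd || rc=$?
    printf '%s end host=%s rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" "$rc" >> "$LOGFILE"
    return "$rc"
}

# Assumed cron entry (one line):  0 2 * * 1  ISCAN_SHORT_CODE=XXXXXX /usr/local/bin/iscan-wrapper.sh
if [ -n "${ISCAN_SHORT_CODE:-}" ]; then
    run_scan "$ISCAN_SHORT_CODE" "${ISCAN_PROXY:-}"
fi
```

Set ISCAN_PROXY to the host:port value when the endpoint sits behind a proxy; the wrapper refuses to start when the console is unreachable rather than leaving an Incomplete scan behind.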

Command Line Arguments for Proxy

If you need to scan devices behind a proxy, note that Risk Intelligence requires an internet connection and the ability to send HTTPS (443) traffic to https://app.iscanonline.com. The CLI scanner accepts as an argument the proxy server IP and port, as shown below:

    C:\> iscanruntime -k XXXXXX -x 192.168.1.2:8080

CLI Scanner Deployment Scenarios

There are a variety of ways to distribute the CLI scan to endpoints in your organization. Since the CLI scanner does not need to be installed on the device being scanned, it can be located on a network share and launched as a scheduled task, or as a cron job on Linux devices.

Most common deployment scenarios leverage Microsoft Active Directory. Risk Intelligence provides detailed step-by-step directions for running scans via Active Directory directly from the console: simply choose Active Directory as the Scan Delivery Method and follow the steps.

The CLI scan can be run by any endpoint management tool that can execute a command on an endpoint, including but not limited to:

- Microsoft System Center
- cron jobs
- Login script
- VPN on-connect script

Refer to your management solution documentation for instructions on how to execute a scheduled task on the desired endpoints.

Monitoring Scan Progress and Viewing Individual Device Scan Results

As hosts are being scanned, you can monitor the progress of individual scans and view details of completed scan results.

1. Click on View and Manage, then Scan Results. The Scan Results view is a simple but very useful page that displays scans that have been run, or are in the process of running, on individual devices. It allows filtering and sorting on any column so you can see the data that is important to you.

The following information about each scan can be displayed. Use the Select columns link at the bottom of the page to customize which columns you see.

- Device - Click on the Device button to open the Device Information page showing details of the device being scanned: Hostname, MAC Address, Operating system, Operating system version and Architecture (e.g. x86_64)
- Organization - The Organization the device belongs to
- Host Name - The Host Name of the device
- Private IP
- Public IP
- Start - When the scan was initiated
- End - When the scan ended
- Duration - How long the scan took to complete. The following statuses can be displayed:
    - (h)(m)(s) - The time taken for the scan to complete and post the results, e.g. 1h 30m 50s
    - Complete - The scan has completed but has not posted the results data.
    - Incomplete - Displayed if the scan is still running (verify by checking Task Manager for any processes labelled 'iscan'), or if the scan was prematurely terminated (intentionally or unintentionally).

What terminates a scan?

- Prematurely closing the command prompt
- Session times out
- Machine goes to sleep
- Adverse network conditions, e.g. the Internet connection is lost

If any of the above occur, the scan must be manually restarted.

- Pass/Fail - The number of checks that pass or fail during a scan. For scans that contain patches and vulnerabilities, these numbers can get quite large due to the number of checks that are carried out. Scans that are data-related are only considered one scan, no matter how many different types of data are being scanned.
- Mac - The device's MAC address
- User - The user initiating the scan
- Operating System - The scanned device's operating system
- OS version - Operating system version
- Arch - System type, e.g. x86_64
- Scan Type - The type of scan executed, e.g. Data Breach Risk Scan
- Device Key - The device key
- Config Name - Scan configuration type

2. To display the results report for your Expanded Data Breach Risk Scan, double-click anywhere in the row for that particular scan. Alternatively, select the checkbox for a particular scan, then click on View Report at the bottom left of the page. The Expanded Data Breach Risk Scan results report is then displayed for the selected host. In one single view, it combines the discovered data to show all vulnerabilities detected and which users have access to the data.

3. Expand panels to display details.

Reporting

Risk Intelligence provides reporting on the financial and sensitive data risks exposed when scanning devices within an organization. In this Quick Start Guide we focus on how to create and run one of the most useful reports: the Expanded Data Breach Risk Report. Before you can run this report you must first create it; see Creating an Expanded Data Breach Risk Report. Once you have created your report, and once a scan has been run on one or more devices, you can view the last run report on that scan or you can choose to generate a new report on current data; see Generating an Expanded Data Breach Risk Report.

To access Reports, navigate to Reports in the left navigation panel. All existing reports are displayed for the selected organization.

The following information/options are displayed:

- Report - The name and type of report. Click to display the last run report. You can edit the report from the Report Menu (below).
- History - Displays when the report was executed and the report status, e.g. 'completed'. Also allows you to view the report in HTML or download the CSV file. You can also delete the report from here.
- Schedule - Details of the report scheduling (if set up in the Report Menu, see below)
- Last Run At - Date and time the report was last run. Click to re-generate the report using current data.
- Email Recipients - Hover over to display the recipients set up to receive the report by email. Edit these in the Report Menu (below).
- Report Menu - Click to open the Report Menu, which allows you to:
    - Edit the report columns and conditions
    - Edit Schedule details - daily, weekly, monthly, on a specific day of the month, or no scheduling
    - Edit Email Recipients
    - Edit report name
    - Attach CSV to emailed report
    - Automatically generate shared URL for report
    - Clone Report - copy the report and give the new report a name
- Create New Report - Allows you to create a new report. See Creating an Expanded Data Breach Risk Report.

Creating an Expanded Data Breach Risk Report

1. Navigate to Reports in the left navigation panel. All existing reports are listed.

2. Click on Create New Report at the bottom of the page. Step 1 of the create report wizard is displayed.

3. Click on Security and Data Breach Reports and click Next.

4. Step 2 of the wizard is displayed, listing all reports of the type Security and Data Breach. Click on Expanded Data Breach Risk and click Next.

5. Step 3 of the wizard is displayed. Choose your report name, any email recipients of the report and any automatic scheduling of the report, then click Next.

6. Step 4 is displayed, allowing you to add columns and conditions to include/exclude data. Make your modifications to the defaults and click Next.

7. Step 5 displays a summary of the report criteria. If you want to change anything, go back to the relevant step using the Back button and make the necessary changes. If you're happy with the report, click on Save. The report is added to the Reports list.

Once an Expanded Data Breach Risk Scan has been run you can generate the report and view the results; see Generating an Expanded Data Breach Risk Report.

Generating an Expanded Data Breach Risk Report

Once you have created an Expanded Data Breach Risk Report, and once an Expanded Data Breach Risk Scan (ExDBRS) has been run on one or more devices, you can generate the Expanded Data Breach Risk Report:

1. Navigate to Reports in the left navigation panel. All existing reports are displayed for the selected organization.

2. Click to open the Expanded Data Breach Risk Report. Clicking on the report name opens the last generated report. If you want to generate a new report, click on the regenerate icon. The report is displayed.

This is an active view of the report and allows filtering, grouping and analysis of data. In the report page you can:

- Hover over the graph to view details associated with the selected data point
- Click on the legend to include/exclude the selected data type from the graph
- Click on Change Columns to change the columns displayed and the conditions for inclusion/exclusion of data
- Filter what data is displayed using the boxes in each column header. Filter expressions such as <, > and = can be used for numeric filtering. For example, entering > 200 in the credit card filter shows matches with more than 200 occurrences of credit card data found.

Report Sharing

Risk Intelligence has implemented a unique report sharing function that allows you to distribute reports without generating PDF files. This gives the report recipient the same powerful filtering and analytics capability without requiring direct access to the Risk Intelligence console.

1. To share a report, click on the Share button at the top right of the report.

2. A dialog is displayed allowing you to generate a link that will allow unauthenticated users to view this report. Click on the Share this Report button. The report URL is generated.

Once shared, the dialog displays the public shared URL for the report.

3. Send the URL to the appropriate users in your organization so they can view the report online. If an employee leaves and you no longer want the URL to be available, click the Unshare button to invalidate it. If you choose to share the report again, a new URL is generated which you can distribute to permitted parties.

Useful Links

PDFS
- Risk Intelligence Full Guide.pdf
- Risk Intelligence Quick Start Guide for MSPs.pdf
- Risk Intelligence Quick Start Guide - Data Breach Risk.pdf

ONLINE HELP
- Risk Intelligence Full Admin Help
- Risk Intelligence Quick Start Help for MSPs
- Risk Intelligence Quick Start Help - Data Breach Risk

OTHER RESOURCES
- Risk Intelligence API Documentation
- Software Services Agreement