QUALYS SECURITY CONFERENCE 2018
First Look Showcase: Expanding our prevention, detection and response solutions
Marco Rottigni, Chief Technical Security Officer, Qualys, Inc.
Secure Enterprise Mobility
- Identity (X.509, Asset ID, Device ID)
- Device hardware visibility
- Network and interactions
- Apps
- Analytics
- Security posture
QSC Conference, 2018, December 6, 2018
Vulnerability Management
- Security
- Asset lockdown
- Asset hardening
- Enterprise integrations
Compliance and Protection
- Compliance policies on enrollment
- Continuous monitoring
- Protection: enforcement and remedial actions
- Policy management
- Containerization
DIY Portal
- Privacy
- Audit control
- Ownership (Corporate/BYOD)
- Transparency
Roadmap
- Feb 2019: closed beta
- Multiple releases during 2019
Security Analytics & Orchestration
Security Analytics & Orchestration
Response & Orchestration
- Human-guided, policy-driven response
- Playbooks for bi-directional ecosystem integration
- BYOP: Bring-Your-Own-Playbook
Correlation & Enrichment
- Cross-product correlation
- Additional context from 3rd-party sources
Advanced Analytics
- Detect KNOWN threats with out-of-box rules
- Detect UNKNOWN threats using machine learning
- Hacker behavioral analytics
- Predictive & prescriptive SOC
Platform architecture (diagram)
- Apps layer: ML/AI Service (patterns, outlier, predictive SOC); Orchestration & Automation (ecosystem integration, playbooks, response); UEBA (User & Entity Behavior Analytics); Threat Hunt (search, exploration, behavior graph); Security Analytics (anomaly, visualization, dashboard, advanced correlation, actionable insights, out-of-box rules)
- Qualys Security Data Lake Platform: data ingestion, normalization, enrichment, governance
- Sources: Qualys Apps (CA, VM, AI, PC, IOC, WAS, WAF) and Qualys Quick Connectors (network security, server, endpoint, apps, cloud, users, IoT)
Characteristics of the Data Lake
- Collect anything
- Dive in anywhere
- Flexible access
- Future proof
What is a Security Data Lake?
- Single data store (single source of truth)
- Structured and unstructured data
- Data is transformed, normalized, and enriched (threat intelligence feed integration, GeoIP, etc.)
- Data has governance, semantic consistency, and access controls
- Store once / process once / use multiple times: apps, dashboards, data analytics; cross-product search, reporting, visualization; machine learning, forensics, etc.
Simplified View (diagram)
- Inputs: security logs from multiple sources, cloud connectors, log connectors, AD/LDAP/HRMS
- Qualys Security Data Lake Platform: data validation, data aggregation, data normalization
- Outputs: behavior analytics, security analytics, threat hunting, ML/AI modelling, data visualization, RESTful API services, orchestration and automation, 3rd-party integration
Secure Access Control
Agenda
- What is Secure Access Control
- Use cases
- Capabilities
- Policy-based orchestration
- Operationalizing Secure Access Control
- Mockups
Qualys Security Conference, 2018, December 6, 2018
Use Cases
- Block vulnerable assets from accessing critical network resources
- Limit access (e.g. quarantine) of vulnerable assets
- Grant access to resources only on a need basis; block everything else
- Automated asset attribute processing and enforcement without the need for manual action
Use Cases: Vulnerabilities (quarantine assets if vulnerable)
Diagram: an employee laptop in a remote office, with a vulnerability found, is quarantined from the enterprise network (Local Data Center LDC-01, Remote Data Center RDC-01). While quarantined it may still reach:
- DHCP Server
- DNS Server
- Active Directory
- Windows Update Servers: http://windowsupdate.microsoft.com, http://*.windowsupdate.microsoft.com, https://*.windowsupdate.microsoft.com, http://*.update.microsoft.com, https://*.update.microsoft.com, http://*.windowsupdate.com, http://download.windowsupdate.com, http://download.microsoft.com, http://*.download.windowsupdate.com, http://test.stats.update.microsoft.com, http://ntservicepack.microsoft.com
Use Cases: Asset Inventory (access control using asset inventory attributes)
- Attributes: system information, hardware, operating system, services, network interfaces, open ports, software inventory, software lifecycle
- Actions on managed assets: Block, Allow, Quarantine, Assign ACL
- Actions on unmanaged assets: Assign VLAN
Use Cases: Compliance (block assets which fail compliance)
- Compliance: controls, mandates, control policies, family, category, score
- Indications of Compromise: malware, file, process, mutex, network, registry, incidents
- Threat Protection: file integrity, zero day, public exploit, actively attacked, high lateral movement, high data loss, DoS, no patch, exploit kit, easy exploit, action, actor, target, incidents
- Actions on managed assets: Block, Allow, Quarantine, Assign ACL, Assign VLAN
Policy-based Orchestration: Security Control Policy
- Assets: 6F:1A:5E:2B:4D:3C, Server.company.com, 10.16.154.20
- Policy: action options applied to the asset
- Ruleset: 6F:1A:5E:2B:4D:3C is assigned an ACL
Policy-based Orchestration: Access Control Policy
- Assets (source): 6F:1A:5E:2B:4D:3C, Server.company.com, 10.16.154.20
- Inbound traffic: destination is the asset; ruleset entries Allow / Deny
- Outbound traffic: source is the asset; ruleset entries Allow / Deny
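An added illustration (not Qualys code) of the policy-to-ruleset flow the Use Cases and Policy-based Orchestration slides describe: asset attributes go in, a ruleset decides Allow / Quarantine / Block / Assign VLAN, and per-direction ACL entries come out. The MAC, hostname and IP are the slide's sample values; the quarantine allow-list names and the VLAN id are constructed placeholders.

```python
# Added example, not part of the Qualys slides: a minimal evaluator for the
# Policy-based Orchestration flow. All destination names and the VLAN id are
# constructed placeholders; the asset identifiers are the slide's sample values.
from dataclasses import dataclass, field

# Services a quarantined asset may still reach, modelled on the quarantine slide
# (DHCP, DNS, Active Directory, Windows Update).
QUARANTINE_ALLOW = ["dhcp-server", "dns-server", "active-directory",
                    "*.windowsupdate.microsoft.com"]

@dataclass
class Asset:
    mac: str
    hostname: str
    ip: str
    managed: bool = True
    vulns: list = field(default_factory=list)   # e.g. ["CVE-2018-7600"]
    compliance_pass: bool = True
    ioc_hits: int = 0

@dataclass
class Decision:
    action: str        # "Allow" | "Quarantine" | "Block" | "Assign VLAN"
    inbound: list      # (verdict, destination) tuples, first match wins
    outbound: list

def evaluate(asset: Asset) -> Decision:
    """Apply the slide's use-case rules, most restrictive first."""
    if not asset.managed:
        # Unmanaged asset: move it to a guest VLAN (placeholder id) instead of blocking
        return Decision("Assign VLAN", [("Deny", "*")], [("Allow", "vlan-guest")])
    if asset.ioc_hits or not asset.compliance_pass:
        # Compliance failure or indication of compromise: block both directions
        return Decision("Block", [("Deny", "*")], [("Deny", "*")])
    if asset.vulns:
        # Vulnerable: quarantine, but keep remediation paths open so it can patch
        outbound = [("Allow", d) for d in QUARANTINE_ALLOW] + [("Deny", "*")]
        return Decision("Quarantine", [("Deny", "*")], outbound)
    # Healthy asset; a need-based policy would replace "*" with an explicit list
    return Decision("Allow", [("Allow", "*")], [("Allow", "*")])

def to_ruleset(asset: Asset, decision: Decision) -> list:
    """Flatten a decision into ordered ACL lines keyed by the asset's MAC."""
    lines = []
    for direction, entries in (("in", decision.inbound), ("out", decision.outbound)):
        for verdict, dst in entries:
            lines.append(f"{asset.mac} {direction} {verdict.lower()} {dst}")
    return lines

if __name__ == "__main__":
    srv = Asset("6F:1A:5E:2B:4D:3C", "Server.company.com", "10.16.154.20",
                vulns=["CVE-2018-7600"])
    d = evaluate(srv)
    print(d.action)
    print("\n".join(to_ruleset(srv, d)))
```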
Best of Two Worlds
- In-line appliance: reliable first-hand data; the appliance enforces; low latency for data collection and enforcement
- Out of band: switches enforce; multiple enforcement options; traffic-volume agnostic
- SAC offers both modes: powerful together, a unique value proposition
Operationalizing Secure Access Control
- Hardware: bare-metal or virtual
- Qualys Cloud App
Mock-ups: Secure Access Control
- How do I trigger SAC policies from Qualys Cloud Apps?
- How do I view and define policies?
- How do I troubleshoot an asset?
1. Trigger
2. View & Define
3. Troubleshoot
Breach & Attack Simulation
Problems
- Lack of confidence in the effectiveness of security controls
- Limited assessment scope and capabilities
- Red Team operations are expensive, not scalable, and not evaluated for completeness
- Blue Teams are blind to the impact of new exploits and attacks on their existing security controls
Breach & Attack Simulation
- Automated simulation of real-world TTPs mapped to the MITRE ATT&CK framework
Technical Approach
- Automated simulation of real-world TTPs
- Scale security assessments across the entire enterprise
- Transition towards a defense strategy based on offensive techniques
- Real-time insights mapped to the MITRE ATT&CK framework
- Continuously measure security control drift over time
Breach & Attack Simulation
- Command-line interface to adversary agents running on Qualys Cloud Agent
Breach & Attack Simulation: use case, Credential Harvesting and Reuse
1. Uploading / running mimikatz
2. Extracting stored credentials
3. Lateral movements
Breach & Attack Simulation: use case, Drupalgeddon2 (CVE-2018-7600)
1. Remote system discovery
2. Exploit vulnerability to control system
3. Laterally spread using ETERNALBLUE
QUALYS SECURITY CONFERENCE 2018, First Look Showcase
Merci, Grazie! (Thank you!)
Marco Rottigni, mrottigni@qualys.com