DevSecOps Shift Left Security. Prioritizing Incident Response using Security Posture Assessment and Attack Surface Analysis

Themes

Vulnerabilities are Low Hanging Fruit

Why so many breaches that Anti-Virus missed? 2015 largest disclosed breaches

Known Critical Vulnerabilities are Increasing [chart: vulnerabilities per year, 2011 to 2016; y-axis 0 to 9,000; series: Total, High (CVSS 7-10)]

WannaCry Retrospective

WannaCry Timeline and Remediation [chart: detections in thousands, y-axis 0 to 700; timeline markers: MS17-010 Patch Release, EternalBlue Exploit, WannaCry; series: Authenticated / Agent Detection, Continued + Unauthenticated Detection]

Endpoint Breach Prevention by Reducing Attack Surfaces

1. Discover and Know your Assets

2. Detect and Measure Vulnerabilities

3. Prioritize Remediation

4. Identify and Deploy Patches

Exercise: I already know all my assets

Auto-Deploy Qualys Cloud Agent (Vuln)

Vulnerability Results

Exploitability Posture

Get Proactive: Reduce the Attack Surface!

Get Visibility into your Public Clouds

Common AWS Misconfigurations

Continuous Security Monitoring

Actionable Responses Reduce Attack Surface

Can Security Teams do better?

Digital Transformation Priorities Source: https://news.microsoft.com/apac/2017/02/20/80-of-businessleaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoftstudy/microsoft-digital-transformation-infographic-asia

Digital Transformation Barriers Source: https://news.microsoft.com/apac/2017/02/20/80-of-businessleaders-believe-they-need-to-be-a-digital-business-to-succeed-microsoftstudy/microsoft-digital-transformation-infographic-asia

DevSecOps ≠ DevOps + Security

False Approach ~ False Start ~ Failure [diagram: Security bolted on at every stage of the pipeline (Plan, Code, Test, Release, Package, Deploy, Operate, Monitor), with Dev and Ops waiting on Security at each step: "wait! wait! wait!"]

Security + DevOps = a Revolt or Left Out? Source: https://theclumpany.wordpress.com/2015/08/09/pitchforks-and-flaming-torches/

Food Safety is a Security Problem Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-

DevSecOps Shift in Thinking

Shift Time

Case Study: Financial Services Mobile Wallet

Before: Lack of Security Automation Delays Release
Machine Builders: VM Scan/Report, 48 Hours
Vulnerability Management Teams: VM Scan/Report, 48 Hours
At least two weeks until the AMI is certified for production

1. DevOps Born in the Cloud: New builds in AWS every 60 days; Automated Regression & Test-Driven Development
2. Security: Commercial/Open Source vulnerabilities are detected & fixed on the same release cadence; Automated regression finds patch issues faster
3. Docker containers abstract applications from the OS: OS vulnerabilities are patched separately from Applications

After: Security at the Source in DevOps Pipeline
[pipeline diagram: Amazon Machine Image (AMI) -> Qualys assesses on dev instances -> automatically add Qualys Cloud Agent -> approve and publish; components shown: Qualys Scanner, Qualys Agent, OS]

Vulnerability Metric Benefits

Shift Techniques

Case Study: One of Largest Ecommerce Companies

1. Shift Technique: Tag Vulnerable Libraries in Source Control. Apply Technique: Prevent Software Check-Ins that use Vulnerable Libraries
2. Shift Technique: Vulnerabilities in Production are Treated as Defects. Apply Technique: Automatically open tickets for Developers on security issues
3. Shift Technique: Open Vulnerabilities Reported to Business Unit VPs. Apply Technique: Excessive Remediation Times are escalated to CEO
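The first shift technique above (tag vulnerable libraries in source control and block check-ins that use them) amounts to a small gate that runs before a commit or in CI. The script below is an added example, not code from the slides or from Qualys: it keeps an advisory list in the repository, parses a pinned requirements file, and refuses any pin that falls inside a known-vulnerable version range. The advisory data, package names, advisory identifiers and the sample requirements file are all constructed for illustration; a real deployment would generate the advisory list from the organisation's vulnerability-assessment results or an advisory feed.

```python
"""CI / pre-commit gate: block check-ins that pin a known-vulnerable library.

Added example, not from the slides. The advisory data below is CONSTRUCTED
for illustration (placeholder identifiers, hypothetical package names); in
practice it would be generated from the organisation's vulnerability
assessment results and committed next to the code, which is the
"tag vulnerable libraries in source control" technique.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed advisory data: package -> list of (first_vulnerable, fixed_in, advisory id).
# A version v is affected when first_vulnerable <= v < fixed_in.
VULNERABLE_LIBRARIES: Dict[str, List[Tuple[str, str, str]]] = {
    "examplelib": [("1.0.0", "1.4.2", "ADVISORY-PLACEHOLDER-001")],
    "webutils": [
        ("0.0.0", "2.3.0", "ADVISORY-PLACEHOLDER-002"),
        ("3.0.0", "3.0.5", "ADVISORY-PLACEHOLDER-003"),
    ],
}

# Constructed sample requirements.txt, as a developer might try to check it in.
REQUIREMENTS_TXT = """\
# constructed sample requirements.txt
examplelib==1.2.0        # inside a vulnerable range -> blocked
webutils==3.0.5          # exactly the fixed version -> allowed
otherlib>=2.0            # not pinned -> flagged, cannot be vetted
safe-lib==0.9.1          # no advisory -> allowed
"""

# Only exact '==' pins can be vetted against a version range.
_PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) for ordered comparison.

    Parsing stops at the first non-numeric component ('1.0rc1' -> (1, 0, 0))
    and the result is padded to three components so '1.4' == '1.4.0'.
    """
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def normalize(name: str) -> str:
    """Package names compare case-insensitively and '_' is equivalent to '-'."""
    return name.lower().replace("_", "-")


def is_affected(name: str, version: str) -> List[str]:
    """Return the ids of every advisory whose version range covers this pin."""
    v = parse_version(version)
    hits = []
    for first, fixed, advisory in VULNERABLE_LIBRARIES.get(normalize(name), []):
        if parse_version(first) <= v < parse_version(fixed):
            hits.append(advisory)
    return hits


def find_violations(requirements_text: str) -> List[str]:
    """Return one message per line that must block the check-in."""
    violations = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = _PIN_RE.match(line)
        if not m:
            # An unpinned dependency can resolve to a vulnerable release later,
            # so the gate refuses anything it cannot vet.
            violations.append(f"{line}: not pinned with '==', cannot be vetted")
            continue
        name, version = m.group(1), m.group(2)
        for advisory in is_affected(name, version):
            violations.append(f"{name}=={version}: known vulnerable ({advisory})")
    return violations


if __name__ == "__main__":
    problems = find_violations(REQUIREMENTS_TXT)
    for p in problems:
        print("BLOCKED:", p)
    # Non-zero exit status makes a pre-commit hook or CI job fail the check-in.
    sys.exit(1 if problems else 0)
```

Wired in as a pre-commit hook or a required CI job, the non-zero exit status is what turns the advisory tags into an enforced gate; the fixed-in boundary is exclusive, so the first patched release passes while everything before it is refused.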

Shift Tools
Find/Implement the right tools for the DevOps Processes... But: You may not need to procure new tools
APIs, Integrations, Self-Service UIs
Collaborate with current vendors on your DevOps plans

Case Study: Financial Investment Services

1. Challenge: 400+ Web Apps in production. Solution: Integrated the production Web Security Assessment tool into DevOps processes via API
2. Challenge: Web Security Assessment found they had a lot of easily mitigated app vulnerabilities. Solution: Automatically create Jira bugs for App Development to fix XSS and SQL Injection issues
3. Challenge: Hard for developers to fix security issues in production. Solution: Continuously assess Web Apps in the dev process so issues are not re-introduced

Integrate Production Security Tools into DevOps
[diagram: Selenium -> Qualys WAS -> Jira Issues]

DevSecOps: Practical Steps to Get Started

Open Q&A