How to manage evolving threats on evolving ICT assets across the Enterprise
Marek Skalicky, CISM, CRISC, Qualys MD for CEE
November 2015
Your partner for information security (Vaš partner za varovanje informacij)
Agenda
Security STARTs with VISIBILITY
- What to be afraid of, and how to fix it?
- Follow the evolution of new threats and trends.
- Follow the evolution of the ICT asset landscape.
- How can you manage what you don't know?
- Aggregate, Normalize, Correlate and Prioritize!
Security ENDs with ACCOUNTABILITY & CONTINUITY ;-)
What to be afraid of?
Trends by ENISA Threat Landscape 2014 (published December 2014), based on 400+ threat sources and incidents (CERT-EU, SANS).
What can happen to you?
Can you secure what you don't know? The extended enterprise: dispersed IT assets, data and networks, exposed to
- outdated software
- access privileges
- vulnerabilities
- coding weaknesses
- misconfigurations
- threats
- incomplete inventory
- social media
ICT infrastructure is not only on-premise: physical data centers, virtual data centers, remote offices, mobile users and cloud data centers. Asset management, ICT security and compliance in ONE centralized and unified solution:
- Perimeter network scanning: Internet cloud scanners
- Internal network scanning: internal hardware / virtual scanners
- Virtualized data center scanning: hypervisor scanners
- Cloud PaaS/IaaS scanning: Azure scanners, EC2 scanners
- Cloud agent scanning: agents for mobile platforms
- Passive network scanning: monitor traffic for unknown devices
LIVING IN A VULNERABLE WORLD: you have to protect everything; the bad guys only have to find one vulnerability. Botnets, hacktivism, APT, data leakage, policy violations, social engineering.
Explosion of vulnerabilities: big vendors failing big time. Top-20 vendors by number of published vulnerabilities per year (source: http://www.cvedetails.com):

Rank  2005                        2010                        2015
  1   Microsoft           166     Microsoft           317     Apple               579
  2   Apple               148     Apple               302     Oracle              473
  3   Linux               133     Adobe               207     Microsoft           463
  4   Redhat               99     Oracle              206     Cisco               412
  5   Mozilla              93     IBM                 202     Adobe               339
  6   Suse                 83     Google              156     IBM                 276
  7   IBM                  81     Cisco               155     Google              254
  8   Gentoo               79     Linux               125     Mozilla             144
  9   SUN                  75     Mozilla             122     Novell              127
 10   Oracle               61     HP                  119     Canonical           126
 11   Cisco                54     SUN                  90     Debian              101
 12   Debian               52     Realnetworks         55     HP                   80
 13   Ethereal Group       49     Novell               47     EMC                  67
 14   GNU                  48     Apache               43     Linux                61
 15   Ubuntu               44     Opera                40     Redhat               57
 16   HP                   36     Redhat               40     SAP                  43
 17   Mandrakesoft         33     PHP                  35     Apache               40
 18   BEA                  33     Macromedia           30     Fedoraproject        36
 19   Phpbb Group          32     Typo3                26     Siemens              35
 20   Trustix              32     Vmware               24     Wireshark            32
      Top-20 total       1431     Top-20 total       2341     Top-20 total       3745

Selected vendors, 2005 / 2010 / 2015:
- Microsoft: 166 / 317 / 463
- Apple: 148 / 302 / 579
- Oracle: 61 / 206 / 473
- Cisco: 54 / 155 / 412
- Top-20 total: 1431 / 2341 / 3745

Two caveats when reading these counts: cvedetails attributes each CVE to every vendor whose product is affected, so distribution vendors (Redhat, Suse, Gentoo, Debian, Canonical, Fedoraproject) largely re-count the same upstream Linux and application issues; and the 2015 column was taken with the year still in progress (this deck is dated November 2015).
Attack versus defense windows: 1. PREDICTION, 2. PREVENTION, 3. DETECTION, 4. REACTION (http://www.verizonenterprise.com/dbir/2012)
Vulnerability remediation vs. exploitation:
- Time to remediation: 100-120 days
- Time to exploitation: 40-60 days
- Vulnerability half-life in information systems (time until the number of vulnerable systems halves): 30 days!!!
- GAP between exploitation and remediation: 60 days!!!
(https://www.kennasecurity.com/resources/non-targeted-attacks-report)
Vulnerabilities 5-10 years old are still good to go for attackers (http://www.verizonenterprise.com/dbir/2015).
Where is the problem? In scope and time. Example of a typical CEE enterprise:
- avg. 1,000 IPs
- avg. 20 software components per IP -> 20,000 ICT asset components
- avg. 20 vulnerabilities per IP, of which 4 critical -> 20,000 vulnerabilities (20% critical)
- avg. 2 relevant threats (exploits & malware) per IP -> 2,000 relevant threats
- avg. 100 security controls per IP -> 100,000 configuration security controls
Attack surface: 20,000 ICT asset components, 20,000 vulnerabilities (20% critical), 2,000 relevant threats, 100,000 configuration security controls. What is needed is a continuous and automated view of ICT security and compliance.
Modern approach & solution:
- Data centralization / normalization / prioritization
- (Big) data analytics / automation / workflow
- Dashboards / alerts / reports / tickets
- Cloud-based architecture
What is the solution? Automation & Prioritization.
SANS Top-20 Critical Security Controls: the top 7 rated high and very-high.
Australian Signals Directorate (Department of Defence), Top 4 Strategies to Mitigate Targeted Cyber Intrusions:
1. Application whitelisting: only allow approved software to run
2. Application patching: keep apps, plug-ins and other software up to date
3. OS patching: keep operating systems current with the latest fixes
4. Minimize administrative privileges: prevent malicious software from making silent changes
How to get visibility into ICT assets and correlate them with risks and compliance?
Application engines: CM, AM, VM, PCI, PC, QS, MDS, WAS, WAF, LM, covering asset discovery, network security, web app security, threat protection and compliance monitoring.
Sensors: passive, physical, virtual, cloud, cloud agent.
What to do with all that data? Aggregate, Normalize, Correlate, Filter, Report and Prioritize!
Outputs: dashboards, alerts, reports, workflows, integrations.
- ICT RISK MANAGEMENT: vulnerabilities, threats, exploits, malware, impact scenario, zero-days, patches, workarounds, asset values -> security risk, business risk
- ICT ASSET MANAGEMENT: OS / platforms, TCP/UDP ports, services / protocols, databases, applications, SSL certificates, localities, responsibilities, dynamic tagging
- ICT COMPLIANCE MANAGEMENT: configuration checks, policy controls, custom controls, internal policies, external regulations, customizable questionnaires
All mapped onto BUSINESS PROCESSES / BUSINESS APPLICATIONS.
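The aggregate / normalize / correlate / prioritize pipeline from this slide, and the "20% critical" arithmetic of the attack-surface slide, are easier to reason about in code. The block below is an added example written for this page; it is not Qualys code and not from the original deck. Everything in it is constructed: two scanner exports in different shapes (one reports severity 1-5 and no CVSS, the other CVSS and no severity), a hypothetical threat-intel feed with exploit / malware / zero-day / patch flags, and asset values assigned by the business. Real CVE identifiers appear only as sample keys; CVE-0000-0001 is a deliberately fake ID standing for an unpatched zero-day, and the severity-to-CVSS mapping and the risk weights are assumptions, not a vendor's scoring.

```python
"""Aggregate -> normalize -> correlate -> prioritize over scanner findings.

Added illustration, not Qualys code. All inputs below are constructed.
"""
from dataclasses import dataclass, field

# --- constructed inputs -----------------------------------------------------
SCANNER_A = [  # network scanner export: severity 1-5, no CVSS
    {"ip": "10.0.0.5", "cve": "cve-2014-0160", "severity": 5},
    {"ip": "10.0.0.5", "cve": "CVE-0000-0001", "severity": 3},  # fake ID: unpatched zero-day
    {"ip": "10.0.0.9", "cve": "CVE-2014-0160", "severity": 5},
]
SCANNER_B = [  # agent export: "ip,cve,cvss" lines, no severity
    "10.0.0.5, CVE-2014-0160, 7.5",
    "10.0.0.7, CVE-2008-4250, 9.3",
    "10.0.0.9, CVE-2011-3389, 4.3",
]
THREAT_INTEL = {  # hypothetical feed: exploit / malware / zero-day / patch known?
    "CVE-2014-0160": {"exploit": True, "malware": False, "zero_day": False, "patch": True},
    "CVE-2008-4250": {"exploit": True, "malware": True, "zero_day": False, "patch": True},
    "CVE-2011-3389": {"exploit": False, "malware": False, "zero_day": False, "patch": True},
    "CVE-0000-0001": {"exploit": False, "malware": False, "zero_day": True, "patch": False},
}
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.7": 3, "10.0.0.9": 1}  # 1 = low .. 5 = crown jewels
SEVERITY_TO_CVSS = {1: 1.0, 2: 3.0, 3: 5.0, 4: 7.0, 5: 9.0}   # assumed mapping for scanner A


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float = 0.0
    sources: set = field(default_factory=set)
    risk: float = 0.0


def normalize(scanner_a, scanner_b):
    """Aggregate both exports into one Finding per (asset, CVE).

    CVE IDs are upper-cased, CVSS is estimated from severity where a scanner
    gives none, and a finding seen by both scanners is merged (harsher CVSS
    wins, both sources recorded) instead of being counted twice.
    """
    merged = {}

    def add(asset, cve, cvss, source):
        f = merged.setdefault((asset, cve), Finding(asset, cve))
        f.cvss = max(f.cvss, cvss)
        f.sources.add(source)

    for row in scanner_a:
        add(row["ip"], row["cve"].upper(), SEVERITY_TO_CVSS[row["severity"]], "A")
    for line in scanner_b:
        ip, cve, cvss = (part.strip() for part in line.split(","))
        add(ip, cve.upper(), float(cvss), "B")
    return list(merged.values())


def correlate(findings, intel, asset_value):
    """Attach a risk score: CVSS x asset value x threat weight.

    The weight grows with public exploit code, malware in the wild and
    zero-day status, and when no patch exists (a workaround is needed).
    Assets with no assigned value default to 1; CVEs missing from the feed
    get weight 1.0 (CVSS and asset value alone).
    """
    for f in findings:
        t = intel.get(f.cve, {})
        weight = 1.0
        weight += 1.0 if t.get("exploit") else 0.0
        weight += 1.0 if t.get("malware") else 0.0
        weight += 1.5 if t.get("zero_day") else 0.0
        weight += 0.5 if not t.get("patch", True) else 0.0
        f.risk = round(f.cvss * asset_value.get(f.asset, 1) * weight, 1)
    return findings


def prioritize(findings, critical_threshold=50.0):
    """Order the remediation queue and split off the 'critical' head."""
    ordered = sorted(findings, key=lambda f: (-f.risk, f.asset, f.cve))
    return ordered, [f for f in ordered if f.risk >= critical_threshold]


def run_pipeline():
    findings = correlate(normalize(SCANNER_A, SCANNER_B), THREAT_INTEL, ASSET_VALUE)
    return prioritize(findings)


if __name__ == "__main__":
    ordered, critical = run_pipeline()
    print(f"{len(ordered)} unique findings, {len(critical)} critical")
    for f in ordered:
        seen = "".join(sorted(f.sources))
        print(f"{f.risk:6.1f}  {f.asset:10}  {f.cve:15}  cvss={f.cvss:3.1f}  via {seen}")
```

Two things the raw scanner output would not have shown: the same Heartbleed finding ranks first on the crown-jewel host and near the bottom on the low-value host, and the CVSS-5 unpatched zero-day on the valuable host outranks a CVSS-9 issue elsewhere. Six raw rows collapse to five unique findings, of which three clear the critical threshold; the fraction reported as critical is therefore a function of the threshold and the asset values, not of the scanners alone.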
Set process, roles and goals, and measure.

RACI matrix for the VM process (A = accountable, R = responsible, C = consulted, I = informed). Columns: Internal VAS service provider | BU Manager | IT Asset Owner | Scanner | Business Owner of IT Asset | InfoSec.
- VM policy: I | I | I | I | I | A/R
- VAS system configuration and Asset management: A/R R I R C/I I A/R C R I (the cells of these two rows ran together in the source and two of the twelve are missing; the split between the rows is not recoverable)
- Remediation: I | R | R/A | R | A | I

Remediation deadlines by vulnerability type and network segment (X, XY and XYZ days are placeholders for organization-specific deadlines). Columns: Perimeter | PCI DSS scope | Internal network.
- Severity 4 & 5, confirmed, with remote exploit: X days | X days | XY days
- Severity 4 & 5, confirmed (CVSS 4.0 or more): X days | XY days | XYZ days
- Severity 3, confirmed (CVSS less than 4.0): XYZ days | Best effort | Best effort
- Severity 1 & 2, confirmed: Best effort | Best effort | Best effort
Filter data and present only what is need-to-know: technical reports for operators, executive reports for management.
Qualys at a glance: QualysGuard Cloud Platform for ICT assets, security and compliance. 7,700+ customers, 107+ countries, 1 billion+ in 2013 and 2 billion+ in 2014.