continuous monitoring deck


Upload: brian-fennimore

Post on 16-Feb-2017


TRANSCRIPT

Page 1: Continuous Monitoring Deck

Continuous Monitoring

And some lessons learned

Twitter: @brianfennimore

For those of you with skills in PPT, I apologize for what you are about to see.

Page 2: Continuous Monitoring Deck

Definition

“…maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

-NIST 800-137

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Page 3: Continuous Monitoring Deck

Very core points

1. Ongoing
2. Awareness
3. Threats
4. Vulnerabilities
5. Risk

3, 4, 5 have been core to security for decades.
1, 2 are the highlighted new points of a ConMon strategy.

Page 4: Continuous Monitoring Deck

Executive Summary Bullets

• Is grounded in a clear understanding of organizational risk tolerance and helps officials set priorities and manage risk consistently throughout the organization

• Includes metrics that provide meaningful indications of security status at all organizational

• Ensures continued effectiveness of all security controls

• Verifies compliance with information security requirements derived from organizational missions/business functions, federal legislation, directives, regulations, policies, and standards/guidelines

• Is informed by all organizational IT assets and helps to maintain visibility into the security of the assets

• Ensures knowledge and control of changes to organizational systems and environments of operation

• Maintains awareness of threats and vulnerabilities

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Page 5: Continuous Monitoring Deck

The Process

• Define
• Establish
• Implement
• Analyze
• Respond
• Review and Update

http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf

Moving beyond annual/semi-annual risk assessments alone

Page 6: Continuous Monitoring Deck

Vulnerability ConMon

• Discovery
  – Code*
  – Network
• Raw Data
• Remediation Coordination
• Metrics and Tracking

Page 7: Continuous Monitoring Deck

ConMon Overview (flow diagram, reconstructed as text)

Provide Targets -> Discovery Scans -> Vulnerability Scans -> Raw Data -> Remediation Coordination -> Metrics and Tracking

• Discovery
  – Network: Provide Targets (IPAM, CMDB, Cloud API’s, Asset List*) -> Discovery Scans -> Vulnerability Scans
  – Code*: Static / Dynamic; Assign Owner; CVSS score support; SDLC Integration
• Raw Data: SIEM (Splunk, ELK, ArcSight, etc.); Asset List* (Recycle)
• Remediation Coordination: Jira, Custom CVSS, lots of meetings, Regression Testing
• Metrics and Tracking: Top Ten aged; Top Ten by CVSS; Quantity by system (owner); Most resolved by system (owner); Great for air support

Page 8: Continuous Monitoring Deck

Network Vuln Discovery

• IPAM – Know your IP address space
• CMDB – do you have one that works?
• * Public Cloud API discovery *
• Asset List – Like a CMDB but Security owned
• POV – Scan from the inside and outside

Page 9: Continuous Monitoring Deck

Cloud API Discovery

Azure example

# Quick one-line sample
# Azure CLI setup: https://docs.microsoft.com/en-us/azure/xplat-cli-install

# Sample command: list the public IPs in a subscription and collect the bare
# addresses. Grepping for ipAddress alone leaves the JSON quoting and trailing
# comma on each line, which nmap -iL does not read cleanly, so the address is
# cut out with a second grep.
azure network public-ip list --json -s $subscriberID \
  | grep ipAddress \
  | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' \
  >> /tmp/ipaddylist1.txt

Page 10: Continuous Monitoring Deck

Discovery scans

• Nmap

nmap -Pn -sS -p 22,23,3389 \
  --max-rtt-timeout 200ms \
  --min-rtt-timeout 50ms \
  --max-retries 1 \
  --initial-rtt-timeout 200ms \
  -iL /tmp/ipaddylist1.txt -oG /tmp/mgmt-`date +"%m-%d-%y"`

# -T5 does the equivalent of --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m, as well as setting the maximum TCP scan delay to 5 ms

• Masscan
# ”…scan the whole internet in less than 5 minutes”
# Use with caution. But if you have a VERY large list of targets, it can save some time.

Note: Most vulnerability scanners perform their own form of a discovery scan. Depending on the size of the target list, this step may be skipped.
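The two steps on the last two slides, the cloud API target list and the discovery scan, join at the file nmap reads with -iL and the greppable file it writes with -oG. The script below is an added example, not code from the deck: it turns the Azure public-ip JSON into a bare target list and turns nmap's -oG output into "ip port" rows that can feed the asset list. The JSON shape, the addresses (RFC 5737 documentation ranges) and the scan output are constructed samples; the real nmap run sits between the two functions and is not executed here.

```shell
#!/bin/sh
# Added example, not code from the deck: build an nmap target list from the
# Azure public-ip JSON, then reduce nmap's greppable (-oG) output to "ip port"
# rows for the asset list. All addresses and outputs below are constructed.

# Constructed stand-in for `azure network public-ip list --json` output.
SAMPLE_JSON='[
  { "name": "web-pip",   "ipAddress": "203.0.113.10", "publicIPAllocationMethod": "Static" },
  { "name": "jump-pip",  "ipAddress": "203.0.113.25", "publicIPAllocationMethod": "Dynamic" },
  { "name": "spare-pip", "publicIPAllocationMethod": "Dynamic" }
]'

# Constructed stand-in for the -oG file the nmap command on the slide writes
# (nmap separates the fields with tabs; spaces are used here for readability).
SAMPLE_GNMAP='# constructed sample of nmap -oG output
Host: 203.0.113.10 ()  Status: Up
Host: 203.0.113.10 ()  Ports: 22/open/tcp//ssh///, 23/filtered/tcp//telnet///, 3389/closed/tcp//ms-wbt-server///
Host: 203.0.113.25 ()  Status: Up
Host: 203.0.113.25 ()  Ports: 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 3389/open/tcp//ms-wbt-server///
# constructed sample ends'

# extract_public_ips: stdin is the CLI JSON; stdout is one bare IPv4 address
# per line, de-duplicated. Keeping only the "ipAddress" lines (as on the slide)
# still leaves JSON quoting and commas, which nmap -iL does not parse cleanly,
# so the address itself is cut out with a second grep. Entries without an
# address (unassigned dynamic IPs) simply produce no line.
extract_public_ips() {
  grep '"ipAddress"' \
    | grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' \
    | sort -u
}

# open_mgmt_hosts: stdin is greppable nmap output; stdout is "<ip> <port>" for
# every port nmap reported as open (filtered and closed ports are dropped).
open_mgmt_hosts() {
  awk '
    /^Host:/ && /Ports:/ {
      ip = $2
      split($0, parts, "Ports: ")
      n = split(parts[2], entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open") printf "%s %s\n", ip, f[1]
      }
    }'
}

# Demo on the constructed samples. The real scan step between the two is the
# nmap command from the slide, run against the file extract_public_ips writes.
printf '%s\n' "$SAMPLE_JSON" | extract_public_ips
printf '%s\n' "$SAMPLE_GNMAP" | open_mgmt_hosts
```

The first function's output is what goes into /tmp/ipaddylist1.txt; the second function's output is the per-host management-port exposure that the raw-data and asset-list steps consume, and the ports it lists are exactly the three the slide scans for.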

Page 11: Continuous Monitoring Deck

Raw Data

• Effective log/alert/event tracking is critical
• Effective log/alert/event tracking is critical
• Effective log/alert/event tracking is critical
• Effective log/alert/event tracking is critical
• Effective log/alert/event tracking is critical
• Effective log/alert/event tracking is critical
• Effective log/alert/event tracking is critical

Page 12: Continuous Monitoring Deck

Asset List vs. CMDB

• Asset List is owned by the security team
• Track attributes that may be relevant only to us
• If the CMDB is really firing on all cylinders this may not be needed

# Splunk lookup table
ipaddy,hostname,owner,impact,lastseen,firstseen
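The lookup table only earns its keep if each discovery run refreshes it, which is the "Recycle" arrow on the overview slide. The script below is an added example, not code from the deck: it merges one run's discovered addresses into a CSV with exactly the columns the slide names. The merge rules (refresh lastseen for known hosts, append unknown hosts with firstseen=lastseen=today, leave unseen hosts alone), the sample rows and the run date are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the deck: keep the security-owned asset list as
# a Splunk lookup CSV with the columns the slide names. The merge rules, the
# sample rows and the run date are this example's assumptions.

# Constructed lookup table in the slide's column layout.
SAMPLE_LOOKUP='ipaddy,hostname,owner,impact,lastseen,firstseen
203.0.113.10,web01,web-team,high,2017-02-01,2016-11-03
203.0.113.25,jump01,infra-team,medium,2017-02-01,2016-11-03
203.0.113.40,legacy01,unknown,low,2016-12-20,2016-06-15'

# update_asset_list LOOKUP_CSV TODAY  (discovered addresses, one per line, on stdin)
# - an address already in the lookup keeps hostname/owner/impact/firstseen and
#   gets lastseen=TODAY
# - an address seen for the first time is appended with hostname/owner/impact
#   set to "unknown" (the owner-assignment step fills these in) and
#   firstseen=lastseen=TODAY
# - an address not seen this run is kept unchanged; ageing it out is a separate
#   decision driven by lastseen
update_asset_list() {
  awk -F, -v today="$2" '
    NR == FNR {                        # first input: the existing lookup
      if (FNR == 1) { print; next }    # header row passes through
      row[$1] = $0
      order[++n] = $1
      next
    }
    /^[0-9.]*[0-9]$/ {                 # second input: discovered addresses
      if ($1 in row) {
        split(row[$1], f, ",")
        row[$1] = f[1] "," f[2] "," f[3] "," f[4] "," today "," f[6]
      } else {
        row[$1] = $1 ",unknown,unknown,unknown," today "," today
        order[++n] = $1
      }
    }
    END { for (i = 1; i <= n; i++) print row[order[i]] }
  ' "$1" -
}

# Demo on the constructed table: two known hosts are seen again, one known host
# is not seen, and one new address appears.
LOOKUP_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOOKUP" > "$LOOKUP_FILE"
printf '203.0.113.10\n203.0.113.25\n203.0.113.77\n' | update_asset_list "$LOOKUP_FILE" 2017-02-16
rm -f "$LOOKUP_FILE"
```

Feeding the function the output of the target-list and discovery steps keeps the list security-owned without depending on the CMDB, and the gap between firstseen and lastseen is what the "Top Ten aged" metric later reads.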

Page 13: Continuous Monitoring Deck

Remediation Coordination

• Jira (tracking in general)
  – CVSS scoring (dynamic attribute)
  – Various states in the workflow: Discovered | Confirmed | Assigned | Fixed | Validated
• Lots of meetings
  – Be prepared to address the “so what?”
• Regression testing (Validated)

Page 14: Continuous Monitoring Deck

Metrics and Tracking (KPI)

• Top Ten aged
• Top Ten by CVSS
• Quantity by system (owner)
  – Tattle
• Most resolved by system (owner)
  – Praise
• Great for air support
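The four KPIs on this slide fall out of a findings export with the Jira workflow states from the previous slide. The script below is an added example, not code from the deck: it computes top-N aged, top-N by CVSS, open count per owner (the "tattle") and validated count per owner (the "praise") from a CSV. The column layout, the rows and the rule that anything short of Validated counts as open are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the deck: the four KPIs on the slide computed
# with awk/sort over a findings export. Column layout and rows are constructed.

# Constructed sample export: id,system,owner,cvss,state,discovered
SAMPLE_FINDINGS='id,system,owner,cvss,state,discovered
V-1,web01,web-team,9.8,Assigned,2016-11-10
V-2,web01,web-team,5.3,Validated,2016-11-10
V-3,jump01,infra-team,7.5,Confirmed,2016-09-02
V-4,db01,data-team,8.6,Validated,2016-12-01
V-5,db01,data-team,4.3,Discovered,2017-01-20
V-6,jump01,infra-team,6.5,Validated,2016-10-15
V-7,web02,web-team,9.1,Fixed,2016-12-28'

# open_findings FILE: data rows whose workflow state is not yet Validated.
# "Fixed" still counts as open: nothing is closed until regression testing says so.
open_findings() {
  awk -F, 'NR > 1 && $5 != "Validated"' "$1"
}

# top_aged FILE N: the N open findings that have been open longest
# (earliest discovered date first); prints id,discovered
top_aged() {
  open_findings "$1" | sort -t, -k6,6 | head -n "$2" | cut -d, -f1,6
}

# top_by_cvss FILE N: the N open findings with the highest CVSS score;
# prints id,cvss
top_by_cvss() {
  open_findings "$1" | sort -t, -k4,4nr | head -n "$2" | cut -d, -f1,4
}

# open_by_owner FILE: open finding count per owner, highest first ("tattle")
open_by_owner() {
  open_findings "$1" | cut -d, -f3 | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# resolved_by_owner FILE: validated count per owner, highest first ("praise")
resolved_by_owner() {
  awk -F, 'NR > 1 && $5 == "Validated" {print $3}' "$1" \
    | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Demo on the constructed export.
FINDINGS_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_FINDINGS" > "$FINDINGS_FILE"
echo "top aged:";        top_aged "$FINDINGS_FILE" 3
echo "top by cvss:";     top_by_cvss "$FINDINGS_FILE" 3
echo "open by owner:";   open_by_owner "$FINDINGS_FILE"
echo "resolved by owner:"; resolved_by_owner "$FINDINGS_FILE"
rm -f "$FINDINGS_FILE"
```

The aged list and the CVSS list answer different "so what?" questions: the first shows what has been sitting, the second what matters most right now, and a finding that tops both is the one to bring to the meeting.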

Page 15: Continuous Monitoring Deck

ConMon Overview (flow diagram, reconstructed as text)

Provide Targets -> Discovery Scans -> Vulnerability Scans -> Raw Data -> Remediation Coordination -> Metrics and Tracking

• Discovery
  – Network: Provide Targets (IPAM, CMDB, Cloud API’s, Asset List*) -> Discovery Scans -> Vulnerability Scans
  – Code*: Static / Dynamic; Assign Owner; CVSS score support; SDLC Integration
• Raw Data: SIEM (Splunk, ELK, ArcSight, etc.); Asset List* (Recycle)
• Remediation Coordination: Jira, Custom CVSS, lots of meetings, Regression Testing
• Metrics and Tracking: Top Ten aged; Top Ten by CVSS; Quantity by system (owner); Most resolved by system (owner); Great for air support

Page 16: Continuous Monitoring Deck

Threat ConMon

• Threat Intelligence feed
• IOC feed
• STIX | TAXII
• Black Lists (no context)

Page 17: Continuous Monitoring Deck

Three primary formats

• IP address
• DNS name
• File Hash (MD5 / SHA)

Anyone see the US-CERT release for Grizzly-Steppe?

https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

Page 18: Continuous Monitoring Deck

JAR-16-20296A.csv sample

INDICATOR_VALUE                          TYPE
efax.pfdregistry.net/eFax/37486.ZIP      URL
private.directinvesting.com              FQDN
167.114.35.70                            IPV4ADDR
AE7E3E531494B201FBF6021066DDD188         MD5

Page 19: Continuous Monitoring Deck

Consuming Threat Intel

• Post Mortem
  – This is valuable but too late for our needs
• Firewall log correlation
• Proxy log correlation
• E-mail (MTA) correlation
• Any reputation type of service

Page 20: Continuous Monitoring Deck

Simplify

• Near context-less
• “Threat Data”* (a little less intelligent but still smart-ish)
• Personal project of mine: https://www.threatsourcing.com

Page 21: Continuous Monitoring Deck

Leverage the Threat Data

IOC type     Detect (alert)                 Deny
IP address   Log analysis, lookup tables    Firewall policy, null route, ACL
DNS name     DNS request logs               Black-hole DNS (https://pi-hole.net/)
File hash    Ziften.com                     ?
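The "Detect (alert)" column for the IP and DNS rows, and the firewall and proxy log correlation on the Consuming Threat Intel slide, come down to the same job: read the indicator CSV, then look for its values in the right field of each log line. The script below is an added example, not code from the deck: it correlates a constructed firewall log and a constructed DNS query log against an indicator file in the INDICATOR_VALUE,TYPE layout of the JAR sample. Every indicator, address (RFC 5737 ranges), name (example.net) and log line here is constructed and not a real IOC; the key=value log format is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the deck: firewall-log and DNS-request-log
# correlation against an indicator CSV in the JAR sample's layout. All
# indicators, addresses, names and log lines are constructed placeholders.

SAMPLE_IOCS='INDICATOR_VALUE,TYPE
198.51.100.23,IPV4ADDR
private.example.net,FQDN
efax.example.net/eFax/PLACEHOLDER.ZIP,URL
00000000000000000000000000000000,MD5'

# Constructed firewall log (key=value style) and DNS query log.
SAMPLE_FW_LOG='2017-02-16T10:01:02Z fw01 action=allow src=10.1.2.3 dst=198.51.100.23 dport=443
2017-02-16T10:01:03Z fw01 action=allow src=10.1.2.9 dst=203.0.113.5 dport=80
2017-02-16T10:01:04Z fw01 action=deny src=198.51.100.23 dst=10.1.2.3 dport=22'
SAMPLE_DNS_LOG='2017-02-16T10:01:05Z dns01 client=10.1.2.3 query=private.example.net type=A
2017-02-16T10:01:06Z dns01 client=10.1.2.3 query=www.example.com type=A
2017-02-16T10:01:07Z dns01 client=10.1.2.7 query=cdn.private.example.net type=A'

# match_fw_log IOC_CSV  (firewall lines on stdin): one alert per line whose
# src= or dst= value is an IPV4ADDR indicator. Both directions matter: an
# allowed outbound connection and a denied inbound probe are different stories.
match_fw_log() {
  awk -F, '
    NR == FNR { if ($2 == "IPV4ADDR") ioc[$1] = 1; next }
    {
      n = split($0, w, " ")
      for (i = 1; i <= n; i++) {
        if (w[i] ~ /^(src|dst)=/) {
          v = substr(w[i], index(w[i], "=") + 1)
          if (v in ioc) { printf "ALERT fw ioc=%s %s\n", v, $0; next }
        }
      }
    }' "$1" -
}

# match_dns_log IOC_CSV  (DNS query lines on stdin): alert on a query that
# equals an FQDN indicator or sits under it (cdn.private.example.net matches
# private.example.net), since a feed often names the zone, not every host.
match_dns_log() {
  awk -F, '
    NR == FNR { if ($2 == "FQDN") ioc[$1] = 1; next }
    {
      n = split($0, w, " ")
      for (i = 1; i <= n; i++) {
        if (w[i] ~ /^query=/) {
          q = substr(w[i], 7)
          for (d in ioc) {
            if (q == d || substr(q, length(q) - length(d)) == "." d) {
              printf "ALERT dns ioc=%s %s\n", d, $0; next
            }
          }
        }
      }
    }' "$1" -
}

# Demo on the constructed data: the same indicator file a SIEM lookup would
# load, correlated straight from the shell.
IOC_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_IOCS" > "$IOC_FILE"
printf '%s\n' "$SAMPLE_FW_LOG" | match_fw_log "$IOC_FILE"
printf '%s\n' "$SAMPLE_DNS_LOG" | match_dns_log "$IOC_FILE"
rm -f "$IOC_FILE"
```

The TYPE column is what keeps the URL and MD5 rows from being matched against an IP field; the "Deny" column on the slide consumes the same two filtered lists (IPV4ADDR for firewall policy or a null route, FQDN for the black-hole DNS), so one parse of the feed serves both columns.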

Page 22: Continuous Monitoring Deck

Very core points

1. Ongoing
2. Awareness
3. Threats
4. Vulnerabilities
5. Risk

3, 4, 5 have been core to security for decades.
1, 2 are the highlighted new points of a ConMon strategy.

Page 23: Continuous Monitoring Deck

Q&A