How to manage evolving threats on evolving ICT assets across Enterprise

Post on 16-Jul-2020


Page 1: How to manage evolving threats on evolving ICT assets ...infosek.net/gradiva-INFOSEK-2015/Gradivo_Infosek... · • Follow evolution of the ICT Assets Landscape. ... 14 Linux 61 15

Your partner for information security

Marek Skalicky, CISM, CRISC, Qualys MD for CEE, November 2015

How to manage evolving threats on evolving ICT assets across Enterprise

Page 2:

Agenda

• Security STARTs with VISIBILITY
• What to be afraid of … and how to fix it?
• Follow evolution of new threats and trends.
• Follow evolution of the ICT Assets Landscape.
• How can you manage what you don't know?
• Aggregate, Normalize, Correlate and Prioritize!
• Security ENDs with ACCOUNTABILITY & CONTINUITY ;-)

Page 3:

What to be afraid of?

Page 4:

Trends by ENISA Threat Landscape 2014

Published in December 2014, based on 400+ threat sources and incidents (CERT-EU, SANS)

Page 5:

What can happen to you?

Page 6:

Can you secure what you don't know?

• ACCESS PRIVILEGES
• OUTDATED SOFTWARE
• MIS-CONFIGURATIONS
• CODING WEAKNESSES
• INCOMPLETE INVENTORY
• SOCIAL MEDIA

THREATS and VULNERABILITIES

THE EXTENDED ENTERPRISE: Dispersed IT Assets, Data and Networks

Page 7:

ICT Infrastructure is not only "on premise"

Where the assets live:
• Physical Data Centers
• Virtual Data Centers
• Remote Offices
• Mobile Users
• Cloud Data Centers

Which sensor covers each environment:
• Perimeter Network Scanning: Internet Cloud Scanners
• Internal Network Scanning: Internal HW / Virtual Scanners
• Virtualized Centers Scanning: Hypervisor Scanners
• Cloud PaaS/IaaS Scanning: Azure Scanners, EC2 Scanners
• Cloud Agent Scanning: Agents for Mobile Platforms
• Passive Network Scanning: Monitor traffic for unknown devices

… in ONE centralized and unified solution for Asset Management & ICT Security & Compliance …

Page 8:

LIVING IN A VULNERABLE WORLD

• HACKTIVISM
• DATA LEAKAGE
• APT
• SOCIAL ENGINEERING
• BOTNET
• POLICY VIOLATIONS

YOU HAVE TO PROTECT EVERYTHING… THE BAD GUYS ONLY HAVE TO FIND ONE VULNERABILITY

Page 9:

Explosion of vulnerabilities

Source: http://www.cvedetails.com

Top-20 vendors by number of vulnerabilities, for 2005, 2010 and 2015:

Rank | 2005 | 2010 | 2015
1 | Microsoft 166 | Microsoft 317 | Apple 579
2 | Apple 148 | Apple 302 | Oracle 473
3 | Linux 133 | Adobe 207 | Microsoft 463
4 | Redhat 99 | Oracle 206 | Cisco 412
5 | Mozilla 93 | IBM 202 | Adobe 339
6 | Suse 83 | Google 156 | IBM 276
7 | IBM 81 | Cisco 155 | Google 254
8 | Gentoo 79 | Linux 125 | Mozilla 144
9 | SUN 75 | Mozilla 122 | Novell 127
10 | Oracle 61 | HP 119 | Canonical 126
11 | Cisco 54 | SUN 90 | Debian 101
12 | Debian 52 | Realnetworks 55 | HP 80
13 | Ethereal Group 49 | Novell 47 | EMC 67
14 | GNU 48 | Apache 43 | Linux 61
15 | Ubuntu 44 | Opera 40 | Redhat 57
16 | HP 36 | Redhat 40 | SAP 43
17 | Mandrakesoft 33 | PHP 35 | Apache 40
18 | BEA 33 | Macromedia 30 | Fedoraproject 36
19 | Phpbb Group 32 | Typo3 26 | Siemens 35
20 | Trustix 32 | Vmware 24 | Wireshark 32
Top 20 total | 1431 | 2341 | 3745

Page 10:

Big vendors failing Big time

Source: http://www.cvedetails.com


Vendor | 2005 | 2010 | 2015
Microsoft | 166 | 317 | 463
Apple | 148 | 302 | 579
Oracle | 61 | 206 | 473
Cisco | 54 | 155 | 412
Top-20 total | 1431 | 2341 | 3745

Page 11:

Attack versus Defense windows

Source: http://www.verizonenterprise.com/DBIR/2012

1. PREDICTION
2. PREVENTION
3. DETECTION
4. REACTION

Page 12:

Vulnerability Remediation vs. Exploitation

Source: https://www.kennasecurity.com/resources/non-targeted-attacks-report

• Vulnerability Remediation: 100-120 days
• Vulnerability Exploitation: 40-60 days
• Vulnerability Half-life in IS: 30 days !!!
• GAP: 60 days !!!

Page 13:

5-10 years old vulnerabilities still good to go

Source: http://www.verizonenterprise.com/DBIR/2015

Page 14:

Where is the problem? In scope & time

… continuous and automated view on ICT Security and Compliance …

Example of typical CEE Enterprise:
• avg: 1000 IP
• avg: 20 SW components per IP
• avg: 20 vulnerabilities per IP (critical: 4 per IP)
• avg: 2 relevant threats per IP
• avg: 100 security controls per IP

Attack Surface:
• 20,000 ICT Asset components
• 20,000 Vulnerabilities (20% critical)
• 2,000 Relevant Threats (Exploits & Malware)
• 100,000 Configuration security controls

Modern approach & solution:
• Data centralization / normalization / prioritization
• (Big) Data analytics / automation / workflow
• Dashboards / Alerts / Reports / Tickets
• Cloud based architecture

Page 15:

SANS TOP-7 High and Very-high Critical Controls from TOP-20

Australian Department of Defence: "TOP-4 Strategies to Mitigate Targeted Cyber Intrusions"

1. Application Whitelisting – only allow approved software to run
2. Application Patching – keep apps, plug-ins and other software up to date
3. OS Patching – keep operating systems current with the latest fixes
4. Minimize Administrative Privileges – prevent malicious software from making silent changes

What is the solution? Automation & Prioritization

Page 16:

How to get visibility into ICT Assets and correlate them with Risks and Compliance

Application Engines: VM, AM, CM, PCI, PC, QS, MDS, LM, WAS, WAF

ASSET DISCOVERY | NETWORK SECURITY | WEB APP SECURITY | THREAT PROTECTION | COMPLIANCE MONITORING

Sensors: Passive, Physical, Virtual, Cloud, Cloud Agent

Page 17:

What to do with all that data? Aggregate, Normalize, Correlate, Filter, Report and Prioritize!

ICT RISK MANAGEMENT
• Vulnerabilities
• Threats
• Exploits
• Malware
• Impact scenario
• Zero-Days
• Patches
• Workarounds
• Asset Values
• Security Risk
• Business Risk

ICT COMPLIANCE MANAGEMENT
• Configuration checks
• Policy Controls
• Custom Controls
• Internal Policies
• External Regulations
• Customizable Questionnaires

ICT ASSET MANAGEMENT
• OS / Platforms
• TCP/UDP Ports
• Services / Protocols
• Databases
• Applications
• SSL Certificates
• Localities
• Responsibilities
• Dynamic Tagging

DASHBOARDS | ALERTS | REPORTS | WORKFLOWS | INTEGRATIONS

BUSINESS PROCESSES / BUSINESS APPLICATIONS

Page 18:

… set process, roles, goals and measure

VM roles and responsibilities (RACI). Roles, in column order: Internal VAS service provider, BU Manager, IT Asset Owner, Scanner, Business Owner of IT Asset, InfoSec
• VM policy: I, I, I, I, I, A/R
• VAS system configuration: A/R, R, I, R, C/I
• Asset management: I, A/R, C, R, I
• Remediation: I, R, R/A, R, A, I

Remediation goals by vulnerability type and network segment:

Vulnerability type | Perimeter | PCI DSS scope | Internal network
4 & 5 with remote exploit confirmed | X days | X days | XY days
4 & 5 - confirmed | XYZ days | X days (CVSS 4.0 or more) / XY days (CVSS less than 4.0) | XY days
3 - confirmed | XYZ days | Best effort | Best effort
1 & 2 - confirmed | Best effort | Best effort | Best effort
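A worked version of the remediation-goal table above, added here as an example and not part of the deck: a constructed vulnerability finding is mapped to its SLA bucket by severity, remote-exploit status, CVSS and network segment, then findings are ordered by due date, which is the "prioritize" step of the previous slide. The day counts behind X / XY / XYZ and the column layout of the "4 & 5 - confirmed" row are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed values for the deck's "X / XY / XYZ days" placeholders; the
# slide leaves them to be set per organisation. "Best effort" has no deadline.
SLA_DAYS = {"X": 7, "XY": 30, "XYZ": 90, "Best effort": None}
SEGMENTS = ("Perimeter", "PCI DSS scope", "Internal network")

@dataclass
class Finding:
    host: str
    segment: str          # one of SEGMENTS
    severity: int         # 1..5, as in the slide's "4 & 5", "3", "1 & 2" rows
    cvss: float           # CVSS base score, used only in PCI DSS scope
    remote_exploit: bool  # "remote exploit confirmed" row applies if True
    found: date           # date the scanner confirmed the finding

def sla_bucket(f: Finding) -> str:
    """Return the slide's SLA bucket label for a confirmed finding."""
    if f.segment not in SEGMENTS:
        raise ValueError(f"unknown segment: {f.segment!r}")
    if f.severity >= 4 and f.remote_exploit:
        return "XY" if f.segment == "Internal network" else "X"
    if f.severity >= 4:
        # Assumed column layout for this row: PCI DSS scope splits on the
        # CVSS 4.0 threshold, Perimeter is XYZ days, Internal network XY days.
        if f.segment == "PCI DSS scope":
            return "X" if f.cvss >= 4.0 else "XY"
        return "XYZ" if f.segment == "Perimeter" else "XY"
    if f.severity == 3:
        return "XYZ" if f.segment == "Perimeter" else "Best effort"
    return "Best effort"

def due_date(f: Finding):
    """Deadline for the finding, or None for best-effort work."""
    days = SLA_DAYS[sla_bucket(f)]
    return None if days is None else f.found + timedelta(days=days)

def prioritize(findings):
    """Hard deadlines first (earliest due), then best-effort by severity."""
    def key(f):
        due = due_date(f)
        return (due is None, due or date.max, -f.severity)
    return sorted(findings, key=key)
```

Feed it the normalized findings from all scanners (perimeter, internal, agent) and the sorted list is the remediation worklist; anything whose due date is already past is an SLA breach to report.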

Page 19:

… filter data and present only "need-to-know"

Technical Reports | Executive Reports

Page 20:

Qualys at a Glance

7,700+ Customers, 107+ Countries

1+ billion in 2013, 2+ billion in 2014

QualysGuard Cloud Platform for ICT Assets, Security and Compliance

Page 21:

Your partner for information security