riskiq across the globe june 2019 · riskiq across the globe customer stories and partner...

RiskIQ Across the GlobeCustomer Stories and Partner Integrations

Benjamin PowellTechnical Marketing Manager

© 2018 RiskIQ | Confidential Information 2

Benjamin PowellTechnical Marketing Manager (CEH)

Background• Worked in IT over 30 years.• Focused on Security 15 years.• I have personally worked in IT in

the following industries:– State government– International Airport– Port District– Education– Biotech– Financial services– Manufacturing– Software development

Fun Fact:Be careful when you tell people in Cyber Security your hobby is spearfishing.


The Problem: Internet Visibility

• The Blind Spot for most organizations is the Internet – the scale and velocity is extremely difficult for security teams to monitor

• Companies have spent budgets building up internal visibility and prevention

• Need a way to automate internal data collection with discovery capabilities to determine what’s happening on the internet

• Organizations want a way to analyze inventory for threats and prevent or stop them before it hits their company, partners, and customers

Discovery

Enrichment

Inventory

Insights

Risks

Orchestrate

Best Practices for Attack Surface Management

Discovery

Enrichment

Inventory

Insights

Risks

Orchestrate

Continuously discover, catalogue and map every

asset on the internet


Discovery

Enrichment

Inventory

Insights

Risks

OrchestrateData is enriched with RiskIQ historical, 3rd

party, and human intelligence


Discovery

Enrichment

Inventory

Insights

Risks

Orchestrate

Identify an organization’s attack surface—exposed,

public facing assets (including rogue

assets)


Discovery

Enrichment

Inventory

Insights

Risks

Orchestrate

Insights

Curated set of facts on threats, vulnerabilities, & any information requiring

investigation or action


Discovery

Enrichment

Inventory

Insights

Risks

Orchestrate

Curated set of facts on threats, vulnerabilities, & any

information requiring investigation or action


Discovery

Enrichment

Inventory

Insights

Risks

OrchestrateManage the

investigation and remediation of

prioritized incidents


Discovery

Enrichment

Inventory

Insights

Risks

Orchestrate

ILLUMINATE



5 Steps to Reduce Risk to Your Attack Surface

1. Create an up-to-date inventory of Internet facing assets owned by the business • Including web, mobile, social assets and those from 3rd-parties

2. Identify threats and vulnerabilities in inventory assets• Address detected threats (hosted malware, blacklisted IPs)• Patch critical vulnerabilities or use mitigating controls


5 Steps to Reduce Risk to Your Attack Surface (cont)

3. Reduce number of orphaned assets or those lacking clear ownership4. Limit exposure to partner and third party components5. Monitor all digital channels for potential impact to the organization

• Brand infringing assets designed to deceive employees and customers• Includes web, mobile, social, dark web locations for mention of brand, specific

keywords or partners• Actively monitor and take down infringing assets


Best Practices In Protecting Against JavaScript Attacks1. Gain immediate awareness of your attack surface, include 3rd

parties 2. Minimize 3rd party libraries on payment pages3. Implement appropriate security controls in Javascript:

a. iframe sandboxingb. CSP (Content Security Policy)c. SRI (Subresource Integrity Checking)

4. Continuous auditing and monitoring for on everything listed above


Customer Stories - Benefits of Attack Surface Management

• Increase efficiencies in your security programs

• Reducing mean time to respond to incidents

• Reducing false positives and free staff to work on other projects and

tasks

• Make your existing tools more efficient with RiskIQ


Customer Stories from around the world• Inventory analysis of website similarities in the organization's large

dynamic inventory to improve vulnerability program.

• Orchestration with rules, automation and internal processes to create and maintaining an up to date dynamic inventory.

• Automation of abuse box submissions with use of OCR to extract URLs from submitted SMSishing images.

• Automation of event creation from Digital Footprint insights and alerting on changes in open ports

• Partner Integrations


• Wasting money on unnecessary vulnerability scanning of websites that are virtually the same

• No way to find and classify similar websites

• No way to detect if changes create unique, non similar websites

• Fear of impacting website services from excessive vulnerability scanning

• Continuous discovery of new websites and changes to existing

• Identify websites to cluster and only vulnerability scan one cluster, not every website

• Integration with vulnerability scanner to initiate workflow from RiskIQ

• An efficient way to discover new and changed assets

• Automating workflow to initiate vulnerability scanning of selected websites

• Optimized spending with vulnerability to minimize wasteful vuln scanning costs

• Reduced risk of impacting website services

• 97% reduction in vulnerability scanning needs!

97% Reduction in Vulnerability Scanning

ResultsChallenges Solution Details

Very large entertainment organization


Asset Clustering - Solution Overview

● RiskIQ analyzes the structure of web applications through virtual user collection in order to assign a signature value

● Signature values support the notion of thresholds and can then be used to create clusters of similar web applications within a footprint

● Customers can gain access to raw information describing the clusters, counts per cluster, centroids (core node), and assets within each cluster


WEB APPLICATIONS AREEXPENSIVE TO MAINTAIN

Do you know how many web applications you truly have in your attack surface?


Code Sharing Amongst Applications

● Frameworks produce common HTML structures

● Configurations may overlap despite aesthetic differences

● Code and images can be abstracted via summaries to find similarities

100,000

8,000

5,900386

Initial number of hosts

Hosts with a web application

Similar characteristic groupings

Unique clusters of hosts

Clustering Process

RiskIQ Web Application Clustering

Dramatically Reduce Your Scanning Volume to Save Money

Gain visibility into the total number of unique web

applications in use by the organization

Prioritize scanning efforts based on changes to hosts within a given cluster or a

new cluster discovery

Save money by reducing vulnerability and testing

operations against assets within the same cluster

Assess the impact of a new vulnerability or web

application adjustment by clusters affected


Raw Output


25 Security Hygiene: Customer Example

CONTEXT CHALLENGES SOLUTION

• Health information technology company based in North Kansas City, Missouri

• $5.4 billion revenues and 29,200 employees• CISO completed his largest initiative to implement

basic security hygiene for internal assets, then shifted focus to external assets

• Basic security controls did not extend to external, internet assets

• Many internal-only assets were misconfigured open to the internet

• Project to build own tools to discover and inventory internet assets would be a massive undertaking in terms of time, resources, and cost

• CISO uses RiskIQ Digital Footprint to gain automated visibility into all internet assets in order to implement basic security hygiene

• Security has the facts to work with IT to proactively address risks from Shadow IT

• RiskIQ’s external, internet visibility is a part of the Cerner’s security architecture inside and outside the firewall

Digital Footprint


26 Security-IT Collaboration: Customer Example


• Global financial services company based in New York City

• $37 billion revenues and 59,000 employees• Competition with Expanse, Security Scorecard,

and BitSight

• Large Security organization with multiple teams, philosophies, controls, and tools makes timely coordination problematic

• Security must also collaborate with IT Operations to remediate

• Fragmented and siloed organizations do not have the same facts for proactively identifying, prioritizing, and solving security problems

• Security organization uses RiskIQ as a centralized platform for Security and IT teams to collaborate and share information

• American Express implements security hygiene outside the firewall, monitors the internet for new threats such as Magecart, & SMSishing, and minimizes its internet attack surface, all while reducing costs

• RiskIQ’s external, internet visibility is a part of American Express’s security architecture inside and outside the firewall

RiskIQ Platform


2019-04-25

42587054

2 : http://paypalv2.com/

http://paypalv2.com/

paypalv2.com


32 ServiceNow-RiskIQ: Customer Example


• Enterprise cybersecurity company based in Santa Clara, California

• $2.4 billion revenues and 5,900 employees• Security Incident Response use case: Security

Operations team works in RiskIQ External Threats and in ServiceNow Security Operations

• Manual process to bring RiskIQ’s external, internet visibility of phish, mobile apps, and domains into ServiceNow for action

• Costly use of full-time equivalent resources• Slow security incident response

• ServiceNow-RiskIQ integration enables a seamless, automated process to bring RiskIQ events into ServiceNow for remediation

• Faster security incident response• RiskIQ’s external, internet visibility is an

integrated part of Palo Alto Network’s security architecture inside and outside the firewall

External Threats


33 Secure Digital Initiatives

Organizations are pursuing digital initiatives that need to be secure, so IT and Security need to work together.

Security leaders who have full visibility into their organizations’ external, internet assets can add value to their digital initiatives.

They have the facts to: • Balance business goals and risks• Proactively identify problems earlier• Work with IT leaders to prioritize and solve problems

Not a fact-based approach

A fact-based approach


34 ServiceNow-RiskIQ Joint Solution

Security

IT

Now Platform

Security Operations

Assets

Security

Events

Events

Events

Security and IT can work together faster and proactively to: • Implement security hygiene outside the firewall • Address external cyber threats• Minimize their organization’s internet attack surface

Digital Footprint

External Threats

Visibility Remediation

IT Service Management

DF Asset Integration with ServiceNow


RiskIQ-DF: Asset Inventory List


ServiceNow: Asset Inventory Sync Configuration

Select Asset Types to sync from RiskIQ-DF to ServiceNow platform. Can configure custom filters for syncing.


ServiceNow: Asset Inventory List

RiskIQ-DF assets in custom ServiceNow table


ServiceNow: Asset Record

Link to asset details in RiskIQ-DF


RiskIQ-DF: Asset Details

DF/ET Event Integration with ServiceNow


RiskIQ-DF/ET: Events Dashboard

DF events: Malware, SSL, Web Compliance, and Infrastructure

ET events: Phish, Domain Infringement, Rogue Mobile App, Content, and Social


ServiceNow: Event Sync Configuration

Select Event Types to sync from RiskIQ-ET to ServiceNow platform. Can configure custom filters for syncing.


ServiceNow: Events List

RiskIQ-ET events in custom ServiceNow table


ServiceNow: Event Record

Link to event details in RiskIQ-DF/ET


RiskIQ-DF/ET: Event Details

Cause of event


ServiceNow: IT Incidents or Security Incidents

Events appear as Incidents in ServiceNow IT Service Management’s Incident Management application or as Security Incidents in ServiceNow Security Operations’s Security Incident Response application. Note that event data mapping to incident record fields may be limited in this beta version.

Can configure prioritization in ServiceNow


• Help support the organization by providing Intel to deliver a clear focused Attack Surface Management Program.

• What are the priorities today?

• What do you want to be tomorrow?

• Digital Footprint – (Mixture of Premium & Enterprise) Over 250k assets in the inventory.

• Passive Total Enterprise with API access

• Digital footprint Mapped• Delivery of tailored use cases

generated from Digital Footprint insights.

• Identified “Known” vs “Unknown” led to the creation of “Prune Logic” removing assets automatically that do not belong to the organization

• Changes in open ports in inventory

• GDPR Scans• Better understanding of their risk

landscape of their Attack Surface

• Actioning events with integration of Swimlane

Empower people to experience the world

ResultsChallenges Solution Details

Very large Travel Organization

Partner Integrations


www.eclecticiq.com

EclecticIQ has paid and integrated PassiveTotal API endpoints into their threat platform. Joint customers are able to access this content within the EclecticIQ platform.

Graph based implementation for interacting with data. Seems to use d3js, pivots off of entities for additional insight, and has intel type cards to provide additional enrichment for entities. Uses PassiveTotal API. Integrates the following capabilities: Malware Lookup, PDNS, WHOIS.

Currently ElecticIQ is adding additional RiskIQ advanced data sets to their integration to increase functionality.


www.polarity.io

Polarity is a memory augmentation platform created on the principle that people are the most integral component of the incident response process. It provides a new way for centralized or distributed Incident Responders to utilize a collective memory by delivering critical intelligence to the right team members

only when it is relevant to what they are working on. Polarity drives responders to make better and faster decisions, increasing productivity, and reducing the risk of a data breach going undetected – on unnecessarily prolonged. Polarity works by analyzing the content of a user’s screen and notifying the user about intelligence of interest helping to ensure that Incident Responders never miss the critical intelligence that could have been integral to combating a cyber intrusion.

Integration

Organizations with access to RiskIQ SIS (Security Intelligence Services) can now instantly leverage the rich Internet Data and Attack Analytics via Polarity to augment existing workflows regardless of the specific tool or application. In the following example, a SOC analyst is analyzing network packet data

for evidence of suspicious activity and receives a real time notification via the Polarity Heads Up Display (HUD) that a domain artifact has relevant information available via RiskIQ SIS. The detailed information is then seamlessly presented within the Polarity Overlay Window as illustrated below:


ProtectWise acts a SIEM for customers by ingesting local network traffic and helping surface suspicious events. They have developed an integration with PassiveTotal. ProtectWise has paid RiskIQ for the right to use our SIS data (including the blacklist) within their platform.

They also can enrich event data utilizing the PassiveTotal API.

Recently acquired by Verizon

www.protectwise.com


www.demisto.comDemisto is a Collaborative and Automated Security Operations Platform. Demisto Enterprise is the first Security Operations Platform to combine intelligent automation and collaboration into a single ChatOps interface. Demisto’s automation is provided by DBot who interacts with your team via ChatOps for playbook-based workflows, cross-correlation, and information sharing, helping security teams scale while working and learning the way humans are wired to –together.

Our integration automates enrichment of alerts as playbook tasks: passive DNS information, SSL certificate data, WHOIS data, IOC intelligence, and so on.

Runs search and query operations on WHOIS, SSL, and OSINT data based on keywords and metadata.

Leverage hundreds of Demisto product integrations to further enrich RiskIQ data and coordinate response across security functions.

Run thousands of commands (including for RiskIQ) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.

Benefits

● Orchestrate threat discovery, intelligence, and mitigation actions through playbooks.

● Reduce time to resolution by using one platform to collaborate, investigate, and document.

● Shorten decision-making cycle by automating key tasks with analyst review.

riskiq across the globe june 2019 · riskiq across the globe customer stories and partner...

Documents