Continuous Monitoring with the 20 Critical Security Controls
SESSION ID: SPO1-W02
Wolfgang Kandek, CTO
#RSAC

We called 2013 the year of the data breach…
…but 2014 started in much the same spirit…

Background
- Open System Administration Channels
- Default and Weak Passwords
- End-user has Admin Privileges
- Outdated Software Versions

Outdated Software Versions
[Chart: Vulnerability Breach Use Probability by vulnerability category – Random, CVSS 10, Exploit DB, Metasploit, EDB+MSP; y-axis 0% to 35%]

Background (continued)
- Non-Hardened Configurations
=> Flaws in System Administration

Solution: 20 Critical Security Controls
What works in Security?
- Owned by the Council on Cybersecurity
- With widespread industry expert input
- International Participation
- 5 Tenets
- Prioritized
- Implementation Guidelines = Quick Wins, Visibility/Attribution, Configuration/Hygiene, Advanced

5 Tenets of the 20 CSC
- Offense informs Defense
- Prioritization
- Metrics
- Continuous Diagnostics and Mitigation
- Automation

Implementation Guidelines
- Quick Win 1 – Control 1 – HW Inventory: Implement an automated discovery engine (active/passive)
- Quick Win 3 – Control 2 – SW Inventory: Scan for deviations from the approved list
- Quick Win 3 – Control 3 – Secure Configurations: Limit admin privileges
- Quick Win 10 – Control 4 – Vulnerability Scanning: Risk-rate by groups

Implementation Guidelines – Measure Success
- Control 1: Detect new machines within 24 hours
- Control 1: How many unauthorized machines are on the network?
- Control 2: How many unauthorized software packages are installed?
- Control 3: Percentage of machines that do not run an approved image?
- Control 4: Percentage of machines not scanned recently (3 days)?
Implementing Quick Wins – Prototype
- QualysGuard, API, PERL, Splunk
- Daily Authenticated Scan of the Network
- Scripted API Access and Load
- Data Transformation in Scripts
- Scoring – Dept. of State, CVSS based
- Data Promotion: Software, Patches, MAC address
- Splunk for Reports and Graphing

Data loaded into Splunk
- Logins – user, date, type
- Scans – user, date, type, target, duration
- Reports – user, date, type, duration, size
- Hosts – machine, date, active, fixed, severity counts, scores
- Vulnerabilities – id, severity, cvss, age
- Software – name, publisher
- Certificates – subject, valid date, signer, self-signed
- Ports – date, ports

CSC1 – HW Inventory – Quick Win 1
- Deploy Asset Inventory Discovery Tool (active/passive)
- Goal: Discover new machines within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for new Machines ~ where the earliest scandate is within the last day

CSC2 – SW Inventory – Quick Win 3
- Discover Unauthorized Software
- Goal: Within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for new Server Ports ~ where the earliest scandate is within the last day
- Query Splunk for new Software ~ where the earliest scandate is within the last day
- Can be Alerted On

CSC3 – Secure Configuration
- Automation: Discover Non-Standard Setups
- Goal: Within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for a certain Software Marker. Here: "Qualys Desktop Build", a custom SW package that identifies our IT standard builds
- Can be Alerted On
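The CSC1, CSC2 and CSC3 searches above all reduce to one pattern: group the daily scan records by an entity (a host, a host/port pair, a host/package pair), take the earliest scandate per entity, and keep the entities whose earliest sighting falls inside the last day; the CSC3 check inverts it and looks for hosts whose latest scan lacks the build marker. The block below is an added example that is not code from the deck or from Qualys: the prototype used Perl scripts feeding Splunk searches, whereas this stand-alone Python models the same logic over a constructed set of scan records, and also computes the Control 3 and Control 4 percentages from the Measure Success slide. The record field names (host, scandate, ports, software) and the sample data are assumptions, not the prototype's real schema.

```python
"""Added example, not from the deck: 'earliest scandate within the last day'
detection (CSC1 new machines, CSC2 new ports and software), the CSC3 build
marker check, and two Measure Success percentages, run over constructed
daily scan records. Field names are assumptions, not the prototype's schema."""
from datetime import date, timedelta

# Constructed scan data: one record per (host, scan date), as a daily
# authenticated scan loaded into a search store might produce it.
SCANS = [
    {"host": "10.0.0.11", "scandate": date(2014, 2, 20), "ports": [22, 443],
     "software": ["Office", "Qualys Desktop Build"]},
    {"host": "10.0.0.11", "scandate": date(2014, 2, 23), "ports": [22, 443],
     "software": ["Office", "Qualys Desktop Build"]},
    {"host": "10.0.0.11", "scandate": date(2014, 2, 24), "ports": [22, 443, 8080],
     "software": ["Office", "Qualys Desktop Build", "uTorrent"]},  # port + package appear today
    {"host": "10.0.0.12", "scandate": date(2014, 2, 18), "ports": [3389],
     "software": ["Chrome"]},                                       # not scanned for days
    {"host": "10.0.0.13", "scandate": date(2014, 2, 24), "ports": [80],
     "software": ["Apache"]},                                       # first ever sighting today
]
MARKER = "Qualys Desktop Build"   # custom package that marks an IT standard build
TODAY = date(2014, 2, 24)         # fixed "now" so the results are deterministic


def earliest_seen(scans, key):
    """Group scan records by entity and return each entity's earliest scandate.
    key(rec) yields the entities in one record: the host, (host, port) pairs,
    or (host, package) pairs. This is the 'min(scandate) by entity' step."""
    first = {}
    for rec in scans:
        for entity in key(rec):
            if entity not in first or rec["scandate"] < first[entity]:
                first[entity] = rec["scandate"]
    return first


def new_within(first_seen, today=TODAY, days=1):
    """Keep only entities whose earliest sighting is inside the last `days`."""
    cutoff = today - timedelta(days=days)
    return sorted(e for e, d in first_seen.items() if d > cutoff)


def new_machines(scans):   # CSC1
    return new_within(earliest_seen(scans, lambda r: [r["host"]]))


def new_ports(scans):      # CSC2, server ports
    return new_within(earliest_seen(scans, lambda r: [(r["host"], p) for p in r["ports"]]))


def new_software(scans):   # CSC2, installed packages
    return new_within(earliest_seen(scans, lambda r: [(r["host"], s) for s in r["software"]]))


def latest_record_per_host(scans):
    """Most recent scan record for every host."""
    latest = {}
    for rec in scans:
        if rec["host"] not in latest or rec["scandate"] > latest[rec["host"]]["scandate"]:
            latest[rec["host"]] = rec
    return latest


def hosts_without_marker(scans, marker=MARKER):   # CSC3
    """Hosts whose most recent scan does not carry the standard-build marker."""
    return sorted(h for h, r in latest_record_per_host(scans).items()
                  if marker not in r["software"])


def pct_without_marker(scans, marker=MARKER):     # Measure Success, Control 3
    latest = latest_record_per_host(scans)
    return round(100.0 * len(hosts_without_marker(scans, marker)) / len(latest), 1)


def pct_not_scanned_recently(scans, today=TODAY, days=3):   # Measure Success, Control 4
    latest = latest_record_per_host(scans)
    stale = sum(1 for r in latest.values() if (today - r["scandate"]).days > days)
    return round(100.0 * stale / len(latest), 1)


if __name__ == "__main__":
    print("new machines :", new_machines(SCANS))
    print("new ports    :", new_ports(SCANS))
    print("new software :", new_software(SCANS))
    print("no marker    :", hosts_without_marker(SCANS))
    print("% no marker  :", pct_without_marker(SCANS))
    print("% stale scan :", pct_not_scanned_recently(SCANS))
```

Two points worth noting when turning this into an alert: a host that disappears from the scan (10.0.0.12 here) never trips the "new" queries but does show up in the Control 4 stale percentage, so both views are needed; and the marker check should run against each host's latest record only, otherwise a freshly re-imaged machine keeps alerting on its old history.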
Further Uses and Projects
- Plot Progress for a Machine
- Plot Progress for a Network

Other Operational Reports
- Usage Reporting
  - User Logins
  - API Logins
  - Reports
- Anomaly Detection
  - GeoIP

Beyond Prototyping
- Continuous Monitoring
- Alert on Additions & Changes: Machines, Vulnerabilities, Ports, Certificates
- Simple Configuration

Questions?
wkandek@qualys.com
@wkandek
http://laws.qualys.com
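The "Alert on Additions & Changes" item on the Beyond Prototyping slide covers machines, vulnerabilities, ports and certificates, the same entities the prototype loads into Splunk. The block below is an added example, not code from the deck or from Qualys: it diffs yesterday's scan snapshot against today's and emits one alert per addition or change, and applies the certificate fields from the data model (subject, valid date, self-signed) to flag self-signed and soon-to-expire certificates on every run, not only when they first appear. The snapshot layout, the field names and the sample data are constructed assumptions.

```python
"""Added example, not from the deck: 'Alert on Additions & Changes' for
machines, vulnerabilities, ports and certificates as a diff between two
daily scan snapshots. Snapshot layout and data are constructed assumptions."""
from collections import Counter
from datetime import date

TODAY = date(2014, 2, 24)

# Constructed snapshots: per host, open ports, detected vulnerability ids and
# the TLS certificates the scanner saw (subject, valid-to date, self-signed).
YESTERDAY = {
    "10.0.0.11": {"ports": {22, 443}, "vulns": {90001},
                  "certs": [{"subject": "CN=web.example", "valid_to": date(2014, 6, 1), "self_signed": False}]},
    "10.0.0.12": {"ports": {3389}, "vulns": {90001, 90002}, "certs": []},
}
SNAPSHOT = {
    "10.0.0.11": {"ports": {22, 443, 8080}, "vulns": {90001, 90003},
                  "certs": [{"subject": "CN=web.example", "valid_to": date(2014, 6, 1), "self_signed": False},
                            {"subject": "CN=admin.example", "valid_to": date(2014, 3, 1), "self_signed": True}]},
    "10.0.0.13": {"ports": {80}, "vulns": set(), "certs": []},
}


def diff_snapshots(old, new, today=TODAY, cert_warn_days=30):
    """Return (severity, host, message) alerts for every addition or change
    between two snapshots. A host that vanished is reported as well: it may
    have been decommissioned, or it may simply have evaded the scan."""
    alerts = []
    for host in sorted(set(old) | set(new)):
        if host not in old:
            alerts.append(("info", host, "new machine"))
            before = {"ports": set(), "vulns": set(), "certs": []}
        elif host not in new:
            alerts.append(("warn", host, "machine no longer seen"))
            continue
        else:
            before = old[host]
        after = new[host]
        for port in sorted(after["ports"] - before["ports"]):
            alerts.append(("warn", host, f"new open port {port}"))
        for vid in sorted(after["vulns"] - before["vulns"]):
            alerts.append(("high", host, f"new vulnerability {vid}"))
        for vid in sorted(before["vulns"] - after["vulns"]):
            alerts.append(("info", host, f"vulnerability {vid} fixed"))
        known = {c["subject"] for c in before["certs"]}
        for cert in after["certs"]:
            if cert["subject"] not in known:
                alerts.append(("warn", host, f"new certificate {cert['subject']}"))
            if cert["self_signed"]:
                alerts.append(("warn", host, f"self-signed certificate {cert['subject']}"))
            if (cert["valid_to"] - today).days < cert_warn_days:
                alerts.append(("warn", host, f"certificate {cert['subject']} expires {cert['valid_to']}"))
    return alerts


def count_by_severity(alerts):
    """Summary line for a daily report: how many alerts of each severity."""
    return dict(Counter(sev for sev, _, _ in alerts))


if __name__ == "__main__":
    for sev, host, msg in diff_snapshots(YESTERDAY, SNAPSHOT):
        print(f"{sev:5} {host:10} {msg}")
    print(count_by_severity(diff_snapshots(YESTERDAY, SNAPSHOT)))
```

Keeping the diff keyed on the full previous snapshot rather than on "earliest scandate" is what makes removals visible; the fixed-vulnerability and vanished-machine cases are the ones a change-only query silently drops.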