Francois Gratiolet - Isaca
Transforming IT Security & Compliance
Presenting a hard target to attackers - Automating the SANS Institute 20 Critical Controls
François GRATIOLET, Qualys Inc., CSO EMEA, CISM, CISA - fgratiolet@qualys.com
Manchester, April 17th, 2013
Cyber risks management …

The importance of speed

Time is money
Profits – Competitive advantage – Innovation – New business models – Time to Market – Growth through M&A – Extended enterprise with a complex value chain – Economy of scope / scale

Technology makes business more efficient
IT services fast and agile – Heterogeneous IT assets – Complex IT supply chain with multiple IT software vendors and MSPs, hosters, etc.

IT security is often simply ignored
The security function is allowed to be governed at a leisurely pace. Architects can spend months designing frameworks. Consultants conduct risk assessments before giving advice. CIOs and CISOs are expected to make lengthy business cases before remedial action is carried out. It can take months to fix a glaring flaw.
How to use public threat intelligence better?

2011 – the Year of Data Breaches

2012 – started in a similar Way
South Carolina cyber attack (October 2012)

Business impacts
South Carolina announced that the state's Department of Revenue (DOR) had suffered a data breach, which exposed 3.8 million individual and 700,000 business tax records, 3.2 million bank accounts plus a small number of credit cards.

Scenario
A fairly standard attack starting with an e-mail, leading to workstation compromise, network access and ultimately server compromise. The attacker had access to more than 40 systems and extracted over 70 GB of data from the DOR.

Causes
A mix of human weaknesses, vulnerabilities at websites and users' end points.

Key takeaways
Updating the workstation software to the latest version and applying basic hardening guidelines would have prevented the installation of the malware and stopped the attack at an early stage.
New cyber threats?

Emerging trends
Mobile computing, social technology, critical infrastructures, trust infrastructures, cloud computing and big data.

Top threat
The injection of malicious code into the HTML of websites that exploits vulnerabilities in users' web browsers (known as drive-by download attacks). Web applications and browsers are becoming critical points and attack vectors, and need to be inventoried and protected. The current trend for this threat is increasing.

Evolving threat agents
Corporations, cybercriminals, employees, hacktivists, nation states and terrorists.

Motivation is still there!
GCCM – Glory, Curiosity, Country, Money

Source: « Threat Landscape – Responding to the Evolving Threat Environment » [Deliverable – 2012-09-28]
Combined and complex attacks: the APT

Why does the attacker have the advantage?
Why does the attacker have the advantage?
Source: « Qualys Laws of Vulnerabilities »

Time interval metrics
Time interval between an exploit announcement and the first attack. Exploitation is faster, often happening in less than 10 days compared to 60 days in 2004. Eighty percent of vulnerability exploits are now available within single-digit days after the vulnerability's public release.

Half-life metrics
Time interval for reducing the occurrence of a vulnerability by half. IT administrators at Qualys customers take roughly 30 days to remediate critical vulnerabilities on half of their vulnerable workstations and servers. The average duration of the half-life continues to be about 30 days, varying by industry sector.

Exploitation
Reliable exploits have long lifespans. Attackers would rather use old, reliable exploits such as CVE-2010-3333 that are proven to work instead of experimenting with new but unreliable exploits.
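The half-life metric above is easy to measure from your own scan history. The following is an added example, not code from the deck or from Qualys; the weekly snapshots are constructed sample data, and a real run would populate them from per-scan results for one vulnerability check.

```python
"""Half-life metric from the Laws of Vulnerabilities, computed over scan snapshots.
Added example (not Qualys code); the snapshots are constructed sample data."""
from datetime import date
from typing import Optional

# Constructed weekly snapshots of one critical vulnerability:
# (scan date, set of host IDs the authenticated scan still reports as vulnerable).
SNAPSHOTS = [
    (date(2013, 1, 7), {"h01", "h02", "h03", "h04", "h05", "h06", "h07", "h08"}),
    (date(2013, 1, 14), {"h01", "h02", "h03", "h05", "h06", "h07", "h08"}),
    (date(2013, 1, 21), {"h01", "h03", "h05", "h06", "h08"}),
    (date(2013, 1, 28), {"h01", "h05", "h08"}),
    (date(2013, 2, 4), {"h05"}),
]


def half_life_days(snapshots) -> Optional[int]:
    """Days from the first scan until at most half of the initially vulnerable
    hosts are still affected; None if the population never halves."""
    first_day, first_hosts = snapshots[0]
    target = len(first_hosts) / 2
    for day, hosts in snapshots[1:]:
        # Only hosts from the initial population count, so hosts that become
        # vulnerable later (new builds, re-imaged machines) do not mask progress.
        if len(hosts & first_hosts) <= target:
            return (day - first_day).days
    return None


def remediation_rates(snapshots):
    """Share of the remaining vulnerable hosts fixed in each scan interval,
    as (interval days, fraction) pairs; shows whether remediation is slowing."""
    rates = []
    for (d0, h0), (d1, h1) in zip(snapshots, snapshots[1:]):
        fixed = len(h0 - h1)  # hosts no longer reported in the next scan
        rates.append(((d1 - d0).days, fixed / len(h0) if h0 else 0.0))
    return rates
```

With these snapshots the population halves after 21 days, well inside the 30-day figure quoted above; a half-life that grows from one quarter to the next is the signal to look at the remediation workflow rather than the scanner.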
Why does the attacker have the advantage?

Keeping track of assets is a nightmare
Simply keeping track of assets is a huge challenge for companies with diverse, global activities. Managing risks to assets is an order of magnitude harder.

Our enemies are a step ahead
Our enemies, however, are a step ahead in terms of innovation, business models, working as a team, embracing automation, etc. They can attack us whenever they like, and they only need to find a single flaw to penetrate our enterprises.

We need to admit the reality
The defender has greater knowledge and privileged access, and should be able to find and fix flaws before an attacker does. But it's not a fair fight. Hackers are fast and agile.
Traditional Tools Are Failing

Attacker Competence Is Rising
Background
• Open System Administration Channels
• Default and Weak Passwords
• End-user has Administrator Privileges
• Outdated Software Versions
• Non-hardened Configurations
=> Flaws in System Administration

"We were getting owned through our users that were running IE with admin privileges"
Barriers to speed

Governance
The Deming wheel (PDCA) is too slow. It can take years to complete a cycle.

Standards
Standards take even longer to gain acceptance and be enforced. They are built on the practices of an earlier age.

Compliance
It encourages minimal, tick-box responses. Compliance acts as a brake on innovation.

Insufficient resources
Budgets are being squeezed; we need to do more with less, which means prioritisation: understanding you can't do everything, so working out what must be done. Firefighting: reactive vs proactive.

People mindsets
Business risks versus senior executives' risks.
CISO becoming a (military) strategist
• The CISO has to know their organization and business environment, and has to engage in dialogue with business executives
• The CISO must think like a strategist
• The CISO has to know the attackers / threat agents / enemies around them, not only the vulnerabilities
• The CISO shall think like an attacker
• New tools, new skills and a new attitude are needed!
• Back to basics is needed
Know your enemies!
Source: « Threat Landscape – Responding to the Evolving Threat Environment » [Deliverable – 2012-09-28]
20 critical controls that help fight attacks

Solution
• 20 Critical Controls
• Started as a program called "Consensus Audit Guidelines"
• Owned by SANS
• With widespread industry expert input
• International participation
• Prioritized / where to invest
• Automation is critical to success
• 90 % Risk Reduction at US DoS
• 85 % Incident Reduction at DSD Australia
85 % of past incidents would have been prevented
DIISRTE – Department of Industry, Innovation, Science, Research and Tertiary Education
• About 5,000 seats
• Data Breach
• 6-month security project
• Fully Patched in 2 weeks
• Admin rights controlled
• Whitelisting
• No Additional Software purchased
• No end user Impact
20 %: 327 malwares, 262 bypassed AV
So implementation?

Implementation
Score: Use a letter grade system or other mechanisms
Results
Opportunistic Attackers ✔
Targeted Attackers: Disrupt, Slow Down, Raise Cost, Force Mistakes
Where to find information?
US DoS, DIISRTE, NASA, DHHS-CMS, GS, OfficeMax…
Qualys
• QualysGuard
  • Vulnerability Management
  • Policy Compliance
  • Web Application Scanning
  • PCI-DSS
  • Malware Detection
• SaaS Solution
  • Browser-based, Multi-tenant
  • Public and Private Cloud Platform
  • Scanning, Reporting, Ticketing
  • Extensive API

CAG and QualysGuard capabilities
Four fundamental tenets to keep in mind
• Focus on continuous monitoring to test and evaluate remediation
• Automate processes to address security with efficiency, reliability and scalability
• Provide common metrics allowing all stakeholders to objectively evaluate and adjust security measures
• Put the organization in charge by using knowledge of actual attacks to build effective defenses

Conclusion
• Employ tools that provide automation
• Develop a strategy for implementation and follow it
• Focus on the controls first and vendors second
• Master the art of influence
• Always maintain your guard
http://www.qualys.com/forms/whitepapers/automating-sans-20-critical-controlsqualysguard/
Transforming IT Security & Compliance
Appendix - How to implement and automate the 20 Critical Controls quickly?

Risk-based Approach
CC1: Inventory of Authorized and Unauthorized Devices
• Asset Visibility
  • Size of Network
  • Machine Types
  • Location
• New Equipment Detection
  • Authorized
  • Unauthorized
CC1: Inventory of Authorized and Unauthorized Devices
• Automation
  • Scans are scheduled
  • Delta Reports are scheduled
  • Reports can be e-mailed
  • Alerting on newly discovered hosts
    • Via API
  • Integration into Asset Management Systems
    • Via API
  • To come: ticket generation on newly discovered hosts
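A delta report of the kind listed above, joined with an asset management export, is what turns "newly discovered host" into "authorized or unauthorized". The following is an added example, not QualysGuard or Qualys code; the asset register and both scan results are constructed, and a real run would read them from the scanner API and the asset management system.

```python
"""CC1 delta report between two discovery scans, with each newly seen device checked
against the asset register. Added example (not QualysGuard code); data is constructed."""
from dataclasses import dataclass, field

# Constructed export from the asset management system: MAC address -> asset name.
ASSET_REGISTER = {"00:11:22:33:44:01": "finance-ws-01", "00:11:22:33:44:02": "finance-ws-02",
                  "00:11:22:33:44:10": "web-srv-01", "00:11:22:33:44:11": "web-srv-02"}

# Constructed discovery scan results: IP -> MAC seen at that address.
PREVIOUS_SCAN = {"10.0.1.11": "00:11:22:33:44:01", "10.0.1.12": "00:11:22:33:44:02",
                 "10.0.1.20": "00:11:22:33:44:10", "10.0.1.21": "00:11:22:33:44:11"}
CURRENT_SCAN = {"10.0.1.11": "00:11:22:33:44:01", "10.0.1.20": "00:11:22:33:44:10",
                "10.0.1.31": "00:11:22:33:44:02",   # known device, new DHCP lease
                "10.0.1.99": "aa:bb:cc:dd:ee:ff"}   # never seen, not registered


@dataclass
class DeltaReport:
    new_authorized: dict = field(default_factory=dict)    # MAC -> IP
    new_unauthorized: dict = field(default_factory=dict)  # MAC -> IP
    vanished: dict = field(default_factory=dict)          # MAC -> last IP
    readdressed: dict = field(default_factory=dict)       # MAC -> (old IP, new IP)


def delta_report(previous, current, register) -> DeltaReport:
    """Key the delta on MAC rather than IP so a DHCP re-address is not a 'new host'."""
    prev = {mac: ip for ip, mac in previous.items()}
    cur = {mac: ip for ip, mac in current.items()}
    report = DeltaReport()
    for mac in cur.keys() - prev.keys():
        bucket = report.new_authorized if mac in register else report.new_unauthorized
        bucket[mac] = cur[mac]
    for mac in prev.keys() - cur.keys():
        report.vanished[mac] = prev[mac]
    for mac in prev.keys() & cur.keys():
        if prev[mac] != cur[mac]:
            report.readdressed[mac] = (prev[mac], cur[mac])
    return report


def alert_lines(report: DeltaReport):
    """Only unregistered new devices become alerts (the case worth a ticket)."""
    return [f"UNAUTHORIZED device {ip} mac={mac}"
            for mac, ip in sorted(report.new_unauthorized.items())]
```

Vanished hosts are reported rather than alerted: a registered device that stops answering is an inventory question for the asset owner, while an unregistered device that appears is the CC1 exception.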
CC2: Inventory of Authorized and Unauthorized Software
• Asset Visibility
  • Operating Systems
  • Applications
  • Versions
  • Patch Levels
• Blacklisting
• Whitelisting
• Interactive Search
CC2: Inventory of Authorized and Unauthorized Software
• Automation
  • Scans are scheduled
  • Reports are scheduled
  • Reports can be emailed
  • Alerting on Exceptions
    • Via API
  • Integration into Asset Management Systems
    • Via API
  • To come: Ticket generation on Exceptions
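The "exceptions" the automation bullets alert on come from comparing the per-host software inventory against a whitelist (with minimum approved version, i.e. patch level) and a blacklist. The following is an added example, not QualysGuard or Qualys code; the policy, product names, versions and inventory are constructed sample data.

```python
"""CC2 software inventory exceptions: blacklisted, non-whitelisted and below-approved
versions per host. Added example (not QualysGuard code); policy and inventory are constructed."""
import re

# Constructed policy. Whitelist maps product -> minimum approved version (patch level).
BLACKLIST = {"uTorrent", "LimeWire"}
WHITELIST = {"Adobe Reader": "11.0.2", "Java": "7.0.17", "Apache HTTP Server": "2.2.24"}

# Constructed per-host software inventory from authenticated scans: host -> [(name, version)].
INVENTORY = {
    "finance-ws-01": [("Adobe Reader", "10.1.4"), ("Java", "7.0.17"), ("uTorrent", "3.3")],
    "web-srv-01": [("Apache HTTP Server", "2.2.24"), ("Java", "6.0.43"), ("netcat", "1.10")],
}


def version_key(version: str):
    """Numeric tuple so '10.1.4' < '11.0.2' compares correctly (string order gets it wrong)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def software_exceptions(inventory, whitelist, blacklist):
    """Return (host, product, version, reason) for every entry that violates the policy."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for name, version in packages:
            if name in blacklist:
                findings.append((host, name, version, "blacklisted"))
            elif name not in whitelist:
                findings.append((host, name, version, "not whitelisted"))
            elif version_key(version) < version_key(whitelist[name]):
                findings.append((host, name, version, f"below approved {whitelist[name]}"))
    return findings


def hosts_to_ticket(findings):
    """Distinct hosts with at least one exception, for ticket generation."""
    return sorted({host for host, *_ in findings})
```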
CC3: Secure Configurations for Hardware and Software
• Configuration Validation
  • SCAP/FDCC
  • Cyberscope Reporting
  • CIS
CC4: Continuous Vulnerability Assessment and Remediation
• Weekly/Daily Scheduled Vulnerability Scanning
• Authenticated Scanning
• Verify Patching
• Report on Unauthorized Services
CC4: Continuous Vulnerability Assessment and Remediation
• Automation
  • Scans are scheduled
  • Reports are scheduled
  • Reports are emailed
  • Alerting on Vulnerabilities
  • Tickets for Vulnerabilities, Remediation SLA and Confirmation
  • Integration into Asset Management Systems
    • Via API
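The ticket, SLA and confirmation bullets above can be derived from scan history alone: a ticket closes only when a later authenticated scan of the same host no longer reports the check, and a host that has not been scanned since the finding cannot be claimed as fixed. The following is an added example, not QualysGuard or Qualys code; the SLA policy, check IDs, hosts and dates are constructed.

```python
"""CC4 remediation workflow: ticket state per detection from scan history and an SLA
policy, with fixes confirmed by later authenticated scans. Added example (not
QualysGuard code); policy, detections and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed remediation SLA by severity (days from first detection to deadline).
SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 90, 1: 90}
STALE_SCAN = timedelta(days=14)  # constructed: coverage older than this is flagged


@dataclass
class Detection:
    host: str
    qid: int             # vulnerability check ID (constructed values below)
    severity: int
    first_found: date    # first scan reporting it
    last_found: date     # most recent scan still reporting it


# Constructed date of the most recent authenticated scan per host.
LAST_SCANNED = {"finance-ws-01": date(2013, 4, 15), "web-srv-01": date(2013, 4, 15),
                "lab-ws-07": date(2013, 2, 1)}   # not scanned for ten weeks

DETECTIONS = [
    Detection("finance-ws-01", 90001, 5, date(2013, 4, 1), date(2013, 4, 8)),
    Detection("web-srv-01", 90002, 4, date(2013, 4, 5), date(2013, 4, 15)),
    Detection("web-srv-01", 90003, 3, date(2013, 3, 1), date(2013, 4, 15)),
    Detection("lab-ws-07", 90001, 5, date(2013, 1, 20), date(2013, 2, 1)),
]


def ticket_state(d: Detection, last_scanned: dict, today: date) -> str:
    """closed-verified: a later scan of the host no longer reports the QID.
    open / overdue: still reported, measured against the SLA deadline;
    '-stale-scan' is appended when scan coverage has lapsed, so neither state
    can be trusted until the host is rescanned."""
    host_scan = last_scanned[d.host]
    if host_scan > d.last_found:
        return "closed-verified"
    deadline = d.first_found + timedelta(days=SLA_DAYS[d.severity])
    state = "overdue" if today > deadline else "open"
    if today - host_scan > STALE_SCAN:
        state += "-stale-scan"
    return state


def remediation_report(detections, last_scanned, today):
    return {(d.host, d.qid): ticket_state(d, last_scanned, today) for d in detections}
```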
Other Critical Controls
• CC6: Application Software Security
  • Automated Web Application Scans
• CC7: Wireless Device Controls
  • Wireside Detection
• CC11: Control of Network Ports
  • Scans and Reports for authorized and unauthorized Ports and Services
• CC16: Account Monitoring
  • Controls for Admin accounts, password policies, account lockout settings
Policy Dynamics
• Ability to add tactical controls
• Example: Recent Internet Explorer Vulnerability CVE-2012-4969
  • Mitigated by use of EMET
  • Audit the Deployment
  • User Defined Registry Check
Summary
• Functionality to assess the Controls exists
• Automation is available, but API integration is frequently needed
• Offerings are improving, with better workflow coming
Transforming IT Security & Compliance
Thank You