Francois Gratiolet - Isaca

Transforming IT Security & Compliance
Presenting a hard target to attackers – Automating the SANS Institute 20 Critical Controls
François GRATIOLET, Qualys Inc., CSO EMEA, CISM, CISA – fgratiolet@qualys.com
Manchester, April 17th, 2013


Cyber risk management …


The importance of speed

Time is money
Profits – Competitive advantage – Innovation – New business models – Time to market – Growth through M&A – Extended enterprise with a complex value chain – Economies of scope / scale

Technology makes business more efficient
IT services fast and agile – Heterogeneous IT assets – Complex IT supply chain with multiple IT software vendors, MSPs, hosters, etc.

IT security is often simply ignored
The security function is allowed to be governed at a leisurely pace. Architects can spend months designing frameworks. Consultants conduct risk assessments before giving advice. CIOs and CISOs are expected to make lengthy business cases before remedial action is carried out. It can take months to fix a glaring flaw.


How to use public threat intelligence better?


2011 – the Year of Data Breaches


2012 – started in a similar Way


South Carolina cyber attack (October 2012)

Business impacts
South Carolina announced that the state's Department of Revenue (DOR) had suffered a data breach, which exposed 3.8 million individual and 700,000 business tax records, 3.2 million bank accounts plus a small number of credit cards.

Scenario
A fairly standard attack starting with an e-mail, leading to workstation compromise, network access and ultimately server compromise. The attacker had access to more than 40 systems and extracted over 70 GB of data from the DOR.

Causes
A mix of human weaknesses, vulnerabilities at websites and users' end points.

Key takeaways
Updating the workstation software to the latest version and applying basic hardening guidelines would have prevented the installation of the malware and aborted the attack at an early stage.


New cyber threats?

Emerging trends
Mobile computing, social technology, critical infrastructures, trust infrastructures, cloud computing and big data.

Top threat
The injection of malicious code into the HTML of websites to exploit vulnerabilities in users' web browsers (known as drive-by download attacks). Web applications and browsers are becoming critical points and attack vectors, and need to be inventoried and protected. The current trend for this threat is increasing.

Evolving threat agents
Corporations, cybercriminals, employees, hacktivists, nation states and terrorists.

Motivation is still there!
GCCM – Glory, Curiosity, Country, Money


New cyber threats?
Source: « Threat Landscape – Responding to the Evolving Threat Environment » [Deliverable – 2012-09-28]


Combined and complex attacks: the APT


Why does the attacker have the advantage?


Why does the attacker have the advantage?
Source: « Qualys Laws of Vulnerabilities »

Time interval metrics
Time interval between an exploit announcement and the first attack. Exploitation is faster, often happening in less than 10 days compared to 60 days in 2004. Eighty percent of vulnerability exploits are now available within single-digit days after the vulnerability's public release.

Half-life metrics
Time interval for reducing the occurrence of a vulnerability by half. IT administrators at Qualys customers take roughly 30 days to remediate critical vulnerabilities on half of their vulnerable workstations and servers. The average half-life continues to be about 30 days, varying by industry sector.

Exploitation
Reliable exploits have long lifespans. Attackers would rather use old, reliable exploits such as CVE-2010-3333 (the Microsoft Office RTF parsing flaw patched in 2010) that are proven to work instead of experimenting with new but unreliable exploits.
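The half-life metric above is easy to state and easy to get wrong: if a host simply drops out of a scan (switched off, firewalled, on a trip), a naive count of "hosts where the vulnerability was detected" falls and the metric looks better than reality. The following is an added example, not code from the deck or from Qualys, that computes the half-life and per-host time-to-remediate from constructed weekly scan snapshots, carrying forward the last known state of any host a scan did not reach. Host names and dates are made up for the example.

```python
from datetime import date

# Constructed sample scan history for a single vulnerability (not data from
# the deck). Each entry: (scan date, hosts the scanner actually reached,
# hosts on which the vulnerability was still detected).
HOSTS = [f"h{i:02d}" for i in range(1, 11)]
SCANS = [
    (date(2013, 3, 1),  set(HOSTS),      set(HOSTS)),
    (date(2013, 3, 8),  set(HOSTS),      set(HOSTS[:8])),
    (date(2013, 3, 15), set(HOSTS[:8]),  set(HOSTS[:6])),   # h09, h10 offline this week
    (date(2013, 3, 22), set(HOSTS),      set(HOSTS[:4])),
    (date(2013, 3, 29), set(HOSTS[1:]),  {"h02"}),          # h01 offline this week
]


def vulnerable_series(scans):
    """Number of vulnerable hosts at each scan date.

    A host missing from a scan keeps its last known state, so a machine that
    was merely switched off is not silently counted as remediated.
    """
    state = {}
    series = []
    for day, scanned, vulnerable in sorted(scans, key=lambda s: s[0]):
        for host in scanned:
            state[host] = host in vulnerable
        series.append((day, sum(state.values())))
    return series


def half_life_days(scans):
    """Days from the first scan until the vulnerable population has at least
    halved (the deck's half-life metric). None if it never halves."""
    series = vulnerable_series(scans)
    first_day, initial = series[0]
    for day, count in series:
        if count * 2 <= initial:
            return (day - first_day).days
    return None


def remediation_days(scans):
    """Per host: days from first detection to the first scan that confirmed the
    host clean; None for hosts never confirmed clean (a confirmation scan, not
    a closed ticket, is what counts)."""
    first_seen, fixed = {}, {}
    for day, scanned, vulnerable in sorted(scans, key=lambda s: s[0]):
        for host in scanned:
            if host in vulnerable:
                first_seen.setdefault(host, day)
            elif host in first_seen and host not in fixed:
                fixed[host] = (day - first_seen[host]).days
    return {host: fixed.get(host) for host in first_seen}


if __name__ == "__main__":
    for day, count in vulnerable_series(SCANS):
        print(day, count)
    print("half-life:", half_life_days(SCANS), "days")
    print("per-host remediation:", remediation_days(SCANS))
```

With this data the population halves on the fourth scan, 21 days in, and h01 still counts as vulnerable on the last scan even though it was unreachable that week; a count of the raw detection set would have reported 1 instead of 2.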


Why does the attacker have the advantage?

Keeping track of assets is a nightmare
Simply keeping track of assets is a huge challenge for companies with diverse, global activities. Managing the risks to those assets is an order of magnitude harder.

Our enemies are a step ahead
Our enemies are a step ahead in terms of innovation, business models, working as a team, embracing automation, etc. They can attack us whenever they like, and they only need to find a single flaw to penetrate our enterprises.

We need to admit the reality
The defender has greater knowledge and privileged access, and should be able to find and fix flaws before an attacker does. But it's not a fair fight. Hackers are fast and agile.


Traditional Tools Are Failing


Attacker Competence Is Rising


Background
• Open System Administration Channels
• Default and Weak Passwords
• End-user has Administrator Privileges
• Outdated Software Versions
• Non-hardened Configurations
=> Flaws in System Administration


“We were getting owned through our users that were running IE with admin privileges”


Barriers to speed

Governance
The Deming wheel (PDCA) is too slow. It can take years to complete a cycle.

Standards
Standards take even longer to gain acceptance and be enforced. They are built on the practices of an earlier age.

Compliance
It encourages minimal, tick-box responses. Compliance acts as a brake on innovation.

Insufficient resources
Budgets are being squeezed; we need to do more with less. Prioritisation – understanding you can't do everything, so working out what must be done. Firefighting – reactive vs proactive.

People mindsets
Business risks versus senior executives' risks


CISO becoming a (military) strategist
• The CISO has to know his organization and business environment, and has to dialogue with business executives
• The CISO must think like a strategist
• The CISO has to know the attackers / threat agents / enemies around it, not only vulnerabilities
• The CISO shall think like an attacker
• New tools, new skills and a new attitude are needed!
• Back to basics is needed


Know your enemies!
Source: « Threat Landscape – Responding to the Evolving Threat Environment » [Deliverable – 2012-09-28]


Solution
• 20 Critical Controls
• Started as a program called “Consensus Audit Guidelines”
• Owned by SANS, with widespread industry expert input
• International participation
• Prioritized / where to invest
• Automation is critical to success
• 90 % risk reduction at US DoS
• 85 % incident reduction at DSD Australia

20 critical controls that help fight attacks


85 % of past incidents would have been prevented


DIISRTE – Department of Industry, Innovation, Science, Research and Tertiary Education
• About 5,000 seats
• Data breach
• 6-month security project
• Fully patched in 2 weeks
• Admin rights controlled
• Whitelisting
• No additional software purchased
• No end-user impact


20 % – of 327 malware samples, 262 bypassed AV (antivirus caught only about one in five)


So, implementation?

Score: use a letter grade system or other mechanisms


Results


Opportunistic attackers ✔

Targeted attackers: disrupt, slow down, raise cost, force mistakes


Where to find information?


US DoS, DIISRTE, NASA, DHHS-CMS, GS, OfficeMax…


Qualys
• QualysGuard
  • Vulnerability Management
  • Policy Compliance
  • Web Application Scanning
  • PCI-DSS
  • Malware Detection
• SaaS Solution
  • Browser-based, multi-tenant
  • Public and private cloud platform
  • Scanning, reporting, ticketing
  • Extensive API


CAG and QualysGuard capabilities


Four fundamental tenets to keep in mind
• Focus on continuous monitoring to test and evaluate remediation
• Automate processes to address security with efficiency, reliability and scalability
• Provide common metrics allowing all stakeholders to objectively evaluate and adjust security measures
• Put the organization in charge by using knowledge of actual attacks to build effective defenses


Conclusion
• Employ tools that provide automation
• Develop a strategy for implementation and follow it
• Focus on the controls first and vendors second
• Master the art of influence
• Always maintain your guard


http://www.qualys.com/forms/whitepapers/automating-sans-20-critical-controlsqualysguard/


Transforming IT Security & Compliance
Appendix – How to implement and automate the 20 Critical Controls quickly?


Risk-based Approach


CC1: Inventory of Authorized and Unauthorized Devices
• Asset Visibility
  • Size of Network
  • Machine Types
  • Location
• New Equipment Detection
  • Authorized
  • Unauthorized
• Automation
  • Scans are scheduled
  • Delta reports are scheduled
  • Reports can be e-mailed
  • Alerting on newly discovered hosts, via API
  • Integration into asset management systems, via API
  • To come: ticket generation on newly discovered hosts


CC2: Inventory of Authorized and Unauthorized Software
• Asset Visibility
  • Operating Systems
  • Applications
  • Versions
  • Patch Levels
• Blacklisting
• Whitelisting
• Interactive Search
• Automation
  • Scans are scheduled
  • Reports are scheduled
  • Reports can be e-mailed
  • Alerting on exceptions, via API
  • Integration into asset management systems, via API
  • To come: ticket generation on exceptions
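The automation bullets for CC1 and CC2 boil down to one job: diff the latest scan against the previous one and against what the asset management system says is authorized, then raise an alert or ticket on every exception. The following is an added example, not code from the deck or from QualysGuard, that does that over two constructed inventory snapshots: it flags newly discovered and unauthorized hosts (CC1), blacklisted and non-whitelisted software, and software below an assumed minimum version (CC2). The host addresses, software names, version policy and list contents are all made up for the example; a real deployment would feed these structures from scan results and the asset system via the API.

```python
# Constructed sample inventories (not data from the deck). In practice the
# two scan snapshots come from scheduled scans and the authorized-device
# list from the asset management system, both pulled over the API.
AUTHORIZED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12"}
SOFTWARE_BLACKLIST = {"uTorrent", "nc"}
SOFTWARE_WHITELIST = {"Internet Explorer", "Java", "OpenSSH"}
MINIMUM_VERSIONS = {"Internet Explorer": "9.0", "Java": "7.0.17"}   # assumed policy

PREVIOUS_SCAN = {
    "10.0.1.10": {"os": "Windows 7 SP1", "software": {"Internet Explorer": "9.0", "Java": "6.0.31"}},
    "10.0.1.11": {"os": "Ubuntu 12.04", "software": {"OpenSSH": "5.9"}},
}
CURRENT_SCAN = {
    "10.0.1.10": {"os": "Windows 7 SP1", "software": {"Internet Explorer": "9.0", "Java": "7.0.17"}},
    "10.0.1.11": {"os": "Ubuntu 12.04", "software": {"OpenSSH": "5.9", "nc": "1.10"}},
    "10.0.1.12": {"os": "Windows 7 SP1", "software": {"Internet Explorer": "8.0"}},
    "10.0.1.99": {"os": "Windows XP SP3", "software": {"Internet Explorer": "8.0", "uTorrent": "3.3"}},
}


def parse_version(text):
    """Dotted numeric version string -> comparable tuple, e.g. '7.0.17' -> (7, 0, 17)."""
    return tuple(int(part) for part in text.split("."))


def delta_report(previous, current, authorized, blacklist, whitelist, minimum):
    """Compare two inventory snapshots and return the exceptions a CC1/CC2
    alert or ticket would be raised on."""
    report = {
        "new_hosts": sorted(set(current) - set(previous)),        # CC1: newly discovered
        "vanished_hosts": sorted(set(previous) - set(current)),   # CC1: gone since last scan
        "unauthorized_hosts": [],                                 # CC1: not in the asset system
        "blacklisted": [],                                        # CC2: forbidden software
        "unknown_software": [],                                   # CC2: not on the whitelist
        "outdated": [],                                           # CC2: below minimum version
    }
    for host, info in sorted(current.items()):
        if host not in authorized:
            report["unauthorized_hosts"].append(host)
        for name, version in sorted(info["software"].items()):
            if name in blacklist:
                report["blacklisted"].append((host, name))
            elif name not in whitelist:
                report["unknown_software"].append((host, name))
            if name in minimum and parse_version(version) < parse_version(minimum[name]):
                report["outdated"].append((host, name, version))
    return report


def alert_lines(report):
    """Flatten the report into one line per exception, ready for an e-mail or ticket."""
    lines = []
    for host in report["new_hosts"]:
        lines.append(f"NEW HOST {host}")
    for host in report["vanished_hosts"]:
        lines.append(f"VANISHED HOST {host}")
    for host in report["unauthorized_hosts"]:
        lines.append(f"UNAUTHORIZED HOST {host}")
    for host, name in report["blacklisted"]:
        lines.append(f"BLACKLISTED {name} on {host}")
    for host, name in report["unknown_software"]:
        lines.append(f"UNKNOWN {name} on {host}")
    for host, name, version in report["outdated"]:
        lines.append(f"OUTDATED {name} {version} on {host}")
    return lines


if __name__ == "__main__":
    report = delta_report(PREVIOUS_SCAN, CURRENT_SCAN, AUTHORIZED_HOSTS,
                          SOFTWARE_BLACKLIST, SOFTWARE_WHITELIST, MINIMUM_VERSIONS)
    for line in alert_lines(report):
        print(line)
```

Note that a host is reported as unauthorized on every scan until the asset system is updated, not only on the scan that first saw it; "new" and "unauthorized" are deliberately separate findings, because a new host that is in the asset system is routine while an old host that never made it there is the interesting case.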


CC3: Secure Configurations for Hardware and Software
• Configuration Validation
  • SCAP/FDCC
  • CyberScope Reporting
  • CIS


CC4: Continuous Vulnerability Assessment and Remediation
• Weekly/Daily Scheduled Vulnerability Scanning
• Authenticated Scanning
• Verify Patching
• Report on Unauthorized Services
• Automation
  • Scans are scheduled
  • Reports are scheduled
  • Reports are e-mailed
  • Alerting on vulnerabilities
  • Tickets for vulnerabilities, remediation SLA and confirmation
  • Integration into asset management systems, via API
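Two pieces of the deck fit together here: the CC4 automation bullet "tickets for vulnerabilities, remediation SLA and confirmation", and the earlier implementation slide that suggests scoring with a letter grade. The following is an added example, not code from the deck or from QualysGuard, that turns constructed findings into tickets with a due date and SLA status, closes a ticket only on the date a later scan confirmed the fix (the "verify patching" step), and rolls the result up into a percentage and letter grade. The SLA values by severity, the grade thresholds, the host names and the dates are all assumptions for the example; only the two CVE identifiers are ones the deck itself mentions.

```python
from datetime import date, timedelta

# Assumed remediation SLA, in days, by severity (the deck mentions SLAs but
# gives no values); severities below 3 get a nominal one-year deadline here.
SLA_DAYS = {5: 30, 4: 60, 3: 90}

# Constructed sample findings (not data from the deck):
# (host, vulnerability, severity, first detected, date a later scan
#  confirmed it fixed, or None while still open). Only CVEs named in the
# deck are used as labels.
FINDINGS = [
    ("srv01", "CVE-2010-3333", 5, date(2013, 2, 1),  date(2013, 2, 20)),
    ("srv02", "CVE-2010-3333", 5, date(2013, 2, 1),  date(2013, 3, 15)),
    ("ws07",  "CVE-2012-4969", 5, date(2013, 3, 20), None),
    ("ws08",  "CVE-2012-4969", 5, date(2013, 2, 10), None),
    ("ws09",  "CVE-2012-4969", 4, date(2013, 2, 10), None),
    ("ws10",  "CVE-2012-4969", 4, date(2013, 3, 1),  None),
]


def sla_tickets(findings, as_of):
    """One ticket per finding with its due date and SLA status.

    A ticket is 'closed' only on the date a scan confirmed the fix, never on
    the day an administrator says it was patched.
    """
    tickets = []
    for host, vuln, severity, detected, confirmed_fixed in findings:
        due = detected + timedelta(days=SLA_DAYS.get(severity, 365))
        if confirmed_fixed is not None:
            status = "closed_in_sla" if confirmed_fixed <= due else "closed_late"
        else:
            status = "breached" if as_of > due else "open"
        tickets.append({"host": host, "vuln": vuln, "severity": severity,
                        "due": due, "status": status})
    return tickets


def sla_score(tickets):
    """Percentage of tickets that have not missed their SLA (closed in time, or
    still open and not yet due)."""
    if not tickets:
        return 100.0
    met = sum(t["status"] in ("closed_in_sla", "open") for t in tickets)
    return round(100.0 * met / len(tickets), 1)


def letter_grade(score):
    """Map a percentage to a letter grade (thresholds are an assumption)."""
    for threshold, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return grade
    return "F"


if __name__ == "__main__":
    today = date(2013, 4, 17)   # the presentation date, fixed for reproducibility
    tickets = sla_tickets(FINDINGS, today)
    for t in tickets:
        print(f"{t['host']:6} {t['vuln']} sev{t['severity']} due {t['due']} {t['status']}")
    score = sla_score(tickets)
    print(f"CC4 remediation score: {score}% -> grade {letter_grade(score)}")
```

Scoring "open but not yet due" as meeting the SLA keeps the grade honest in both directions: a freshly detected critical does not drag the score down on day one, but the moment its 30 days elapse without a confirming scan it flips to breached and the grade drops, which is exactly the signal management needs to see.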


Other Critical Controls
• CC6: Application Software Security
  • Automated web application scans
• CC7: Wireless Device Controls
  • Wireside detection
• CC11: Control of Network Ports
  • Scans and reports for authorized and unauthorized ports and services
• CC16: Account Monitoring
  • Controls for admin accounts, password policies, account lockout settings


Policy Dynamics
• Ability to add tactical controls
• Example: recent Internet Explorer vulnerability CVE-2012-4969
  • Mitigated by use of EMET
  • Audit the deployment
  • User-defined registry check


Summary
• Functionality to assess the controls exists
• Automation is available, but API integration is frequently needed
• Offerings are improving, with better workflow coming


Transforming IT Security & Compliance
Thank You
