Threat Impact Analysis Without Crash Testing the Network

Transcript of "Threat Impact Analysis Without Crash Testing the Network"

  1. Threat Impact Analysis Without Crash Testing The Network: Virtual Attack Simulation For Proving Security Control Effectiveness
      Dr. Mike Lloyd | CTO | April 2013 | www.redsealnetworks.com
  2. Agenda
      - Continuous Monitoring:
        - The right idea
        - At the right time
        - Mandated
      - Why?
      - How?
      - What’s special about network security?
      - Lessons learned
      © 2013 RedSeal Networks, Inc. All rights reserved.
  3. What problem?
      - Billions of $$$ in IT security spending
      - 90% of Organizations say they have been breached in the last 12 months*
      *Perceptions About Network Security, Ponemon Institute,
  4. Lack of control leads directly to breach
      - 97% of attacks could have been avoided through “consistent application of simple or intermediate controls” - Verizon Data Breach Investigations Report, 2012
  5. What we hear from CISOs
      - We’ve got data
        - Lots of it
      - Making sense of it is hard
        - Skills shortage
        - Sheer scale
      - Hard to prioritize actions
      - Hard to demonstrate effectiveness
      - Compliance is pain with little gain
  6. Dynamic compliance
  7. Continuous Monitoring 101
      - Main idea is simple:
        - Asset Inventory
        - Policy
        - Check the assets (and repeat)
      - Not too bad for physical assets
      - Doors
        - List all doors
        - Require card reader on external doors
        - Check
      - Desktops are a bit harder
        - Can you find them all?
        - Policy gets more technical
        - Testing is downright fiddly
      - SCAP, FDCC have worked hard on this problem
  8. Network security
      - Network security is the same, right?
        - List all network gear
        - Write configuration rules
        - Test them
      - Any problems with this?
  9. How not to do it
      - Check the outcome, not the details
  10. Networks are different
      - Networks are about pairs
        - Can A attack B?
      - Hosts can be checked
        - Lots of work, but possible
      - For the network, square it
        - 10,000 hosts => 100 million questions
      - Well outside human range
      - Far too many interactions
  11. Four gears
      - Gather & Map
      - Test Elements
      - Test the System
      - Measure Risk
  12. First gear: gather & map
      - You can’t manage what you can’t see
      - Network configuration stores vary widely
        - Some have a chosen CMDB vendor
        - Some have many
        - Some have none
      - All have problems
  13. Lesson 1: Everyone has Dark Space
      - Every network store has gaps
      - Maps make it obvious
      - Good news: it’s possible to “bootstrap”
      - The data you have can tell you what’s missing
        - Report on “known unknowns”
      [Figure label: Disconnected objects]
  14. Second gear: test elements
      - RedSeal includes over 100 basic single-device tests
        - Vendor supplied passwords
        - Insecure management protocols
        - Industry-wide best practice checks
      - We find around 10 issues per device
      - Lesson 2: all configurations need to be checked
      - But element testing isn’t enough …
  15. Third gear: test the system
      - Testing elements is easy
      - Testing whole systems is hard, for humans
      - Automation works, if you can tell the machine what your objectives are
  16. Zone defense in practice
      - Main PKI site, plus disaster recovery
      - Strict access controls expected
      [Diagram labels: Internet, Cert Authority, Cert Admins, WAN to Extranet, DR Site]
  17. Testing the system end to end
      - People set the objectives
      - Automation to compare to the “as built”
      - Red arrow means something is wrong
      - Unexpected access
  18. Drill down to see the exception
      - Many interacting elements
      - Something went wrong
  19. Pin-point root cause
      - In this case, three gaps
        - One for a telecommuter who left 8 years ago
        - Two more for “temporary” testing
      - Lost among thousands of details
      [Diagram labels: Access Found; “Subway Map” showing path; Flow through one hop; Specific rules]
  20. How did this happen?
      - A network built with care
        - By people who knew what they were doing
      - Repeated audits, over years
      - How did the error survive?
      - Complexity
      - Lesson 3: zone defense is easy for computers
  21. Fourth gear: measure risk
      - Once you understand access, you can prioritize vulnerabilities
      - Run attack simulations
      - See what’s easiest to break into
      - Score using Risk = Value * Ease of Exploit
  22. Virtual Attack Simulation: a real example
      [Diagram labels: Internet, DMZ, Main Site]
  23. Step 1 – Vulnerabilities exposed in DMZ
      - Attackers can reach these exposed servers
  24. Step 2 – Some attack paths sneak in
      - Just a few pivot attacks are possible
  25. Step 3 – Attack fans out
      - Attackers can get in if they find this first!
  26. Risk metric dashboards
      - How easily can attackers get in?
      - How big is my attack surface?
      - How much is undocumented?
  27. Lesson 4: Metrics that matter
      - Defensive posture CAN be measured
      - This drives to better outcomes
        - Measure posture => improved posture
      - You can sleep better
        - Demonstrate effectiveness, not busyness
  28. Making lemonade
      - Continuous Monitoring is now possible
        - And a good idea
        - And mandated
      - Automation is far easier than human effort
      - But you still need to write rules
      - There’s another process you can leverage
        - Change Review Board
  29. Optimized change process
      - Big win: record intent up front, in Risk Assessment
      - Use software as “catcher’s mitt”, detect drift
      [Diagram labels: Change request; Compliance report; “I want”; Enterprise; Implementation; “How”; Network Ops; Risk assessment; Continuous monitoring; “Yes”; “Yes, but”; “OK”; “Not OK”; Security Oversight]
  30. Optimized change process
      [Diagram labels: Change request; Compliance report; “I want”; Enterprise; Implementation; “How”; Network Ops; Risk assessment; Continuous monitoring; “Yes”; “Yes, but”; “OK”; “Not OK”; Security Oversight; Auto-compute details; Continuous monitoring; Automated assessment]
  31. Conclusions
      - Continuous Monitoring is:
        1. A good idea
        2. Mandatory
        3. Impossible with human effort alone
        4. Easy with automation
      - Networks multiply the complexity
      - Automated risk assessment is key
      [Diagram labels: Gather & Map, Test Elements, Test the System, Measure Risk]
  32. www.redsealnetworks.com
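
The third and fourth gears (slides 15 to 25) can be illustrated with a small model. This is an added example, not RedSeal's code or anything from the deck: it compares "as built" access against a zone policy, simulates pivoting from the Internet, and ranks exposed hosts with the deck's Risk = Value * Ease of Exploit. All host names, rules and scores are constructed assumptions.

```python
from collections import deque

# Constructed model: hosts, zones, rules and scores are all hypothetical.
ZONE = {"internet": "Internet", "web1": "DMZ", "mail1": "DMZ",
        "db1": "Main Site", "hr1": "Main Site", "ca1": "Main Site"}
# "As built" access computed from device configs: (source, destination).
ACCESS = {("internet", "web1"), ("internet", "mail1"), ("web1", "db1"),
          ("db1", "hr1"), ("db1", "ca1"),
          ("internet", "hr1")}  # leftover "temporary" rule
# Intended policy, stated per zone pair rather than per host pair.
POLICY = {("Internet", "DMZ"), ("DMZ", "Main Site"), ("Main Site", "Main Site")}
EASE = {"web1": 0.8, "db1": 0.5, "hr1": 0.4, "ca1": 0.9}  # 0..1; absent = no known vuln
VALUE = {"web1": 2, "mail1": 3, "db1": 8, "hr1": 6, "ca1": 10}


def unexpected_access():
    """Host pairs the network permits but the zone policy does not."""
    return sorted((s, d) for s, d in ACCESS if (ZONE[s], ZONE[d]) not in POLICY)


def simulate(start="internet"):
    """Breadth-first pivoting: a reachable, vulnerable host becomes a new source.
    Returns {host: step at which it is first exposed}."""
    step = {start: 0}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for s, d in sorted(ACCESS):
            if s == src and d not in step and EASE.get(d, 0) > 0:
                step[d] = step[src] + 1
                queue.append(d)
    del step[start]
    return step


def ranked_risk():
    """Risk = Value * Ease of Exploit, scored only for hosts an attacker can reach."""
    risk = {h: VALUE[h] * EASE[h] for h in simulate()}
    return sorted(risk, key=risk.get, reverse=True)


if __name__ == "__main__":
    print("unexpected access:", unexpected_access())
    print("exposure by step: ", simulate())
    print("fix first:        ", ranked_risk())
```

The policy check asks one question per zone pair while the simulation answers the per-host "Can A attack B?" questions mechanically, which is the division of labour the deck argues for.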