Tim White, Director of Product Management at Qualys, presented on Qualys ThreatPROTECT at RSA Conference 2016.
Qualys ThreatPROTECT helps InfoSec professionals automatically prioritize the vulnerabilities that pose the greatest risk to the organization.
Start a free trial: https://www.qualys.com/forms/trials/threatprotect/
Contact Qualys for more information: 800.745.4355 https://www.qualys.com/company/contacts
3. Where to Start?
"Organizations would need access to all threat intelligence indicators in order for the information to be helpful—a Herculean task"
Verizon Data Breach Report - 2015
5. Real-time Threat Intelligence Attributes
- Exploit Public
- Zero Day
- Actively Attacked
- High Lateral Movement
- Easy Exploit
- No Patch
- High Data Loss
- Denial of Service
~5000 vulns/year, and the count has been increasing significantly over the last few years
Qualys reported a 58% increase in Microsoft patches in 2015
26442 QIDs in the Qualys KB today
Critical issues remain unaddressed for longer exposure periods
Not all Common Vulnerabilities and Exposures (CVEs) are created equal.
According to the 2015 Verizon Data Breach Investigations Report:
Half of the CVEs were exploited within a month
10 CVEs account for almost 97 percent of exploits, per the report.
Remediation efforts must be prioritized to have an immediate and measurable impact on risk reduction.
This requires not only accurately identifying vulnerabilities, but also understanding a variety of point-in-time factors that contribute significantly to the overall risk exposure.
For example, publicly available exploits that are actively being leveraged by attackers present greater threat exposure than less well-known vulnerabilities that are not being exploited in an automated way.
Actionable security intelligence with organizational context leads to better countermeasures against the threats that matter most.
"Ten CVEs account for almost 97% of the exploits observed in 2014"
"A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild."
Built on the Qualys Cloud Platform, ThreatPROTECT correlates data from
- vulnerability scans and agents
ThreatPROTECT correlates this data with Real-time Threat Indicators (RTIs).
Backed by ElasticSearch, it helps rapidly find and prioritize response.
An easy-to-understand dashboard provides a holistic and contextual view of an organization's threat exposure,
gives clear insight into which vulnerabilities to fix first,
and helps customers rapidly find and prioritize responses to vulnerabilities
based on these RTIs according to the level of threat seen in the wild.
Key Features:
Actionable Threat Intelligence Data
Native Integration with VM
Integrates with AssetView and the Qualys Platform
Completely Customizable
Advanced Search and Drill Through Capabilities
With ThreatPROTECT, customers can visualize, prioritize and take action to minimize exposure from vulnerabilities related to the threats that matter most.
Define RTIs
RTIs can be used on a standalone basis or cascaded with each other to prioritize efforts for patching,
or to select compensating controls to reduce exposure when patches are not available.
They can be combined with additional information about the environment from other modules such as AssetView™,
allowing customers to mine asset information and prioritize remediation on the most important assets with the greatest threat exposure.
Where From?
- Qualys Research Labs
- Mention laws of vulns
Robust real-time threat data from external sources.
This includes information on attacks, exploits and exploit kits,
lateral movement and other info.
Qualys has gathered many of the RTIs for years now for internal use, to prioritize vulnerability signature development.
2 billion annual Qualys scans
100 billion detections
These are the data points collected per vulnerability.
Accurate, timely and actionable information is aggregated
from multiple reliable data sources to prioritize and shrink the flood of security alerts.
Qualys has partnerships with
Core Security, Exploit Database, Immunity, TrendMicro, VeriSign iDefense and others.
Current RTIs provided by the new service include:
Zero Day - An active attack has been observed in the wild but there is no patch from the vendor.
Exploit Public - Exploit knowledge is well known and working exploit code is publicly available. The potential for active attacks is very high.
Actively Attacked - Active attacks have been observed in the wild. If there are no patches, Qualys will mark it as Zero Day in addition to Actively Attacked.
High Lateral Movement - After a successful compromise, the attacker has high potential to compromise other machines in the network.
Easy Exploit - The attack can be carried out easily and requires little skill, or does not require additional information.
High Data Loss - Successful exploitation will result in massive data loss on the host.
Denial of Service - Successful exploitation will result in denial of service.
No Patch - The vendor has not provided an official fix.
Malware - Malware has been associated with this vulnerability.
Exploit Pack - An exploit pack has been associated with this vulnerability.
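The standalone and cascaded RTI prioritization described above, as an added example that is not Qualys code and not part of the original deck. The RTI names and the rule "actively attacked with no patch is also Zero Day" come from the list above; the stage ordering, the QIDs and the sample detections are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# RTI names exactly as listed on the page.
RTIS = frozenset({"Zero Day", "Exploit Public", "Actively Attacked", "High Lateral Movement",
                  "Easy Exploit", "High Data Loss", "Denial of Service", "No Patch",
                  "Malware", "Exploit Pack"})

@dataclass(frozen=True)
class Vuln:
    qid: int          # constructed QID values, not real knowledge-base entries
    title: str
    rtis: frozenset   # RTI names attached to this detection

def normalize(v: Vuln) -> Vuln:
    """Reject unknown RTI names and apply the page's derivation rule:
    an actively attacked vulnerability with no vendor patch is also Zero Day."""
    unknown = v.rtis - RTIS
    if unknown:
        raise ValueError(f"unknown RTI names: {sorted(unknown)}")
    rtis = set(v.rtis)
    if "Actively Attacked" in rtis and "No Patch" in rtis:
        rtis.add("Zero Day")
    return Vuln(v.qid, v.title, frozenset(rtis))

def standalone(vulns, rti):
    """Single-RTI filter: QIDs of every vuln carrying the given indicator."""
    return [v.qid for v in map(normalize, vulns) if rti in v.rtis]

def cascade(vulns, stages):
    """Cascaded prioritization: each stage is a set of RTIs that must all be present.
    A vuln lands in the first stage it matches, so earlier stages are more urgent;
    anything matching no stage is reported as 'unranked' rather than silently dropped."""
    buckets = {i: [] for i in range(len(stages))}
    buckets["unranked"] = []
    for v in sorted(map(normalize, vulns), key=lambda x: x.qid):
        for i, needed in enumerate(stages):
            if needed <= v.rtis:
                buckets[i].append(v.qid)
                break
        else:
            buckets["unranked"].append(v.qid)
    return buckets

# Constructed sample detections (QIDs and titles are made up for this example).
SAMPLE = [
    Vuln(100001, "browser plugin RCE", frozenset({"Actively Attacked", "No Patch", "Exploit Pack"})),
    Vuln(100002, "SMB auth bypass", frozenset({"Exploit Public", "Easy Exploit", "High Lateral Movement"})),
    Vuln(100003, "web app info leak", frozenset({"Exploit Public"})),
    Vuln(100004, "old daemon DoS", frozenset({"Denial of Service"})),
]

# Assumed cascade for this example: zero days, then easy public exploits, then lateral movement.
STAGES = [frozenset({"Zero Day"}), frozenset({"Exploit Public", "Easy Exploit"}),
          frozenset({"High Lateral Movement"})]
```

Running `cascade(SAMPLE, STAGES)` puts the unpatched, actively attacked QID in stage 0 even though it was never tagged Zero Day directly, which is exactly the derivation the page describes.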