5 Steps to Reduce Your Window of Vulnerability
•Download as PPTX, PDF•
1 like•866 views
Skybox Security offers advice and an immediately actionable plan to help you reduce your window of vulnerability and attack surface on your critical network infrastructure.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to 5 Steps to Reduce Your Window of Vulnerability
Similar to 5 Steps to Reduce Your Window of Vulnerability (20)
More from Skybox Security
More from Skybox Security (17)
Recently uploaded
Recently uploaded (20)
5 Steps to Reduce Your Window of Vulnerability
- 1. Michelle Cobb Vice President, Worldwide Marketing Best Practices for Reducing Your Attack Surface: 5 Steps to Shrinking Your Window of Vulnerability
- 2. © 2015 Skybox Security Inc. There Are No Silver Bullets in Security 96% of breaches avoidable through standard controls1
- 3. © 2015 Skybox Security Inc. SANS 20 Critical Security Controls 1: Inventory of Devices 2: Inventory of Software 3: Secure Configurations for Hardware and Software on Computers 4: Continuous Vulnerability Assessment and Remediation 5: Malware Defenses 6: Application Software Security 7: Wireless Access Control 8: Data Recovery Capability 9: Security Skills Assessment and Training 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 11: Limitation and Control of Network Ports, Protocols, and Services 12: Controlled Use of Administrative Privileges 13: Boundary Defense 14: Maintenance, Monitoring, and Analysis of Audit Logs 15: Control Access Based on Need to Know 16: Account Monitoring and Control 17: Data Protection 18: Incident Response and Management 19: Secure Network Engineering 20: Penetration Testing
- 4. © 2015 Skybox Security Inc. Step 1: Increase Your Understanding of Your Attack Surface “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” - Sun Tzu, The Art of War Sans Critical Controls 1: Inventory of Devices 2: Inventory of Software
- 5. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers
- 6. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers Security Controls Firewalls IPS VPNs
- 7. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches
- 8. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks
- 9. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks Vulnerabilities Location Criticality
- 10. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers Security Controls Firewalls IPS VPNs Network Topology Routers Load Balancers Switches Assets Servers Workstations Networks Vulnerabilities Location Criticality Threats Hackers Insiders Worms
- 11. © 2015 Skybox Security Inc. Provide a Straight-Forward Representation 192.170.33.1 Prod FW 192.169.1.1 Main FW 200.160.1.3 Partner 1 FW 200.160.3.0 / 24 Partner 1 VPN 192.170.1.65 Finance FW 192.170.1.64 IPS 192.170.8.1 Main Router 192.170.8.4 Core Router 192.170.27.1 Core Router 192.170.27.254 BigIP Load Balancer 200.160.1.0 / 24 Partner 1 0.0.0.0 / 0 Internet 200.160.2.0 / 24 Partner 2 192.170.34.0 / 24 db 192.170.33.0 / 24 dmz 192.170.35.0 / 24 app0 192.170.36.0 / 24 app1 192.170.8.0 / 24 Backbone 192.169.1.0 / 28 GatewayEastA 192.170.1.64 / 28 GatewayNorth 192.170.1.80 / 28 GatewaySouth 192.170.25.0 / 24 financeWindows 192.170.27.0 / 24 financeServers 192.170.26.0 / 24 financeUnix Automatically created and maintained, interactive, normalized model of your network
- 12. © 2015 Skybox Security Inc. It Might Not be as Easy as You Think
- 13. © 2015 Skybox Security Inc. Step 2: Evaluate Critical Threats to Your Network Sans Critical Controls 20: Penetration Testing
- 14. © 2015 Skybox Security Inc. Penetration testing – True test of network security – Performed infrequently at preplanned time Vulnerability scanning – Detect vulnerabilities on a regular basis – Lack network context Traditional Means Are a Good Start
- 15. © 2015 Skybox Security Inc. Virtual Penetration Testing
- 16. © 2015 Skybox Security Inc. Vulnerabilities CVE 2014-0160 CVE 2014-0515 CVE 2014-1776 Virtual Penetration Testing
- 17. © 2015 Skybox Security Inc. Internet Hacker Compromised Partner Rogue Admin Vulnerabilities CVE 2014-0160 CVE 2014-0515 CVE 2014-1776 Virtual Penetration Testing
- 18. © 2015 Skybox Security Inc. Internet Hacker Compromised Partner Attack Vectors Rogue Admin Vulnerabilities CVE 2014-0160 CVE 2014-0515 CVE 2014-1776 Virtual Penetration Testing
- 19. © 2015 Skybox Security Inc. Poll Question Is your organization still dealing with the Heartbleed vulnerability? – Yes – No
- 20. © 2015 Skybox Security Inc. Step 3: Stay on Top of New Threats 2 Sans Critical Controls 4: Continuous Vulnerability Assessment and Remediation
- 21. © 2015 Skybox Security Inc. The Media is Playing a Role in Your Security Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of CVE publication date3
- 22. © 2015 Skybox Security Inc. Everyone Needs to Know the Answer Faster 4 1. Scan more 2. Scan differently
- 23. © 2015 Skybox Security Inc. Scanless Vulnerability Detection: Identify Vulnerabilities Without a Scan Vulnerability Deduction Product Catalog (CPE) OS version & patch level Application versions Vulnerability List (CVE) Vulnerability Database ProductProfiling Asset / Patch Management Networking Devices Active Scanner
- 24. © 2015 Skybox Security Inc. Determine Impact of a New Threat in Hours Typical scanner Analytical Scan 250 hosts/hour 100,000 host/hour
- 25. © 2015 Skybox Security Inc. Poll Question How mature is your process for maintaining effective security controls (firewalls, IPSs, patching vulnerabilities) – We have a formal document and audited process to which we strictly adhere – We have an undocumented informal process – Process? Huh?
- 26. © 2015 Skybox Security Inc. Step 4: Close Network Device Security Gaps Sans Critical Controls 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 27. © 2015 Skybox Security Inc. Step 4: Close Network Device Security Gaps
- 28. © 2015 Skybox Security Inc. Monitor Firewalls and Network Devices for Security Gaps Complete visibility of – Hosts, devices, zones – Firewall rules (ACLs) – Routing, NAT, VPN Analysis – Risky access paths – Access policy compliance – Rule usage – Platform configuration Firewall allows port open from the internet
- 29. © 2015 Skybox Security Inc. Improved Success Through Automation Old Process Automated Solution Full firewall analysis 2 - 4 days Less than 1 hour Per change analysis speed 2 hours 5 minutes Analysis accuracy 70% 99% Compliance audits Annual, and VERY stressful Daily or on-demand, automated, easy Employee burnout Measured in weeks! None Window of exposure Days/months Minutes/hours Compliance process costs Expensive 80%+ reduction
- 30. © 2015 Skybox Security Inc. Identify Critical Unremediated Vulnerabilities 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published 3 Top Ten Most Exploited 1. CVE-2002-0012 2. CVE-2002-0013 3. CVE-1999-0517 4. CVE-2001-0540 5. CVE-2014-3566 6. CVE-2012-0152 7. CVE-2001-0680 8. CVE-2002-1054 9. CVE-2002-1931 10. CVE-2002-1932 Mitigation Options • Patching • Removal • Configuration • IPS • Firewall rules
- 31. © 2015 Skybox Security Inc. Step 5: Assess Risk of Planned Changes Change Management - Optimize Workflow Technical Details Change Request Risk Assessment Change Implementation Reconcile and Verify Automate the change management process Monitor changes Assess risk before change is made Identify devices involved Deliver access path information immediately Handle exceptions Reconcile changes
- 32. © 2015 Skybox Security Inc. Skybox Product Portfolio Skybox Platform • Network model, security context, visualization, predictive analytics, workflow, reporting, dashboards, API • Vulnerability and threat intelligence Solutions • Vulnerability & Threat Management • Vulnerability assessment and prioritization • Threat impact analysis • Security Policy Management – Firewall assessment and optimization – Network compliance monitoring – Network change management Scalable, Context-Aware, Automated, Actionable
- 33. © 2015 Skybox Security Inc. 33 Financial Services Technology Healthcare Government & Defense Consumer Service Providers Energy & Utilities Global 2000 Organizations Worldwide Choose Skybox Security
- 34. © 2015 Skybox Security Inc. Use Case Vulnerability and Patch Management • 26 countries • 46 regulations • 100,000+ vulnerabilities • 1,000+ changes per day Business Challenge Skybox Solution Network Assurance and Vulnerability Control Map and analyze infrastructure in minutes Patch critical vulnerabilities in 1 day Reduce risk exposure Fragmented vulnerability and patch process Lack continuous monitoring and analysis
- 35. © 2015 Skybox Security Inc. Use Case Firewall Management and Compliance Business Challenge Skybox Solution Maintain continuous firewall compliance Reduce compliance costs 70 firewalls, 40,000 active firewall rules Manual firewall management, weeks to analyze Firewall Assurance Achieved daily compliance with ISO27001, SOX 20% productivity gain – security diagnosis in minutes Easy implementation of rule changes
- 36. © 2015 Skybox Security Inc. Summary 1. Increase your understanding of your attack surface – Achieve a holistic understanding of your network 2. Evaluate critical threats to your network – Perform regular analysis to help prioritization 3. Stay on top of new threats – Use methods of quick detection 4. Close network device security gaps – Buy yourself time for future threats 5. Assess risk of proposed changes – Don’t introduce future problems
- 37. © 2015 Skybox Security Inc. 37 Questions? www.skyboxsecurity.com
- 38. © 2015 Skybox Security Inc. 38 References 1. Best Practices for Reducing Your Attack Surface 2. 2015 Skybox Enterprise Vulnerability Management Trends Report 3. Best Practices for Vulnerability Management 4. 2015 Verizon Data Breech Investigations Report
Editor's Notes
- Skybox Security PPT Template May 2014
- Network model – our foundation technology and the first thing that separates us from our competitors. Our network model accurately represents your network allowing you to interact and query it much the same way you would with a real network. You can think of the model as having multiple layers of fidelity as needed for different tasks. For firewall compliance and clean up tasks, you might just have a low fidelity model made of firewalls For path analysis and change management, your model might also contain layer 3 networking gear For vulnerably discovery and prioritization you’d want to go with the highest resolution model that includes networking as well as asset and vulnerability elements, even IPS devices. And, of course, the side benefit is the production of an up-to-date network map. Once you have a network model built there are quite a few things you can do with it. Model vs Map Pontification… One of the unique features of skybox, and the basis for what we do, is our network model. A network model is often confused with a network map, or a 2 dimensional representation of the network. The difference between a model and a map comes down to how well it emulates and represents the network. The concept of modeling has been around for some time and has been used to address some very complex problems. Flight simulation, weather prediction and viral infection simulations are all solutions to difficult problems, based on modeling. The basis for those solutions was to create a model (of an airplane, the earth, and the human body) and then apply different “what-if” scenarios to the model. An accurate model will correctly predict the outcome of the scenario, delivering the same result that would occur if that scenario played out in real life. In networking, a network map is just a picture of boxes (network devices) connected with lines. When one tries to use a map to solve problems they are quickly faced with the need to make assumptions, or augment the map with information from other sources. When simply picking two points on a network map and asking the question, “Could a packet with a destination port of 80 make it from here to there?” the questioner would find they need to understand whether each box along the path would forward or deny the packet, and if it was forwarded, which interface would it be forwarded to. In short, they would find that they need a network model, not a network map, as a model understands the rules of each “box” and how it makes those forwarding decisions. This information comes in the form of rules - routing rules, access control rules, and network/port translation rules. The model must be able to simulate each device on the network and accurately treat a theoretical packet the same way the physical network would treat a real packet. Over 10 years ago, Skybox pioneered work in network modeling for the purpose of bringing context to vulnerability data in large organizations. Our original goal was to model the network to determine the exposure of vulnerabilities to the Internet and other parts of the network that might represent a threat origin. Over the last 10 years Skybox has perfected the network model by adding support for all the crazy stuff that can exist in networks today – transparent firewalls, asynchronous routing, multiple layers of address translation and port translation, dynamic routing, mpls clouds, vpns, etc. The result is an interactive model that can accurately be used for a variety of purposes. Skybox uses this model to answer questions like: “Does my network allow more access than is described in my company’s security policy or a specific regulation?” “If a host on network x were compromised, what systems could it reach, either directly or via pivot/stair-step attacks?” “What kind of risk is associated with making this specific change to a firewall? What vulnerabilities will be exposed? What policies would be violated?” “How bad is it that I have a specific vulnerability on a specific host? Given my “defense in depth” with firewalls and IPS, how likely is it that this vulnerability could be exploited?” “If I de-provision a specific rule on a firewall, what will the effect be? Will any of my applications stop working?” “How can my SIEM understand which hosts are at the highest risk given constant changes in the network and ongoing vulnerability discovery?” “Is there was a way to interact with the collection of multi-vendor networking devices that make up my network on a single screen?” “I have 100s of thousands of vulnerabilities on my network, which ones are truly causing risk to my organization?”
- Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Sales version of slide- Continuously monitor change and minimize risks Link and automate security processes Huge time savings in delivering the path information Presentation Notes: Change management -- top of that continuum. Once you got the network in compliance, you want to keep it there. Skybox has a change management API where the customer can use their own third party ticketing system to plug in to our analysis engine or we can supply that interface. Either way we can help out with all of the common phases that a workflow process will go through. Two of the big areas where we can get a return on investment: 1. Path Analysis – huge time savings. For a given request, Skybox can show you exactly which firewalls need to be changed in seconds, without this kind of automation they can take anywhere from a couple of hours to couple of days to do this research, to figure out for a given the request what are the firewalls between point A and point B, which ones currently allow the access, and which ones need to be updated to allow that access, so we can do that in seconds, takes you long time if you do it on your own. 2. Risk Analysis – ensure security and compliance. For a given request, Skybox shows if it is going to violate security policy or expose the vulnerability to a new part of the network. To do that on your own, you would be digging through documents, which is time-consuming and error-prone.
- ADP