1
Strategies to Address SANS Critical Controls 10 and 11 - Secure Configurations and Control of Network Devices
John Pescatore, SANS
Michelle Johnson Cobb, Skybox Security
Brian Kelly, Skybox Security
2
Making Security Advances During Turbulent Times
• Prevent more, detect faster, respond more effectively
• Third party connections are increasingly targeted
• How to implement security zones without impacting business?
• Misconfigured security controls worse than no controls at all
3
Disrupting the Breach Chain
Source: SecurityIntelligence.com
4
Target Breach Lessons Learned
• Why could HVAC contractors see POS systems/servers?
○ Zoning
• Why could PoS system malware talk to server?
○ Application control policies
• Why could internal file server talk to external world?
○ All of the above
• Usual reasons:
○ Segmentation broke apps or sys admin
○ Policy was changed “temporarily”
5
The Critical Security Controls History
• 2008 – NSA “Consensus Audit Guidelines”
• 2009 – Center for Strategic and International Studies publishes the “20 Critical Security Controls”
• 2011 – SANS takes over stewardship
• 2013 – Council on Cybersecurity formed
• 2015 – Critical Security Controls and Council become part of the Center for Internet Security (MS-ISAC)
6
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
7
Critical Security Controls V6 Draft
 #  Critical Security Controls Version 5.1      Critical Security Controls Draft 6.0
 1  Inventory of Auth/Unauth Devices            Inventory of Auth/Unauth Devices
 2  Inventory of Auth/Unauth Software           Inventory of Auth/Unauth Software
 3  Secure Configurations for HW/SW             Secure Configurations for HW/SW
 4  Continuous Vulnerability Assessment         Continuous Vulnerability Assessment
 5  Malware Defenses                            Controlled Use of Admin Privileges
 6  Application/Software Security               Maint, Monitor, Analysis of Audit Logs
 7  Wireless Access Control                     Email/Browser Security (new)
 8  Data Recovery                               Malware Defenses
 9  Security Skills                             Limitation/Control of Ports
10  Secure Configurations for Network HW        Data Recovery
8
Critical Security Controls V6 Draft (continued)
 #  Critical Security Controls Version 5.1      Critical Security Controls Draft 6.0
11  Limitation/Control of Ports                 Secure Configurations for Network HW
12  Controlled Use of Admin Privileges          Boundary Defenses
13  Boundary Defenses                           Data Protection
14  Maint, Monitor, Analysis of Audit Logs      Controlled Access/Need to Know
15  Controlled Access/Need to Know              Wireless Access Control
16  Account Monitoring and Control              Account Monitoring and Control
17  Data Protection                             Security Skills
18  Incident Response and Management            Application and Software Security
19  Secure Network Engineering                  Incident Response and Management
20  Penetration Test/Red Team Exercises         Penetration Test/Red Team Exercises
9
Continuous Processes
[Diagram: a continuous vulnerability management life cycle. Phases: Policy, Baseline, Assess Risk, Shield/Mitigate, Eliminate Root Cause, Monitor/Report. Inputs: Threats, Regulations, Requirements, OTT Dictates. Activities: Discovery/Inventory, Vuln Assessment/Pen Test, Secure Configuration. Technologies listed: FW/IPS, Anti-malware, NAC, Patch Management, Config Management, Change Management, Software Vuln Test, Training, Network Arch, Privilege Mgmt, SIEM, Security Analytics, Incident Response.]
10
Bottom Line: Avoiding Self Inflicted Wounds
• Zoning or segmenting the network is Security 101
• Flat networks are usually the path of least resistance
• Reducing attack apertures without impacting business flows requires
○ Next Generation Firewall/Application Aware Policies
○ Accurate and timely inventory
○ Rapid reaction to both change requests and alerts
○ Repeatable, scalable policy management processes and governance
Michelle Johnson Cobb
VP, Worldwide Marketing
Using a Model of the Attack Surface to Address SANS Critical Controls 10 & 11
© 2015 Skybox Security Inc. 12
Skybox Security Overview
• Powerful platform uses attack surface visibility and intelligence to address:
– Firewall and change management
– Network visibility and compliance
– Vulnerability and threat management
• Over 500 Global 2000 Customers
Risk Analytics for Cyber Security
© 2015 Skybox Security Inc. 13
Challenges implementing Controls 10 & 11
• Problem 1: Tons of Vendors
• Problem 2: Complex Rulesets
• Problem 3: Changes

• 500 network devices
• 25,000 FW rules
• 1,000 IPS signatures
• 55,000 nodes
• 65 daily network changes
• Infrastructure spanning three continents

• Will a change introduce a new exposure?
• Are IPS signatures up to date?
• Impact of new vulnerabilities on network devices, hosts?
© 2015 Skybox Security Inc. 14
How do you analyze complex data?
Meteorology:
Climate models
Aerospace:
Flight simulators
Information Security
© 2015 Skybox Security Inc. 15
How do you analyze complex data?
Meteorology:
Climate models
Aerospace:
Flight simulators
Information Security:
Attack surface model
© 2015 Skybox Security Inc. 16
Gain Visibility of the Attack Surface
(Slides 16 to 21 build up the layers below one at a time.)
ASSETS
• Servers
• Workstations
• Networks
SECURITY CONTROLS
• Firewalls
• IPS
• VPNs
NETWORK TOPOLOGY
• Routers
• Load Balancers
• Switches
VULNERABILITIES
• Location
• Criticality
THREATS
• Hackers
• Insiders
• Worms
© 2015 Skybox Security Inc. 22
Critical Security Control 10
“Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”
© 2015 Skybox Security Inc. 23
Analytics to Maintain Secure Configurations
• Firewall rule analysis
• Platform configuration checks
• Network compliance
• Path visualization
• Rule optimization
• Change planning
• Rule lifecycle management
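The rule analysis, rule optimization and network compliance items above (and the shadowed-rule and broken-segmentation problems the speaker notes raise for Control 10) can be made concrete with a small first-match rule analyzer. This is an added example written for this page, not Skybox code or anything shown in the webcast; the Rule format, the sample rules, the zone CIDRs and the zoning policy are all constructed for illustration. The first sample rule plays the role of the "temporary" change the deck warns about: it is never rolled back, so the deny that follows it can never fire.

```python
"""Firewall rule analysis for Control 10 (added example, not Skybox code).
The Rule format, sample rules, zone CIDRs and zone policy are constructed."""
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    ports: tuple = ANY_PORT  # inclusive destination port range

    def covers(self, other):
        """True if every flow `other` would match is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1])

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])


def find_shadowed(rules):
    """First-match semantics: a rule completely covered by an earlier rule can never
    fire. Returns (rule, shadowing_rule, same_action). same_action=False is the
    dangerous case: a later deny silently overridden by an earlier allow."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name, earlier.action == rule.action))
                break
    return found


def first_match(rules, src_ip, dst_ip, port, default="deny"):
    """Decision the ruleset makes for one flow (implicit default deny at the end)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, rule.name
    return default, "implicit-default"


def check_zone_policy(rules, zones, policy, probe_ports=(22, 80, 443, 445, 3389)):
    """Segmentation compliance: policy lists (src_zone, dst_zone, expected_action).
    A representative host from each zone is probed on a few ports; every flow
    whose decision differs from the policy is reported as a violation."""
    violations = []
    for src_zone, dst_zone, expected in policy:
        src_ip = str(next(ipaddress.ip_network(zones[src_zone]).hosts()))
        dst_ip = str(next(ipaddress.ip_network(zones[dst_zone]).hosts()))
        for port in probe_ports:
            action, rule_name = first_match(rules, src_ip, dst_ip, port)
            if action != expected:
                violations.append((src_zone, dst_zone, port, rule_name))
    return violations


# Constructed sample ruleset. The first rule is the kind of "temporary" change
# the deck warns about; it silently overrides the deny that follows it.
SAMPLE_RULES = [
    Rule("temp-vendor-any", "allow", "10.50.0.0/16", "10.0.0.0/8"),
    Rule("deny-vendor-to-pos", "deny", "10.50.0.0/16", "10.20.0.0/24"),
    Rule("allow-vendor-hvac", "allow", "10.50.0.0/16", "10.40.0.0/24", (443, 443)),
    Rule("allow-pos-to-db", "allow", "10.20.0.0/24", "10.30.0.10/32", (5432, 5432)),
]
ZONES = {"vendor": "10.50.0.0/16", "pos": "10.20.0.0/24", "hvac": "10.40.0.0/24"}
# Zoning policy: the contractor network must never reach POS, and POS must not initiate to vendors.
POLICY = [("vendor", "pos", "deny"), ("pos", "vendor", "deny")]


def audit(rules=SAMPLE_RULES, zones=ZONES, policy=POLICY):
    return {"shadowed": find_shadowed(rules),
            "policy_violations": check_zone_policy(rules, zones, policy)}


if __name__ == "__main__":
    report = audit()
    for name, by, same in report["shadowed"]:
        kind = "dead rule" if same else "OVERRIDDEN (opposite action)"
        print(f"{name} is shadowed by {by}: {kind}")
    for src, dst, port, by in report["policy_violations"]:
        print(f"policy violation: {src} -> {dst} port {port} decided by {by}")
```

Running the audit on the sample reports both shadowed rules and five vendor-to-POS policy violations, all decided by temp-vendor-any; removing that one rule clears every finding, which is the "rapid reaction to change" loop the deck asks for, done on the rulebase rather than by waiting for an alert. A production analyzer would also have to model NAT, dynamic routing and multiple devices along a path, which the speaker notes list as the reasons a per-device check is not enough.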
© 2015 Skybox Security Inc. 24
Critical Security Control 11
“Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.”
© 2015 Skybox Security Inc. 25
Attack Simulation to Find and Minimize Risks
(Slides 25 to 27 build up the steps below.)
Steps: Visualize; Correlate, Prioritize; Understand Controls; Identify Attack Vectors
Exploitable Vulnerabilities: CVE-1234, CVE-0123, MS12074, CVE-4567, CVE-5678
Understand Controls: Security Controls, Access paths, Policy violations, Unauthorized changes
Identify Attack Vectors: High-risk vector
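The simulation the slides and the speaker notes describe (threat origins placed at ingress points and inside the network, every vulnerability tested for reachability through the access policy, and the simulation restarted from each host that is compromised so that indirectly exposed vulnerabilities are found too) can be sketched as a breadth-first search over a network model. This is an added example written for this page, not Skybox's implementation or anything from the webcast; the zones, hosts, access policy and vulnerability identifiers are constructed placeholders, and the depth value generalizes the notes' direct/indirect distinction (1 = directly exposed to an origin, more = reachable only by pivoting).

```python
"""Attack simulation over a network model (added example, not Skybox code).
Zones, hosts, the access policy and the vulnerability ids below are
constructed placeholders for the walkthrough."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str
    critical: bool = False
    # exploitable service per listening port -> placeholder vulnerability id
    vulns: dict = field(default_factory=dict)


def reachable(access, src_zone, dst_zone, port):
    """Does the modeled firewall policy let traffic from src_zone reach dst_zone on port?"""
    return (src_zone, dst_zone, port) in access or (src_zone, dst_zone, "any") in access


def simulate(hosts, access, origins):
    """Breadth-first attack simulation on the model, not on the live network.

    origins maps a threat-origin name to the zone it sits in (internet ingress,
    a vendor VPN pool, an insider on the corporate LAN ...). Every host whose
    exploitable service is reachable from a current foothold is marked
    compromised and becomes a new foothold. Returns {host: (depth, path)} where
    depth 1 means directly exposed to an origin and depth > 1 means reachable
    only by pivoting through already compromised hosts."""
    compromised = {}
    queue = deque((name, zone, 0, [name]) for name, zone in origins.items())
    while queue:
        foothold, zone, depth, path = queue.popleft()
        for h in hosts:
            if h.name in compromised or h.name == foothold:
                continue
            for port, vuln in h.vulns.items():
                if reachable(access, zone, h.zone, port):
                    step = path + [f"{h.name}:{port}/{vuln}"]
                    compromised[h.name] = (depth + 1, step)
                    queue.append((h.name, h.zone, depth + 1, step))
                    break
    return compromised


def high_risk_vectors(hosts, result):
    """Attack vectors that end on critical assets, shortest first."""
    critical = {h.name for h in hosts if h.critical}
    hits = [(name, depth, path) for name, (depth, path) in result.items() if name in critical]
    return sorted(hits, key=lambda t: t[1])


# Constructed model, loosely following the zoning questions asked about the Target breach.
HOSTS = [
    Host("vendor-portal", "dmz", vulns={443: "VULN-PLACEHOLDER-A"}),
    Host("hvac-gateway", "vendor_vpn", vulns={22: "VULN-PLACEHOLDER-B"}),
    Host("file-server", "corp", vulns={445: "VULN-PLACEHOLDER-C"}),
    Host("pos-terminal-01", "pos", critical=True, vulns={445: "VULN-PLACEHOLDER-D"}),
    Host("db-server", "corp", critical=True),          # no exploitable service modeled
]

# (src_zone, dst_zone, port) flows the firewalls allow; "any" = all ports
ACCESS_BASELINE = {
    ("internet", "dmz", 443),
    ("dmz", "corp", 445),          # the "temporary" change nobody rolled back
    ("vendor_vpn", "corp", 445),   # contractor VPN pool can reach corporate file shares
    ("corp", "pos", "any"),        # flat network between corporate LAN and POS zone
}
# Remediation candidate to evaluate before touching the live network.
ACCESS_REMEDIATED = ACCESS_BASELINE - {("dmz", "corp", 445)}

INTERNET_ORIGIN = {"internet-attacker": "internet"}
VENDOR_ORIGIN = {"compromised-vendor-laptop": "vendor_vpn"}


if __name__ == "__main__":
    scenarios = [("baseline", ACCESS_BASELINE, INTERNET_ORIGIN),
                 ("remediated", ACCESS_REMEDIATED, INTERNET_ORIGIN),
                 ("remediated, vendor origin", ACCESS_REMEDIATED, VENDOR_ORIGIN)]
    for label, access, origins in scenarios:
        result = simulate(HOSTS, access, origins)
        print(f"== {label}: {len(result)} host(s) compromised")
        for name, depth, path in high_risk_vectors(HOSTS, result):
            print(f"  high-risk vector to {name} (depth {depth}): {' -> '.join(path)}")
```

In the baseline the POS terminal is reachable from the internet only at depth 3, through the DMZ portal and the corporate file server; dropping the single DMZ-to-corp SMB flow removes that vector entirely, while a threat origin in the vendor VPN pool still reaches POS at depth 2, which is why a model should be re-run from several origins rather than once from the perimeter (the "ongoing operational use" point made for Control 11).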
Brian Kelly
Sales Engineer
Demo: Security Policy Management with Skybox
29
30
Resources
• SANS: https://www.sans.org/webcasts/archive
• Critical Security Controls – http://www.counciloncybersecurity.org/critical-controls/
• SANS Events: https://www.sans.org/security-training/by-location/all
• Questions: q@sans.org
• @John_Pescatore
• Skybox Security - Best Practices for Network Security: http://www.skyboxsecurity.com/resources/best-practice-4-steps-more-automated-adaptable-network-security-management#.VgOgY8tVikp
31
Acknowledgements
Thanks to our sponsor:
And to our attendees:
Thank you for joining us today

Using a Network Model to Address SANS Critical Controls 10 and 11


Editor's Notes

  • #10 Gartner's vulnerability management life cycle defines the operational processes and technologies that are needed to discover and remediate security weaknesses before they are exploited. Policies that define a secure IT infrastructure are used as the reference for a baseline to discover vulnerabilities and security configuration policy compliance issues. Security weaknesses should be assessed with respect to the vulnerability, the current threat environment and the business use of the asset to prioritize the shielding and remediation tasks that follow. Remediation is facilitated through cross-organizational processes and workflow. Remediation activity is also driven through monitoring of privileged user access, of compliance with technical controls and for new vulnerabilities. Vulnerability management operationally implements a subset of the controls that are defined within a security program. The life cycle implements many of the basic security controls that auditors seek when evaluating compliance. Organizations that take the extra step of mapping the policies that are implemented by vulnerability management to control standards and best practices can strengthen their posture with auditors and reduce the cost of compliance reporting through automation. Action Item: Link vulnerability management and compliance projects to ensure that compliance spending results in lower security operations costs and a more secure environment. Action Item: IT security organizations must work with IT operations to develop and implement the operational processes that are needed for effective vulnerability mitigation.
  • #13 Skybox Security has a software platform that uses analytics to give you comprehensive information about your organization’s attack surface. That knowledge is crucial to solving everyday security problems in an accurate and actionable manner. Our solutions are used for firewall management, network compliance, vulnerability management, and more. We believe that continuous visibility of the attack surface is critical; that to get this visibility you have to combine a lot of data about your network and endpoints, sometimes from dozens of vendor systems; that analytics are a must to solve complex information security challenges; and that once you have the intelligence, you need to work it into regular security processes, automating security management at every step in order to stay ahead of attacks.
  • #14 Safe to say, that if implementing the Critical Controls were easy, we wouldn’t be having this webcast. First, you need to make sure all of your devices are configured – according to security best practices, according to vendor recommended configurations. And you have lots of vendors. Devices that speak different languages, or require the Cisco expert, or the Juniper expert to be on hand to decipher what’s what. Even if the device configurations are maintained to meet Control 10, the sheer size or complexity, or both, of most enterprise networks makes analysis of device configurations, rules, and changes a complex nightmare. And you need to keep up with changes – changes that may impact compliance with policy, or interfere with intended protection. Logical checks on a device by device basis aren’t enough, because it’s a complex system we are talking about. A necessary firewall rule can be shadowed by other rules, an improperly configured device can render your segmentation strategy ineffective.
  • #15 So what are your options for automating this kind of data analysis challenge? This is not a trivial issue. But it’s one that has been solved in other industries. When you are looking for a system that handles heavy-duty analysis of interactions of complex variables, you might think of climate models, flight simulation, maybe the Google self-driving car. All deal with visualization and gleaning intelligence from complex data. In information security, the comparable model is an attack surface model. If you can create an effective model of your attack surface – of all of the attack vectors facing your organization, you can use that knowledge to answer a lot of questions. “Is there an attack vector caused by this misconfiguration?” If not, I might not care about it. I could consider whether the size of the attack surface grows over time, showing we are getting worse at controlling network security risks.
  • #17 Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions: massive amount of data to correlate and combinations of factors to consider; complex, heterogeneous data (the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface); fast-changing; network context sensitive; time context sensitive. This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time: is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
  • #23 The part of the Skybox security suite that I’ll be discussing today fits squarely in Critical Security Control 4.
  • #24 Benefit – topology intelligence and network context – use knowledge of what the firewall is protecting, use knowledge of paths, of available security controls. Rule analysis – normalized data for more consistent checks. Platform config checks – is there an issue with the device itself, like the operating system of the router or switch missing a patch. Network compliance – access, zones, regulatory. Path visualization – step by step understanding of accessible or blocked paths, find all ACLs, routing rules. Pay attention to NAT, dynamic routing, authenticated rules. Rule optimization – normalize data; automate all tasks – data collection, analysis, reporting; policy compliance analysis; access analysis and troubleshooting; find unused rules; eliminates potential attack scenarios; optimize the rulebase; improves firewall performance; produce reports; demonstrate compliance on-demand; documenting changes.
  • #25 Ongoing operational use – which means a one-time pen test is not enough. But a model and simulation allows you to check ongoing operational use very well – just re-run the model when you want to update the assessment.
  • #26 Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions:
○ Massive amount of data to correlate and combinations of factors to consider
○ Complex, heterogeneous data – the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface
○ Fast-changing
○ Network context sensitive
○ Time context sensitive
This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time: is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map, bringing in vulnerabilities; we model threat origins, virtual bad guys, not only inside the network but outside the network as well, such as rogue administrators, disgruntled employees and especially compromised workstations. Customers often want to understand the reachability of a compromised workstation: if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing.
When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities.
Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are placed at ingress points of the network as well as inside, to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network, past firewalls and IPSs, to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in a global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
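The simulation loop these notes describe, as an added illustration that is not Skybox code and does not claim to be the product's algorithm: a constructed three-asset model with zone firewall rules and two threat origins, where every compromised host becomes a new origin so direct and indirect exposure are reported separately. All asset names, zones, ports and rules below are constructed.

```python
from collections import deque

# Constructed sample model (an assumption for this example, not Skybox data):
# each asset sits in a zone and exposes one vulnerable service port; firewall
# rules list the ports allowed between zones; same-zone traffic is unfiltered.
ASSETS = {
    "hvac-portal": {"zone": "dmz",  "vuln_port": 443, "critical": False},
    "pos-server":  {"zone": "pos",  "vuln_port": 445, "critical": True},
    "fileserver":  {"zone": "corp", "vuln_port": 445, "critical": True},
}
FW_RULES = {  # (src_zone, dst_zone) -> destination ports the firewall permits
    ("internet", "dmz"): {443},
    ("dmz", "pos"): {445},   # the kind of "temporary" rule that breaks zoning
    ("corp", "pos"): {445},
}
THREAT_ORIGINS = {"internet", "corp"}  # external attacker and rogue insider


def path_allowed(src_zone, dst_zone, port, rules):
    """Can the traffic needed to exploit `port` move from src_zone to dst_zone?"""
    return src_zone == dst_zone or port in rules.get((src_zone, dst_zone), set())


def simulate(assets=ASSETS, origins=THREAT_ORIGINS, rules=FW_RULES):
    """Run the simulation on the model: from every threat origin try every
    vulnerability; each newly compromised host becomes a new origin, which
    separates directly exposed assets from indirectly exposed ones."""
    exposure = {name: {"direct": set(), "indirect": set()} for name in assets}
    queue = deque((zone, None) for zone in origins)  # (attack-from zone, via host)
    compromised = set()
    while queue:
        zone, via = queue.popleft()
        for name, a in assets.items():
            if name == via or not path_allowed(zone, a["zone"], a["vuln_port"], rules):
                continue
            if via is None:
                exposure[name]["direct"].add(zone)
            else:
                exposure[name]["indirect"].add(via)
            if name not in compromised:  # re-run the simulation from this host
                compromised.add(name)
                queue.append((a["zone"], name))
    return exposure


def risk_report(exposure, assets=ASSETS):
    """Critical assets that at least one simulated attack reached, and how."""
    return {n: e for n, e in exposure.items()
            if assets[n]["critical"] and (e["direct"] or e["indirect"])}
```

Dropping the `("dmz", "pos")` rule and re-running `simulate` shows the POS server is no longer reachable from the Internet-facing portal, which is the kind of re-run the notes recommend instead of a one-time pen test.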
  • #27 Script: same notes as #26.
  • #28 Script: same notes as #26.
  • #29 Skybox Security PPT Template May 2014