5 steps to reduce your window of vulnerability

Michelle Cobb, Vice President, Worldwide Marketing

Best Practices for Reducing Your Attack Surface: 5 Steps to Shrinking Your Window of Vulnerability

Upload: skybox-security

Post on 23-Jan-2017


TRANSCRIPT

Page 1: 5 Steps to Reduce Your Window of Vulnerability

Michelle Cobb, Vice President, Worldwide Marketing

Best Practices for Reducing Your Attack Surface: 5 Steps to Shrinking Your Window of Vulnerability

Page 2: 5 Steps to Reduce Your Window of Vulnerability

© 2015 Skybox Security Inc.

There Are No Silver Bullets in Security

96% of breaches avoidable through standard controls [1]

Page 3: 5 Steps to Reduce Your Window of Vulnerability


SANS 20 Critical Security Controls

1: Inventory of Devices   

2: Inventory of Software   

3: Secure Configurations for Hardware and Software on Computers  

4: Continuous Vulnerability Assessment and Remediation   

5: Malware Defenses  

6: Application Software Security   

7: Wireless Access Control  

8: Data Recovery Capability   

9: Security Skills Assessment and Training

10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11: Limitation and Control of Network Ports, Protocols, and Services

12: Controlled Use of Administrative Privileges

13: Boundary Defense

14: Maintenance, Monitoring, and Analysis of Audit Logs

15: Control Access Based on Need to Know

16: Account Monitoring and Control

17: Data Protection

18: Incident Response and Management

19: Secure Network Engineering

20: Penetration Testing

Page 4: 5 Steps to Reduce Your Window of Vulnerability


Step 1: Increase Your Understanding of Your Attack Surface

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

- Sun Tzu, The Art of War

SANS Critical Controls

1: Inventory of Devices

2: Inventory of Software

Page 10: 5 Steps to Reduce Your Window of Vulnerability

Your Attack Surface Has Many Layers

• Security Controls: Firewalls, IPS, VPNs
• Network Topology: Routers, Load Balancers, Switches
• Assets: Servers, Workstations, Networks
• Vulnerabilities: Location, Criticality
• Threats: Hackers, Insiders, Worms

Page 11: 5 Steps to Reduce Your Window of Vulnerability

Provide a Straight-Forward Representation

[Figure: network map of firewalls, an IPS, routers, a load balancer, partner and Internet networks, and internal zones, each labelled with its IP address or subnet]

Automatically created and maintained, interactive, normalized model of your network

Page 12: 5 Steps to Reduce Your Window of Vulnerability


It Might Not be as Easy as You Think

Page 13: 5 Steps to Reduce Your Window of Vulnerability

Step 2: Evaluate Critical Threats to Your Network

SANS Critical Controls

20: Penetration Testing

Page 14: 5 Steps to Reduce Your Window of Vulnerability

Traditional Means Are a Good Start

Penetration testing
– True test of network security
– Performed infrequently at preplanned time

Vulnerability scanning
– Detect vulnerabilities on a regular basis
– Lack network context

Page 18: 5 Steps to Reduce Your Window of Vulnerability

Virtual Penetration Testing

• Internet Hacker
• Compromised Partner
• Rogue Admin

Attack Vectors

Vulnerabilities
• CVE-2014-0160
• CVE-2014-0515
• CVE-2014-1776

Page 19: 5 Steps to Reduce Your Window of Vulnerability

Poll Question

Is your organization still dealing with the Heartbleed vulnerability?
– Yes
– No

Page 20: 5 Steps to Reduce Your Window of Vulnerability

Step 3: Stay on Top of New Threats

[2]

SANS Critical Controls

4: Continuous Vulnerability Assessment and Remediation

Page 21: 5 Steps to Reduce Your Window of Vulnerability

The Media is Playing a Role in Your Security

Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of CVE publication date [3]

Page 22: 5 Steps to Reduce Your Window of Vulnerability

Everyone Needs to Know the Answer Faster [4]

1. Scan more

2. Scan differently

Page 23: 5 Steps to Reduce Your Window of Vulnerability

Scanless Vulnerability Detection: Identify Vulnerabilities Without a Scan

[Diagram labels: Asset / Patch Management, Networking Devices, Active Scanner; Product Profiling; Product Catalog (CPE): OS version & patch level, application versions; Vulnerability Database; Vulnerability Deduction; Vulnerability List (CVE)]

Page 24: 5 Steps to Reduce Your Window of Vulnerability

Determine Impact of a New Threat in Hours

Typical scanner: 250 hosts/hour

Analytical Scan: 100,000 hosts/hour

Page 25: 5 Steps to Reduce Your Window of Vulnerability

Poll Question

How mature is your process for maintaining effective security controls (firewalls, IPSs, patching vulnerabilities)?
– We have a formal document and audited process to which we strictly adhere
– We have an undocumented informal process
– Process? Huh?

Page 26: 5 Steps to Reduce Your Window of Vulnerability

Step 4: Close Network Device Security Gaps

SANS Critical Controls

10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Page 28: 5 Steps to Reduce Your Window of Vulnerability

Monitor Firewalls and Network Devices for Security Gaps

Complete visibility of
– Hosts, devices, zones
– Firewall rules (ACLs)
– Routing, NAT, VPN

Analysis
– Risky access paths
– Access policy compliance
– Rule usage
– Platform configuration

Firewall allows port open from the internet

Page 29: 5 Steps to Reduce Your Window of Vulnerability

Improved Success Through Automation

| | Old Process | Automated Solution |
|---|---|---|
| Full firewall analysis | 2 - 4 days | Less than 1 hour |
| Per change analysis speed | 2 hours | 5 minutes |
| Analysis accuracy | 70% | 99% |
| Compliance audits | Annual, and VERY stressful | Daily or on-demand, automated, easy |
| Employee burnout | Measured in weeks! | None |
| Window of exposure | Days/months | Minutes/hours |
| Compliance process costs | Expensive | 80%+ reduction |

Page 30: 5 Steps to Reduce Your Window of Vulnerability

Identify Critical Unremediated Vulnerabilities

99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published [3]

Top Ten Most Exploited

1. CVE-2002-0012
2. CVE-2002-0013
3. CVE-1999-0517
4. CVE-2001-0540
5. CVE-2014-3566
6. CVE-2012-0152
7. CVE-2001-0680
8. CVE-2002-1054
9. CVE-2002-1931
10. CVE-2002-1932

Mitigation Options

• Patching
• Removal
• Configuration
• IPS
• Firewall rules

Page 31: 5 Steps to Reduce Your Window of Vulnerability

Step 5: Assess Risk of Planned Changes

Change Management - Optimize Workflow

• Technical Details
• Change Request
• Risk Assessment
• Change Implementation
• Reconcile and Verify

Automate the change management process

• Monitor changes
• Assess risk before change is made
• Identify devices involved
• Deliver access path information immediately
• Handle exceptions
• Reconcile changes

Page 32: 5 Steps to Reduce Your Window of Vulnerability

Skybox Product Portfolio

Skybox Platform
• Network model, security context, visualization, predictive analytics, workflow, reporting, dashboards, API
• Vulnerability and threat intelligence

Solutions
• Vulnerability & Threat Management
  – Vulnerability assessment and prioritization
  – Threat impact analysis
• Security Policy Management
  – Firewall assessment and optimization
  – Network compliance monitoring
  – Network change management

Scalable, Context-Aware, Automated, Actionable

Page 33: 5 Steps to Reduce Your Window of Vulnerability

Global 2000 Organizations Worldwide Choose Skybox Security

Financial Services, Technology, Healthcare, Government & Defense, Consumer, Service Providers, Energy & Utilities

Page 34: 5 Steps to Reduce Your Window of Vulnerability

Use Case: Vulnerability and Patch Management

• 26 countries
• 46 regulations
• 100,000+ vulnerabilities
• 1,000+ changes per day

Business Challenge
• Fragmented vulnerability and patch process
• Lack continuous monitoring and analysis

Skybox Solution
• Network Assurance and Vulnerability Control
• Map and analyze infrastructure in minutes
• Patch critical vulnerabilities in 1 day
• Reduce risk exposure

Page 35: 5 Steps to Reduce Your Window of Vulnerability

Use Case: Firewall Management and Compliance

Business Challenge
• Maintain continuous firewall compliance
• Reduce compliance costs
• 70 firewalls, 40,000 active firewall rules
• Manual firewall management, weeks to analyze

Skybox Solution
• Firewall Assurance
• Achieved daily compliance with ISO27001, SOX
• 20% productivity gain – security diagnosis in minutes
• Easy implementation of rule changes

Page 36: 5 Steps to Reduce Your Window of Vulnerability

Summary

1. Increase your understanding of your attack surface
– Achieve a holistic understanding of your network

2. Evaluate critical threats to your network
– Perform regular analysis to help prioritization

3. Stay on top of new threats
– Use methods of quick detection

4. Close network device security gaps
– Buy yourself time for future threats

5. Assess risk of proposed changes
– Don’t introduce future problems

Page 37: 5 Steps to Reduce Your Window of Vulnerability


Questions?

www.skyboxsecurity.com

Page 38: 5 Steps to Reduce Your Window of Vulnerability


References

1. Best Practices for Reducing Your Attack Surface

2. 2015 Skybox Enterprise Vulnerability Management Trends Report

3. Best Practices for Vulnerability Management

4. 2015 Verizon Data Breach Investigations Report