Continuous Monitoring with the 20 Critical Security Controls

Session ID: SPO1-W02
Wolfgang Kandek, CTO

Posted 25-Feb-2016 (upload: lynde), 46 pages


TRANSCRIPT

Page 1: Continuous Monitoring with the 20 Critical Security Controls

Session ID: SPO1-W02

Wolfgang Kandek, CTO

Page 2

#RSAC

We called 2013 the year of the data breach…

Page 3

…but 2014 started in much the same spirit…

Page 4

Background

- Open System Administration Channels
- Default and Weak Passwords
- End-user has Admin Privileges
- Outdated Software Versions

Page 5

Outdated Software Versions

[Chart: Vulnerability Breach Use Probability, by vulnerability category (EDB+MSP, Metasploit, Exploit DB, CVSS 10, Random); x-axis 0% to 35%]

Page 6

Background

- Open System Administration Channels
- Default and Weak Passwords
- End-user has Admin Privileges
- Outdated Software Versions
- Non-Hardened Configurations

=> Flaws in System Administration


Page 14

Solution

20 Critical Security Controls
- What works in Security?
- Owned by the Council on Cybersecurity
- With widespread industry expert input
- International Participation
- 5 Tenets

Page 15

5 Tenets of the 20 CSC

- Offense informs Defense
- Prioritization
- Metrics
- Continuous Diagnostics and Mitigation
- Automation



Page 20

Solution

20 Critical Security Controls
- What works in Security?
- Owned by the Council on Cybersecurity
- With widespread industry expert input
- International Participation
- 5 Tenets
- Prioritized
- Implementation Guidelines = Quick Wins, Visibility/Attribution, Configuration/Hygiene, Advanced


Page 22

Implementation Guidelines

- Quick Win 1 – Control 1 – HW Inventory: Implement an automated discovery engine (active/passive)
- Quick Win 3 – Control 2 – SW Inventory: Scan for deviations from the approved list
- Quick Win 3 – Control 3 – Secure Configurations: Limit admin privileges
- Quick Win 10 – Control 4 – Vulnerability Scanning: Risk rate by groups

Page 23

Implementation Guidelines

Measure Success
- Control 1: Detect new machines in 24 hours
- Control 1: How many unauthorized machines on the network?
- Control 2: How many unauthorized software packages installed?
- Control 3: Percentage of machines that do not run an approved image?
- Control 4: Percentage of machines not scanned recently (3d)?

Page 24

Implementing Quick Wins - Prototype

QualysGuard, API, PERL, Splunk
- Daily Authenticated Scan of Network
- Scripted API Access and Load


Page 26

Implementing Quick Wins - Prototype

Data loaded into Splunk:
- Logins – user, date, type
- Scans – user, date, type, target, duration
- Reports – user, date, type, duration, size
- Hosts – machine, date, active, fixed, severity counts, scores
- Vulnerabilities – id, severity, cvss, age
- Software – name, publisher
- Certificates – subject, valid date, signer, self-signed
- Ports – date, ports


Page 28

Implementing Quick Wins - Prototype

QualysGuard, API, PERL, Splunk
- Daily Authenticated Scan of Network
- Scripted API Access and Load
- Data Transformation in Scripts
  - Scoring – Dept. State CVSS-based
  - Data Promotion: Software, Patches, MAC address
- Splunk for Reports and Graphing

Page 29

CSC1 – HW Inventory – Quick Win 1

Deploy Asset Inventory Discovery Tool (active/passive)
- Goal: Discover new machines within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for new Machines
  ~ where the earliest scandate is within the last day



Page 34

CSC2 – SW Inventory – Quick Win 3

Discover Unauthorized Software
- Goal: Within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for new Server Ports
  ~ where the earliest scandate is within the last day
- Query Splunk for new Software

Page 35

CSC2 – SW Inventory – Quick Win 3

Discover Unauthorized Software
- Goal: Within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for new Software
  ~ where the earliest scandate is within the last day
- Can be Alerted On


Page 38

CSC3 – Secure Configuration

Automation: Discover Non-Standard Setups
- Goal: Within 24 hours
- Daily Active Scan of the Network -> Splunk
- Query Splunk for a certain Software Marker
  - Here: “Qualys Desktop Build”, a custom SW package that identifies our IT standard builds
- Can be Alerted On
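The CSC1 and CSC2 queries (new machines, new server ports and new software, each keyed on the earliest scandate being within the last day) and the CSC3 marker check, restated as Python over a constructed set of daily scan records. This is an added example, not the PERL/Splunk prototype from the deck; the record layout, IPs, dates and package names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: three days of authenticated scan results, one record per host per
# scan day (not the deck's data; IPs and package names are made up for this example).
SCANS = [
    {"ip": "10.0.0.5", "scandate": "2014-02-24", "ports": [22, 443],
     "software": ["OpenSSH", "Qualys Desktop Build"]},
    {"ip": "10.0.0.5", "scandate": "2014-02-25", "ports": [22, 443],
     "software": ["OpenSSH", "Qualys Desktop Build"]},
    {"ip": "10.0.0.5", "scandate": "2014-02-26", "ports": [22, 443, 3389],
     "software": ["OpenSSH", "Qualys Desktop Build", "RemoteAdminTool"]},
    {"ip": "10.0.0.9", "scandate": "2014-02-26", "ports": [80],
     "software": ["Apache"]},
]
NOW = datetime(2014, 2, 26, 12, 0)      # time the daily query runs (assumed)
WINDOW = timedelta(days=1)              # the deck's "within 24 hours" goal

def _first_seen(records, key):
    """Earliest scandate per key; key(record) yields the items one record contributes."""
    seen = {}
    for r in records:
        day = datetime.strptime(r["scandate"], "%Y-%m-%d")
        for k in key(r):
            if k not in seen or day < seen[k]:
                seen[k] = day
    return seen

def new_within(records, key, now=NOW, window=WINDOW):
    """Items whose earliest scandate falls inside the window, i.e. first seen today."""
    return sorted(k for k, d in _first_seen(records, key).items() if d >= now - window)

def new_hosts(records, now=NOW):          # CSC1: machines first seen in the last day
    return new_within(records, lambda r: [r["ip"]], now)

def new_server_ports(records, now=NOW):   # CSC2: (host, port) pairs first seen in the last day
    return new_within(records, lambda r: [(r["ip"], p) for p in r["ports"]], now)

def new_software(records, now=NOW):       # CSC2: (host, package) pairs first seen in the last day
    return new_within(records, lambda r: [(r["ip"], s) for s in r["software"]], now)

def non_standard_hosts(records, marker="Qualys Desktop Build"):
    """CSC3: hosts whose most recent scan lacks the standard-build marker package."""
    latest = {}
    for r in records:   # keep the newest record per host so the check reflects the current build
        if r["ip"] not in latest or r["scandate"] > latest[r["ip"]]["scandate"]:
            latest[r["ip"]] = r
    return sorted(ip for ip, r in latest.items() if marker not in r["software"])
```

Each function returns the list an alert would be raised on; a host that has been scanned for days but shows a port or package for the first time is reported without the host itself being reported as new.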


Page 41

Further Uses and Projects

- Plot Progress for a Machine
- Plot Progress for a Network


Page 43

Other Operational Reports

- Usage Reporting
- User Logins
- API Logins
- Reports
- Anomaly Detection
- GeoIP


Page 45

Beyond Prototyping

Continuous Monitoring
- Alert on Additions & Changes: Machines, Vulnerabilities, Ports, Certificates
- Simple Configuration

Page 46

Questions?

[email protected]
@wkandek
http://laws.qualys.com