AUTOMATING THE 20 CRITICAL SECURITY CONTROLS

Transcription

1 AUTOMATING THE 20 CRITICAL SECURITY CONTROLS Wolfgang Kandek, CTO Qualys Session ID: Session Classification: SPO-T07 Intermediate

2 2012 the Year of Data Breaches

3 2013 continued in a similar Way

4 Background Open System Administration Channels Default and Weak Passwords End-user has Administrator Privileges Outdated Software Versions Non-hardened Configurations Flaws in System Administration

5 Solution 20 Critical Controls Owned by SANS with widespread industry expert input

6 Solution 20 Critical Controls Owned by SANS with widespread industry input

7 Solution 20 Critical Controls Owned by SANS with widespread industry expert input International participation

8 Solution 20 Critical Controls Owned by SANS with widespread industry input International participation

9 Solution 20 Critical Controls Owned by SANS with widespread industry input International participation

10 Solution 20 Critical Controls Owned by SANS with widespread industry input International participation Prioritized

11 Solution 20 Critical Controls Owned by SANS with widespread industry input International participation

12 Solution 20 Critical Controls Owned by SANS With widespread industry expert input International participation Prioritized Automation is critical to success

13 Solution 20 Critical Controls Owned by SANS with widespread industry input International participation Prioritized Automation is critical to success

14 Solution 20 Critical Controls Owned by SANS with widespread industry input International participation Prioritized Automation is critical to success 90 % Risk Reduction at US DoS 85 % Incident Reduction at DSD Australia

15 Solution

16 Qualys QualysGuard Vulnerability Management Policy Compliance Web Application Scanning PCI Malware Detection SaaS Solution Browser-based, Multi-tenant Public and Private Cloud Scanning, Reporting, Ticketing Extensive API

17 CC1: Hardware Inventory Asset Visibility Size of Network Machine Types Location

18 CC1: Hardware Inventory Asset Visibility Size of Network Machine Types Location

19 CC1: Hardware Inventory Asset Visibility Size of Network Machine Types Location

20 CC1: Hardware Inventory Asset Visibility Size of Network Machine Types Location New Equipment Detection Authorized Unauthorized

21 CC1: Hardware Inventory Asset Visibility Size of Network Machine Types Location New Equipment Detection Authorized Unauthorized

22 CC1: Hardware Inventory Automation Scans are scheduled Delta Reports are scheduled Reports can be ed Alerting on newly discovered hosts Via API Integration into Asset Management Systems Via API Coming: ticket generation on newly discovered hosts

23 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels Blacklisting

24 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels

25 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels Blacklisting Whitelisting

26 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels Blacklisting Whitelisting

27 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels Blacklisting Whitelisting Interactive Search

28 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels Blacklisting Whitelisting Interactive Search

29 CC2: Software Inventory Asset Visibility Operating Systems Applications Versions Patch Levels Blacklisting Whitelisting Interactive Search

30 CC2: Software Inventory Automation Scans are scheduled Reports are scheduled Reports can be ed Alerting on Exceptions Via API Integration into Asset Management Systems Via API Coming: Ticket generation on Exceptions

31 CC3: Secure Base Configurations Configuration Validation SCAP/FDCC

32 CC3: Secure Base Configurations Configuration Validation SCAP

33 CC3: Secure Base Configurations Configuration Validation SCAP/FDCC Cyberscope Reporting CIS

34 CC3: Secure Base Configurations Configuration Validation SCAP Cyberscope Reporting CIS

35 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning

36 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning

37 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning

38 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning

39 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning

40 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning

41 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning

42 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning Verify Patching

43 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning Verify Patching

44 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning Verify Patching Report on Unauthorized Services

45 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning Verify Patching Report on Unauthorized Services

46 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning Verify Patching Report on Unauthorized Services

47 CC4: Continuous Vulnerability Assessment/Remediation Weekly/Daily Scheduled Vulnerability Scanning Authenticated Scanning Verify Patching Report on Unauthorized Services

48 CC4: Continuous Vulnerability Assessment/Remediation Automation Scans are scheduled Reports are scheduled Reports are ed Alerting on Vulnerabilities Tickets for Vulnerabilities, Remediation SLA and Confirmation Integration into Asset Management Systems Via API

49 Other Critical Controls CC6: Application Software Security Automated Web Application Scans CC7: Wireless Device Controls Wireside Detection CC11: Control of Network Ports Scans and Reports for authorized and unauthorized Ports and Services CC16: Account Monitoring Controls for Admin accounts, password policies, account lockout settings

50 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE (Sep/12)/KB (Dec/12) Mitigated by use of EMET

51 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE (Sep/12)/KB (Dec/12) Mitigated by use of EMET

52 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE (Sep/12)/KB (Dec/12) Mitigated by use of EMET

53 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE (Sep/12)/KB (Dec/12) Mitigated by use of EMET

54 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE (Sep/12)/KB (Dec/12) Mitigated by use of EMET Audit the Deployment

55 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE Mitigated by use of EMET Audit the Deployment

56 Policy Dynamics Ability to add tactical controls Example: Recent Internet Explorer Vulnerabilities CVE (Sep/12)/KB (Dec/12) Mitigated by use of EMET Audit the Deployment User Defined Registry Check

57 Summary Functionality to assess Controls exist Automation available, but frequently API integrations is needed Offerings are improving with better workflow coming

58 Thank You Wolfgang