Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management

Transcription

1 Scanless Vulnerability Assessment A Next-Generation Approach to Vulnerability Management

2 WHITEPAPER Overview Vulnerability scanning, or the process of identifying a list of known security gaps in the network environment, is the focal point for most enterprise vulnerability management programs. Before any action can be taken to assess risks or prioritize vulnerabilities for remediation, you have to know the extent of your vulnerability challenge. The use of vulnerability scanners as security assessment tools is nearly ubiquitous in large organizations. Regular network scans are recommended by security industry best practices and required by numerous regulations. However, as network infrastructures have grown more complex and identified vulnerabilities have multiplied, the effectiveness of vulnerability scanning as a security management tool has declined. In a July 2015 Skybox Security survey, enterprise IT personnel reported several major challenges that limited their use of traditional active vulnerability scanning. Respondents indicated that even with one or more active scanners, they are not able to respond to new vulnerabilities and threats quickly. Most lack the ability to prioritize accurately based on their network context. Blind spots left by unscannable devices and zones leave open risks, and false positives waste valuable time. The sheer magnitude of the enterprise vulnerability problem is daunting. In today s enterprise networks, scanners may identify tens of thousands or hundreds of thousands of vulnerabilities at once. Review and remediation efforts may take weeks, while new vulnerabilities and threats are introduced daily. Simply put there is no way for most enterprises to examine, prioritize and remediate vulnerabilities frequently enough; and, over a large enough portion of the network infrastructure, to bring risk level down on time, before exploitation. A next-generation approach is needed.

3 WHITEPAPER Contents Overview Achieving Broad and Frequent Vulnerability Discovery 4 6 The Active Scanning Bottleneck Business Costs and Management Time The New Approach to Vulnerability Discovery Finding Vulnerabilities Without an Active Scan Vulnerability Discovery with Rule-Driven Profiling (RDP) Data Sources for Product Profiling Benefits of Scanless Vulnerability Assessment Mixing Scanless Assessment and Active Scanning Approaches Summary About Skybox Security

4 Achieving Broad and Frequent Vulnerability Discovery WHITEPAPER A new approach to vulnerability management starts with the way vulnerabilities are discovered in the first place. Vulnerability management programs are only effective at preventing attacks and data breaches if the organization can minimize both the risk exposure window (the amount of time between identifying a risk and resolving it) and the attack surface (all the ways in which an enterprise s IT systems are vulnerable to threats). To shrink the risk exposure window, the organization needs continuous visibility of attack vectors, and must drive mitigation of the most important risks before an attacker exploits them first. This makes the frequency of vulnerability scans and remediation efforts is highly important. To map out and then minimize the attack surface, the organization must have a comprehensive understanding of available attack vectors across the network, and identify those attack vectors that contribute most to the size of the attack surface. This makes the coverage of vulnerability scans is important as well. And with enterprise networks continuing to grow at an exponential pace, 50 percent scan coverage today might mean 0.5 percent coverage two years from now. How effective is your scan approach? Assume that you live in a huge home with dozens of doors and hundreds of windows. Break-ins are common, and you want to reduce the chance of theft. To protect against intruders, you check half of the doors on Wednesday, the other half on Friday, and the windows every other week. Sound effective? Of course not. Yet this is sadly similar to the round robin scheduling approach used for network vulnerability scans in many organizations. The message is clear: the next-generation of vulnerability management must include a discovery approach that keeps pace with new vulnerabilities, threat updates and daily network changes and covers as much of the network as possible. The Active Scanning Bottleneck In vulnerability management, there exists a scanning conundrum. If up-to-date scanning that covers more systems is so important to understanding and responding to vulnerabilities, why don t organizations just run more scans? The answer, of course, is that active scanning produces several bottlenecks in the vulnerability management process that are extremely difficult and costly to resolve. On a large scale, active scanning processes become unmanageable. POTENTIAL DISRUPTION A network vulnerability scanner, as the name implies, scans every host in the target network against thousands of scan signatures. A signature is typically a script that tests for the existence of one or a few vulnerabilities, by probing the host for information that would reveal whether this host is vulnerable to a certain attack. Sometimes the method of probing the host is essentially the same as an attack, testing the host directly to see if exploitation is truly possible. This can lead to serious disruption of critical business services. To minimize the potential disruption, dangerous attack signatures that could lead to disruption are avoided, often in the most critical parts of production networks where 100 percent uptime is of supreme importance. The organization becomes 4

5 blind to these attack vectors, or runs the more disruptive tests in very distinct test windows. Due to the changes in the IT infrastructure and the publication of many new vulnerabilities every WHITEPAPER day, the value of vulnerability knowledge decays quickly over time, making infrequent vulnerability testing ineffective. 100% Gaining vulnerability knowledge while scanning Decay of vulnerability knowledge post-scanning 50% Time Month 1 Month 2 Month 3 FIGURE 1: THE VALUE OF VULNERABILITY KNOWLEDGE DECAYS OVER TIME Skybox Security ACCESS ISSUES Sometimes, network access policies make it impossible to do a scan with access credentials. Non- authenticated network scanning (i.e., attempting to probe the host without access credentials) is much less accurate. Non-authenticated scans result in a lot of false positives and false negatives, as less information about the host and potentially vulnerable services is available from the outside. Firewalls themselves can also pose a challenge to active scanners. If an active scan must pass through a firewall, the stateful inspection of the firewall might interfere with the scan. This can lead to disruption of the firewall operation or partial scan results. NETWORK TRAFFIC IMPACT Now, let s consider the scale of the enterprise scanning job. For example, a single planned scan period targeting 1,000 hosts, to verify 1,000 vulnerability types may result in hundreds of thousands of individual tests. In a really large network with 100,000 hosts, testing against these 1,000 signatures would result in 100 million tests. More tests mean more active network sessions, adding to the traffic load. Therefore active scanning can t done too intensively, or it can bog down network performance to unacceptable levels. 5

6 WHITEPAPER HOSTS TESTING SCRIPTS VULNERABILITY SCANNER VULNERABILITY REPORT FIGURE 2: VULNERABILITY DISCOVERY WITH ACTIVE SCANNING ENGINE Skybox Security NON-SCANNABLE HOSTS Many hosts can t be scanned at all for the following reasons: > > Mission critical hosts can never be touched by an active scan > > Industrial controllers, smart grid controllers and other systems where standard scanning techniques are either not applicable, not available or not wanted because of those systems sensitivity > > Mobile devices (BYOD) changing IP address and topological location make them a moving target and difficult to scan > > Organizations may have limited rights to scan virtual machines hosted in a public cloud Business Costs and Management Time Last but not least, the active scanning infrastructure required to have complete coverage of the enterprise network may require a large footprint of scanners, which is costly to purchase, implement and manage. Even if the technology costs are addressed or absorbed by the organization, active scanners produce huge amounts of data with little context for accurate prioritization. Typical reports from an enterprise-level active scanning program may take a team of security analysts days or weeks to evaluate and determine appropriate response. Adding more people to evaluate more data from more active scans is not a scalable solution. 6

7 WHITEPAPER 2015 Enterprise Vulnerability Management Trends Report The Skybox Vulnerability Management Trends Report polled nearly 1000 IT decision makers including C-level executives, security managers and network and systems engineers involved in vulnerability management processes. The companies surveyed ranged in size from less than 100 to more than 100,000 employees. The survey revealed: > > The two highest ranking potential vulnerability program improvements organizations seek are responding quickly to new threats and prioritizing risks more accurately based on network context > > Less than half of all CISOs reported that they were satisfied with their current vulnerability management program > > Most organizations currently scan monthly or less often, but ideally would like to scan weekly or even daily > > 36 percent of SMB respondents (1 99 employees) scan quarterly or less often. By contrast, 17 percent of enterprises with 5,000 and more employees scan quarterly or less frequently. The New Approach to Vulnerability Discovery Finding Vulnerabilities Without an Active Scan Most of the vulnerabilities in operating systems, middleware and commercial applications covered by active scanners, can be deduced very accurately if there is detailed knowledge available of the systems and applications in use. For example, critical remote code execution vulnerability CVE has been found to occur on all Windows hosts with Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier. It s easy to determine if this vulnerability exists if you know the detailed information about installed software. No need to actively probe with test signatures. In a recent analysis of corporate network vulnerability data, Skybox found that in organizations that are heavily reliant on Microsoft and Linux infrastructure for server and endpoints, substantially all of the vulnerability instances in the assessed networks were concentrated on few hundred software products/platforms. Furthermore, more than 90 percent of the vulnerabilities were ones that could be accurately derived from granular knowledge of the operating system (including edition, patches, hardware, etc.) and details about all software products installed (including product version, patch level, special editions, etc.). In other words, if we have detailed knowledge of all products installed on the hosts in the network, then more than 90 percent of the vulnerabilities can be accurately discovered without an active scan. This realization is nothing new. There have been previous attempts at scanless vulnerability discovery based on one-to-one mapping of product information to vulnerabilities. Oneto-one mapping is too simplistic and fails as an approach because: > > Vulnerability deduction requires very detailed product information that includes edition, major and minor versions and patch level 7

8 > > In many cases, vulnerability deduction requires consideration of more than one product to conclude the existence of a single vulnerability instance. In the example above using CVE , deducing whether this WHITEPAPER vulnerability exists requires consideration of both the operating system and the product installed Vulnerability Discovery with Rule-Driven Profiling (RDP) Both flaws of the old techniques can be overcome by utilizing a rule-driven profiling approach, which is the core of the Skybox Vulnerability Detector feature included in Skybox Vulnerability Control. Rule-driven profiling is a two-step process that converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment. HOSTS EXTRACTION RULES LIBRARY VULNERABILITY DETECTION RULES LIBRARY SYSTEM, ASSET OR PATCH MANAGEMENT SYSTEM PRODUCT PROFILING PRODUCT CATALOG VULNERABILITY PROFILING VULNERABILITY LIST FIGURE 2: VULNERABILITY DISCOVERY WITH RULE-DRIVEN PROFILING The first phase is called product profiling, which involves collecting, merging, and normalizing product configuration information into a comprehensive list of the systems and products installed in the network environment. The raw data is collected automatically from multiple data sources such as Microsoft SCCM, WSUS, RedHat Satellite, results from previous authorized scans and patch management systems. Thousands of information extraction rules are then applied to translate strings such as Microsoft Windows 7 Enterprise with MDOP 2011 R2 into a normalized Common Platform Enumeration (CPE), which Skybox Security represents installed products, version information, patch level and more. The second phase is called vulnerability profiling, which converts this CPE into accurate vulnerability data. We utilize a proprietary library of tens of thousands of logical rules contained in the Skybox Vulnerability Database (updated daily) to test the product catalog to determine if a set of pre-conditions for the existence of a vulnerability are met. The rules take multiple factors into account to deduce if a vulnerability truly exists in the environment. For example, a particular vulnerability 8

9 may exist on a certain product, version and patch level of Adobe Reader, but only when running in a particular operating system environment and in the presence or absence of other products or factors. This results in a comprehensive and highly accurate product catalog and list of found vulnerabilities compatible with MITRE s CPE and CVE standards that can be updated automatically and continuously without requiring an active scan. WHITEPAPER The accuracy of the RDP technique depends on the granularity of the product profiling and the vulnerability deduction rules. The Skybox Vulnerability Lab team has developed an extensive library containing tens of thousands of vulnerability profiling rules, and continuous updates to this content library ensure a very accurate vulnerability discovery process. Data Sources for Product Profiling Skybox leverages existing, authoritative network and host configuration data repositories to extract vulnerability information in a non-disruptive and highly accurate manner. The data is retrieved from operational products that are already deployed and used by IT and security organizations such as: > > Microsoft Active Directory > > Microsoft System Center Configuration Manager (SCCM) > > Microsoft Windows Server Update Service (WSUS) > > Configuration management databases (CMDB) > > Red Hat Satellite > > Previous authorized scan information > > Network devices > > Anti-virus software See a full list of products supported by Skybox Vulnerability Detector. These management tools, already deployed in most enterprises, synchronize information about the network hosts and installed software products frequently, and therefore own an up-todate picture of much of the typical network environment. That picture includes information on the operating system, the installed products and their versions, installed patches and missing patches. Skybox merges the information from multiple sources into a consolidated product catalog representing that organization s unique environments. Benefits of Scanless Vulnerability Assessment The use of scanless assessment to identify vulnerabilities has many benefits. This scanless vulnerability discovery technique minimizes network disruptions; can provide up-to-date vulnerability information quickly to respond to new threats; and can meet the levels of vulnerability identification frequency and coverage needed to understand the attack surface. When combined with other automated analytical capabilities in Skybox Vulnerability Control, organizations can effectively minimize the window of exposure and effectively mitigate the most critical vulnerabilities before they can be exploited. 9

10 MINIMIZES DISRUPTIONS Since Vulnerability Detector collects all of the information about hosts from existing system management solutions no target host is ever probed or touched. This non-invasive vulnerability discovery technique does not disrupt the network or any business services or negatively impact network performance. EASILY DEPLOYED In addition, gaining access to a few centralized data repositories already deployed is significantly easier than deploying active scanners throughout a network and gaining approvals to scan business-critical areas. These differences mean that deployment of the Skybox vulnerability discovery approach can take days, where deployment of active scanning can take weeks or months in a large organization with a complex network. CONTINUOUS MONITORING Scanless assessment is an analytic vulnerability discovery technique, and up-to-date source data can be collected and analyzed at any time in a matter of seconds or minutes. Skybox Vulnerability Control can be used to identify, analyze and manage vulnerabilities on a daily basis, compared to a cycle of weeks or months to perform full scanning of an entire large enterprise network. FAST THREAT RESPONSE Another advantage of the scanless assessment technique is the availability of comprehensive, up-to-date product catalogs and vulnerability data to correlate against emerging threat WHITEPAPER Next Generation Approach to Patch Tuesday On Microsoft s monthly patch Tuesday, many new vulnerability types are published for Microsoft platforms and products. Active scanning for the new and sometimes critical vulnerabilities could cause significant delay possibly weeks or months due to limited approved scan windows. Patching everything is usually not an option for enterprise-size networks, due to operating system standards, software dependencies and more. With scanless assessment, finding all instances of the vulnerability types announced on Microsoft s Patch Tuesday can be done on the same Tuesday, without running any disruptive scans. intelligence. Early warning systems are most effective in identifying real hazards to the organization when they can assess the relevance of a new threat alert against accurate and timely data sources, without waiting for a full scan. Mixing Scanless Assessment and Active Scanning Approaches While the scanless assessment technique within Skybox Vulnerability Control can identify vulnerabilities at the high-levels of frequency and coverage required for effective vulnerability management, continued use of network vulnerability scanners can extend coverage even further. Network vulnerability scanners may be used to probe hosts for specific attack patterns that cannot be detected by scanless assessment. Because of this capability, using Skybox Vulnerability Control daily and a network vulnerability scanner occasionally will achieve continuous vulnerability management objectives covering 90 percent of vulnerabilities and near-100 percent coverage of all vulnerability types through regular combination with active scan data. 10

11 Summary For vulnerability management programs to succeed in lowering risk levels or preventing potential attacks, security teams need to reexamine the effectiveness of their vulnerability discovery approach. Identifying vulnerabilities on a frequent basis and responding quickly to new threats is critical to success, as is covering enough of the infrastructure to make a difference. Traditional active scanners may produce accurate results when applied, but may face challenges that limit their use in the network environment, such as access issues or disruption of critical services. Scanless assessment is a two-step process that does not rely on active scanning technologies, and, therefore, is not subject to the same concerns about disruption and access as a traditional vulnerability scanner. Scanless assessment converts the product configuration and description information stored in system and security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment. With this information, more than 90 percent of the vulnerabilities in a typical enterprise network can be accurately discovered without an active scan. When the high frequency of scanless assessment is combined with active scanning, scanless assessment can fill in the vulnerability information between monthly or quarterly active scans, and extend vulnerability coverage to previously unscannable systems. Skybox recommends using Vulnerability Control daily, either independently or in conjunction with a network vulnerability scanner, to reduce overall risk and have the intelligence needed to respond to new threats at any time. About Skybox Security Skybox arms security teams with a powerful set of security management solutions that extract insight from traditionally siloed data to give unprecedented visibility of the attack surface, including all Indicators of Exposure (IOEs). With Skybox, security leaders can quickly and accurately prioritize and address vulnerabilities and threat exposures. info@skyboxsecurity.com Copyright 2016 Skybox Security, Inc. All rights reserved. Skybox is a trademark of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners.