Protect Critical Assets with Virtual Patching

Transcription

1 Protect Critical Assets with Virtual Patching Closing the vulnerability window using predictive threat protection

2 Table of Contents Vulnerabilities Lead to Risk Exposure and Downtime Out-of-band patching....3 Change Management Approaches....4 Reactive change management....4 Proactive change management....4 Virtual patching...4 The McAfee Virtual Patching Solution: Layered Security Risk Management....5 McAfee Network Security Platform McAfee Vulnerability Manager....5 McAfee epolicy Orchestrator....6 McAfee Enterprise Security Manager....6 Deployment options....7 Improved protection through McAfee Global Threat Intelligence (McAfee GTI)...7 Virtual Patching (A Step-by-Step Guide)....8 Step 1: Deploy McAfee Network Security Platform...8 Step 2: Scan your entire network for vulnerabilities...8 Step 3: Assess your organization s risk posture based on vulnerability scans and deployed countermeasures...8 Step 4: Enable additional vulnerability protections in McAfee Security Platform...9 Trust Intel Security...10 Protect Critical Assets with Virtual Patching 2

3 IT organizations have grown accustomed to underfunded budgets, low staffing levels, and lack of IT security expertise. Unfortunately, they have also grown accustomed to unpatched vulnerabilities, compromised security, and the higher risks and costs that result. Virtual patching using predictive threat coverage, automated vulnerability scanning, and risk visualization is a scalable and cost-effective approach to protecting critical assets. It enhances your patch and change-management processes while significantly reducing security administration costs. Vulnerabilities Lead to Risk Exposure and Downtime. As long as there is software, there will be software vulnerabilities. Each year, IT organizations face thousands of common vulnerabilities and exposures (CVEs) across hundreds of servers and thousands of clients. Microsoft alone announced 488 CVEs in 2014, of which 391 (80%) were classified as highest severity. Wherever you find vulnerabilities occurring at this scale, you will also find malware and criminal exploits. Cybercriminals are introducing new spyware, viruses, Trojans, worms, and other malware at alarming rates. The total number of malware samples in the McAfee Labs zoo grew by 17% in Q4 2014, with more than six new threats appearing every second. While both vulnerabilities and malware are increasing, most IT organizations face ever-tightening IT budgets and limited staffing to combat these cybercrimes. Patching is a critical part of fighting malware and data theft, but it is also time-consuming, costly, and unpredictable. Vulnerability announcements and patch releases arrive constantly, creating inevitable gaps between unscheduled revelations and scheduled patch processes. When the interval from discovery to patch deployment lengthens, a window of opportunity opens with a panoramic exposure to risk, exploitation, and loss. The roll call of organizations that have paid the high price of delayed patch distribution grows longer every month, with new victims from every industry sector: retail, healthcare, financial services, entertainment, and government. Out-of-band patching To address critical vulnerabilities, IT organizations must frequently deploy patches out of band. This is disruptive and carries its own risks, including unplanned downtime, service interruptions, lost productivity, overtime expense, and even system crashes due to insufficient testing. The operational costs and revenue loss can hit the organization s bottom line hard. For example, the Conficker worm alone had an economic impact of $9.1 billion according to ZDNet. 1 Neither the risks of unpatched systems nor the high costs of frequent, unscheduled patching operations are acceptable. IT organizations need a more efficient way to manage vulnerability-driven change. Protect Critical Assets with Virtual Patching 3

4 How to Deal with the Culture of No in Patching Practice Gartner analysts Andrew Lerner and Jeremy D Hoinne describe a dozen widespread worst practices that often reduce network availability, increase risks and costs, and alienate end users. Number two in their dirty dozen is something they call the culture of no. It s an elitist, dictatorial approach to security implementation and enforcement that ignores legitimate business needs. As an example, the authors cite patch processes that force immediate system reboots with no option for users to defer or postpone the interruption of their work. Too often, this results in a subculture of security bypass that increases the organization s overall risk. 2 Change Management Approaches The available approaches to managing change in vulnerable systems fall into three categories: reactive, proactive, and virtual. Reactive change management Reactive change management is essentially the failure to plan for change and impose order on the change process. Patches are tested and applied whenever vendors release them. Some call it the patching fire drill. Companies that operate this way waste considerable time, effort, and money and they leave themselves open to attack. They have no concept of out-of-band patching, as nothing ever seems to be patched according to a regular cycle. They also have no comprehensive way to prioritize patches, relying almost exclusively on operating system (OS) and application vendors patch releases to dictate patch schedules. As a result, critical CVEs are given immediate priority, as the IT department has little or no visibility into its actual vulnerabilities or the threats that target its network. Proactive change management In contrast to the reactive, after-the-fact fire drill way of patching, proactive change management puts processes in place ahead of time and sticks to a predictive patch cycle based on typical vendor patch release schedules. Organizations in this category typically schedule patch deployment when it s most beneficial for the business (after hours or on weekends, when critical system use and network traffic are typically low). Client systems are often patched on a weekly or bi-weekly basis, application servers on a monthly basis, and critical database infrastructure on a quarterly basis. Even with proactive change management, these organizations rarely have a consolidated view into the number and severity of system vulnerabilities, and any connection between network vulnerabilities and looming threats is the result of manual correlation efforts. Organizations with proactive change management processes are still exposed to the risks and operational perils of out-of-band patching, and typically don t have the means to increase scheduled patching intervals. Virtual patching The third way to handle change management is virtual patching a complement to proactive change management. Virtual patching uses proven security technologies to protect you from emerging threats until you can actually patch the targeted vulnerabilities through normal processes. It reduces the fire drill mentality of patch management, streamlining operations and reducing costs. Virtual patching is particularly useful in reducing the need for frequent, out-ofband patch cycles. Technologies that help assist virtual patching include the following: Vulnerability scanning that discovers vulnerabilities on every device, application, operating system, IP address, and URL associated with your network. Risk assessment tools that combine threat, vulnerability, and countermeasure information to pinpoint assets that are truly at risk and prioritize security activities. Network intrusion prevention systems (IPSs) that monitor network traffic and block malicious activity. Enterprise security consoles that cull all the data from the above systems to provide a real-time view of network security and allow integrated operation of these interrelated systems from one centralized point. Protect Critical Assets with Virtual Patching 4

5 Reactive Change Management Proactive Change Management Virtual Patching + Proactive Change Management Efficiency Inefficient; lots of wasted effort More efficient Highly efficient On-cycle patching Not practiced Yes Yes Out-of-band patching N/A Required for critical updates Eliminated, reducing costs Quantifiable risk exposure No No Yes Effect on risk posture Limited Better, but companies still face enormous risk Best, risk is greatly reduced Window of exposure to critical vulnerabilities Wide open Days or even weeks Hours Overall risk mitigation strategy Keep fingers crossed Actively try to safeguard IT infrastructure Table 1. Implications of the three change-management methods. Close vulnerability window by employing multilayer security and systematic patching The McAfee Virtual Patching Solution: Layered Security Risk Management Virtual patching is more than a temporary fix; it s a fundamentally sound approach to ensuring security by enhancing your patch and change-management processes while reducing system exposure. The virtual patching solution from McAfee, a part of Intel Security, provides a layered approach to security risk management while adding the ability to apply a virtual patching strategy to your existing change-management process. It combines proven defenses and security insight with realtime threat intelligence to help close the vulnerability window until patching can occur through your regular change-management processes. McAfee virtual patching integrates McAfee Network Security Platform, McAfee Vulnerability Manager, and McAfee Enterprise Security Manager to provide comprehensive risk assessment and rapid remediation for vulnerable systems. McAfee Network Security Platform McAfee Network Security Platform provides integrated network and systems security, including industry-leading intrusion detection and prevention. Its predictive security engine combines anomaly detection and cloud-based threat intelligence with more traditional signature-based defenses that allow you to prevent attacks on vulnerable systems. McAfee Network Security Platform not only detects suspicious network intrusions, it also blocks malicious attacks before they can inflict harm through the use of vulnerability-based signatures and real-time threat information with McAfee Global Threat Intelligence. To further facilitate virtual patching, McAfee Network Security Platform allows you to quarantine suspect or vulnerable systems, protecting other network resources until patches can be created, tested, and deployed during your regular patch cycle. McAfee Vulnerability Manager McAfee Vulnerability Manager scans all your network assets for vulnerabilities and identifies risk exposures and policy violations. By prioritizing vulnerabilities, McAfee Vulnerability Manager improves IT efficiency, providing an attractive ROI while accelerating critical patch deployment. Once vulnerabilities are identified, McAfee Vulnerability Manager helps you identify the most critical remediation and patching needs quickly and accurately. Through standards-based scoring, you can run targeted scans on critical assets and determine whether appropriate protection is in place. Protect Critical Assets with Virtual Patching 5

6 McAfee Global Threat Intelligence (McAfee GTI) McAfee GTI is based on: More than 100 million nodes deployed around the globe. 112 reputation servers in seven data centers. More than 100 billion queries each month from all threat vectors: file, web, message, and network. The most comprehensive set of threat intelligence services in the market file reputation, web reputation, web categorization, message reputation, and network connection reputation. McAfee epolicy Orchestrator The McAfee epolicy Orchestrator (McAfee epo ) platform is a centralized security management solution that unifies security policy and execution across endpoints, networks, data, and compliance solutions from McAfee and third-party software providers. It provides a dashboard view of the security environment with drill-down views that reveal granular details of threats and compliance issues as they relate to specific assets. It collects host information via multiple discovery techniques and provides automated system management and configuration control to streamline threat remediation. McAfee Enterprise Security Manager McAfee Enterprise Security Manager is a revolutionary security information and event management (SIEM) solution that delivers actionable insight into the security state of a network and all the systems, applications, networking components, and security controls that reside on it. McAfee Enterprise Security Manager collects and correlates billions of log events and flow data in a highly tuned database, keeping years of information available for ad hoc queries, forensic analysis, rules validation, and compliance reporting. Results are delivered in seconds or minutes, not hours, providing real-time situational awareness at the speed and scale necessary to detect critical events, direct intelligent response, and enable continuous compliance. Beginning with version 9.5, McAfee Enterprise Security Manager includes a new threat management module that incorporates much of the functionality previously developed within McAfee Risk Manager. This module serves as the nerve center of our virtual patching solution. When activated and configured, the threat management module collects vulnerability information (CVEs) from McAfee Vulnerability Manager (and many third-party vulnerability scanners), as well as real-time threat feeds from McAfee Global Threat Intelligence. It correlates open CVEs and emerging threats against inventories of current assets and available security countermeasures, which it acquires from McAfee epo software. The module then calculates the risk posed by each threat and vulnerability, and prioritizes the available countermeasures for deployment. Figure 2. The threat management module in McAfee Enterprise Security Manager collects, correlates, prioritizes, and displays threat and vulnerability information.. Protect Critical Assets with Virtual Patching 6

7 Reducing Malware Risk for the City of Chicago The City of Chicago s new Information Security Office (ISO) recently implemented an integrated set of Intel Security solutions, including McAfee Vulnerability Manager, to secure the city s critical IT infrastructure. With the improvements in patch management and validation provided by McAfee Vulnerability Manager, the tuning we ve done to [McAfee] VirusScan on the endpoints, and improvements to our scanning schedule, I can say that we ve been able to reduce identified malware in our environment by more than 2,000%, says Chief Information Security Officer Arlen McMillan. With McAfee Vulnerability Manager checking that patches were deployed effectively, in addition to the ad hoc and pinpointed vulnerability checks it performs against critical systems, we ve been able to reduce malware incidents from tens of thousands to practically none. 3 Deployment options Deploying the complete virtual patching solution set provides the highest levels of visibility, value, automation, and protection. We recommend a complete solution deployment as a best practice. Some customers, however, may choose to build their virtual patching solution in incremental steps: McAfee Network Security Platform, with its award-winning intrusion protection system, provides essential baseline coverage for all vulnerable systems on a network segment Adding McAfee Vulnerability Manager improves your risk posture and operational efficiency by directing your patching and security efforts at those systems with the most risk Completing the solution with McAfee Enterprise Security Manager and McAfee epo software technology takes the guesswork completely out of the equation, allowing you to identify exactly which systems need coverage and which defense mechanisms to put in place Improved protection through McAfee Global Threat Intelligence (McAfee GTI) In addition to signature-based defenses, McAfee Network Security Platform also includes realtime, reputation-based protection. McAfee GTI helps protect users against malware that is often downloaded by unsuspecting users when they visit compromised websites. With real-time protection through McAfee GTI, McAfee Network Security Platform protects your networks against more than 300 million malware samples. Simply turn on McAfee GTI in the McAfee Network Security Manager console to unlock the power of cloud-based security. McAfee GTI offers the industry s most comprehensive, real-time protection against both known and emerging threats across all key threat vectors file, web, , and network. This cloud-based threat intelligence service spans the Internet, using millions of sensors to continually gather realworld threat information. McAfee GTI understands the reputation of a file, website, IP address, and sender over time and correlates this reputation-based information with advanced threat protection techniques for accurate, real-time insight of both known and emerging electronic threats. This superior threat intelligence is delivered via the complete suite of Intel Security products, effectively compressing customers protection gaps from days to seconds and often protecting them in a predictive manner. Comprehensive protection reduces incident probability, lowers costs associated with incident remediation, and ensures a better security posture. Real-time collection, analysis, and distribution of threat intelligence compress the protection window from days and hours to seconds and milliseconds, and, in many cases, provide predictive protection. Integration into our products reduces administration overhead while providing complete, consistent coverage. By delivering real-time threat insight and superior protection, McAfee GTI allows companies to adopt innovative patch management strategies such as virtual patching. Protect Critical Assets with Virtual Patching 7

8 Virtual Patching (A Step-by-Step Guide) The following process assumes all products in the previous scenario have been deployed. Step 1: Deploy McAfee Network Security Platform As stated earlier in this paper, virtual patching hinges on the intrusion prevention capabilities of the McAfee Network Security Platform. The first step is to strategically deploy network security to protect critical assets in relevant network segments. Start with network perimeters, data center edges, and between security enclaves and zones within the data center. This provides baseline coverage against attacks launched both from external sources as well as within the network. Additionally, McAfee Network Security Platform supports next-generation network architectures, including virtualization capabilities that provide flexibility to cover both physical and virtual network segments with unique policies. Step 2: Scan your entire network for vulnerabilities McAfee Vulnerability Manager installs on your physical or virtualized hardware and is also available as a hardened appliance. Delivering unrivaled scalability, McAfee Vulnerability Manager canvasses everything on your network smartphones, printers, rogue devices, forgotten VMware hosts, and everything in between including applications, operating systems, and version numbers. If it has an IP address, McAfee Vulnerability Manager can discover and scan it. For instance, on Patch Tuesdays, you can quickly decide which machines might be affected by a new Microsoft Windows or Adobe vulnerability. In minutes, without rescanning your entire network, McAfee Vulnerability Manager visualizes and ranks the risk potential of new threats based on existing configuration data and risk scores. In addition to standards-based scoring, patented McAfee Foundscore risk assessment technology uses a unique algorithm to calculate risk. It takes into account asset criticality, risk rating for discovered vulnerabilities, resource type, and other variables to deliver a usable risk grading. You can then select assets based on criticality. Just right-click to run an instant targeted scan on each system. While the scans run, McAfee Vulnerability Manager shows you every system s software configuration and confirms whether or not appropriate intrusion prevention is in place. Conclusive evidence such as expected and actual scan results, any systems not scanned, and any failed scans documents that specific systems are not vulnerable, which is an increasingly common audit requirement these days. Step 3: Assess your organization s risk posture based on vulnerability scans and deployed countermeasures The threat management module in McAfee Enterprise Security Manager correlates threat feeds from McAfee GTI with your vulnerability and countermeasure information. By doing so, it delivers an immediate assessment of the assets that are at risk within your organization as well as recommended remediation and subsequent patching steps. You instantly get details about a threat, its severity, and the risk it presents, allowing you to prioritize your remediation efforts according to an asset s value. McAfee Enterprise Security Manager also delivers a quantifiable risk score, allowing an organization to determine and chart the level of risk over time. It enables you to chart your vulnerability profile and pinpoint where to focus your security efforts. It displays At risk and Not at risk summaries, then allows you to drill into specific details. Once all vulnerabilities, threats, and countermeasures have been identified and prioritized, the McAfee epo console can be used to push out any required.dat or other files to out-of-date systems. Protect Critical Assets with Virtual Patching 8

9 Figure 3. The threat management module in McAfee Enterprise Security Manager shows you exactly which assets in your environment are most at risk. Step 4: Enable additional vulnerability protections in McAfee Security Platform Out of the box, McAfee Network Security Platform offers better protection levels than most vendors tuned protection levels. In fact, in an NSS Labs Data Center IPS report, McAfee Network Security Platform blocked 99.2% of threats using its out-of-the-box Recommended policy settings, and 99.6% of threat after minimal tuning. 4 With the help of McAfee Vulnerability Manager and McAfee Enterprise Security Manager, organizations can easily and quickly identify any gaps in vulnerability coverage and recommend the appropriate countermeasures. For example, they can activate the appropriate vulnerability-based signatures to protect against the latest vulnerabilities and threats, and eliminate the risk exposure until IT can appropriately patch the systems during the next regularly scheduled patch cycle. By using McAfee Network Security Platform, organizations are typically covered within hours of (if not prior to) vulnerability announcements through predictive threat coverage and McAfee Labs rapid release of vulnerability signatures. To simplify this process, the threat management module in McAfee Enterprise Security Manager indicates which signatures are required to ensure protection and whether you have them in place. If you don t have a required signature, you can always download it through the McAfee Network Security Platform console with a simple right-click function. Note, however, that deploying every conceivable signature can reduce network performance and result in false positives (blocking legitimate network traffic). That s why it s best practice to only deploy the optimal collection of signatures, which McAfee Enterprise Security Manager helps you identify. Protect Critical Assets with Virtual Patching 9

10 Trust Intel Security Intel Security provides a robust portfolio of security products that work together via seamless integrations. As such, it offers the industry s most comprehensive security management platform, delivering proactive risk management, integration with business operations, and coordinated security defenses. When you deploy Intel Security solutions in your IT infrastructure, you gain: Situational awareness: Monitor, manage, and report on risk management metrics to reduce threat detection and response times, focus security efforts and investments, and reduce costs. Shared intelligence: Coordinate defenses across your security layers, so that endpoints, networks, , web, and data layers all work together to minimize or eliminate security attacks. Global heterogeneous protection: Manage security of any device, data, network, application, or database across hosted, cloud, SaaS, and on-premises as well as virtual or physical environments. Open platform: Integrate security into existing business processes by tying systems and change management frameworks into a centralized security operation. Ready for More? For more information on how the Intel Security products in this paper can improve your change management process, see the following product pages: McAfee Network Security Platform: Control your vulnerability risk by locking down the perimeter. Visit McAfee Vulnerability Manager: Get the visibility you need to find and prioritize endpoint vulnerability. Visit McAfee Enterprise Security Manager: Assess risk and threats across the organization with enterprise-wide correlation. Visit About Intel Security McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security combines the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security s mission is to give everyone the confidence to live and work safely and securely in the digital world Source: 2. Source: Avoid these Dirty Dozen network security worst practices Source: McAfee. Part of Intel Security Mission College Boulevard Santa Clara, CA Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2014 McAfee, Inc wp_virtual-patching_0415