How To Manage A Network Security Risk

Transcription

1 Scanless Vulnerability Assessment: Skybox Security whitepaper July

2 Overview Vulnerability scanning, or the process of identifying a list of known security gaps in the network environment, is the focal point for most enterprise vulnerability management programs. Before any action can be taken to assess risks or prioritize vulnerabilities for remediation you have to know the extent of your vulnerability challenge. The use of vulnerability scanners as security assessment tools is nearly ubiquitous in large organizations. Regular network scans are recommended by security industry best practices and required by vulnerabilities have multiplied, the effectiveness of vulnerability scanning as a security management tool has declined. In a June 2012 Skybox Security survey, enterprise IT personnel reported several major challenges that limited their use of traditional active vulnerability scanning. Respondents indicated that there were concerns about disrupting critical business services due to the active probing of hosts; some hosts were not scannable due to their system characteristics or other factors; and security teams were often unable to keep up with the amount of analysis and remediation work necessary to resolve found issues. The sheer magnitude of the enterprise vulnerability problem is daunting. In today s enterprise-scale networks, scanners may identify tens of thousands or hundreds of thousands of vulnerabilities at once. Review and remediation efforts may take weeks. New vulnerabilities and threats are introduced daily. Simply put there is no way for most enterprises to examine, prioritize, and remediate vulnerabilities frequently enough, and over a large enough portion of the network infrastructure to bring risk level down on time, before exploitation. A next-generation approach is needed. A new approach to vulnerability management starts with the way vulnerabilities are discovered in the breaches if the organization can minimize both the risk exposure window, the amount of time between identifying a risk and resolving it, and the attack surface, the scope of all available attack vectors. To shrink the risk exposure window, the organization needs continuous visibility of risky attack vectors, frequency of vulnerability scans and remediation efforts is highly important. 2

3 To map out and then minimize the attack surface, the organization must have a comprehensive understanding of available attack vectors across the network, and identify those attack vectors that represent the greatest contribution to the size of the attack surface. So the coverage of vulnerability scans is important as well. And with the size of the extended enterprise network continuing to grow at an exponential pace, 50% scan coverage today might mean 0.5% coverage two years from now. The message is clear. The next-generation vulnerability management solution must include a discovery approach that supports frequent cycles to identify vulnerabilities, covering as much of the network as possible. Assume that you live in a huge home with dozens of doors and hundreds of windows. Break-ins are common, and you want to reduce the chance of theft. To protect against intruders, you check half of the doors on Wednesday, the other half on Friday, and the windows every other week. Sound effective? Of course not. Yet this is sadly similar to the round robin scheduling approach used for network vulnerability scans in many organizations. If frequency and coverage of scanning are so important to understanding and addressing vulnerabilities, why don t organizations just increase the amount of scanning they conduct, using the network vulnerability scanners already in place? The answer is that active scanning produces several bottlenecks in processes become unmanageable at large scale. A network vulnerability scanner, as the name implies, scans every host in the target network against thousands of scan signatures. A signature is typically a script that tests for the existence of one or a few vulnerabilities, by probing the host for information that would reveal whether this host is vulnerable to a certain attack. Sometimes the method of probing the host is essentially the same as an attack, testing the host directly to see if exploitation is truly possible. This can lead to serious disruption of critical business services. 3

4 To minimize the potential disruption, dangerous attack signatures that could lead to disruption are avoided, often in the most critical parts of production networks where 100% uptime is of supreme importance. The organization becomes blind to these attack vectors, or runs the more disruptive tests in very distinct test windows. Since the value of vulnerability knowledge decays quickly over time, due to the changes in the IT infrastructure, and the publication of many new vulnerabilities every day, infrequent testing for vulnerabilities is ineffective. 100% Gaining vulnerability knowledge while scanning Decay of vulnerability knowledge post scanning 50% Month 1 Month 2 Month 3 Time Figure 1 The value of vulnerability knowledge decays over time Sometimes, network access policies make it impossible to do a scan with access credentials. Nonauthenticated network scanning, i.e. attempting to probe the host without access credentials, is a lot less accurate. Non-authenticated scans result in a lot of false positives and false negatives, as less information about the host and potentially vulnerable services is available from the outside. 4

5 Now, let s consider the scale of the enterprise scanning job. For example, a single planned scan period targeting 1,000 hosts, to verify 1,000 vulnerability types may result in hundreds of thousands of individual tests. In a really large network with 100,000 hosts, testing against these 1,000 signatures would result in Therefore active scanning cannot be done too intensively or it can bog down network performance to unacceptable levels. Hosts Thousands of tests per host Testing Scripts Vulnerability Scanner Vulnerability Report 100K-1M x Figure 2 Vulnerability discovery with active scanning engine Many hosts cannot be scanned at all. The following are typical reasons: Hosts which are mission critical and can never be touched by an active scan Industrial controllers, smart grid controllers and other systems where standard scanning techniques are either not applicable, not available or not wanted due to sensitivity of those systems Mobile devices (BYOD) may come and go, so their IP address and topological location make them a Organizations may have limited rights to scan virtual machines hosted in a public cloud 5

6 Last but not least, the active scanning infrastructure required to have a complete coverage of the enterprise network may require a large footprint of scanners, which is costly to purchase, implement, and manage. This whitepaper refers to network vulnerability scanners, not application scanners. Application scanners use completely different techniques to identify vulnerabilities in software code. Even if the technology costs are addressed or absorbed by the organization, active scanners produce huge amounts of data with little context for accurate prioritization. Typical reports from an enterprise-level active scanning program may take a team of security analysts days or weeks to evaluate and determine appropriate response. Adding more people to evaluate more data from more active scans is not a scalable solution. Conducted in conjunction with Osterman Research, the Skybox Security Vulnerability Management Survey polled more than 100 IT decision makers including security managers, and network and systems engineers involved in vulnerability management processes. The companies surveyed ranged in size from 250 to 350,000 employees, with median size of 2,900 employees. Among the key takeaways: consider vulnerability management a priority 49 percent of companies have experienced a cyber attack leading to a service outage, unauthorized access to information, data breach, or damage over the past six months 40 percent of companies scan their DMZ monthly or less frequently Large organizations (more than 1,500 employees) tend to scan more frequently and with greater coverage of hosts compared to mid-size organizations (250-1,499 employees) Both large and mid-size organizations cite concerns about disruptions caused by active scanning and don t have the resources to analyze more frequent scan data as the top reasons for scanning less often than desired. Large organizations cite lack of patching resources and non-scannable hosts as 6

7 Most of the vulnerabilities in operating systems, middleware, and commercial applications covered by active scanners, can be deduced very accurately if there is detailed knowledge available of the systems and applications in use. For example, critical remote code execution vulnerability CVE has been found to occur on all Windows hosts with Java Runtime Environment (JRE) component in Oracle Java SE 6 Update 25 and earlier. It s easy to determine if this vulnerability exists if you know the detailed information about installed software. No need to actively probe with test signatures. In a recent analysis of corporate network vulnerability data, Skybox Security found that in organizations that are heavily reliant on Microsoft infrastructure for server and endpoints, substantially all of the vulnerability instances in the assessed networks were concentrated on few hundred software products/platforms. Furthermore, over 90% of the vulnerabilities were ones that could be accurately derived from granular knowledge of the operating system (including edition, patches, hardware, etc.), and details about all software products installed (including product version, patch level, special editions, etc.) In other words, if we have detailed knowledge of all products installed on the hosts in the network, then more than 90% of the vulnerabilities can be accurately discovered without an active scan. This is certainly not a new realization. There have been previous attempts at scanless vulnerability discovery, based on one-to-one mapping of product information to vulnerabilities. One-to-one mapping is too simplistic, and fails as an approach because: Vulnerability deduction requires very detailed product information that includes edition, major and minor versions, and patch level In many cases, vulnerability deduction requires consideration of more than one product to conclude the existence of a single vulnerability instance. In the example above using CVE , deducing whether this vulnerability exists requires consideration of both the operating system and the product installed the core of the Skybox s new Vulnerability Detector capability introduced in Skybox Vulnerability Control, formerly Risk Control. 7

8 information stored in system and security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment. Hosts Extraction Rules Library Vulnerability Deduction Rules Library System, Asset, or Patch Management 1. Product Profiling Product Catalog 2. Vulnerability Profiling Vulnerability List environment. The raw data is collected automatically from multiple data sources such as Microsoft Active Directory, Microsoft SCCM, WSUS, and patch management systems. Thousands of information extraction rules are then applied to translate strings, such as Microsoft Windows 7 Enterprise with MDOP 2011 R2, into a normalized product catalog which represents installed products, version information, patch level and more. accurate vulnerability data. We utilize a proprietary library of tens of thousands of logical rules, updated daily, to test the product catalog to determine if a set of pre-conditions for the existence of a vulnerability are met. The rules take multiple factors into account to deduce if a vulnerability truly exists in the environment. For example, a particular vulnerability may exist on a certain product, version, and patch level of Adobe Reader, but only when running in a particular operating system environment and in the presence or absence of other products or factors. 8

9 This results in a comprehensive and highly accurate product catalog and list of found vulnerabilities, compatible with MITRE s CPE and CVE standards, that can be updated automatically and continuously without requiring an active scan. ability deduction rules. The Skybox Security Content Labs team has developed an extensive library library ensure a very accurate vulnerability discovery process. vulnerability information in a non-disruptive and highly accurate manner. The data is retrieved from operational products that are already deployed and used by IT, such as: Microsoft Active Directory Microsoft Windows Server Update Service (WSUS) Network device managers Anti-virus software These management tools, already deployed in most enterprises, synchronize information about the network hosts and installed software products frequently, and therefore own an up-to-date picture of much of the typical network environment. That picture includes information on the operating system, the installed products and their version, installed patches, and missing patches. Skybox merges the information from multiple sources into a consolidated product catalog representing that organizations unique environments. A full list of supported products for Vulnerability Detector is available at supported-products-vulnerability-detector. 9

10 discovery technique minimizes network disruptions, can provide up-to-date vulnerability information stand the attack surface. When combined with other automated analytical capabilities in Skybox Vulnerability Control, organizations can effectively minimize the risk exposure window and effectively mitigate the most critical vulnerabilities before they can be exploited. Since Vulnerability Detector collects all of the information about hosts from existing system management solutions, no target host is ever probed or touched. This non-invasive vulnerability discovery technique does not disrupt the network or any business services, and does not negatively impact network performance. In addition, gaining access to a few centralized data than deploying active scanners throughout a network and gaining approvals to scan business-critical areas. These differences mean that deployment of the Skybox vulnerability discovery approach can take days, where deployment of active scanning can take weeks or months in a large organization with a complex network. On Microsoft s monthly Patch Tuesday, many new vulnerability types are published for Microsoft platforms and products. Active scanning for the new and sometimes critical vulnerabilities could or months due to limited approved scan windows. Patching everything is usually not an option for enterprise size networks, due to operating system standards, software dependencies and more. With ability types announced on Microsoft s Patch Tuesday can be done on the same Tuesday, without running any disruptive scanning. RDP is an analytic vulnerability discovery technique, and up-to-date source data can be collected and analyzed at any time in a matter of seconds or minutes. Skybox Vulnerability Control can be used to identify, analyze, and manage vulnerabilities on a daily basis, compared to a cycle of weeks or months to perform full scanning of an entire large enterprise network. 10

11 Another advantage of the RDP technique is the availability of comprehensive and up-to-date product catalog and vulnerability data to correlate against emerging threat intelligence. Early warning systems are most effective in identifying real hazards to the organization when they can assess the relevance of a new threat alert against accurate and timely data sources, without waiting for a full scan. 100% Skybox s RDP enables constant vulnerability knowledge Vulnerability Scanners Knowledge Decay Curve 50% Month 1 Month 2 Month 3 Time high-levels of frequency and coverage required for effective vulnerability management, continued use of network vulnerability scanners can extend coverage even further. Since network vulnerability scanners Vulnerability Control daily, and a network vulnerability scanner occasionally will achieve daily vulnerability management objectives covering 90% of vulnerabilities, and near-100% coverage of all vulnerability types through regular combination with active scan data. 11

12 Skybox s RDP enables constant vulnerability knowledge 100% 50% Month 1 Month 2 Month 3 Time For vulnerability management programs to succeed in lowering risk levels or preventing potential attacks, security teams need to reexamine the effectiveness of their vulnerability discovery approach. Identifying vulnerabilities on a frequent basis is critical to success, as is covering enough of the infrastructure to make a difference. Traditional active scanners may produce accurate results when applied, but may face challenges that limit their use in the network environment, such as access issues or disruption of critical services. therefore is not subject to the same concerns about disruption and access as a traditional vulnerability scanner. security management repositories into a detailed and accurate product catalog, and then accurately deduces a list of vulnerabilities present in the network environment. With this information, more than 90% of the vulnerabilities in a typical enterprise network can be accurately discovered, without an active scan. can extend vulnerability coverage. Skybox recommends using Vulnerability Control daily, either independently or in conjunction with a network vulnerability scanner, to achieve the high frequency and coverage necessary to reduce overall risk. 12

13 Next Steps Skybox Security provides the most powerful risk analytics for cyber security, giving security management and operations the tools they need to eliminate attack vectors and safeguard business data and services. Skybox solutions provide a context-aware view of the network and risks that drives effective vulnerability and threat management, firewall management, and continuous compliance monitoring. To learn more about Skybox Security s solution for vulnerability management, download the free trial at /trial. Additionally, you can contact your local Skybox Security representative at /contactus or view our demos at demos-videos. About Skybox Security Established in 2002 and headquartered in San Jose, California, Skybox Security is a privately held company with worldwide sales and support teams that serve an international customer base of Global 2000 enterprises and large government agencies. Skybox Security customers are some of the most security-conscious organizations in the world, with mission-critical global networks and pressing regulatory compliance requirements. Today, six of the top 10 global banks and six of the 10 largest NATO members use Skybox Security for automated, integrated security management solutions that lower risk exposure and optimize security management processes. 13 Skybox Security, Inc +1 (866) (408) Gateway Place, Suite 450, San Jose, CA Copyright 2014 Skybox Security, Inc. All rights reserved. Skybox is a trademarks of Skybox Security, Inc. All other registered or unregistered trademarks are the sole property of their respective owners. WP_NGVM_EN_