What a Vulnerability Assessment Scanner Can't Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options


White Paper
What a Vulnerability Assessment Scanner Can't Tell You
Leveraging Network Context to Prioritize Remediation Efforts and Identify Options
November 2011
RedSeal Networks, Inc Freedom Circle, Suite 800, Santa Clara, Tel (408) Toll Free (888)

Contents
Introduction
Vulnerability Management Requirements
The RedSeal Networks Approach
Determine Which Actions Provide Greatest Security Improvement
Conclusion

Introduction

Vulnerability management is crucial to network security and its importance will continue to grow. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations cannot afford to neglect vulnerability management and still expect to maintain system availability and protect sensitive data. As part of a defense-in-depth security strategy, you must take a proactive approach: vulnerabilities and weaknesses must be identified and addressed before security issues arise.

Most organizations deploy network vulnerability assessment scans that enable the security team to identify networked devices, applications, and vulnerabilities. This is accomplished by scanning the IP addresses of an organization's network segments to identify open network ports and the associated application and operating system. The scanner probes the open ports, determines the patch level and configuration of applications and operating systems, and identifies the vulnerabilities present. The end product is a list of reachable hosts and network devices with their operating attributes, including running services, software and operating system versions, and vulnerabilities.

While this identifies the network vulnerabilities present, the raw data is limited. Key challenges remain:

Difficulty prioritizing meaningful remediation efforts. The raw data generated by scanners creates a phone-book listing of up to tens of thousands of vulnerabilities. Organizations can filter by host attribute such as OS version level, by application type such as SQLNet, or by vulnerability attribute such as severity. Still, looking at a filtered list makes it hard to demonstrate how addressing those vulnerabilities is actually improving security.

Limited remediation options. Scan results are host-centric. They don't correlate or understand the relationships between assets. So the only option for remediation is to install a software patch or make a host configuration change. Patching is expensive. It requires the host to be taken off-line to apply the patch. What's more, if the host can't be patched or the configuration change can't be made, little else can actually be done.

Organizations are realizing that vulnerability assessment scanners provide only the view of the vulnerabilities accessible to them. Also, multiple scanners are often deployed throughout the network, and network access policies are altered to grant the scanners wider access. This architecture makes it extremely difficult to understand how a given vulnerability may be exposed to a threat source or, if deeper within the network, may be exposed to other attackable hosts.

There are, however, products that (a) enable the identification of which network vulnerabilities pose a threat to the enterprise, (b) efficiently prioritize remediation efforts, and (c) represent a choice of multiple remediation options. This paper examines the current state of vulnerability management, how it has evolved, and how the addition of key concepts is improving the security and business landscape. It will explain how the correct solution can be a powerful and cost-effective tool to preemptively identify and remediate the most important vulnerabilities in the network. Further, it will show:

Why analyzing vulnerabilities in the context of the network is necessary for prioritizing vulnerability remediation and determining all options beyond patching and configuration changes.

How to determine the optimum security decision, whether patching, configuration change, deploying compensating controls, altering the network access policies or even re-architecting the network.

Vulnerability Management Requirements

Identifying the most important vulnerabilities to remediate

To ensure that your remediation efforts do the most to improve security, you must first identify the vulnerabilities posing the greatest threat. Suppose 1,000 hosts were scanned and an average of five vulnerabilities were found on each. A total of 5,000 vulnerabilities need to be reviewed, and the best action to reduce the risk of impact to the business must be identified. Since it is unrealistic to remediate all 5,000, it is essential to accurately prioritize the vulnerabilities by the risk to your business, not to the device/host.

Many organizations take a host-centric approach to prioritizing vulnerabilities. Often the vulnerabilities are sorted by severity. Using the example of 5,000 vulnerabilities, suppose the scan found 1,000 high-, 1,500 medium-, and 2,500 low-severity vulnerabilities. Additional filtering or grouping can be done based on application, operating system, or even business unit. Once these vulnerabilities have been sorted, you review the list to determine which vulnerabilities to fix. Considerations may include:

Severity of the vulnerability: Is the severity of the vulnerability so high that it needs to be patched immediately? Is it worth taking the server down or spending the time to implement the patch? Can the vulnerability be easily exploited? Could an attacker easily gain administrator access to the server?

Regulatory implications: Is the host under regulatory requirements with regard to security? Is there an explicit regulatory requirement to patch the vulnerability?

Business impact: If exploited, would the vulnerability affect system availability or performance?

While this approach seems logical, it reveals little insight into what will actually improve security because it looks at the problem using limited data. It does not see the enterprise as a whole. Insufficient consideration is given to how the hosts are interconnected and what is reachable from untrusted networks. In other words, more questions need answers: Is the vulnerable host exposed to an untrusted network? Should the host be exposed to the untrusted network? Is the vulnerable host reachable from a weak upstream host? Should the host be protected by a firewall? Bottom line: you must see the enterprise network as the sum of its parts, and that requires a view beyond individual devices.

Protecting hosts exposed to untrusted networks

The top priority: secure hosts exposed to untrusted networks because, to attackers, they are nothing but doors to your network. The most important but often the most overlooked step of vulnerability management is to determine if the host should be exposed in the first place. Often, due to configuration drift, network changes, and hosts or services being brought up and shut down, hosts are inadvertently exposed to the untrusted network. A second problem is that scanning the public IP address space of an enterprise only identifies the hosts directly exposed to the Internet, which is just one of many untrusted networks today. Others to consider:

Extranet networks: Most enterprises today have multiple connections to a variety of business partners (outsourcing, supply chain and co-development, to name a few). Since these connections provide a pathway into your network and are controlled by a third party, it is essential to secure any exposed host.

Internal end-user networks: In the last few years much focus has been placed on insider threats to sensitive data. Malicious employees, contractors and malware constitute legitimate threats today. Indeed, any network where end users actively operate is a possible source of attack.

Wireless networks: Simply based on the lack of physical control inherent in wireless networks, it is important to consider the possibility of an attacker gaining access via these networks. Even PCI specifically calls out the need to segment valuable assets from wireless networks.

VPN networks: Remote end users often connect to enterprises using some form of VPN technology (IPSec, SSL, etc.). Usually the user is utilizing a third-party network such as a home Internet connection or hotel wireless network to initiate their VPN connection. A third-party network cannot be considered trusted.

It would be extremely difficult and burdensome to the network to perform a vulnerability scan from every possible entry or untrusted network access point. The ideal vulnerability management solution is one that dynamically identifies untrusted network segments and reveals hosts exposed to those networks. The host vulnerability data can then be prioritized according to what is exposed to the untrusted networks. Exposed hosts can be determined by analyzing the various network access policies controlling traffic between untrusted and trusted networks. Here, computer automation is invaluable.

Once you identify the directly exposed hosts, a series of questions must be answered to further prioritize remediation efforts. First, determine whether the host is exposed incorrectly, that is, whether there is no business or technical requirement for it to be exposed. Most often an incorrectly exposed host is the result of a misconfigured access policy on a router or firewall, or access was opened to troubleshoot an issue and the administrator forgot to go back and close it. The final step is to analyze the network to determine the level of access the directly exposed hosts have to other hosts and vulnerabilities deeper in the network. This analysis is important, as it enables understanding how much of a threat one exposed host is compared to another.

For example, suppose you analyzed the access of two exposed hosts, A and B, to the untrusted network. Exposed host A has a vulnerability that enables an attacker to jump to another host deeper in the network. Host A also has a vulnerability that would enable an attacker to leapfrog to a regulated database deep in the network, which contains sensitive customer data. The other exposed host, B, has the same vulnerability, but its leapfrog target is an internal test server and has no consequence to the business. Perhaps A is part of a legacy network and is no longer used, but it is directly exposed to the untrusted network, has a leapfrog vulnerability and can reach a critical, regulated data repository. Clearly, host A presents a higher risk to the business than host B does. Now you know which host to remediate first.

Find the most effective and realistic way to remediate the vulnerability

Vulnerability assessment may begin with good intentions, but the fact is that little remediation work occurs after a scan of the network. Even when a vulnerability is identified, remediation is rare. For example, the security team might scan some of the company's most valuable assets, sort the results by severity and review the vulnerabilities. They find a severe vulnerability on the company's primary database, where the most sensitive information, such as credit card numbers or intellectual property, is stored. If this vulnerability is exploited, the attacker would gain administrator access to the data. The security team quickly alerts the database administrator of its presence. At this point, remediation comes to a halt. Why? Because the database administrator's top priority is to maintain availability of the database. Since remediation often involves installing a patch and incurring downtime, it is directly contradictory to the administrator's number-one priority. The company loses money every minute the database is unavailable. There may even be service level agreements in place that require a specific level of availability.

Given the position that the database administrator is in, reluctance to remediate is understandable. A common reason to dismiss the vulnerability is that the database sits deep within the network, behind one or more firewalls, reducing the chances of the vulnerability being exploited. This all amounts to a case of insufficient information for understanding the implications of the vulnerability and the threat it poses.

But what if the security team could demonstrate the magnitude of the threat and how exploitable the vulnerability actually is? What if the team could prove that, despite the database being deep within the network, an upstream host with a pivotable vulnerability could be compromised by exposure to an untrusted network? Because the security team doesn't take the network into consideration when prioritizing vulnerabilities, perhaps the database administrator is correct and there is a low chance of the vulnerability being exploited. Perhaps, due to a misconfiguration or the network changing over time, the database got exposed to an untrusted network. In this case, the security team is correct in identifying the database as being at risk but still fails to understand that the exposure could be mitigated by patching the host exposed to the untrusted network (or by filtering traffic between the database and the upstream host if the current network access is deemed unnecessary for business).
The above example reveals two major challenges faced by security teams when trying to remediate vulnerabilities: (1) an inability to understand and communicate how much of a threat a vulnerability is to the organization and (2) an inability to recognize all possible remediation options. Without an understanding of the network it is impossible to initiate action and identify the most appropriate remediation steps. By analyzing vulnerabilities in the context of the network, security teams can be much more effective at communicating the level of risk that a vulnerability poses and make more informed decisions about proper remediation.

Inadequate understanding of the network leaves security teams with two options for remediation: (1) install a software patch that addresses the vulnerability or (2) simply disable the vulnerable service on the host. These options are extremely host-centric, with the latter requiring costly downtime. Compare that to the additional remediation options available with comprehensive network understanding:

Network ACL change: There are cases where vulnerable hosts are incorrectly exposed. In that case, remediation may be as simple as having the network team make a change to an ACL on the router allowing the traffic.

Compensating controls: The team can deploy a security solution to remediate the threat, such as a firewall to block the traffic, an intrusion prevention system, an application-level firewall, or an inline patching system.

Remediate an upstream host: Especially when dealing with hosts not directly exposed to an untrusted network, remediating an upstream host that is exposed to an untrusted network is a viable option.

Analyzing vulnerabilities in the context of the network enables security teams to communicate the risk posed to the enterprise and to identify the most appropriate remediation action to boost security.

The RedSeal Networks Approach

RedSeal's proactive security intelligence solution represents a vulnerability-management innovation and arms you with the ability to overcome all the challenges described thus far. Wielding RedSeal's advanced security analytics engine, you can quickly prioritize the results of a network vulnerability assessment scan, identify the hosts that are exposed to all untrusted networks and determine the remediation steps that will do the most to safeguard security. The security analytics engine has two major components:

The Network Map Analysis, which analyzes all possible network traffic that is allowed and denied between all known points in the network.

The Threat Map Analysis, which correlates host and vulnerability data with network access to determine all of the possible attack (threat) paths from untrusted networks to anywhere in the network.

Analyze Vulnerabilities in the Context of the Network

Network Map Analysis

Understanding the interconnectedness of an enterprise's assets is fundamental to vulnerability management. Analyzing the network access policies across the network provides the context that enables effective vulnerability prioritization. The Network Map Analysis engine analyzes configuration data from network devices to determine what traffic is allowed between any two points in the network. It iterates on each and every node in the network to build a complete network map that includes trusted and untrusted networks:

1) RedSeal automatically collects the configuration data of network devices, either directly from the network device or from a centralized repository or management system, then builds a network topology diagram (or map).
2) The Network Map Analysis computes all known paths between all points in the network.
3) This can be repeated for any network change or at regular intervals.

The results of the Network Map Analysis are recorded, and end users can query them to understand how their network is architected and determine what traffic is allowed between any two points. This can be done on demand or at regular intervals.

Threat Map Analysis

Threat Map Analysis helps security teams tackle the first challenge of vulnerability management: determining which hosts are directly exposed to untrusted networks. By utilizing the results from Network Map Analysis, Threat Map Analysis can correlate the network access with host and vulnerability data from your network vulnerability assessment scanner:

1) RedSeal automatically collects host and vulnerability data from vulnerability assessment scanners.
2) Threat Map Analysis computes every possible threat vector between every host and their vulnerabilities across the entire network. This analysis identifies the hosts directly exposed to untrusted networks.
3) As Threat Map Analysis runs, it calculates a series of metrics that include the asset value, the vulnerability severity and the exposure of the host to the rest of the network. These metrics provide end users with a simple way of prioritizing the hosts and vulnerabilities that present the highest threat to the enterprise.

The results of the Threat Map Analysis are recorded, and end users can choose any point in their network to review all threat vectors to or from that source.

Prioritize Remediation by Identifying Hosts Directly Exposed to Untrusted Networks

Identifying the hosts directly exposed to untrusted networks is the most important step in prioritizing remediation efforts. There are two approaches:

End users can query the RedSeal Threat Map (see diagram below) to review all threats that originate from all of their untrusted networks. Using our earlier example where two servers are exposed to the untrusted network, one of the exposed hosts (A) has a vulnerability that would allow an attacker to leapfrog or jump to another host deeper in the network, while the other exposed host (B) has the same vulnerability but its leapfrog target is an internal test server having no consequence to the business. A security team would use the Threat Map to identify both host A and host B as directly exposed to untrusted networks with threat paths deeper into the network.

Figure: Threat Map displays all of the threat vectors from untrusted networks to directly exposed hosts.

End users can use the RedSeal Downstream Risk metric to identify and prioritize the directly exposed hosts. The hosts with the greatest downstream risk present the greatest risk to the enterprise based on the severity of the vulnerabilities present and the network access allowed from the high-risk host to other hosts within the network. From our example, both hosts A and B would have downstream risk scores. Host A's score would be higher than B's because it exposes a regulated database deep in the network that contains customer data. Host B exposes an internal test server only and has low consequence to the business.

Determine Which Actions Provide Greatest Security Improvement

Once security teams have used RedSeal to prioritize their remediation, they can use a variety of features available to determine the best remediation effort. They can also clearly communicate the urgency to remediate. These features enable security teams to consider other remediation options besides just patching or disabling the exposed service. RedSeal's Network Path Explorer and Threat Map both enable security teams to identify the best actions.

The Network Path Explorer enables users to review all traffic between any two points in the network. Users specify source and destination in the network, and the Network Path Explorer returns the traffic allowed between the source and destination. The results are returned as a 5-tuple: protocol, source IP address, source port, destination IP address, and destination port. This powerful tool can help a security team consider a variety of remediation options and also identify huge security architectural flaws in the network. By reviewing the allowed network traffic, security teams can determine whether the access granted exceeds their business needs.

Using our earlier example, the security team could use the Network Path Explorer to discover all traffic allowed from untrusted networks to the network where host A resides. With this information the security team can determine if only host A is incorrectly exposed or if there are additional exposed areas. In addition, the Network Path Explorer can assist with determining how best to deploy security solutions that can serve as compensating controls for remediating vulnerabilities. For example, the Network Path Explorer can report all traffic allowed to a destination, which can help a security team determine where to deploy an IPS or application-level firewall.
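The host A / host B prioritization described above, as an added example that is not RedSeal's code or algorithm: allowed traffic is modeled as 5-tuples, directly exposed hosts are derived from those rules, and each is ranked by a hypothetical score (asset value times severity, summed over the host and everything it can reach). All addresses, ports, asset values, host C and the scoring formula are constructed assumptions.

```python
"""Added illustration (constructed data): rank scanner findings by network exposure."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Allowed traffic as a 5-tuple: protocol, source, source port, destination, destination port.
Flow = namedtuple("Flow", "proto src sport dst dport")
# pivot=True marks a vulnerability that lets an attacker "leapfrog" to other hosts.
Vuln = namedtuple("Vuln", "proto port severity pivot")
Host = namedtuple("Host", "name ip asset_value vulns")

# Constructed sample network; addresses, ports and values are illustrative assumptions.
UNTRUSTED = [ip_network("198.51.100.0/24")]          # e.g. an extranet segment
FLOWS = [
    Flow("tcp", ip_network("198.51.100.0/24"), "any", ip_network("10.1.0.0/24"), 443),
    Flow("tcp", ip_network("10.1.0.10/32"), "any", ip_network("10.2.0.5/32"), 1521),
    Flow("tcp", ip_network("10.1.0.20/32"), "any", ip_network("10.3.0.7/32"), 22),
]
HOSTS = [
    Host("A", "10.1.0.10", 2, [Vuln("tcp", 443, 7, True)]),       # exposed legacy host
    Host("B", "10.1.0.20", 2, [Vuln("tcp", 443, 7, True)]),       # exposed host
    Host("DB", "10.2.0.5", 10, [Vuln("tcp", 1521, 9, False)]),    # regulated database
    Host("TEST", "10.3.0.7", 1, [Vuln("tcp", 22, 5, False)]),     # internal test server
    Host("C", "10.4.0.9", 5, [Vuln("tcp", 445, 10, True)]),       # severe, but unreachable
]


def severity_order(hosts):
    """Host-centric view: sort by worst scanner severity, ignoring the network."""
    return [h.name for h in sorted(hosts, key=lambda h: -max(v.severity for v in h.vulns))]


def reachable_vulns(position, host, flows):
    """Vulnerabilities on `host` whose service some flow allows from `position` (a network)."""
    addr = ip_address(host.ip)
    return [v for v in host.vulns
            if any(f.proto == v.proto and f.dport == v.port
                   and f.src.overlaps(position) and addr in f.dst for f in flows)]


def directly_exposed(hosts, flows, untrusted):
    """Map host name -> vulnerabilities reachable straight from an untrusted network."""
    exposed = {}
    for h in hosts:
        vulns = [v for net in untrusted for v in reachable_vulns(net, h, flows)]
        if vulns:
            exposed[h.name] = vulns
    return exposed


def downstream(start, hosts, flows):
    """Walk threat paths from a compromised `start`; returns {host name: worst severity}."""
    found, frontier = {}, [start]
    while frontier:
        position = ip_network(frontier.pop(0).ip + "/32")
        for h in hosts:
            if h.name == start.name or h.name in found:
                continue
            vulns = reachable_vulns(position, h, flows)
            if vulns:
                found[h.name] = max(v.severity for v in vulns)
                if any(v.pivot for v in vulns):     # only pivotable flaws extend the path
                    frontier.append(h)
    return found


def prioritize(hosts, flows, untrusted=UNTRUSTED):
    """Rank exposed hosts by own risk plus downstream risk (hypothetical scoring)."""
    by_name = {h.name: h for h in hosts}
    ranking = []
    for name, vulns in directly_exposed(hosts, flows, untrusted).items():
        host = by_name[name]
        reach = downstream(host, hosts, flows) if any(v.pivot for v in vulns) else {}
        score = host.asset_value * max(v.severity for v in vulns)
        score += sum(by_name[n].asset_value * sev for n, sev in reach.items())
        ranking.append((name, score, sorted(reach)))
    return sorted(ranking, key=lambda r: -r[1])


if __name__ == "__main__":
    print("severity only   :", severity_order(HOSTS))
    print("network context :", prioritize(HOSTS, FLOWS))
    # Remediation option other than patching: remove the A -> DB access rule.
    print("after ACL change:", prioritize(HOSTS, [FLOWS[0], FLOWS[2]]))
```

Sorting by severity alone puts the unreachable host C first, while the network-aware ranking puts host A first because of its path to the database; dropping the single A-to-DB rule lowers A below B without patching either host.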

Figure: Graphical view of all access allowed to a network and the details including source, destination, port and protocol.

The Threat Map enables security teams to review all threats to any host in the network, including threats from untrusted networks. This feature enables security teams to consider a number of remediation options for a host, including changing the access policies on an upstream network device or identifying other hosts that, if remediated, would eliminate the exposure.

Figure: Graphical view of all threat vectors to a subnet and the details of each threat including source, destination and vulnerability information.

The combination of Network Path Explorer and Threat Map enables organizations to overcome the challenges discussed in this whitepaper. While some of the approaches to overcoming these challenges could be performed manually, clearly the complexity warrants the need for an automated software solution.

Conclusion

Network vulnerability assessment scanners are excellent for identifying the vulnerabilities present, but the results often leave organizations with more data than they can effectively handle. And the results of these scans alone are difficult to prioritize, since scanners are unable to identify which hosts are exposed to untrusted networks. What's more, the host-centric nature of scan results makes it extremely difficult to understand or communicate the true urgency for remediation or provide any more remediation options besides installing a software patch or making a configuration change to the host.

The optimal way to overcome these challenges is to analyze the results of a vulnerability scan in the context of the network. In this context you can analyze the relationships between hosts and untrusted networks by understanding the network architecture and access policies that define the relationships. By including the network context in the analysis of vulnerability data, security teams can easily identify the vulnerabilities that present the greatest threat to the enterprise, communicate the urgency to remediate these threats, and identify the remediation steps that will provide the greatest impact to the security of the business.

RedSeal Networks has developed a vulnerability management solution, Vulnerability Advisor, which enables organizations to overcome these challenges and protect their most valuable assets. Capabilities include:

Network architecture and access policy analysis

Identification of threat paths into the network, by correlating network and vulnerability data

Features like the Network Path Explorer and Threat Map for identifying remediation options and determining which approach will provide the greatest increase in security

See for yourself in a trial of RedSeal technology how you can spot your most critical vulnerabilities and make more informed decisions on what to do about them.

About RedSeal: RedSeal Networks develops proactive security intelligence software that enterprise organizations depend on to visualize their security effectiveness, maintain continuous compliance with regulations and protect their most critical assets and data. Unlike systems that measure the impact of attacks once they already occur, RedSeal isolates gaps in security infrastructure before they are discovered by hackers, analyzing the cumulative ability of security devices to control access and vulnerability exposure across the entire enterprise and providing critical metrics necessary for optimal management of real-world IT risk and exposure. For more information on RedSeal products please visit the company's web site at or contact RedSeal representatives directly at (888)


Copyright 2011 RedSeal Networks, Inc. All rights reserved. RedSeal and the RedSeal logo are trademarks of RedSeal Networks, Inc.


More information

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management Prevent cyber attacks. SEE what you are missing. See Your Network MAPS. Prevent cyber attacks. [RedSeal] is meeting our expectations and is playing an integral role as it feeds right into our overall risk

More information

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis

More information

FIREMON SECURITY MANAGER

FIREMON SECURITY MANAGER FIREMON SECURITY MANAGER Regain control of firewalls with comprehensive firewall management The enterprise network is a complex machine. New network segments, new hosts and zero-day vulnerabilities are

More information

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management Prevent cyber attacks. SEE what you are missing. See Your Network MAP. Prevent Cyber Attacks. Driven by the need to support evolving business objectives, enterprise IT infrastructures have grown increasingly

More information

How To Test For Security On A Network Without Being Hacked

How To Test For Security On A Network Without Being Hacked A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few

More information

Best Practices for Vulnerability Management

Best Practices for Vulnerability Management 4 Steps to Reducing Risk with Vulnerability Management Best Practices Is Your Vulnerability Management Process Meaningful To Your Business? The vulnerability management process can be very useful and provide

More information

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time Technology Blueprint Assess Your Vulnerabilities Maintain a continuous understanding of assets and manage vulnerabilities in real time LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Security Scanning Procedures Version 1.1 Release: September 2006 Table of Contents Purpose...1 Introduction...1 Scope of PCI Security Scanning...1 Scanning

More information

Risk-based solutions for managing application security

Risk-based solutions for managing application security IBM Software Thought Leadership White Paper September 2013 Risk-based solutions for managing application security Protect the enterprise from the growing volume and velocity of threats with integrated

More information

Using Skybox Solutions to Achieve PCI Compliance

Using Skybox Solutions to Achieve PCI Compliance Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

The Importance of Cybersecurity Monitoring for Utilities

The Importance of Cybersecurity Monitoring for Utilities The Importance of Cybersecurity Monitoring for Utilities www.n-dimension.com Cybersecurity threats against energy companies, including utilities, have been increasing at an alarming rate. A comprehensive

More information

Total Protection for Compliance: Unified IT Policy Auditing

Total Protection for Compliance: Unified IT Policy Auditing Total Protection for Compliance: Unified IT Policy Auditing McAfee Total Protection for Compliance Regulations and standards are growing in number, and IT audits are increasing in complexity and cost.

More information

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of

More information

LOGIIC Remote Access. Final Public Report. June 2015 1 LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

LOGIIC Remote Access. Final Public Report. June 2015 1 LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION LOGIIC Remote Access June 2015 Final Public Report Document Title LOGIIC Remote Monitoring Project Public Report Version Version 1.0 Primary Author A. McIntyre (SRI) Distribution Category LOGIIC Approved

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

Continuous Diagnostics & Mitigation:

Continuous Diagnostics & Mitigation: WHITE PAPER Continuous Diagnostics & Mitigation: CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL Table of Contents What is CDM Requirements, Mandates & Policy that drive for adoption of Continuous Monitoring....

More information

Reference Architecture: Enterprise Security For The Cloud

Reference Architecture: Enterprise Security For The Cloud Reference Architecture: Enterprise Security For The Cloud A Rackspace Whitepaper Reference Architecture: Enterprise Security for the Cloud Cover Table of Contents 1. Introduction 2 2. Network and application

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts SAP Cybersecurity Solution Brief Objectives Solution Benefits Quick Facts Secure your SAP landscapes from cyber attack Identify and remove cyber risks in SAP landscapes Perform gap analysis against compliance

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Web application security Executive brief Managing a growing threat: an executive s guide to Web application security. Danny Allan, strategic research analyst, IBM Software Group Contents 2 Introduction

More information

Reining in the Effects of Uncontrolled Change

Reining in the Effects of Uncontrolled Change WHITE PAPER Reining in the Effects of Uncontrolled Change The value of IT service management in addressing security, compliance, and operational effectiveness In IT management, as in business as a whole,

More information

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management

Scanless Vulnerability Assessment. A Next-Generation Approach to Vulnerability Management Scanless Vulnerability Assessment A Next-Generation Approach to Vulnerability Management WHITEPAPER Overview Vulnerability scanning, or the process of identifying a list of known security gaps in the network

More information

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber

More information

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview STRATEGIC WHITE PAPER Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview Abstract Cloud architectures rely on Software-Defined Networking

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski May 2015 is a business-critical application security solution for SAP environments. It provides a context-aware, secure and cloud-ready platform

More information

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network strategy to meet new threats and achieve expanded business imperatives

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network strategy to meet new threats and achieve expanded business imperatives WHITEPAPER The Emergence of Adaptive Network Security Evolve your network strategy to meet new threats and achieve expanded business imperatives Frank Andrus CTO, Bradford Networks Executive Summary...

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1

PENETRATION TESTING GUIDE. www.tbgsecurity.com 1 PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a

More information

Embracing Microsoft Vista for Enhanced Network Security

Embracing Microsoft Vista for Enhanced Network Security Embracing Microsoft Vista for Enhanced Network Security Effective Implementation of Server & Domain Isolation Requires Complete Network Visibility throughout the OS Migration Process For questions on this

More information

Endpoint Security Management

Endpoint Security Management Endpoint Security Management LANDESK SOLUTION BRIEF Protect against security threats, malicious attacks and configuration vulnerabilities through strong endpoint security control and maintenance. Protect

More information

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2 Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning

More information

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications

Technology Blueprint. Protect Your Email Servers. Guard the data and availability that enable business-critical communications Technology Blueprint Protect Your Email Servers Guard the data and availability that enable business-critical communications LEVEL 1 2 3 4 5 SECURITY CONNECTED REFERENCE ARCHITECTURE LEVEL 1 2 4 5 3 Security

More information

I D C E X E C U T I V E B R I E F

I D C E X E C U T I V E B R I E F Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com I D C E X E C U T I V E B R I E F P e netration Testing: Taking the Guesswork Out of Vulnerability

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

Cyber Situational Awareness for Enterprise Security

Cyber Situational Awareness for Enterprise Security Cyber Situational Awareness for Enterprise Security Tzvi Kasten AVP, Business Development Biju Varghese Director, Engineering Sudhir Garg Technical Architect The security world is changing as the nature

More information

How to Leverage IPsonar

How to Leverage IPsonar Top 3 Undiscovered Vulnerabilities IPsonar Finds on a First Scan A publication of Lumeta Corporation www.lumeta.com Introduction Large enterprises function in an ever-expanding IP space and often have

More information

LoadMaster Application Delivery Controller Security Overview

LoadMaster Application Delivery Controller Security Overview LoadMaster Application Delivery Controller Security Overview SSL Offload/Acceleration, Intrusion Prevention System (IPS) and Denial of Service (DOS) Overview Small-to-medium sized businesses (SMB) are

More information

Finding Network Security Breaches Using LiveAction Software to detect and analyze security issues in your network

Finding Network Security Breaches Using LiveAction Software to detect and analyze security issues in your network LiveAction Application Note Finding Network Security Breaches Using LiveAction Software to detect and analyze security issues in your network September 2012 http://www.liveaction.com Table of Contents

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Effective Threat Management. Building a complete lifecycle to manage enterprise threats. Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive

More information

Attack Intelligence: Why It Matters

Attack Intelligence: Why It Matters Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information

Vulnerability management lifecycle: defining vulnerability management

Vulnerability management lifecycle: defining vulnerability management Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By

More information

How To Manage A Network Security Risk

How To Manage A Network Security Risk Scanless Vulnerability Assessment: Skybox Security whitepaper July 2014 1 Overview Vulnerability scanning, or the process of identifying a list of known security gaps in the network environment, is the

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Next-Generation Vulnerability Management

Next-Generation Vulnerability Management White Paper Transform Checkbox Compliance into a Powerful Risk Mitigation Tool Skybox Security whitepaper, June 2014 Executive Summary Vulnerability management is the process of identifying, classifying,

More information

Towards End-to-End Security

Towards End-to-End Security Towards End-to-End Security Thomas M. Chen Dept. of Electrical Engineering Southern Methodist University PO Box 750338 Dallas, TX 75275-0338 USA Tel: 214-768-8541 Fax: 214-768-3573 Email: tchen@engr.smu.edu

More information

Building Energy Security Framework

Building Energy Security Framework Building Energy Security Framework Philosophy, Design, and Implementation Building Energy manages multiple subsets of customer data. Customers have strict requirements for regulatory compliance, privacy

More information

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2

WHITEPAPER. Addressing Them with Secure Network Access Control. Executive Summary... An Evolving Network Environment... 2 WHITEPAPER Top 4 Network Security Challenges in Healthcare Addressing Them with Secure Network Access Control Executive Summary... 1 Top 4 Network Security Challenges Addressing Security Challenges with

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

White Paper The Dynamic Nature of Virtualization Security

White Paper The Dynamic Nature of Virtualization Security White Paper The Dynamic Nature of Virtualization Security The need for real-time vulnerability management and risk assessment Introduction Virtualization is radically shifting how enterprises deploy, deliver,

More information

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

defending against advanced persistent threats: strategies for a new era of attacks agility made possible defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

More information

Securing OS Legacy Systems Alexander Rau

Securing OS Legacy Systems Alexander Rau Securing OS Legacy Systems Alexander Rau National Information Security Strategist Sample Agenda 1 Today s IT Challenges 2 Popular OS End of Support & Challenges for IT 3 How to protect Legacy OS systems

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information

More information

Avoiding the Top 5 Vulnerability Management Mistakes

Avoiding the Top 5 Vulnerability Management Mistakes WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations

Frank Andrus WHITEPAPER. CTO, Bradford Networks. Evolve your network security strategy to meet new threats and simplify IT security operations WHITEPAPER An Adaptive Approach to Network Security Evolve your network security strategy to meet new threats and simplify IT security operations Frank Andrus CTO, Bradford Networks Executive Summary...

More information

The Benefits of an Integrated Approach to Security in the Cloud

The Benefits of an Integrated Approach to Security in the Cloud The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The

More information

Critical Security Controls

Critical Security Controls Critical Security Controls Session 2: The Critical Controls v1.0 Chris Beal Chief Security Architect MCNC chris.beal@mcnc.org @mcncsecurity on Twitter The Critical Security Controls The Critical Security

More information

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com blog.coresecurity.com Preempting

More information

Cisco SAFE: A Security Reference Architecture

Cisco SAFE: A Security Reference Architecture Cisco SAFE: A Security Reference Architecture The Changing Network and Security Landscape The past several years have seen tremendous changes in the network, both in the kinds of devices being deployed

More information

Does your Citrix or Terminal Server environment have an Achilles heel?

Does your Citrix or Terminal Server environment have an Achilles heel? CRYPTZONE WHITE PAPER Does your Citrix or Terminal Server environment have an Achilles heel? Moving away from IP-centric to role-based access controls to secure Citrix and Terminal Server user access cryptzone.com

More information

IBM Global Technology Services Preemptive security products and services

IBM Global Technology Services Preemptive security products and services IBM Global Technology Services Preemptive security products and services Providing protection ahead of the threat Today, security threats to your organization leave little margin for error. To consistently

More information

North American Electric Reliability Corporation (NERC) Cyber Security Standard

North American Electric Reliability Corporation (NERC) Cyber Security Standard North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation

More information

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation White Paper Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation Table of Contents Introduction... 3 Common DDoS Mitigation Measures...

More information

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014 Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security

More information

A Modern Framework for Network Security in the Federal Government

A Modern Framework for Network Security in the Federal Government A Modern Framework for Network Security in the Federal Government 1 A MODERN FRAMEWORK FOR NETWORK SECURITY IN THE FEDERAL GOVERNMENT Trends in Federal Requirements for Network Security In recent years,

More information

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation

IBM Security. 2013 IBM Corporation. 2013 IBM Corporation IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure

More information

Guide to Vulnerability Management for Small Companies

Guide to Vulnerability Management for Small Companies University of Illinois at Urbana-Champaign BADM 557 Enterprise IT Governance Guide to Vulnerability Management for Small Companies Andrew Tan Table of Contents Table of Contents... 1 Abstract... 2 1. Introduction...

More information