GETTING STARTED WITH THE ISCAN ONLINE DATA BREACH PREVENTION LIFECYCLE

iscan Online
5600 Tennyson Parkway, Suite 343
Plano, TX 75024
Table of Contents

Overview
    Data Breach Prevention
    Choosing a Deployment Methodology
Discovering Data
    Perform a Data Discovery Scan
Detecting Security Threats
    Perform a Security Scan
Prioritizing
    Generate Data Breach Risk Report
    Generate Security Threat Report
Summary
    Conclusions
Overview Getting Started With the iscan Online Data Breach Prevention Page 3
Data Breach Prevention

In today's world of cyber attacks and data breaches, it's important to understand the goals and motivations of attackers as well as how attacks happen. Every day, businesses are at risk of becoming the next victim of a data breach. These breaches continue to happen because organizations never had the ability to visualize the combined intelligence exposing security threats and unprotected data at rest.

iscan Online provides a powerful patented data breach prevention platform that delivers the combined intelligence necessary for organizations to understand, and act upon, their risk exposure to a data breach attack.
Data Breach Prevention Defined

The security of corporate sensitive data is now under relentless attack. Fighting the war on digital data loss has reached the status of a global epidemic. The vast majority of data breaches are caused by unprotected data at rest residing on vulnerable endpoints, resulting in an easy entry point for attackers.

iscan Online recognizes today's cyber security challenges and enables organizations to protect themselves by continuously assessing their environments using proven technology that follows the Data Breach Prevention Lifecycle.

Discover - Unprotected sensitive data at rest exposing your organization to risk.
Detect - Security threats providing vulnerable entry points for attackers to access your data.
Prioritize - At risk assets by leveraging the combined intelligence of security threat and data intelligence.
Remediate - Security threats by applying patches, mitigating solutions and encrypting or removing unprotected data.
Manage - The entire lifecycle process through a single scalable cloud deployed console.

In this getting started guide, we will walk through implementing the iscan Online Data Breach Prevention Lifecycle using the iscan Online Data Breach Prevention Platform. We will cover how to effectively deploy the solution to discover data and vulnerabilities as well as generate data breach risk reports to help prioritize activities for remediation. We will conclude with a reflection on the entire process and how it can help prevent a data breach in your organization before it occurs.
Choosing a Deployment Methodology

The iscan Online Data Breach Prevention Platform utilizes a host-based scanning methodology to discover unprotected data at rest as well as the security threats and vulnerabilities that exist on the endpoints where data is stored. The host-based scans can be delivered in various ways depending upon the target user base, network topologies involved and device types. Currently iscan Online supports the three primary scan delivery methods described below.

Browser Plugin

The iscan Online Browser Plugin for Mac and Windows provides a simple way for users to self-assess their own devices. It can be integrated into network access points with captive portals, offered as a self-service scan option on intranets or public-facing web pages, and even integrated into web single sign-on providers. This powerful and flexible solution can help solve one of the biggest challenges for enterprises by providing opportunistic assessment of devices which typically go undetected by traditional scan methodologies.

CLI (Command Line) Scan

The iscan Online CLI Scanner for Mac, Windows and Linux is the most versatile scan delivery method. Its non-persistent design allows scans to be launched from the command line, or integrated with a variety of systems management tools as well as other script-based endpoint management solutions. Other common deployment scenarios include scanning remote users via VPN using the on-connect script functionality. The CLI scanner does not require installation on the endpoint and can be launched from a network share.

Mobile Apps

For scanning Android and Apple iOS devices, iscan Online provides native mobile apps available via the Google Play store or from the iTunes App Store. These native mobile apps provide data discovery and vulnerability scanning as well as lite MDM (Mobile Device Management) functionality such as locate, lock, and wipe.
Summary

As you plan your production deployment strategy, consider each of the scan deployment methods above, as each provides valuable ways to scan devices. For the purpose of this getting started guide, we will focus primarily on the CLI scan and deploying using common systems management tools. As a reminder, the CLI scan can be deployed by a variety of systems management tools that can execute a scheduled task on a given endpoint.
Discovering Data
Perform a Data Discovery Scan

As described in the Data Breach Prevention Lifecycle, the first step is to detect unprotected sensitive data at rest on endpoints in your organization. In this getting started guide, we will walk through how to perform a data discovery scan on various endpoints using the CLI scanner.

1. Click on Scan Other Computers

After logging onto the iscan Online Console, click on Scan Other Computers from the Side Nav menu.
2. Choose the Organization to Scan

In the iscan Online Console, "Organizations" are used to group devices and results by terms familiar to your company. For example, an Organization might be defined as an office location, a particular type of device (servers vs workstations) or whatever is meaningful to you. To change from the currently displayed organization to a different one, click the Change button, then select the desired organization.

3. Choose a Data Discovery Scan Type

The iscan Online solution provides two pre-defined data discovery scan types:

PAN Scan

PAN stands for Primary Account Number, which is the 16 digits printed on the front of most major credit cards. This scan will detect primary account numbers stored unprotected on the system being scanned.

PII / HIPAA Scan

The PII / HIPAA scan will scan the system and detect unprotected credit card numbers, as well as driver's license, social security, and date of birth information.

For the purpose of this walkthrough, click either the PII / HIPAA scan or the PAN Scan to discover sensitive data on your devices.

A Note About Scan Short Codes

In the screen shot above, notice the column titled Short Code. A scan Short Code defines a particular scan type and configuration for the organization. These short codes are created automatically by the system when accounts and organizations are created. Short Codes can be used as command line arguments to the CLI scanner as described in the next step.
4. Choose Scan Delivery Method

In this getting started guide we will be using the CLI scan to perform data discovery scans. From the Choose Scan Delivery Method combo box, select Command Line Executable. This displays the download links for the CLI scanner for the appropriate platforms. Click on the link to download the CLI scan for the host type you wish to scan.

5. CLI Scanner Command Line Arguments

Command Line Arguments for Scan Type

Once you've downloaded the CLI Scanner it will be named iscanruntime_xxxxxx_.exe, where XXXXXX is the short code for the scan type you selected. The file is named this way as a matter of convenience so that command line switches are not required. However, you could also rename the file to simply iscanruntime.exe and pass a command line argument with the desired short code.

Example:

    C:> ren iscanruntime_xxxxxx.exe iscanruntime.exe

Then:

    C:> iscanruntime -k XXXXXX

This allows you to store a single copy of the executable and pass the desired scan configuration short code.

Command Line Arguments for Proxy

If you will be scanning devices behind a proxy, iscan Online requires an internet connection and the ability to send HTTPS (443) traffic to https://app.iscanonline.com. The CLI scanner accepts as an argument the proxy server IP and port for authentication as shown below:

    C:> iscanruntime -k XXXXXX -x 192.168.1.2:8080
6. Running the Scan

There are a variety of ways to distribute the CLI scan to endpoints in your organization. Since the CLI scanner does not need to be installed on the actual device being scanned, it can be located on a network share and then run as a scheduled task, or as a cron job on Linux devices.

Most common deployment scenarios leverage Microsoft Active Directory. iscan Online provides detailed step-by-step directions for running scans via Active Directory directly from the console. Simply choose Active Directory as the Scan Delivery Method and follow the steps.

As mentioned previously, the CLI scan can be run by any endpoint management tool that can execute a command on an endpoint, including but not limited to:

- Microsoft System Center
- McAfee EPO
- Kaseya
- Labtech
- cron jobs
- Login script
- VPN on connect script

Refer to your management solution documentation for instructions on how to execute a scheduled task on the desired endpoints.
Detecting Security Threats
Perform a Security Scan

As described in the Data Breach Prevention Lifecycle, the second step is to detect security threats on endpoints in your organization. In this getting started guide, we will walk through how to perform a security discovery on various endpoints using the CLI scanner.

1. Click on Scan Other Computers

After logging onto the iscan Online Console, click on Scan Other Computers from the Side Nav menu.
2. Choose the Organization to Scan

In the iscan Online Console, "Organizations" are used to group devices and results by terms familiar to your company. For example, an Organization might be defined as an office location, a particular type of device (servers vs workstations) or whatever is meaningful to you. To change from the currently displayed organization to a different one, click the Change button, then select the desired organization.
3. Choose Security Scan

Click on the Security Scan type in the list. The Security Scan performs an inspection of the endpoint, detecting known vulnerabilities in the operating system and in the applications that are installed. It also detects open and listening ports configured on the device.

A Note About Short Codes

In the screen shot above, notice the column titled Short Code. A scan Short Code defines a particular scan type and configuration for the organization. These short codes are created automatically by the system when accounts and organizations are created. Short Codes can be used as command line arguments to the CLI scanner as described in the next step.
4. Choose Scan Delivery Method

In this getting started guide we will be using the CLI scan to perform security scans. From the Choose Scan Delivery Method combo box, select Command Line Executable. This displays the download links for the CLI scanner for the appropriate platforms. Click on the link to download the CLI scan for the host type you wish to scan.

5. CLI Scanner Command Line Arguments

Command Line Arguments for Scan Type

Once you've downloaded the CLI Scanner it will be named iscanruntime_xxxxxx_.exe, where XXXXXX is the short code for the scan type you selected. The file is named this way as a matter of convenience so that command line switches are not required. However, you could also rename the file to simply iscanruntime.exe and pass a command line argument with the desired short code.

Example:

    C:> ren iscanruntime_xxxxxx.exe iscanruntime.exe

Then:

    C:> iscanruntime -k XXXXXX

This allows you to store a single copy of the executable and pass the desired scan configuration short code.

Command Line Arguments for Proxy

If you will be scanning devices behind a proxy, iscan Online requires an internet connection and the ability to send HTTPS (443) traffic to https://app.iscanonline.com. The CLI scanner accepts as an argument the proxy server IP and port for authentication as shown below:

    C:> iscanruntime -k XXXXXX -x 192.168.1.2:8080
6. Running the Scan

There are a variety of ways to distribute the CLI scan to endpoints in your organization. Since the CLI scanner does not need to be installed on the actual device being scanned, it can be located on a network share and then run as a scheduled task, or as a cron job on Linux devices.

Most common deployment scenarios leverage Microsoft Active Directory. iscan Online provides detailed step-by-step directions for running scans via Active Directory directly from the console. Simply choose Active Directory as the Scan Delivery Method and follow the steps.

As mentioned previously, the CLI scan can be run by any endpoint management tool that can execute a command on an endpoint, including but not limited to:

- Microsoft System Center
- McAfee EPO
- Kaseya
- Labtech
- cron jobs
- Login script
- VPN on connect script

Refer to your management solution documentation for instructions on how to execute a scheduled task on the desired endpoints.

7. Combining Scans In Batch

It is important to note that the CLI scanner does not support multiple scans being run at the same time on the same device. For example, you can't run a security scan and a data discovery scan at the same time on the same device. You should avoid scheduling scans at the same time when utilizing the system management tool of your choice.

One way to avoid running two scans at the same time is to utilize the dependency features found in some system management tools, i.e. don't start Task B until Task A completes. The other solution is to create a batch, script or cmd file that runs the scans synchronously.

Example Windows BAT/CMD file:

    @echo off
    REM Run Data Scan First
    iscanruntime -k XDATAX
    REM Run Security Scan Next
    iscanruntime -k XSECUX

The example above runs the data detection scan followed by the security scan, avoiding multiple simultaneous scans. With this solution, schedule the bat file to run on the desired schedule instead of iscanruntime.exe directly.
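The batch file serializes the two scans it contains, but two separately scheduled tasks can still overlap. The Python wrapper below is an added example, not part of the iscan Online product: it runs the two placeholder short codes from the batch file in order and refuses to start while another batch holds a lock file. The lock path and function names are assumptions, and it assumes iscanruntime is on the PATH and exits when its scan completes.

```python
import os
import subprocess
import tempfile

# Hypothetical lock location; any path writable by the scheduled task works.
LOCK_PATH = os.path.join(tempfile.gettempdir(), "iscan_batch.lock")


def run_scanner(short_code, proxy=None, exe="iscanruntime"):
    """Run one scan, block until it exits, and return its exit status."""
    cmd = [exe, "-k", short_code]
    if proxy:
        cmd += ["-x", proxy]      # ip:port, as in the proxy example above
    return subprocess.run(cmd, check=False).returncode


def run_batch(short_codes, runner=run_scanner, lock_path=LOCK_PATH):
    """Run scans one after another.

    Returns a list of (short_code, exit_status), or None when another batch
    already holds the lock and nothing was started.
    """
    try:
        # O_EXCL makes creation atomic, so only one process can take the lock.
        fd = os.open(lock_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
    except FileExistsError:
        return None
    try:
        os.write(fd, str(os.getpid()).encode())   # record the owner for triage
        os.close(fd)
        return [(code, runner(code)) for code in short_codes]
    finally:
        # Released on normal exit and on exceptions. A process that is killed
        # outright leaves the file behind; remove it by hand in that case.
        os.remove(lock_path)


if __name__ == "__main__":
    # XDATAX / XSECUX are the placeholder short codes from the batch example.
    results = run_batch(["XDATAX", "XSECUX"])
    print("another batch is already running" if results is None else results)
```

The exit statuses are recorded without interpretation, because this guide does not document what values the scanner returns.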
Prioritizing
Generate Data Breach Risk Report

Now that a data discovery scan and a security scan have been run on one or more devices, it is possible to generate the Data Breach Liability Report.

1. Navigate To Reports

After logging into the iscan Online Cloud Console, click on Reports from the Side Nav menu.
2. Run Data Breach Risk Report

Click on Data Breach Risk from the report grid.
3. View Report

The Data Breach risk report is displayed. Note that this is an active report view that allows filtering, grouping and analysis of data. Hovering over the graph data shows the details associated with the selected data point. Clicking on the graph legend includes or excludes the data type from the graph.

In the column filters, expressions such as < > = can be used to scope numeric filters. For example, typing > 200 in the credit card filter would show matches with more than 200 instances of credit card data found.
4. Report Sharing

iscan Online has implemented a unique report sharing function that allows you to distribute reports without generating PDF files. This allows the report recipient to have the same powerful filtering and analytics capability, but without requiring direct access to the iscan Online console. To share a report, click on the Share button found at the top right of the report.

Enable Sharing

Click on Share this Report.

Copy URL

Once shared, the dialog will display the public shared URL for the report. Copy this URL into an email and share it with the appropriate personnel in your organization.
Generate Security Threat Report

The security scan report is valuable for performing analysis and prioritization of assets to be remediated for security threats.

1. Navigate to Reports

After logging into the iscan Online Cloud Console, click on Reports from the Side Nav menu.
2. Run Vulnerable Hosts Report

Click on Vulnerable Hosts from the report grid.
3. View Report

The vulnerability report is displayed. Note that this is an active report view that allows filtering, grouping and analysis of data. Hovering over the graph data shows the details associated with the selected data point. Clicking on the graph legend includes or excludes the data type from the graph.

In the column filters, expressions such as < > = can be used to scope numeric filters. For example, typing > 10 in the high severity filter would show hosts with more than 10 high severity vulnerabilities.
Summary
Conclusions

In this walkthrough, we defined the iscan Online Data Breach Prevention lifecycle and walked through how to apply the Data Breach Prevention Platform to fulfill the following requirements:

- Discover unprotected sensitive data
- Detect Security Threats
- Prioritize Remediation based on threats and liability score

We hope this guide was beneficial in helping you understand the platform, and hope you continue to explore the iscan Online Data Breach Prevention Platform.