How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

Similar documents
Security Event Management. February 7, 2007 (Revision 5)

74% 96 Action Items. Compliance

Intrusion Detection Systems. Darren R. Davis Student Computing Labs

From Rivals to BFF: WAF & VA Unite OWASP The OWASP Foundation

How To Protect A Network From Attack From A Hacker (Hbss)

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

GFI White Paper PCI-DSS compliance and GFI Software products

How To Protect Your Network From Attack From Outside From Inside And Outside

CITY UNIVERSITY OF HONG KONG Network and Platform Security Standard

Protecting Critical Infrastructure

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Cloud Security:Threats & Mitgations

WHITEPAPER. Nessus Exploit Integration

SANS Top 20 Critical Controls for Effective Cyber Defense

Payment Card Industry (PCI) Data Security Standard

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Chapter 9 Firewalls and Intrusion Prevention Systems

AI Engine Rules June 2014

April 11, (Revision 2)

Real-Time Auditing for SANS Consensus Audit Guidelines

June 8, (Revision 1)

How To Monitor Your Entire It Environment

A Decision Maker s Guide to Securing an IT Infrastructure

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Breakthrough Cyber Security Strategies. Introducing Honeywell Risk Manager

PCI Security Scan Procedures. Version 1.0 December 2004

Network Defense Tools

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Automate PCI Compliance Monitoring, Investigation & Reporting

Network Security. Mike Trice, Network Engineer Richard Trice, Systems Specialist Alabama Supercomputer Authority

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

Top 5 Essential Log Reports

March

TRIPWIRE PURECLOUD. TRIPWIRE PureCloud USER GUIDE

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

EC-Council Certified Security Analyst / License Penetration Tester (ECSA/LPT) v4.0 Bootcamp

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

How To Manage Security On A Networked Computer System

IBM. Vulnerability scanning and best practices

Cisco IPS Tuning Overview

Ovation Security Center Data Sheet

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Using Nessus In Web Application Vulnerability Assessments

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Did you know your security solution can help with PCI compliance too?

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Host/Platform Security. Module 11

5 Steps to Advanced Threat Protection

Real-Time FISMA Compliance Monitoring

Secret Server Qualys Integration Guide

Defending Against Data Beaches: Internal Controls for Cybersecurity

SonicWALL PCI 1.1 Implementation Guide

Log Correlation Engine Best Practices

Recommended Practice Case Study: Cross-Site Scripting. February 2007

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Hackers: Detection and Prevention

Passive Vulnerability Scanning Introduction to NeVO

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

May 11, (Revision 10)

Nessus and Antivirus. January 31, 2014 (Revision 4)

Simple Steps to Securing Your SSL VPN

Passive Vulnerability Detection

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

Critical Infrastructure Security: The Emerging Smart Grid. Cyber Security Lecture 5: Assurance, Evaluation, and Compliance Carl Hauser & Adam Hahn

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Concierge SIEM Reporting Overview

Global Partner Management Notice

How To Connect Log Files To A Log File On A Network With A Network Device (Network) On A Computer Or Network (Network Or Network) On Your Network (For A Network)

Real-Time Compliance Monitoring

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

13 Ways Through A Firewall

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Computer Networks & Computer Security

Consensus Policy Resource Community. Lab Security Policy

FREQUENTLY ASKED QUESTIONS

CMPT 471 Networking II

Directory and File Transfer Services. Chapter 7

D. Best Practices D.2. Administration The 6 th A

Transcription:

How I Learned to Stop Worrying and Love Compliance Ron Gula, CEO Tenable Network Security

PART 1 - COMPLIANCE STANDARDS

PART 2 SECURITY IMPACT

THEMES BUILD A MODEL

THEMES MONITOR FOR FAILURE

THEMES DEMONSTRATE COMPLIANCE

WE ARE IN A GREAT CAREER FIELD

Amount of grey hair 90 s 2000 2010

Enterprise Vulnerability, Patch and Config Auditing Continuous PCI and FDCC System and event monitoring Agent and Agentless Log Aggregation and Search Network monitoring of Servers, Clients and Databases Continuous Web Application Security Assessments and Monitoring Database Activity Monitoring USB Device usage Botnet and Virus detection Software Enumeration Insider Threat detection Antivirus auditing 3D network and event graphs File integrity monitoring 24x7 discovery of systems and much more!

PART 1 - COMPLIANCE STANDARDS

Demonstrating compliance is just as difficult as understanding why Figuring out ways to enforce desired state isn t that easy either!

When we do get it right, we don t want to stray from the desired behavior

The USA Federal government has outpaced commercial and international standards

FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA CNA STIG XCCDF SCAP XCCDF FISMA

Current Configuration Standards

PCI is still criticized for not being tough enough or too difficult

What is PCI? Pass Quarterly Vuln Scans Demonstrate that your patching, AV, firewall, IDS, web apps, wireless, WAF, user access, configs and databases are secure.

PCI IS GOOD BUT IT POINTS FINGERS

Government Single standard with enforcement Trying to make agency communication work Moving towards continuous monitoring Commercial Many standards and no enforcement Trying to make department communication work Figuring our that anti virus isn t working

Current Configuration Standards

Predictions for the future of compliance

Their numbers add up, but they aren t XCCDF compliant!

Did you do the penetration test this week? I sorted it out with a ruby script

PART 2 SECURITY IMPACT

Administrative tools -> Local Security Policy Go to Software Restriction Policies Action -> New Additional Rules New Path Rule Create rules to ALLOW execution from : %sytemroot% %programfilesdir% DENY execution from : %systemroot%\temp Go to Security Level Enable Default DENY This rule basically prevents programs other than those in C:\Windows and C:\Program Files from being executed at all. This is a bit intrusive but prevents viruses, since Outlook attachments and other viruses get installed under C:\ or in the user's Outlook temp directory.

WHITE HOUSE CONFERENCE ON FDCC CYBER COMPLIANCE The White House audits 100 more items beyond NIST.

Which target would you rather hit? Of course if you have a lot of the same targets

You have a monoculture!

SIMPLE EXAMPLE HTTP SERVER Use IPS/Proxy to stop 0-days Monitor with NIDS/NBAD Look for outbound denied firewalls No DNS. Web server jailed. Watch for denies SSH client attacks Port 80 in. Nothing allowed out System errors Illegal Commands Unauthorized changes File integrity Port 22 in. Nothing allowed out

SIMPLE EXAMPLE HTTP SERVER Boundary Desired Model Real World Monitoring Trigger Internet No vulnerabilities Daily scanning Any high vuln DMZ No system vulnerabilities Weekly patch audits Any security patches older than 15 days DMZ Correct configuration Weekly config audit Any configuration issues older than 15 days Internet No successful internet attacks Use NIDS, web logs and NBAD to monitor sessions Trend events. Alert on anomalies. Alert on long web sessions. Internet No Outbound network connections Log all firewall logs Alert on any denied outbound firewall event DMZ No unauthorized system changes Log all admin and user actions Alert on any new changes including file integrity DMZ System is error free Log all system and application errors Trend and alert on anomalies in error records. Corp LAN No Internal connections Log all firewall logs Alert on any denied internal firewall event Corp LAN All clients secure Weekly patch audits Any security patches older than 7 days

Your network is a Rube Goldberg machine

You must understand technology limitations

YOU CAN AUDIT IN MANY WAYS I scan my DMZ to list open ports To slow. I sniff in real time. Screw you guys. I track config changes. Scanner Jockey Packet Monkey Change Control Freak

HOW WOULD YOU DETECT CHANGE?

UNAUTHORIZED

snort[1578]: [1:2002910:4] ET SCAN Potential VNC Scan 5800-5820 [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.20.24:36493 -> 192.168.20.16:5800 snort[1578]: [1:2001743:8] ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 192.168.20.24:45379 -> 192.168.20.16:1025 snort[1578]: [1:1551:6] WEB-MISC /CVS/Entries access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.24:45896 -> 192.168.20.21:80 snort[1578]: [1:469:4] AUTHORIZED PENETRATION TEST [Classification: OK To Ignore, But Tell Your Boss] [Priority: 2]: {TCP} 192.168.20.24 -> 192.168.20.92

EXPECT TO BE COMPROMISED Make them work harder to leverage any compromised target Exploits work, but we re leveraging that the attacker does not know our defenses Need to have a process to investigate false positives

MAKE THEM JUMP THROUGH HOOPS Make them work harder to leverage any compromised target Most IT organizations are OK with proxies and packet shapers Are they hooked up to your SIM or NBAD and part of your monitoring?

MAKE ATTACKERS REQUIRE DIFFERENT EXPLOITS Force them to think and less likely be a botnet Web Apache attack SQL attack to Unix DB Client side SSH exploit IMAP Exchange Exploit Are you looking for these exploits to begin with? Does your SIM chain together these types of attacks?

Impact on Security Posture Events Before control After control Should simplify NIDS, firewall, SIM and other types of monitoring.

Impact on Security Posture Events Before control After control Should make detecting anomalies much easier

Let s talk about RISK METRICS in closing

Does RISK X ASSET VALUE really help?

How do you handle inheritance?

Does risk scoring help out in triage?

Thanks for your attention! rgula@tenable.com YouTube Videos Discussions Forum Security Webinars

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information