ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Similar documents
What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

NERC CIP VERSION 5 COMPLIANCE

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Sample Vulnerability Management Policy

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

YOUR NETWORK SECURITY WITH PROACTIVE SECURITY INTELLIGENCE

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

Concierge SIEM Reporting Overview

Vulnerability Management

Payment Card Industry (PCI) Data Security Standard

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

The Importance of Cybersecurity Monitoring for Utilities

IBM Security QRadar Risk Manager

Extreme Networks Security Analytics G2 Vulnerability Manager

IBM Security QRadar Vulnerability Manager

Scalability in Log Management

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

CONTENTS. PCI DSS Compliance Guide

1 Introduction Product Description Strengths and Challenges Copyright... 5

Vulnerability management lifecycle: defining vulnerability management

CDM Vulnerability Management (VUL) Capability

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

FIREMON SECURITY MANAGER

SANS Top 20 Critical Controls for Effective Cyber Defense

SECURITY POLICY MANAGEMENT ACROSS THE NEXT GENERATION DATA CENTER

How To Test For Security On A Network Without Being Hacked

IBM Security QRadar Risk Manager

March

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

White Paper The Dynamic Nature of Virtualization Security

How To Protect Your Network From Attack From A Network Security Threat

Breaking down silos of protection: An integrated approach to managing application security

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

Optimizing Network Vulnerability

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

THE TOP 4 CONTROLS.

Payment Card Industry Data Security Standard

End-user Security Analytics Strengthens Protection with ArcSight

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for Vulnerability Management

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

The Cisco ASA 5500 as a Superior Firewall Solution

Architecture Overview

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Using Skybox Solutions to Achieve PCI Compliance

Analyzing HTTP/HTTPS Traffic Logs

PCI Security Scan Procedures. Version 1.0 December 2004

Guideline on Auditing and Log Management

Application Security in the Software Development Lifecycle

Current IBAT Endorsed Services

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

How To Monitor Your Entire It Environment

Reining in the Effects of Uncontrolled Change

Making Database Security an IT Security Priority

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

What is Penetration Testing?

Overcoming PCI Compliance Challenges

Securing Remote Vendor Access with Privileged Account Security

Cisco Advanced Services for Network Security

Best Practices in ICS Security for System Operators. A Wurldtech White Paper

8 Steps for Network Security Protection

Principles of Information Security, Fourth Edition. Chapter 12 Information Security Maintenance

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

8 Steps For Network Security Protection

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Software Vulnerability Assessment

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

PENETRATION TESTING GUIDE. 1

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Bridging the gap between COTS tool alerting and raw data analysis

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

OCCS Procedure. Vulnerability Scanning and Management Procedure Reference Number: Last updated: September 6, 2011

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Extreme Networks Security Analytics G2 Risk Manager

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

IBM Security IBM Corporation IBM Corporation

North American Electric Reliability Corporation (NERC) Cyber Security Standard

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Deploying Firewalls Throughout Your Organization

Reference Architecture: Enterprise Security For The Cloud

Transcription:

ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations cannot afford to neglect vulnerability management and still expect to maintain system availability and protect sensitive data. As part of a defense-in-depth security strategy, the best approach is proactive: Identify vulnerabilities and weaknesses before security issues arise. Most organizations utilize network vulnerability assessment scans that enable the security team to identify networked devices, applications, and vulnerabilities. This is accomplished by scanning the IP addresses of an organization s network segments to identify open network ports and the associated application and operating system. The scanner probes the open ports, determines the patch level and configuration of applications and operating systems and identifies vulnerabilities present. The end-product is a list of hosts and network devices reachable with the operating attributes, including running services, software and operating system version and vulnerabilities. While this identifies the network vulnerabilities present, the raw data is overwhelming. Key challenges remain: How to prioritize meaningful remediation efforts. The raw data generated by scanners creates a phone book listing of up to tens of thousands of vulnerabilities. Organizations can filter by host attribute such as OS version level, or by application type such as SQLNet, or by vulnerability attribute such as severity. Still, looking at a filtered list makes it hard to demonstrate how addressing those vulnerabilities are actually improving security. Limited remediation options. Scan results are host-centric. They don t correlate or understand the relationships between assets. So the only option for remediation is to install a software patch or make a host configuration change. Patching is expensive. It requires the host to be taken off-line to apply the patch. Organizations are realizing that vulnerability assessment scanners provide only the view of the vulnerabilities accessible to them. Also, multiple scanners are often deployed throughout the network and network access policies are altered to grant the scanners wider access. This architecture makes it extremely difficult to understand how a given vulnerability may be exposed to a threat source or, if deeper within the network, may be exposed to other attackable hosts. However, there are products that (a) identify which network vulnerabilities pose a threat to the enterprise, (b) efficiently prioritize remediation efforts, and (c) present a choice of multiple remediation options. 1

This paper: Examines the current state of vulnerability management, how it has evolved and how new products are improving the security landscape. Introduces a powerful and cost-effective tool to identify and remediate the most important vulnerabilities in your network. Shows you why analyzing vulnerabilities in the context of your network is necessary to prioritize vulnerability remediation and determine all options beyond patching and configuration changes. Explains how to choose the optimal security decision-whether patching, changing configurations, deploying compensating controls, altering network access policies or even re-architecting the network. IDENTIFYING THE MOST IMPORTANT VULNERABILITIES TO REMEDIATE To ensure that your remediation efforts do the most to improve security, it is best to start with the vulnerabilities posing the greatest threat. Suppose 1,000 hosts were scanned and an average of five vulnerabilities were found on each. You would have 5,000 vulnerabilities to review and evaluate to identify the best action you can take to reduce any potential business impact. And, you have to decide which to fix first, prioritizing vulnerabilities by the risk to your business-not to the device or host. Many organizations take a host-centric approach to prioritizing vulnerabilities. Often the vulnerabilities are sorted by severity. Using the example of 5,000 vulnerabilities, suppose the scan found 1,000 high-, 1,500 medium-, and 2,500 low-severity vulnerabilities. Additional filtering or grouping can be done based on application, operating system, or even business unit. Once these vulnerabilities have been sorted, you review the list to determine which vulnerabilities to fix. Considerations may include: Severity of the vulnerability: Is the severity of the vulnerability so high that it needs to be patched immediately? Is it worth taking the server down or spending the time to implement the patch? Can the vulnerability be easily exploited? Could an attacker easily gain administrator-access to the server? Regulatory implications: Is the host under regulatory requirements with regard to security? Is there an explicit regulatory requirement to patch the vulnerability? Business impact: If exploited, would the vulnerability affect system availability or performance? 2

While this approach seems logical, it reveals little insight into what will actually improve security because it looks at the problem using limited data. It does not consider the enterprise as a whole, nor does it evaluate how the hosts are interconnected and what is reachable from untrusted networks. In other words, more questions need answers: Is the vulnerable host exposed to an untrusted network? Should the host be exposed to the untrusted network? Is the vulnerable host reachable from a weak upstream host? Should the host be protected by a firewall? Bottom-line: the enterprise network is the sum of its parts. And it requires a view beyond individual devices. PROTECTING HOSTS EXPOSED TO UNTRUSTED NETWORKS Most important to your network s security are the hosts exposed to untrusted networks. To attackers, they are the doors to your network. The most important and often overlooked step of vulnerability management is to determine if the host should be exposed in the first place. Often due to configuration drift, network changes, bringing up hosts/services and shutting them down, hosts are inadvertently exposed to the untrusted network. A second problem is that scanning the public IP address space of an enterprise only identifies the hosts directly exposed to the lnternet which is just one of many untrusted networks today. Others to consider: Extranet: Most enterprises today have connections to a variety of business partners- outsourcing, supply chain and codevelopment to name a few. Since these connections provide a pathway into your network and are controlled by a third-party, it is essential to secure any exposed host. Internal end-user networks: In the last few years much focus has been placed on insider threats to sensitive data. Malicious employees, contractors and malware are legitimate threats. Indeed, any network where end users actively operate is a possible source of attack. Wireless networks: Simply based on the lack of physical control inherent in wireless networks, it is important to consider the possibility of an attacker gaining access via these networks. PCI specifically calls out the need to segment valuable assets from wireless networks. VPN networks: Remote end-users often connect to enterprises using some form of VPN technology (IPSec, SSL, etc.). Usually the user is utilizing a third-party network such as a home Internet connection or hotel wireless network to initiate their VPN connection. A third-party network cannot be considered trusted. 3

It would be extremely difficult and burdensome to the network to perform a vulnerability scan from every possible entry or untrusted network access point. An ideal vulnerability management solution can dynamically identify untrusted network segments and reveal hosts exposed to those networks. The host vulnerability data can be prioritized according to what is exposed to the untrusted networks. Exposed hosts are determined by analyzing the various network access policies controlling traffic between untrusted and trusted networks. Here, computer automation is invaluable. Once you identify the directly exposed hosts, you need to answer a series of questions to further prioritize remediation efforts. First, determine if there is a business or technical requirement for the host to be exposed incorrectly. Most often an incorrectly exposed host is the result of a misconfigured access policy on a router or firewall or because access was opened to troubleshoot an issue and the administrator forgot to go back and close access. The final step is to analyze the network to determine the access the directly exposed hosts have to other hosts and vulnerabilities deeper in the network. This analysis helps you understand how much of a threat one exposed host is compared to another. For example, suppose you analyzed the access of two exposed hosts, A and B, to the untrusted network. Exposed host A has a vulnerability that enables an attacker to jump to another host deeper in the network. Host A also has a vulnerability that would enable an attacker to leapfrog to a regulated database deep in the network, which contains sensitive customer data. The other exposed host B has the same vulnerability, but its leapfrog target is an internal test server with no business impact. A may be part of a legacy network and is no longer used, but it is directly exposed to the untrusted network and has a leapfrog vulnerability that can reach a critical, regulated data repository. Clearly, host A presents a higher risk to the business than host B does. Now you know which host to remediate first. FIND THE MOST EFFECTIVE AND REALISTIC WAY TO REMEDIATE THE VULNERABILITY Vulnerability assessment may identify numerous vulnerabilities but remediating some of them may conflict with other IT priorities. For example, a scan may identify a severe vulnerability in a primary database utilized by customers or vendors. Patching the vulnerability may necessitate taking the database offline for installation and testing, which may conflict with operational priorities driven by service level agreements with specific availability requirements. The administrator managing the database may be reluctant to remediate the vulnerability, rationalizing that the database sits deep within the network, behind one or more firewalls, thus reducing the chances of the vulnerability being exploited. Because the security team doesn t take the network into consideration when prioritizing vulnerabilities, the database administrator may be correct that there is a low chance of the vulnerability being exploited. But what if the security team could demonstrate the magnitude of the threat and how exploitable the vulnerability actually is? What if the team could prove that, despite the database being deep within the network, an upstream host with a pivotable vulnerability could be compromised by exposure to an untrusted 4

network? Perhaps due to a misconfiguration on the network, the database got exposed to an untrusted network. Here, the security team is correct that the database is at risk but they may not understand that the exposure could be mitigated by patching the host exposed to the untrusted network (or by filtering traffic between the data base and the upstream host if the current network access is deemed unnecessary for business). The above example reveals two major challenges faced by security teams when trying to remediate vulnerabilities: (1) understanding and communicating how much of a threat a vulnerability is to the organization and (2) recognizing all possible remediation options. Without an understanding of the network it is impossible to initiate action and identify the most appropriate remediation steps. By analyzing vulnerabilities in the context of the network, security teams can be much more effective at communicating the level of risk that a vulnerability poses and make more informed decisions about appropriate remediation. Inadequate network understanding leaves security teams with two options for remediation: (1) install a software patch that addresses the vulnerability or (2) simply disable the vulnerable service on the host. These options are extremely host-centric, and the latter requires costly downtime. Compare that to the additional remediation options available with comprehensive network understanding: Network ACL Change: There are cases where vulnerable hosts are incorrectly exposed. In that case, remediation may be as simple as having the network team make a change to an ACL on the router allowing the traffic. Compensating Controls: The team can deploy a security solution to remediate the threat such as a firewall to block the traffic, an intrusion prevention system, an application-level firewall, or an inline patching system. Remediate an Upstream Host: When dealing with hosts not directly exposed to an untrusted network, upstream-host remediation may be a viable option. Analyzing vulnerabilities in the context of the network enables security teams to communicate the risk posed to the enterprise and to identify the most appropriate remediation action to boost security. 5

THE REDSEAL APPROACH RedSeal lets you see your network as it actually is. It verifies that your network is designed to allow only authorized access, that your devices are configured to meet industry-standard best practices, and that your changes make your network more secure. And, it prioritizes fixes based on the value and accessibility of your asset as well as the severity of the vulnerability MODEL Understanding the interconnectedness of an enterprise s assets is fundamental to vulnerability management. RedSeal examines your device configurations along with your cloud and virtualized networks and builds an accurate model of your as built network. It calculates all access paths from any point to any other point in the network and highlights problem access. TEST RedSeal then collects host data from vulnerability assessment scanners and current threat lists from the National Vulnerability Database (NVD), including CVE IDs and CVSS scores. It combines this information with the detailed network model and identifies security risks based on network exposure. PRIORITIZE and REMEDIATE From the host data collected above, RedSeal assigns an asset value based on the primary service available on that host (e.g. database, email, web server, etc.) It then calculates a risk score for each vulnerability and host based on asset value, vulnerability severity and, importantly, network exposure either direct exposure or downstream risk. You get a prioritized list of security issues to remediate and all the information you need to make the necessary changes. You can review all threats that originate from untrusted networks, including leapfrog exposure to points further into the network. You can identify and prioritize directly exposed hosts. The metric is based on the severity of the vulnerabilities present and the network access allowed from high risk hosts to other points in the network. Graphical view of all access allowed to a network and the details including source, destination, port and protocol 6

DETERMINE ACTIONS THAT PROVIDE GREATEST SECURITY IMPROVEMENT In addition to helping organizations prioritize their remediation efforts, RedSeal provides all the information needed to make needed changes. Security teams can consider the best remediation option patching, preventing access or disabling the exposed service. To help security teams identify the best actions to take, RedSeal enables users to review all traffic between any two points in the network. Users specify source and destination in the network and RedSeal returns the traffic allowed between the source and destination. Graphical view of all access allowed to a network and the details including source, destination, port and protocol RedSeal enables security teams to review all threats to any host in the network, especially threats from untrusted networks. This enables security teams to consider a number of remediation options for a host, including changing the access policies on an upstream network device or identifying other hosts that, if remediated, would eliminate the exposure. RedSeal enables organizations to overcome the challenges discussed in this whitepaper. While some of the approaches to overcoming these challenges could be performed manually, the complexity warrants the need for an automated software solution. Graphical view of all threat vectors to a subnet and the details of each threat including source, destination and vulnerability information. 7

CONCLUSION Network vulnerability assessment scanners are excellent for identifying existing vulnerabilities, but the results often leave organizations with more data than they can effectively handle. By themselves, scan results are difficult to prioritize since scanners are unable to identify which hosts are exposed to untrusted networks. What s more, the host-centric nature of scan results makes it difficult to understand or communicate the true urgency for remediation or provide any more remediation options besides installing a software patch or making a configuration change to the host. The optimal way to overcome these challenges is to analyze the results of a vulnerability scan in the context of the network. In this context you can analyze the relationships between hosts and untrusted networks by understanding the network architecture and access policies that define the relationships. By including the network context in the analysis of vulnerability data, security teams can easily identify the vulnerabilities that present the greatest threat to the enterprise, communicate the urgency to remediate these threats, and identify the remediation steps that will provide the greatest impact to business security. RedSeal s platform enables organizations to overcome these challenges and protect their most valuable assets. ABOUT REDSEAL (redseal.co) RedSeal provides a cybersecurity analytics platform to Global 2000 organizations that certifies their evolving networks are secure and accelerates compliance initiatives. RedSeal s advanced analytics engine creates functioning network models, tests networks to identify security risks, prioritizes needed actions, and provides critical information to quickly remediate issues. The result: reduced cybersecurity risk and lower incident response and maintenance costs. With operations in North America, Europe, and Asia, RedSeal customers include leaders in finance, retail, technology, utilities, service providers, and government, all served by RedSeal s channel partner network. 8 REDSEAL 888.845.8169 redseal.co/federal 940 Stewart Dr., Sunnyvale, CA 94085

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information