This document discusses many challenges facing security teams, including lack of visibility into all IT systems and assets ("shadow IT"), numerous vulnerabilities being discovered regularly, inability to identify attack paths, and poor communication between security and business teams. It advocates adopting a continuous monitoring approach that automates asset discovery, vulnerability assessments, log analysis and security metrics to improve visibility, prioritize risks, and demonstrate security's value to the business.
2. New Threats Discovered Every Day
HEARTBLEED: 90M network devices vulnerable
SHELLSHOCK: 70% of all Internet-facing machines exposed
GHOST: Almost every Linux system vulnerable due to glibc flaw
SCADA: Numerous remote code execution vulnerabilities discovered
WINDOWS: Numerous remote code execution vulnerabilities discovered
FLASH: Multiple zero days leveraged by exploit kits
STAGEFRIGHT: Billion Android devices possibly affected by major flaw in Media Library
5. Many Old Issues Still Linger
CAGR: Lack of visibility due to large compound annual growth rates
SHAKESPEARE: Given a few tries, a chimp banging on a keyboard would guess your password
INVADER: Inability to identify attack path to defend against breach
STUTTER: Communication failure between security staff and the business
ROT26: Data is not encrypted… Why is the data not encrypted?!
BANDIT: Buying expensive bandaids for massive bullet holes
8. SHADOW IT
Dictionary
Shadow IT |ˈʃadəʊ it| noun
IT systems and solutions used by employees without explicit approval by operations or security.
Systems not known to the organisation through lack of visibility.
9. It only takes a few seconds for a new virtual machine to spin up but days, weeks or months to detect it
11. 90% of workers in the US are using personal smartphones for work purposes
13. Compound annual growth rate of infrastructure*
*According to 400 respondents to the Tenable “State of Security” survey 2015
14. Using a 20th Century approach to address a 21st Century problem
16. ASSET DISCOVERY
Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization's public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analysing their traffic should be employed.
SANS CRITICAL SECURITY CONTROL #1
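As an added illustration of this control and of the shadow IT problem above (example code, not from the deck or from any Tenable product), the following Python reconciles a known inventory against the results of an active address-range sweep and a passive flow log, both constructed here with hypothetical addresses, and reports each unknown host together with how long it had been active before anyone noticed:

```python
"""Reconcile a known asset inventory with hosts found by active and passive discovery."""
from datetime import datetime

# Constructed sample data: hypothetical hosts and timestamps, not from any real network.
KNOWN_INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}

# Active sweep of 10.0.1.0/24 and 10.0.2.0/24: hosts that answered (constructed).
ACTIVE_SCAN = {"10.0.1.10", "10.0.1.11", "10.0.1.42", "10.0.2.20"}

# Passive observation: flow records "timestamp src -> dst:port" (constructed).
PASSIVE_FLOWS = """\
2015-09-01T08:00:12Z 10.0.1.10 -> 93.184.216.34:443
2015-09-01T08:03:45Z 10.0.1.42 -> 10.0.2.20:22
2015-09-01T09:15:02Z 10.0.2.99 -> 93.184.216.34:443
2015-09-02T10:00:00Z 10.0.2.99 -> 10.0.1.10:445
"""


def parse_flows(text):
    """Return {source_ip: first datetime it was seen on the wire}."""
    first_seen = {}
    for line in text.splitlines():
        ts, src, _arrow, _dst = line.split()
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        first_seen[src] = min(first_seen.get(src, seen), seen)
    return first_seen


def reconcile(inventory, active_hosts, passive_first_seen, now):
    """Classify every observed host: which tool saw it, whether it is in the inventory,
    and for unknown hosts how long they had been talking before this check ran."""
    report = {}
    for host in sorted(set(active_hosts) | set(passive_first_seen)):
        sources = [s for s, seen in (("active", host in active_hosts),
                                     ("passive", host in passive_first_seen)) if seen]
        known = host in inventory
        first = passive_first_seen.get(host)
        undetected = now - first if (first is not None and not known) else None
        report[host] = {"known": known, "sources": sources, "undetected_for": undetected}
    return report


def shadow_it(report):
    """Hosts seen on the network that the organisation does not know about."""
    return sorted(h for h, r in report.items() if not r["known"])


if __name__ == "__main__":
    result = reconcile(KNOWN_INVENTORY, ACTIVE_SCAN, parse_flows(PASSIVE_FLOWS),
                       now=datetime(2015, 9, 3, 8, 0, 0))
    for host in shadow_it(result):
        print(host, result[host]["sources"], "undetected for", result[host]["undetected_for"])
```

In the sample, 10.0.2.99 sits inside the swept range but never answered the active scan, so only the passive tool reveals it; that is the gap the control's "both active and passive" wording is about.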
17. Takes a 21st Century Approach
NESSUS® VULNERABILITY SCANNER
NESSUS® CLOUD
NESSUS® AGENTS
PVS™ PASSIVE VULNERABILITY SCANNER
LCE™ LOG CORRELATION ENGINE
SECURITYCENTER™ CONTINUOUS VIEW
21. Example Attack Path
Foothold: Found via phishing or vulnerability
Establish: Install code for permanence
Explore: Find data and systems of interest
Evade: Hide forensic footprints
Exfiltrate: Extract customer data or IP
Profit: Sell data to other 3rd parties
38. WE MONITOR YOUR SECURITY IN REAL-TIME
Category-defining continuous network monitoring enables rapid asset and vulnerability discovery.
Prioritise what needs to be fixed first. Integrate into third party processes to communicate needs.
Metrics that matter to the business, easily surfaced and visualised. Demonstrate value.
All of your devices. All of your applications. On-premise, or in the cloud.
Editor's notes
When Heartbleed hit, CEOs and senior staff started to ask simple questions like “Are we vulnerable to this?” and “How quickly will it be addressed?” The replies they got were often lacking.
You wouldn’t use a Polaroid camera as a CCTV camera, so why do people still take the approach of snapshots in time to see how things change?
And when security people are sitting in the room with senior management, they often go to their safe place and talk technology rather than higher level business goals and enabling the business to be successful.
Key Points
Because if you can’t measure IT then you can’t:
Control it
Improve it
Report on it
Key Points
In order to improve your security, risk and compliance posture you need to focus on the critical few.
It is sort of like exercise – if you tried to manage and monitor everything about your everyday fitness you’d suffer from data fatigue and it would be difficult to know whether you were making improvements.
Which is why so many tools are out there to help us simplify and get better control of our lives – diet plans, eat the 5 basic food groups, an apple a day keeps the doctor away, and technology advancements (wearables, iHealth, etc.).
{transition} let’s take Fitbit® for example….