Network Security Best Practices - Reducing Your Attack Surface
•Als PPTX, PDF herunterladen•
1 gefällt mir•1,398 views
Delivered as a webinar, this slide deck provides best practices for gaining total visibility of your attack surface and ways to manage and reduce your risk, network vulnerabilities, and potential breaches
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Ähnlich wie Network Security Best Practices - Reducing Your Attack Surface
Ähnlich wie Network Security Best Practices - Reducing Your Attack Surface (20)
Mehr von Skybox Security
Mehr von Skybox Security (18)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Network Security Best Practices - Reducing Your Attack Surface
- 1. Skybox Security 14 October 2015 Best Practices for Reducing Your Attack Surface
- 2. © 2015 Skybox Security Inc. Speakers Michelle Cobb Skybox Security VP of Worldwide Marketing Alastair Williams Skybox Security Technical Director, EMEA
- 3. © 2015 Skybox Security Inc. Agenda Overview of How to Reduce Your Attack Surface -- Michelle Cobb, Skybox Security Demo: Skybox Overview -- Alastair Williams, Skybox Security
- 4. © 2015 Skybox Security Inc. Skybox Security Overview Powerful platform uses attack surface visibility and intelligence to address: – Firewall and change management – Network visibility and compliance – Vulnerability and threat management Over 500 Global 2000 Customers Risk Analytics for Cyber Security
- 5. © 2015 Skybox Security Inc. 5 ConsumerHealthcareTechnology Energy & Utilities Government & Defense Service Providers Different customers with common challenges Financial Services
- 6. © 2015 Skybox Security Inc. Most breaches are preventable No visibility of the environment Lack of actionable intelligence Disjointed security tools and data Lack of expertise 97% of breaches are avoidable through standard controls Organizations don’t understand their attack surface
- 7. © 2015 Skybox Security Inc. Step 1: Increase Your Understanding of Your Attack Surface It might not be as easy as you think.
- 8. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers
- 9. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers ASSETS • Servers • Workstations • Networks
- 10. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers SECURITY CONTROLS • Firewalls • IPS • VPNs ASSETS • Servers • Workstations • Networks
- 11. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers SECURITY CONTROLS • Firewalls • IPS • VPNs NETWORK TOPOLOGY • Routers • Load Balancers • Switches ASSETS • Servers • Workstations • Networks
- 12. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers SECURITY CONTROLS • Firewalls • IPS • VPNs NETWORK TOPOLOGY • Routers • Load Balancers • Switches ASSETS • Servers • Workstations • Networks VULNERABILITIES • Location • Criticality
- 13. © 2015 Skybox Security Inc. Your Attack Surface Has Many Layers SECURITY CONTROLS • Firewalls • IPS • VPNs NETWORK TOPOLOGY • Routers • Load Balancers • Switches ASSETS • Servers • Workstations • Networks VULNERABILITIES • Location • Criticality THREATS • Hackers • Insiders • Worms Source: Skybox Security
- 14. © 2015 Skybox Security Inc. Traditional Means Are a Good Start Penetration testing – True test of network security – Performed infrequently at preplanned time Vulnerability scanning – Detect vulnerabilities on a regular basis – Lack network context Step 2: Evaluate Critical Threats to Your Network
- 15. © 2015 Skybox Security Inc. Attack Simulation to Find and Minimize Risks Visualize Correlate, Prioritize Exploitable Vulnerabilities CVE-1234 CVE-0123 MS12074 CVE-4567 CVE-5678
- 16. © 2015 Skybox Security Inc. Attack Simulation to Find and Minimize Risks Visualize Correlate, Prioritize Understand Controls Security Controls Access paths Policy violations Unauthorized changes
- 17. © 2015 Skybox Security Inc. Attack Simulation to Find and Minimize Risks Visualize Correlate, Prioritize Understand Controls Identify Attack Vectors High-risk vector
- 18. © 2015 Skybox Security Inc. Step 3: Stay on Top of New Threats Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of CVE publication date3 The Media is Playing a Role in Your Security
- 19. © 2015 Skybox Security Inc. Identify Critical Unremediated Vulnerabilities 99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published 3 Top Ten Most Exploited 1. CVE-2002-0012 2. CVE-2002-0013 3. CVE-1999-0517 4. CVE-2001-0540 5. CVE-2014-3566 6. CVE-2012-0152 7. CVE-2001-0680 8. CVE-2002-1054 9. CVE-2002-1931 10. CVE-2002-1932 Mitigation Options • Patching • Removal • Configuration • IPS • Firewall rules
- 20. © 2015 Skybox Security Inc. Scanless Vulnerability Detection: Identify Vulnerabilities Without a Scan Vulnerability Deduction Product Catalog (CPE) OS version & patch level Application versions Vulnerability List (CVE) Vulnerability Database ProductProfiling Asset / Patch Management Networking Devices Active Scanner
- 21. © 2015 Skybox Security Inc. Determine Impact of a New Threat in Hours Typical scanner Analytical Scan 250 hosts/hour 100,000 host/hour
- 22. © 2015 Skybox Security Inc. Step 4: Close Network Device Security Gaps
- 23. © 2015 Skybox Security Inc. Step 4: Close Network Device Security Gaps
- 24. © 2015 Skybox Security Inc. Monitor Firewalls and Network Devices for Security Gaps Complete visibility of – Hosts, devices, zones – Firewall rules (ACLs) – Routing, NAT, VPN Analysis – Risky access paths – Access policy compliance – Rule usage – Platform configuration Firewall allows port open from the internet
- 25. © 2015 Skybox Security Inc. Step 5: Assess Risk of Planned Changes Change Management - Optimize Workflow Technical Details Change Request Risk Assessment Change Implementation Reconcile and Verify Automate the change management process Monitor changes Assess risk before change is made Identify devices involved Deliver access path information immediately Handle exceptions Reconcile changes
- 26. © 2015 Skybox Security Inc. Summary 1. Increase your understanding of your attack surface – Achieve a holistic understanding of your network 2. Evaluate critical threats to your network – Perform regular analysis to help prioritization 3. Stay on top of new threats – Use methods of quick detection 4. Close network device security gaps – Buy yourself time for future threats 5. Assess risk of proposed changes – Don’t introduce future problems
- 27. © 2015 Skybox Security Inc. 27 Demonstration www.skyboxsecurity.com
- 28. © 2015 Skybox Security Inc. 28 Questions? www.skyboxsecurity.com
- 29. © 2015 Skybox Security Inc. 29 References 1. Best Practices for Reducing Your Attack Surface 2. Best Practices for Vulnerability Management 3. 2015 Skybox Enterprise Vulnerability Management Trends Report 4. 2015 Verizon Data Breech Investigations Report
Hinweis der Redaktion
- Skybox Security PPT Template May 2014
- Skybox Security has a software platform that uses analytics to give you comprehensive information about your organization’s attack surface. That knowledge is crucial to solving everyday security problems in an accurate and actionable manner. Our solutions are used for firewall management, network compliance, vulnerability management, and more. We believe that Continuous visibility of attack surface is critical That to get this visibility you have to Combine a lot of data about your network and endpoint, sometimes from dozens of vendor systems That analytics are a must to solve complex information security challenges And once you have the intelligence, you need to work it into regular security processes, automating security management at every step in order to stay ahead of attacks
- Key points – Not focuses on a single vertical or region Pick a few and mention how the customer uses Skybox Competitive landmines – Proven support of large global organizations Examples – 7 of top 10 banks use Skybox Deployments as large as 700k nodes Orgs with complex security policies/rules
- Key Points – Link between avoiding breeches and attack surface Not understanding the attack surface prevents effective action regardless of controls Competitive landmines – Full understanding of the attack surface
- Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
- Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry. Old script for attack simulation: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface Fast-changing Network context sensitive Time context sensitive This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time - - is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, as such as rogue administrators, disgruntled employees and especially compromised work statement. Customer often want to understand what’s the reachability of a compromised work statement, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing. When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are places at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in an global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
- Sales version of slide- Continuously monitor change and minimize risks Link and automate security processes Huge time savings in delivering the path information Presentation Notes: Change management -- top of that continuum. Once you got the network in compliance, you want to keep it there. Skybox has a change management API where the customer can use their own third party ticketing system to plug in to our analysis engine or we can supply that interface. Either way we can help out with all of the common phases that a workflow process will go through. Two of the big areas where we can get a return on investment: 1. Path Analysis – huge time savings. For a given request, Skybox can show you exactly which firewalls need to be changed in seconds, without this kind of automation they can take anywhere from a couple of hours to couple of days to do this research, to figure out for a given the request what are the firewalls between point A and point B, which ones currently allow the access, and which ones need to be updated to allow that access, so we can do that in seconds, takes you long time if you do it on your own. 2. Risk Analysis – ensure security and compliance. For a given request, Skybox shows if it is going to violate security policy or expose the vulnerability to a new part of the network. To do that on your own, you would be digging through documents, which is time-consuming and error-prone.