Strategies to Address SANS Critical Controls 10 and 11 - Secure Configurations and Control of Network Devices
John Pescatore, SANS
Michelle Johnson Cobb, Skybox Security
Brian Kelly, Skybox Security
Making Security Advances During Turbulent Times
• Prevent more, detect faster, respond more effectively
• Third-party connections are increasingly targeted
• How to implement security zones without impacting the business?
• Misconfigured security controls are worse than no controls at all
Disrupting the Breach Chain
[Figure: breach chain diagram. Source: SecurityIntelligence.com]
Target Breach Lessons Learned
• Why could HVAC contractors see POS systems/servers?
○ Zoning
• Why could POS system malware talk to a server?
○ Application control policies
• Why could an internal file server talk to the external world?
○ All of the above
• Usual reasons:
○ Segmentation broke apps or sysadmin tasks
○ Policy was changed “temporarily”
The Critical Security Controls History
• 2008 – NSA “Consensus Audit Guidelines”
• 2009 – Center for Strategic and International Studies publishes
the “20 Critical Security Controls”
• 2011 – SANS takes over stewardship
• 2013 – Council on Cybersecurity formed
• 2015 – Critical Security Controls and Council become part of
the Center for Internet Security (MS-ISAC)
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
Critical Security Controls V6 Draft: Version 5.1 ordering vs. Draft 6.0 ordering

 #   Critical Security Controls Version 5.1     Critical Security Controls Draft 6.0
 1   Inventory of Auth/Unauth Devices           Inventory of Auth/Unauth Devices
 2   Inventory of Auth/Unauth Software          Inventory of Auth/Unauth Software
 3   Secure Configurations for HW/SW            Secure Configurations for HW/SW
 4   Continuous Vulnerability Assessment        Continuous Vulnerability Assessment
 5   Malware Defenses                           Controlled Use of Admin Privileges
 6   Application/Software Security              Maint, Monitor, Analysis of Audit Logs
 7   Wireless Access Control                    Email/Browser Security (new)
 8   Data Recovery                              Malware Defenses
 9   Security Skills                            Limitation/Control of Ports
10   Secure Configurations for Network HW       Data Recovery
11   Limitation/Control of Ports                Secure Configurations for Network HW
12   Controlled Use of Admin Privileges         Boundary Defenses
13   Boundary Defenses                          Data Protection
14   Maint, Monitor, Analysis of Audit Logs     Controlled Access/Need to Know
15   Controlled Access/Need to Know             Wireless Access Control
16   Account Monitoring and Control             Account Monitoring and Control
17   Data Protection                            Security Skills
18   Incident Response and Management           Application and Software Security
19   Secure Network Engineering                 Incident Response and Management
20   Penetration Test/Red Team Exercises        Penetration Test/Red Team Exercises

The "Controls 10 and 11" in this webcast's title are the Version 5.1 numbers: in Draft 6.0, Secure Configurations for Network HW moves to 11 and Limitation/Control of Ports to 9, and Secure Network Engineering no longer appears as a separate control.
Continuous Processes
[Diagram: a continuous cycle with the stages Policy, Baseline, Assess Risk, Shield/Mitigate, Eliminate Root Cause and Monitor/Report, driven by the external inputs Threats, Regulations, Requirements and OTT Dictates. Grouping of the items below is as recovered from the diagram layout.]
• Baseline: Discovery/Inventory, Vuln Assessment/Pen Test, Secure Configuration
• Shield / Mitigate: FW/IPS, Anti-malware, NAC
• Eliminate Root Cause: Patch Management, Config Management, Change Management, Software Vuln Test, Training, Network Arch, Privilege Mgmt
• Monitor/Report: SIEM, Security Analytics, Incident Response
Bottom Line: Avoiding Self-Inflicted Wounds
• Zoning or segmenting the network is Security 101
• Flat networks are usually the path of least resistance
• Reducing attack apertures without impacting business flows requires
○ Next-Generation Firewall / application-aware policies
○ Accurate and timely inventory
○ Rapid reaction to both change requests and alerts
○ Repeatable, scalable policy management processes and governance
Michelle Johnson Cobb
VP, Worldwide Marketing
Using a Model of the Attack Surface to Address SANS Critical Controls 10 & 11
© 2015 Skybox Security Inc. 12
Skybox Security Overview
• Powerful platform uses attack surface visibility and intelligence to address:
– Firewall and change management
– Network visibility and compliance
– Vulnerability and threat management
• Over 500 Global 2000 customers
Risk Analytics for Cyber Security
Challenges implementing Controls 10 & 11
• Problem 1: Tons of vendors
• Problem 2: Complex rulesets
• Problem 3: Changes
Scale of the example environment on the slide:
• 500 network devices
• 25,000 FW rules
• 1,000 IPS signatures
• 55,000 nodes
• 65 daily network changes
• Infrastructure spanning three continents
Questions that have to be answered at that scale:
• Will a change introduce a new exposure?
• Are IPS signatures up to date?
• Impact of new vulnerabilities on network devices, hosts?
How do you analyze complex data?
• Meteorology: climate models
• Aerospace: flight simulators
• Information Security: attack surface model
Gain Visibility of the Attack Surface
[Diagram, built up over six slides; the layers of the attack surface model and their elements:]
• ASSETS: Servers, Workstations, Networks
• SECURITY CONTROLS: Firewalls, IPS, VPNs
• NETWORK TOPOLOGY: Routers, Load Balancers, Switches
• VULNERABILITIES: Location, Criticality
• THREATS: Hackers, Insiders, Worms
Critical Security Control 10
“Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”

Analytics to Maintain Secure Configurations
• Firewall rule analysis
• Platform configuration checks
• Network compliance
• Path visualization
• Rule optimization
• Change planning
• Rule lifecycle management
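The analytics listed above (rule analysis, network compliance, path visualization, rule optimization and change planning) can be shown on a small ruleset. The following Python is an added example written for this page; it is not Skybox code and not taken from the slides. The comma-separated ruleset format, the zone map (CONTRACTOR, POS and CORP, with every other address treated as INTERNET), the forbidden zone pairs and the rule names are all constructed, modelled on the Target lesson from the SANS section: a third-party contractor segment that can reach POS through a rule opened “temporarily”. It evaluates rules first-match, reports rules that an earlier rule makes dead, reports live allow rules that open a forbidden zone pair, answers a concrete path query, and pre-checks a proposed rule insert (the “will a change introduce a new exposure?” question), including how the answer changes with the position the rule lands in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    port: Optional[int]          # None = any port

def net(s: str) -> ipaddress.IPv4Network:
    return ANY_NET if s == "any" else ipaddress.ip_network(s, strict=False)

def parse_rules(text: str) -> List[Rule]:
    """Parse 'name,action,src,dst,proto,port' lines (hypothetical export format)."""
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, action, src, dst, proto, port = [f.strip() for f in line.split(",")]
            rules.append(Rule(name, action, net(src), net(dst), proto,
                              None if port == "any" else int(port)))
    return rules

# Constructed zone map; zones must not overlap, anything outside them is INTERNET.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "CONTRACTOR": net("10.50.0.0/16"),   # third-party VPN pool
    "POS": net("10.10.0.0/16"),
    "CORP": net("10.20.0.0/16"),
}
FORBIDDEN = {("CONTRACTOR", "POS"), ("POS", "INTERNET"), ("INTERNET", "POS")}  # never allowed

def zones_touched(n: ipaddress.IPv4Network) -> set:
    touched = {z for z, znet in ZONES.items() if n.overlaps(znet)}
    if not any(n.subnet_of(znet) for znet in ZONES.values()):
        touched.add("INTERNET")          # wider than every internal zone
    return touched

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches b also matches a."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto) and a.port in (None, b.port))

def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule makes the later one dead."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                out.append((r.name, earlier.name))
                break
    return out

def find_zone_violations(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Live allow rules opening a forbidden pair (conservative: partial earlier denies are not subtracted)."""
    dead = {name for name, _ in find_shadowed(rules)}
    out = []
    for r in rules:
        if r.action == "allow" and r.name not in dead:
            for s in sorted(zones_touched(r.src)):
                for d in sorted(zones_touched(r.dst)):
                    if (s, d) in FORBIDDEN:
                        out.append((r.name, s, d))
    return out

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int):
    """First-match decision for one concrete flow; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.port in (None, port):
            return r.action, r.name
    return "deny", None

def plan_change(rules: List[Rule], new: Rule, position: Optional[int] = None) -> dict:
    """Pre-check a proposed insert: violations it introduces and an earlier rule that already kills it."""
    pos = len(rules) if position is None else position
    proposed = rules[:pos] + [new] + rules[pos:]
    return {"new_violations": sorted(set(find_zone_violations(proposed))
                                     - set(find_zone_violations(rules))),
            "shadowed_by": dict(find_shadowed(proposed)).get(new.name)}

RULESET = """\
# name,action,src,dst,proto,port   (constructed sample; first match wins)
allow-pos-payment,allow,10.10.0.0/16,10.20.9.10/32,tcp,443
deny-pos-egress,deny,10.10.0.0/16,any,any,any
allow-contractor-hvac,allow,10.50.0.0/16,10.20.7.0/24,tcp,443
temp-contractor-any,allow,10.50.0.0/16,any,any,any
allow-contractor-hvac-dup,allow,10.50.0.0/16,10.20.7.0/24,tcp,443
allow-corp-smb,allow,10.20.0.0/16,10.20.0.0/16,tcp,445
"""
RULES = parse_rules(RULESET)

if __name__ == "__main__":
    print("shadowed:", find_shadowed(RULES), "violations:", find_zone_violations(RULES))
    print("contractor -> POS/445:", evaluate(RULES, "10.50.1.7", "10.10.0.5", "tcp", 445))
    proposed = parse_rules("allow-pos-updates,allow,10.10.0.0/16,any,tcp,80")[0]
    print("append:", plan_change(RULES, proposed), "| at top:", plan_change(RULES, proposed, 0))
```

Two design points. The violation check deliberately errs toward false positives: a rule that an earlier deny covers only partly is still reported, because proving the residual exposure empty needs a full set-difference over address and port space, and a reviewer would rather see the rule than miss it. And the change pre-check shows why ordering is part of the change request: the same proposed allow rule is dead when appended after the POS egress deny, but opens POS to the Internet when inserted at the top.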
Critical Security Control 11
“Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.”
Attack Simulation to Find and Minimize Risks
[Diagram, built up over three slides: Visualize -> Correlate, Prioritize -> Understand Controls -> Identify Attack Vectors]
• Visualize / Correlate, Prioritize: exploitable vulnerabilities (diagram labels: CVE-1234, CVE-0123, MS12074, CVE-4567, CVE-5678)
• Understand Controls: security controls, access paths, policy violations, unauthorized changes
• Identify Attack Vectors: high-risk vector
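The model layers from the “Gain Visibility” slides (assets, security controls, topology, vulnerabilities, threats), the Control 11 baseline of permitted ports and services, and the correlate / prioritize / identify-attack-vectors steps above fit together in one small simulation. The following Python is an added example for this page, not Skybox code: the zones, the ports each firewall permits between zones, the host roles and their approved ports, and the vulnerability identifiers VULN-A to VULN-E are all constructed. It first flags listening services outside each role's baseline, then runs a breadth-first attack simulation from three threat origins (the Internet, a third-party contractor segment, an insider in CORP), treating a host as compromised when a remotely exploitable flaw sits on a port that is both listening and reachable from a zone the attacker already holds, and finally reports which origins can reach each vulnerability, so a severe but unreachable flaw (VULN-D, local only) ranks below a reachable one.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Vuln:
    vid: str          # constructed identifier, not a real CVE
    port: int         # service the flaw is exposed on; 0 = local only
    remote: bool      # exploitable over the network without prior access
    severity: str

@dataclass
class Host:
    name: str
    zone: str
    role: str
    listening: Set[int]                        # ports actually open (Control 11 data)
    vulns: List[Vuln] = field(default_factory=list)

# Constructed model (assumed topology, not from the slides). PERMITTED holds the
# ports a firewall allows between two zones; traffic inside one zone is unfiltered.
PERMITTED: Dict[Tuple[str, str], Set[int]] = {
    ("INTERNET", "DMZ"): {443},
    ("DMZ", "CORP"): {445},
    ("CONTRACTOR", "CORP"): {443, 445},   # 445 is the "temporary" exception
    ("CORP", "POS"): {445},
    ("CORP", "INTERNET"): {80, 443},
}
# Approved listening ports per host role: the Control 11 baseline.
APPROVED: Dict[str, Set[int]] = {
    "web": {443}, "hvac-mgmt": {443}, "pos": {3389}, "fileserver": {445}}
HOSTS: List[Host] = [
    Host("web01", "DMZ", "web", {443, 22}, [Vuln("VULN-A", 443, True, "high")]),
    Host("hvac01", "CORP", "hvac-mgmt", {443, 445}, [Vuln("VULN-B", 445, True, "critical")]),
    Host("pos01", "POS", "pos", {445, 3389}, [Vuln("VULN-C", 445, True, "critical"),
                                             Vuln("VULN-D", 0, False, "high")]),
    Host("fs01", "CORP", "fileserver", {445}, [Vuln("VULN-E", 445, True, "high")]),
]
ORIGINS = ["INTERNET", "CONTRACTOR", "CORP"]   # hacker, third party, insider

def unapproved_services(hosts=HOSTS, approved=APPROVED) -> List[Tuple[str, int]]:
    """Control 11 check: open ports outside the role baseline."""
    return [(h.name, p) for h in hosts
            for p in sorted(h.listening - approved.get(h.role, set()))]

def allowed(src_zone: str, dst_zone: str, port: int, permitted=PERMITTED) -> bool:
    return src_zone == dst_zone or port in permitted.get((src_zone, dst_zone), set())

def simulate(origin: str, hosts=HOSTS, permitted=PERMITTED) -> Dict[str, List[Tuple[str, str]]]:
    """Breadth-first attack simulation from a foothold in `origin`. A host falls when
    a remotely exploitable vuln sits on a port that is listening and reachable from
    a zone the attacker already holds. Returns host -> shortest (host, vuln) chain."""
    chains: Dict[str, List[Tuple[str, str]]] = {}
    queue = deque([(origin, [])])
    while queue:
        zone, chain = queue.popleft()
        for h in hosts:
            if h.name in chains:
                continue
            for v in h.vulns:
                if v.remote and v.port in h.listening and allowed(zone, h.zone, v.port, permitted):
                    chains[h.name] = chain + [(h.name, v.vid)]
                    queue.append((h.zone, chains[h.name]))
                    break
    return chains

def prioritize(origins=ORIGINS, hosts=HOSTS, permitted=PERMITTED) -> Dict[str, List[str]]:
    """Correlate: which origins have an attack path through each vulnerability. An
    empty list means present but unreachable, whatever the severity says."""
    exposure = {v.vid: [] for h in hosts for v in h.vulns}
    for origin in origins:
        for chain in simulate(origin, hosts, permitted).values():
            for _, vid in chain:
                if origin not in exposure[vid]:
                    exposure[vid].append(origin)
    return exposure

def without(permitted, src_zone, dst_zone, port):
    """What-if: the same topology with one permitted port closed."""
    fixed = {k: set(v) for k, v in permitted.items()}
    fixed[(src_zone, dst_zone)].discard(port)
    return fixed

if __name__ == "__main__":
    print("unapproved services:", unapproved_services())
    for origin in ORIGINS:
        print(origin, "->", simulate(origin))
    print("exposure:", prioritize())
    print("after closing CONTRACTOR->CORP/445:",
          simulate("CONTRACTOR", permitted=without(PERMITTED, "CONTRACTOR", "CORP", 445)))
```

The what-if at the end is the “minimize” half of the slide title: closing the one temporary port removes every path the contractor segment had, while the Internet path through the DMZ file share to POS remains and would need its own change. Both results come from the same model, which is the point of keeping controls, topology, services and vulnerabilities together rather than in separate tools.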
Brian Kelly
Sales Engineer
Demo: Security Policy
Management with Skybox
Resources
• SANS: https://www.sans.org/webcasts/archive
• Critical Security Controls – http://www.counciloncybersecurity.org/critical-controls/
• SANS Events: https://www.sans.org/security-training/by-location/all
• Questions: q@sans.org
• @John_Pescatore
• Skybox Security - Best Practices for Network Security: http://www.skyboxsecurity.com/resources/best-practice-4-steps-more-automated-adaptable-network-security-management#.VgOgY8tVikp
Acknowledgements
Thanks to our sponsor:
And to our attendees:
Thank you for joining us today
Using a Network Model to Address SANS Critical Controls 10 and 11

  • 1. 1 Strategies to Address SANS Critical Controls 10 and 11 - Secure Configurations and Control of Network Devices John Pescatore, SANS Michelle Johnson Cobb, Skybox Security Brian Kelly, Skybox Security
  • 2. 2 Making Security Advances During Turbulent Times  Prevent more, detect faster, respond more effectively  Third party connections are increasingly targeted  How to implement security zones without impacting business?  Misconfigured security controls worse than no controls at all
  • 3. 3 Disrupting the Breach Chain Source: SecurityIntelligence.com
  • 4. 4 Target Breach Lessons Learned • Why could HVAC contractors see POS systems/servers? ○ Zoning • Why could PoS system malware talk to server? ○ Application control policies • Why could internal file server talk to external world? ○ All of the above • Usual reasons: ○ Segmentation broke apps or sys admin ○ Policy was changed “temporarily”
  • 5. 5 The Critical Security Controls History • 2008 – NSA “Consensus Audit Guidelines” • 2009 – Center for Strategic and International Studies publishes the “20 Critical Security Controls” • 2011 – SANS takes over stewardship • 2013 – Council on Cybersecurity formed • 2015 – Critical Security Controls and Council become part of the Center for Internet Security (MS-ISAC)
  • 6. 6 Critical Security Controls 6 1 2 3 4 5 6 7 8 9 1011 12 13 14 15 16 17 18 19 20 1) Inventory of Authorized and Unauthorized Devices 11) Limitation and Control of Network Ports, Protocols and Services 2) Inventory of Authorized and Unauthorized Software 3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4) Continuous Vulnerability Assessment and Remediation 5) Malware Defense 6) Application Software Security 7) Wireless Access Control 8) Data Recovery Capability 9) Security Skills Assessment and Appropriate Training to Fill Gaps 10) Secure Configuration of Devices such as Firewalls, Routers, and Switches 20) Penetration Tests and Red Team Exercises 19) Secure Network Engineering 18) Incident Response Capability 17) Data Protection 15) Controlled Access Based on Need to Know 14) Maintenance, Monitoring and Analysis of Audit Logs 13) Boundary Defense 12) Controlled Use of Administrative Privileges 16) Account Monitoring and Control
  • 7. 7 Critical Security Controls V6 Draft Critical Security Controls Version 5.1 Critical Security Controls Draft 6.0 1 Inventory of Auth/Unauth Devices Inventory of Auth/Unauth Devices 2 Inventory of Auth/Unauth Software Inventory of Auth/Unauth Software 3 Secure Configurations for HW/SW Secure Configurations for HW/SW 4 Continuous Vulnerability Assessment Continuous Vulnerability Assessment 5 Malware Defenses Controlled Use of Admin Privileges 6 Application/Software Security Maint, Monitor, Analysis of Audit Logs 7 Wireless Access Control Email/Browser Security (new) 8 Data Recovery Malware Defenses 9 Security Skills Limitation/Control of Ports 10 Secure Configurations for Network HW Data Recovery
  • 8. Critical Security Controls V6 Draft (controls 11–20)
    #    Critical Security Controls Version 5.1        Critical Security Controls Draft 6.0
    11   Limitation/Control of Ports                   Secure Configurations for Network HW
    12   Controlled Use of Admin Privileges            Boundary Defenses
    13   Boundary Defenses                             Data Protection
    14   Maint, Monitor, Analysis of Audit Logs        Controlled Access/Need to Know
    15   Controlled Access/Need to Know                Wireless Access Control
    16   Account Monitoring and Control                Account Monitoring and Control
    17   Data Protection                               Security Skills
    18   Incident Response and Management              Application and Software Security
    19   Secure Network Engineering                    Incident Response and Management
    20   Penetration Test/Red Team Exercises           Penetration Test/Red Team Exercises
  • 9. Continuous Processes (slide diagram of the vulnerability management life cycle; labels recovered from the slide)
    Life-cycle stages: Policy, Baseline, Assess Risk, Discovery/Inventory, Vuln Assessment/Pen Test, Secure Configuration, Mitigate, Monitor/Report
    Shield: FW/IPS, Anti-malware, NAC
    Eliminate Root Cause: Patch Management, Config Management, Change Management, Software Vuln Test, Training, Network Arch, Privilege Mgmt
    Monitor/Report: SIEM, Security Analytics, Incident Response
    Inputs: Threats, Regulations, Requirements, OTT Dictates
  • 10. Bottom Line: Avoiding Self-Inflicted Wounds
    • Zoning or segmenting the network is Security 101
    • Flat networks are usually the path of least resistance
    • Reducing attack apertures without impacting business flows requires
      ○ Next Generation Firewall/Application Aware Policies
      ○ Accurate and timely inventory
      ○ Rapid reaction to both change requests and alerts
      ○ Repeatable, scalable policy management processes and governance
  • 11. Michelle Johnson Cobb, VP, Worldwide Marketing: Using a Model of the Attack Surface to Address SANS Critical Controls 10 & 11
  • 12. © 2015 Skybox Security Inc. Skybox Security Overview: Risk Analytics for Cyber Security
     Powerful platform uses attack surface visibility and intelligence to address:
      – Firewall and change management
      – Network visibility and compliance
      – Vulnerability and threat management
     Over 500 Global 2000 Customers
  • 13. Challenges implementing Controls 10 & 11
     Problem 1: Tons of Vendors
     Problem 2: Complex Rulesets
     Problem 3: Changes
    Example figures on the slide: 500 network devices; 25,000 FW rules; 1,000 IPS signatures; 55,000 nodes; 65 daily network changes; infrastructure spanning three continents
    Questions raised: Will a change introduce a new exposure? Are IPS signatures up to date? Impact of new vulnerabilities on network devices, hosts?
  • 14. How do you analyze complex data? Meteorology: Climate models. Aerospace: Flight simulators. Information Security: (revealed on the next slide)
  • 15. How do you analyze complex data? Meteorology: Climate models. Aerospace: Flight simulators. Information Security: Attack surface model
  • 16. Gain Visibility of the Attack Surface (title slide of a six-step build)
  • 17. Gain Visibility of the Attack Surface
    ASSETS: Servers, Workstations, Networks
  • 18. Gain Visibility of the Attack Surface
    SECURITY CONTROLS: Firewalls, IPS, VPNs
    ASSETS: Servers, Workstations, Networks
  • 19. Gain Visibility of the Attack Surface
    SECURITY CONTROLS: Firewalls, IPS, VPNs
    NETWORK TOPOLOGY: Routers, Load Balancers, Switches
    ASSETS: Servers, Workstations, Networks
  • 20. Gain Visibility of the Attack Surface
    SECURITY CONTROLS: Firewalls, IPS, VPNs
    NETWORK TOPOLOGY: Routers, Load Balancers, Switches
    ASSETS: Servers, Workstations, Networks
    VULNERABILITIES: Location, Criticality
  • 21. Gain Visibility of the Attack Surface
    SECURITY CONTROLS: Firewalls, IPS, VPNs
    NETWORK TOPOLOGY: Routers, Load Balancers, Switches
    ASSETS: Servers, Workstations, Networks
    VULNERABILITIES: Location, Criticality
    THREATS: Hackers, Insiders, Worms
  • 22. Critical Security Control 10: “Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”
  • 23. Analytics to Maintain Secure Configurations
     Firewall rule analysis
     Platform configuration checks
     Network compliance
     Path visualization
     Rule optimization
     Change planning
     Rule lifecycle management
  • 24. Critical Security Control 11: “Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.”
  • 25. Attack Simulation to Find and Minimize Risks: Visualize; Correlate, Prioritize: Exploitable Vulnerabilities (slide shows example labels CVE-1234, CVE-0123, MS12074, CVE-4567, CVE-5678)
  • 26. Attack Simulation to Find and Minimize Risks: Visualize; Correlate, Prioritize; Understand Controls: Security Controls, Access paths, Policy violations, Unauthorized changes
  • 27. Attack Simulation to Find and Minimize Risks: Visualize; Correlate, Prioritize; Understand Controls; Identify Attack Vectors: High-risk vector
  • 28. Brian Kelly, Sales Engineer: Demo: Security Policy Management with Skybox
  • 30. Resources
    • SANS: https://www.sans.org/webcasts/archive
    • Critical Security Controls: http://www.counciloncybersecurity.org/critical-controls/
    • SANS Events: https://www.sans.org/security-training/by-location/all
    • Questions: q@sans.org
    • @John_Pescatore
    • Skybox Security – Best Practices for Network Security: http://www.skyboxsecurity.com/resources/best-practice-4-steps-more-automated-adaptable-network-security-management#.VgOgY8tVikp
  • 31. Acknowledgements: Thanks to our sponsor, and to our attendees. Thank you for joining us today

Editor's Notes

  1. Gartner's vulnerability management life cycle defines the operational processes and technologies that are needed to discover and remediate security weaknesses before they are exploited. Policies that define a secure IT infrastructure are used as the reference for a baseline to discover vulnerabilities and security configuration policy compliance issues. Security weaknesses should be assessed with respect to the vulnerability, the current threat environment and the business use of the asset to prioritize the shielding and remediation tasks that follow. Remediation is facilitated through cross-organizational processes and workflow. Remediation activity is also driven through monitoring of privileged user access, of compliance with technical controls and for new vulnerabilities. Vulnerability management operationally implements a subset of the controls that are defined within a security program. The life cycle implements many of the basic security controls that auditors seek when evaluating compliance. Organizations that take the extra step of mapping the policies that are implemented by vulnerability management to control standards and best practices can strengthen their posture with auditors and reduce the cost of compliance reporting through automation. Action Item: Link vulnerability management and compliance projects to ensure that compliance spending results in lower security operations costs and a more secure environment. Action Item: IT security organizations must work with IT operations to develop and implement the operational processes that are needed for effective vulnerability mitigation.
  2. Skybox Security has a software platform that uses analytics to give you comprehensive information about your organization’s attack surface. That knowledge is crucial to solving everyday security problems in an accurate and actionable manner. Our solutions are used for firewall management, network compliance, vulnerability management, and more. We believe that Continuous visibility of attack surface is critical That to get this visibility you have to Combine a lot of data about your network and endpoint, sometimes from dozens of vendor systems That analytics are a must to solve complex information security challenges And once you have the intelligence, you need to work it into regular security processes, automating security management at every step in order to stay ahead of attacks
  3. Safe to say, that if implementing the Critical Controls were easy, we wouldn’t be having this webcast. First, you need to make sure all of your devices are configured – according to security best practices, according to vendor recommended configurations. And you have lots of vendors. Devices that speak different languages, or require the Cisco expert, or the Juniper expert to be on hand to decipher what’s what. Even if the device configurations are maintained to meet Control 10, the sheer size or complexity, or both, of most enterprise networks makes analysis of device configurations, rules, and changes a complex nightmare. And you need to keep up with changes – changes that may impact compliance with policy, or interfere with intended protection. Logical checks on a device by device basis aren’t enough, because it’s a complex system we are talking about. A necessary firewall rule can be shadowed by other rules, an improperly configured device can render your segmentation strategy ineffective.
  4. So what are your options for automating this kind of data analysis challenge? This is not a trivial issue. But it’s one that has been solved in other industries. When you are looking for a system that handles heavy-duty analysis of interactions of complex variables, you might think of climate models, flight simulation, maybe the Google self-driving car. All deal with visualization and gleaning intelligence from complex data. In information security, the comparable model is an attack surface model. If you can create an effective model of your attack surface – of all of the attack vectors facing your organization, you can use that knowledge to answer a lot of questions. “Is there an attack vector caused by this misconfiguration?” If not, I might not care about it. I could consider whether the size of the attack surface grows over time, showing we are getting worse at controlling network security risks.
  6. Script: (click through first 5 builds – last one is Threat Actors) But how do you make a picture of the attack surface? Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider. Complex, heterogeneous data – the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface. Fast-changing. Network context sensitive. Time context sensitive. This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time: is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
  12. The part of the Skybox security suite that I’ll be discussing today fits squarely in Critical Security Control 4.
  13. Benefit – topology intelligence and network context – use knowledge of what the firewall is protecting, use knowledge of paths, of available security controls
    Rule analysis – normalized data for more consistent checks
    Platform config checks – is there an issue with the device itself, like the operating system of the router or switch missing a patch
    Network compliance – access, zones, regulatory
    Path visualization – step by step understanding of accessible or blocked paths, find all ACLs, routing rules. Pay attention to NAT, dynamic routing, authenticated rules
    Rule optimization – Normalize data; Automate all tasks – data collection, analysis, reporting; Policy compliance analysis; Access analysis and troubleshooting; Find unused rules; Eliminates potential attack scenarios; Optimize the rulebase; Improves firewall performance; Produce reports; Demonstrate compliance on-demand; Documenting changes
  14. Ongoing operational use – which means a one-time pen test is not enough. But a model and simulation allows you to check ongoing operational use very well – just re-run the model when you want to update the assessment.
  15. Script: (click through first 5 builds – last one is Threat Actors) Explain layer by layer the information that is needed to address the previous questions. Massive amount of data to correlate and combinations of factors to consider. Complex, heterogeneous data – the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface. Fast-changing. Network context sensitive. Time context sensitive. This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents. (last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network. Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time: is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack? Different version script: Presentation Notes: After talking about likelihood, it’s a good segue into the attack simulation slide. This slide shows how we calculate that likelihood. We start with the network map bringing vulnerabilities; we model threat origins, virtual bad guys … not only inside the network, but outside the network as well, such as rogue administrators, disgruntled employees and especially compromised workstations. Customers often want to understand what’s the reachability of a compromised workstation, so if an employee downloads malware, what kind of reachability would they have inside the network? Skybox can determine that with the threat modeling. May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing.
When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities. Script: This slide shows how our attack simulation works. We start with that network model containing layer 3 devices. <advance> On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are placed at ingress points of the network as well as inside to model things like rogue administrators, disgruntled employees and compromised workstations. Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities. As you can probably imagine this is an immense amount of calculation, especially in a global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
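As an added illustration (not Skybox code and not part of the deck), the following toy model shows the two mechanics these notes describe: a firewall rule that is shadowed by an earlier rule (note 3) and a multi-hop attack simulation over a zoned network model that separates directly from indirectly exposed vulnerabilities (note 15). Zones, addresses, rule ids and vulnerability ids are constructed placeholders, and the firewall semantics assumed are plain first-match with an implicit final deny.

```python
"""Toy attack-surface model: rule shadowing and multi-hop attack simulation (added example)."""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    rid: str
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # inclusive (low, high) destination port range

    def matches(self, src_ip, dst_ip, port):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        # True if every flow `other` could match is also matched by self.
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1])

def find_shadowed(rules):
    """(shadowed id, shadowing id) pairs: under first-match evaluation an earlier
    rule with the opposite action already matches everything the later one would."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != rule.action and earlier.covers(rule):
                found.append((rule.rid, earlier.rid))
                break
    return found

def permits(rules, src_ip, dst_ip, port):
    """First-match evaluation with an implicit final deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action == "allow"
    return False

@dataclass
class Host:
    ip: str
    zone: str
    vulns: dict   # port -> (vuln id, does exploiting it fully compromise the host?)

def neighbours(links, zone):
    """Zones adjacent to `zone`; links are (zone_a, zone_b, firewall ruleset)."""
    for a, b, rules in links:
        if zone in (a, b):
            yield (b if a == zone else a), rules

def can_reach(links, src_ip, src_zone, dst_ip, dst_zone, port):
    """BFS over zones; a link is usable only if its firewall permits the flow."""
    seen, queue = {src_zone}, deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            return True
        for nxt, rules in neighbours(links, zone):
            if nxt not in seen and permits(rules, src_ip, dst_ip, port):
                seen.add(nxt)
                queue.append(nxt)
    return False

def simulate(hosts, links, origin_ip, origin_zone):
    """From the threat origin, try every vulnerability on every host; each full
    compromise becomes a new origin, so anything reached only via a hop is 'indirect'."""
    exposed, owned = {}, {origin_ip}   # exposed: vuln id -> "direct" | "indirect"
    frontier = deque([(origin_ip, origin_zone, 0)])
    while frontier:
        src_ip, src_zone, hops = frontier.popleft()
        for host in hosts:
            if host.ip in owned:
                continue
            for port, (vid, full_compromise) in host.vulns.items():
                if can_reach(links, src_ip, src_zone, host.ip, host.zone, port):
                    exposed.setdefault(vid, "direct" if hops == 0 else "indirect")
                    if full_compromise and host.ip not in owned:
                        owned.add(host.ip)
                        frontier.append((host.ip, host.zone, hops + 1))
    return exposed

# Constructed sample: a "temporary" broad allow (core-1) shadows the deny (core-2)
# that was meant to block SMB from the DMZ into the corporate zone.
EDGE_RULES = [Rule("edge-1", "allow", "0.0.0.0/0", "10.1.0.0/24", (443, 443))]
CORE_RULES = [Rule("core-1", "allow", "10.1.0.0/24", "10.2.0.0/24", (1, 65535)),
              Rule("core-2", "deny", "10.1.0.0/24", "10.2.0.0/24", (445, 445))]
POS_RULES = [Rule("pos-1", "allow", "10.2.0.0/24", "10.3.0.0/24", (445, 445))]
HOSTS = [Host("10.1.0.10", "dmz", {443: ("VULN-EX-1", True)}),
         Host("10.2.0.20", "corp", {445: ("VULN-EX-2", True)}),
         Host("10.3.0.30", "pos", {445: ("VULN-EX-3", True)})]
LINKS = [("internet", "dmz", EDGE_RULES), ("dmz", "corp", CORE_RULES), ("corp", "pos", POS_RULES)]
```

Running `simulate(HOSTS, LINKS, "203.0.113.5", "internet")` reports the DMZ web server as directly exposed and the corporate and POS hosts as indirectly exposed, which only happens because the shadowed deny never fires; `find_shadowed(CORE_RULES)` flags that rule before any attack path is computed.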