Skybox Security joins SANS to address using a network model to gain insight into your attack surface and how to address SANS Critical Controls 10 and 11
Using a Network Model to Address SANS Critical Controls 10 and 11
1. 1
Strategies to Address SANS
Critical Controls 10 and 11 -
Secure Configurations and
Control of Network Devices
John Pescatore, SANS
Michelle Johnson Cobb, Skybox Security
Brian Kelly, Skybox Security
2. 2
Making Security Advances During Turbulent
Times
Prevent more, detect faster, respond more effectively
Third party connections are increasingly targeted
How to implement security zones without impacting business?
Misconfigured security controls worse than no controls at all
4. 4
Target Breach Lessons Learned
• Why could HVAC contractors see POS
systems/servers?
○ Zoning
• Why could PoS system malware talk to server?
○ Application control policies
• Why could internal file server talk to external world?
○ All of the above
• Usual reasons:
○ Segmentation broke apps or sys admin
○ Policy was changed “temporarily”
5. 5
The Critical Security Controls History
• 2008 – NSA “Consensus Audit Guidelines”
• 2009 – Center for Strategic and International Studies publishes
the “20 Critical Security Controls”
• 2011 – SANS takes over stewardship
• 2013 – Council on Cybersecurity formed
• 2015 – Critical Security Controls and Council become part of
the Center for Internet Security (MS-ISAC)
6. 6
Critical Security Controls
1) Inventory of Authorized and Unauthorized Devices
2) Inventory of Authorized and Unauthorized Software
3) Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4) Continuous Vulnerability Assessment and Remediation
5) Malware Defense
6) Application Software Security
7) Wireless Access Control
8) Data Recovery Capability
9) Security Skills Assessment and Appropriate Training to Fill Gaps
10) Secure Configuration of Devices such as Firewalls, Routers, and Switches
11) Limitation and Control of Network Ports, Protocols and Services
12) Controlled Use of Administrative Privileges
13) Boundary Defense
14) Maintenance, Monitoring and Analysis of Audit Logs
15) Controlled Access Based on Need to Know
16) Account Monitoring and Control
17) Data Protection
18) Incident Response Capability
19) Secure Network Engineering
20) Penetration Tests and Red Team Exercises
7. 7
Critical Security Controls V6 Draft
#   Critical Security Controls Version 5.1    Critical Security Controls Draft 6.0
1   Inventory of Auth/Unauth Devices          Inventory of Auth/Unauth Devices
2   Inventory of Auth/Unauth Software         Inventory of Auth/Unauth Software
3   Secure Configurations for HW/SW           Secure Configurations for HW/SW
4   Continuous Vulnerability Assessment       Continuous Vulnerability Assessment
5   Malware Defenses                          Controlled Use of Admin Privileges
6   Application/Software Security             Maint, Monitor, Analysis of Audit Logs
7   Wireless Access Control                   Email/Browser Security (new)
8   Data Recovery                             Malware Defenses
9   Security Skills                           Limitation/Control of Ports
10  Secure Configurations for Network HW      Data Recovery
8. 8
Critical Security Controls V6 Draft
#   Critical Security Controls Version 5.1    Critical Security Controls Draft 6.0
11  Limitation/Control of Ports               Secure Configurations for Network HW
12  Controlled Use of Admin Privileges        Boundary Defenses
13  Boundary Defenses                         Data Protection
14  Maint, Monitor, Analysis of Audit Logs    Controlled Access/Need to Know
15  Controlled Access/Need to Know            Wireless Access Control
16  Account Monitoring and Control            Account Monitoring and Control
17  Data Protection                           Security Skills
18  Incident Response and Management          Application and Software Security
19  Secure Network Engineering                Incident Response and Management
20  Penetration Test/Red Team Exercises       Penetration Test/Red Team Exercises
10. 10
Bottom Line: Avoiding Self Inflicted Wounds
• Zoning or segmenting the network is Security 101
• Flat networks are usually the path of least resistance
• Reducing attack apertures without impacting business flows
requires
○ Next Generation Firewall/Application Aware Policies
○ Accurate and timely inventory
○ Rapid reaction to both change requests and alerts
○ Repeatable, scalable policy management processes and governance
11. Michelle Johnson Cobb
VP, Worldwide Marketing
Using a Model of the Attack Surface
to Address SANS Critical Controls 10 & 11
Gartner's vulnerability management life cycle defines the operational processes and technologies that are needed to discover and remediate security weaknesses before they are exploited. Policies that define a secure IT infrastructure are used as the reference for a baseline to discover vulnerabilities and security configuration policy compliance issues. Security weaknesses should be assessed with respect to the vulnerability, the current threat environment and the business use of the asset to prioritize the shielding and remediation tasks that follow. Remediation is facilitated through cross-organizational processes and workflow. Remediation activity is also driven through monitoring of privileged user access, of compliance with technical controls and for new vulnerabilities. Vulnerability management operationally implements a subset of the controls that are defined within a security program. The life cycle implements many of the basic security controls that auditors seek when evaluating compliance. Organizations that take the extra step of mapping the policies that are implemented by vulnerability management to control standards and best practices can strengthen their posture with auditors and reduce the cost of compliance reporting through automation.
Action Item: Link vulnerability management and compliance projects to ensure that compliance spending results in lower security operations costs and a more secure environment.
Action Item: IT security organizations must work with IT operations to develop and implement the operational processes that are needed for effective vulnerability mitigation.
Skybox Security has a software platform that uses analytics to give you comprehensive information about your organization’s attack surface. That knowledge is crucial to solving everyday security problems in an accurate and actionable manner. Our solutions are used for firewall management, network compliance, vulnerability management, and more.
We believe that continuous visibility of the attack surface is critical;
that to get this visibility you have to combine a lot of data about your network and endpoints, sometimes from dozens of vendor systems;
that analytics are a must to solve complex information security challenges;
and that once you have the intelligence, you need to work it into regular security processes, automating security management at every step in order to stay ahead of attacks.
Safe to say, that if implementing the Critical Controls were easy, we wouldn’t be having this webcast.
First, you need to make sure all of your devices are configured according to security best practices and according to vendor-recommended configurations. And you have lots of vendors: devices that speak different languages, or that require the Cisco expert or the Juniper expert to be on hand to decipher what’s what.
Even if the device configurations are maintained to meet Control 10, the sheer size or complexity, or both, of most enterprise networks makes analysis of device configurations, rules, and changes a complex nightmare.
And you need to keep up with changes – changes that may impact compliance with policy, or interfere with intended protection.
Logical checks on a device-by-device basis aren’t enough, because it’s a complex system we are talking about. A necessary firewall rule can be shadowed by other rules, and an improperly configured device can render your segmentation strategy ineffective.
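As an added illustration of the shadowing problem (example code written for this page, not Skybox’s product or its algorithms), the following Python checks a small constructed first-match rulebase for rules that an earlier rule fully covers, and then shows the RDP flow the shadowed deny was meant to stop passing on the broad “temporary” allow above it. Rule names, addresses and the rulebase itself are constructed; the detector only finds full coverage by a single earlier rule, so partial shadowing by a combination of rules would still need a set-subtraction analysis.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One first-match firewall rule in a constructed, vendor-neutral form."""
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    proto: str                  # "tcp", "udp" or "any"
    dports: Tuple[int, int]     # inclusive destination port range


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`.

    Both rules must use the same IP version; ipaddress raises TypeError otherwise.
    """
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    ports_ok = outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Report rules that a single earlier rule fully covers.

    Returns (later_rule, earlier_rule, kind): "shadowed" when the actions differ
    (the later rule can never take effect), "redundant" when they agree.
    """
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "shadowed" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


def first_match(rules: List[Rule], src_ip: str, dst_ip: str,
                proto: str, dport: int) -> Optional[Rule]:
    """Return the rule a first-match firewall would apply to this flow, if any."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (rule.proto in ("any", proto)
                and src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.dports[0] <= dport <= rule.dports[1]):
            return rule
    return None


# Constructed rulebase: a "temporary" broad allow left at the top of the policy,
# followed by the rule that was meant to keep RDP out of the POS segment.
SAMPLE_RULEBASE = [
    Rule("temp-allow-all", "allow", "10.0.0.0/8", "10.20.0.0/16", "tcp", (1, 65535)),
    Rule("deny-rdp-to-pos", "deny", "10.10.5.0/24", "10.20.30.0/24", "tcp", (3389, 3389)),
    Rule("allow-https", "allow", "10.10.5.0/24", "10.20.30.10/32", "tcp", (443, 443)),
    Rule("deny-guest-to-pos", "deny", "192.168.0.0/16", "10.20.0.0/16", "any", (1, 65535)),
]

if __name__ == "__main__":
    for later, earlier, kind in find_shadowed(SAMPLE_RULEBASE):
        print(f"{later} is {kind} by {earlier}")
    hit = first_match(SAMPLE_RULEBASE, "10.10.5.7", "10.20.30.10", "tcp", 3389)
    print("RDP from contractor VLAN to POS host hits:", hit.name if hit else "no rule")
```

Run as-is: the deny-rdp-to-pos rule is reported as shadowed, and the constructed RDP flow from the contractor VLAN is matched by temp-allow-all, never by the deny. A per-device syntax check would pass both rules; only evaluating them as an ordered set reveals that the segmentation intent is gone.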
So what are your options for automating this kind of data analysis challenge? This is not a trivial issue.
But it’s one that has been solved in other industries. When you are looking for a system that handles heavy-duty analysis of interactions of complex variables, you might think of climate models, flight simulation, maybe the Google self-driving car. All deal with visualization and gleaning intelligence from complex data. In information security, the comparable model is an attack surface model.
If you can create an effective model of your attack surface – of all of the attack vectors facing your organization, you can use that knowledge to answer a lot of questions.
“Is there an attack vector caused by this misconfiguration?” If not, I might not care about it. I could consider whether the size of the attack surface grows over time, showing we are getting worse at controlling network security risks.
Script: (click through first 5 builds – last one is Threat Actors)
But how do you make a picture of the attack surface?
Explain layer by layer the information that is needed to address the previous questions.
Massive amount of data to correlate and combinations of factors to consider
Complex, heterogeneous data - the average CISO reports 50-70 information security tools in use, all contributing to the understanding of the attack surface
Fast-changing
Network context sensitive
Time context sensitive
This is a model of the attack surface. For an organization of any size, being able to see the attack surface is an amazing help to understand and respond to security incidents.
(last click) The attack surface is the sum of all reachable and exploitable attack vectors against an organization’s network.
Having visibility and intelligence of the attack surface is a real benefit to security teams. It allows them to compare event information to the attack surface in real time: is it a real attack? Is there an attack vector to this important asset? What’s the next step in an attack?
The part of the Skybox security suite that I’ll be discussing today fits squarely in Critical Security Control 4.
Benefit – topology intelligence and network context: use knowledge of what the firewall is protecting, of the paths, and of the available security controls
Rule analysis – normalized data for more consistent checks
Platform config checks – is there an issue with the device itself, like the operating system of the router or switch missing a patch?
Network compliance – access, zones, regulatory
Path visualization – step-by-step understanding of accessible or blocked paths; find all ACLs and routing rules. Pay attention to NAT, dynamic routing and authenticated rules
Rule optimization –
○ Normalize data
○ Automate all tasks – data collection, analysis, reporting
○ Policy compliance analysis
○ Access analysis and troubleshooting
○ Find unused rules – eliminates potential attack scenarios
○ Optimize the rulebase – improves firewall performance
○ Produce reports – demonstrate compliance on demand, document changes
Ongoing operational use – which means a one-time pen test is not enough. But a model and simulation allows you to check ongoing operational use very well – just re-run the model when you want to update the assessment.
Different version script:
Presentation Notes:
After talking about likelihood, it’s a good segue into the attack simulation slide.
This slide shows how we calculate that likelihood. We start with the network map and bring in vulnerabilities; we model threat origins, virtual bad guys, not only outside the network but inside it as well, such as rogue administrators, disgruntled employees and especially compromised workstations.
Customers often want to understand the reachability of a compromised workstation: if an employee downloads malware, what kind of reachability would it have inside the network? Skybox can determine that with the threat modeling.
May want to point out that this happens on the network model – not on the live network. It can be confused with penetration testing.
When Skybox finds an attack that completely compromises the host, it will start the attack simulation all over again from that compromised host, which allows us to see the difference between directly exposed vulnerabilities and indirectly exposed vulnerabilities.
Script:
This slide shows how our attack simulation works. We start with that network model containing layer 3 devices.
<advance>
On top of this model we add vulnerability scan data taken from a customer’s vulnerability scanner. From this data we pull assets and match them up with critical assets imported during the deployment phase. Then we model Threat Origins. These are virtual bad guys and are placed at ingress points of the network as well as inside it, to model things like rogue administrators, disgruntled employees and compromised workstations.
Then we do attack simulation. From every one of the threat origins we try to exploit every vulnerability on every asset we know about by seeing if the data necessary to exploit the vulnerability can be moved from the threat origin through the network past firewalls and IPSs to the asset. Every time one of those simulated attacks is successful, we assign risk. This risk can be viewed from the perspective of the Threat Origins, the Assets themselves or the Vulnerabilities.
As you can probably imagine this is an immense amount of calculation, especially in a global enterprise environment. Skybox’s patented algorithms (Can I say that?) allow our customers to enjoy the fastest analysis rate in the industry.
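As an added, simplified sketch of the simulation the script above describes (my own example code, not Skybox’s implementation or its patented algorithms), the following Python models zones, a zone-to-zone firewall policy, hosts carrying vulnerabilities and threat origins. It walks from each origin, restarts from every host whose exploit yields full compromise, and labels each vulnerability as directly or indirectly exposed, with an asset view for critical hosts. It also re-runs the model with one policy opening removed, which is the “on the model, not on the live network” what-if the notes mention. Zone names, hosts, policy triples and the VULN-* identifiers are constructed placeholders, and reachability is reduced to a per-zone allow set rather than real ACL, NAT and routing evaluation.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder identifier, not a real CVE
    port: int               # service port an attacker must reach to exploit it
    full_compromise: bool   # a successful exploit gives a foothold on the host


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    vulns: Tuple[Vuln, ...]
    critical: bool = False


# Firewall policy as permitted (src_zone, dst_zone, dst_port) triples;
# traffic inside one zone is always permitted (flat segment).
Policy = Set[Tuple[str, str, int]]


def reachable(policy: Policy, src_zone: str, dst_zone: str, port: int) -> bool:
    return src_zone == dst_zone or (src_zone, dst_zone, port) in policy


def simulate(hosts: List[Host], policy: Policy, origin_zone: str) -> Dict[str, str]:
    """Breadth-first attack simulation from one threat origin.

    Returns {vuln_id: "direct" | "indirect"}: "direct" when the origin itself can
    reach the vulnerable service, "indirect" when it is reached only from a host
    compromised earlier in the simulation. BFS handles depth-0 footholds first,
    so a vulnerability reachable both ways is labelled direct.
    """
    exposure: Dict[str, str] = {}
    footholds = deque([(origin_zone, 0)])
    visited = {origin_zone}
    while footholds:
        zone, depth = footholds.popleft()
        for host in hosts:
            for v in host.vulns:
                if not reachable(policy, zone, host.zone, v.port):
                    continue
                exposure.setdefault(v.vuln_id, "direct" if depth == 0 else "indirect")
                # Full compromise: restart the simulation from the compromised host's zone.
                if v.full_compromise and host.zone not in visited:
                    visited.add(host.zone)
                    footholds.append((host.zone, depth + 1))
    return exposure


def run_simulation(hosts: List[Host], policy: Policy,
                   origins: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Run every threat origin; `origins` maps origin name -> zone it sits in."""
    return {name: simulate(hosts, policy, zone) for name, zone in origins.items()}


def exposed_critical_assets(hosts: List[Host], exposure: Dict[str, str]) -> Set[str]:
    """Asset view: critical hosts with at least one exposed vulnerability."""
    return {h.name for h in hosts
            if h.critical and any(v.vuln_id in exposure for v in h.vulns)}


# Constructed model: four zones, four hosts, placeholder vulnerability ids.
HOSTS = [
    Host("web01", "dmz", (Vuln("VULN-A", 443, True),)),
    Host("fileserver", "corp", (Vuln("VULN-B", 445, True),)),
    Host("pos-term-01", "pos", (Vuln("VULN-C", 3389, True),), critical=True),
    Host("db01", "pos", (Vuln("VULN-D", 1433, False),), critical=True),
]
POLICY: Policy = {("internet", "dmz", 443), ("dmz", "corp", 445), ("corp", "pos", 3389)}
ORIGINS = {"internet": "internet", "compromised-workstation": "corp"}

if __name__ == "__main__":
    results = run_simulation(HOSTS, POLICY, ORIGINS)
    for origin, exposure in results.items():
        print(origin, exposure,
              "critical assets:", sorted(exposed_critical_assets(HOSTS, exposure)))
    # What-if: close the corp->pos RDP opening and re-run the model, not the live network.
    tightened = POLICY - {("corp", "pos", 3389)}
    print("after zoning fix:", run_simulation(HOSTS, tightened, ORIGINS))
```

With the constructed policy the internet origin reaches only the DMZ web host directly, but because that exploit gives a foothold, the file server, the POS terminal and the database become indirectly exposed, which is exactly the distinction between directly and indirectly exposed vulnerabilities the notes draw. Removing the single corp-to-POS RDP opening and re-running the model cuts both POS assets out of every origin's reach, so the same model answers the prioritization question without touching production.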